Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1502513
In May, I had the opportunity to take a break from the daily routine of Zoom and Teams meetings. I attended both the ILTA LegalSEC Summit as well as the ALA Annual Conference, an ambitious feat since they were just a day or two apart. It was a great opportunity to reconnect with people in person and meet a lot of new people. Here are some of the highlights.
LegalSEC Summit 2023
This was my third year on the Planning Committee for the LegalSEC Summit and the experience keeps getting better. I will grant that the first year I was involved, the conference was fully virtual, which presented unique challenges in keeping people engaged. Last year the conference was in San Antonio, TX during October, and because this year's conference was in May, I was concerned that having the conferences closer together would give the team less time to prepare. However, this year's committee worked very well together, and – through teamwork and collaboration – I think we knocked it out of the park.
Day One Workshop: LegalSEC 2023 was held in Baltimore, MD at the Baltimore Marriott Waterfront. The conference kicked off with a workshop led by Karl Larsen, Career Development Manager at Ogletree Deakins PLLC, titled "Essential Communication Skills for Cybersecurity Professionals." While some may prefer more technical sessions, soft skills are critical to a successful security program. A key takeaway during this three-hour workshop was "The only message that matters is the one that is received." In other words, while you may think you were communicating clearly, if the recipient(s) of your message did not understand it in the way you intended, you need to do better. He also emphasized that what is opaque or unknown causes people to assume the worst, so be sure to include some detail when sending meeting notices.
Day Two Keynote: The keynote on day two was Jeff McKissack, President of Defense by Design, who shared that we as information security professionals often emphasize the purely technological defenses, but may have a tendency to forget about the human factor. He regaled us with stories of interviewing serial killers and criminals to learn how they were able to charm their victims. He noted that, long before the internet, there were three methods for exploiting people that still exist today: impersonation, bribery, and blackmail. The only thing that has changed is technology, which has now made it easier for criminals to target unsuspecting victims. Jeff pointed out that annual background checks can help HR departments be alert to bribery or blackmail schemes. He also emphasized that staff should be trained to verify the identity of any outside vendor by calling their company after looking up their number on the internet or internal systems and asking their employer to describe the person who was sent to your site.
Additional Highlights: As a member of the Planning Committee, I coordinated three sessions. The first on the schedule was "Using Security Frameworks for Business Partner Accountability." I felt it was important to hear about this from both the business partner perspective and the law firm perspective, so I recruited David Hansen, VP of Compliance at NetDocuments, and Brenda Schwerdt, Manager – Compliance Vendor Risk Management. Brenda described her compliance program and which frameworks she uses, while emphasizing that she does not use the same criteria when evaluating a cloud DMS provider that she would when evaluating a copy shop vendor. Having David in the session provided some lively debate about utilizing third-party vendors to initiate and store compliance data, bringing to light that those companies have relationships with the firms, but not with the business partner.
Business partners often decline to participate in these compliance