The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/34686
Roadmap

Attributes that will define the maturity of information risk management in the next few years include:

Governance

CIOs cannot act in isolation when making decisions about, or taking action to address, information risks. Law firms are best served by creating a risk management team that addresses information risks in the broader context of the firm's legal and operational risks. This team should include roles responsible for information risk and for data breaches (not likely to be the same person). Such a team provides a check and balance by making information risk decisions separately from the IT personnel tasked with implementing them. Despite good intentions, a busy and cost-conscious IT department often compromises good risk management protocol; a risk management team provides a forum for determining the firm's tolerance for risk in the context of its business priorities.

Risk Management Through Contract

The maturity of IT vendors and the proliferation of "as-a-service" options will drive the evolution of risk management skill sets from technical to legal competencies. COOs and lawyers, who are often uncomfortable navigating technical risks, are already warming to managing risks through contract negotiations, agreed formal procedures and defined incident responsibilities. IT will be best positioned when it can address both the technical and the legal aspects of information risk.

Self-Audit

Many regulated companies already employ monitoring tools, data scanning software and governance, risk and compliance (GRC) dashboards to understand their current state in real time and to manage their progress on risk initiatives. Law firms are just beginning to keep basic, manual risk registers (inventories of risk issues and the actions to be taken to address them). Over time, they will be expected to dynamically inventory, monitor, assess and address information risk issues. IT departments need to develop the risk-savvy skill sets required to use these tools.
Physical Disaggregation of Information

In opposition to the ongoing trend of consolidating systems into primary datacenters, the number of physical locations holding firm information will grow as firms turn to vendors for infrastructure or software as a service. Risk management policies and audit capabilities will need to extend across organizational and geographic boundaries, especially as virtualized systems make the flow of data in and out of vendors more straightforward and more dynamic.

Risk Standards

Over the past two years, law departments have markedly increased the depth and complexity of their risk-related questions. This trend is expected to keep accelerating, with multiple departments standardizing on similar risk expectations. In response, over a dozen law firms have achieved ISO 27001 information security certification to satisfy now-common RFP requirements. Accordingly, expect growth in certifications and standardization.

This action plan and roadmap should provide a starting point for ensuring that good risk governance is in place. Without it, IT is inappropriately taking all the risk on its own shoulders.

David Cunningham is one of the original consultants of Baker Robbins & Company, helping it grow from 12 to 120 consultants; it is now part of Hildebrandt Baker Robbins. David leads strategic technology assessments, cost reduction and outsourcing analysis, and risk management assessments. He established the Law Firm Technology Scorecard and co-leads the risk management practice. He can be reached at dcunningham@hbrconsulting.com.

Meg Block has over 25 years of experience consulting to the legal community. A Managing Director, she is a senior leader in Hildebrandt Baker Robbins' information management service line. Her specialties are business process reviews and the design and implementation of enterprise-wide information programs in the areas of records management, new business intake, conflicts of interest, IP and litigation calendar/docket. She also teams with email and document management experts to develop practical and defensible digital records management strategies. She can be reached at mblock@hbrconsulting.com.

Peer to Peer, the quarterly magazine of ILTA