How one law firm made security a business development opportunity

Feb 05, 2020 | 8 mins
IT Leadership, Security

Mark Walmsley, CISO at international law firm Freshfields, says a proactive approach to security helps the business win clients and gets its lawyers to embrace security.

For all the external threats facing companies today, sometimes the hardest challenge is changing perceptions internally about cybersecurity and what the security team does. Getting people to see security as an aid to winning new business is one way to shift how the organization views it.

Freshfields Bruckhaus Deringer LLP is an international law firm with roots as far back as the mid-1700s. A member of the prestigious “Magic Circle” group of law firms and the oldest international law firm in the world, today it has 27 offices around the world, over 300 partners worldwide and more than 4,000 staff.

CISO Mark Walmsley leads a security team of around 20 that is responsible for physical security, supplier assurance, network design, client audit, incident response, penetration testing, training and awareness, and privacy work. “People might say legal is behind other industries [around security], but actually I think we’re catching up very quickly,” says Walmsley. “Law firms, like other professional services firms, are fairly cash rich and can make decisions reasonably quickly.”

Talk to the business about the right things

Walmsley worked at the company as a lawyer before moving into the IT department and working his way up to the role of CISO. The fact he has the experience and understanding of the business he is helping secure can be beneficial. “I’m very fortunate in that I have lived on both sides of the fence. Lawyers are detail people. Anything that you say they will drill into, so it’s all about planning what you’re saying to them, how you’re going to say it, what’s the key messages and keeping it nice and short.”

Understanding what makes legal eagles tick and where their priorities lie allows the security team to pitch new controls or technologies in a way that isn’t simply about reducing risk. For example, the move to Office 365, which has security benefits, was sold to the lawyers as a way for them to work with more flexibility and generate more potential business opportunities.

“As soon as you start to talk to lawyers about opportunity for revenue, in terms of clients, and you start talking about flexibility, immediately you have their attention, and the byproduct of it is security,” says Walmsley. “If you don’t talk about security and control but actually flip it to talk about the benefits and the opportunities, particularly from a client perspective, that’s a different conversation and people become empowered.”

Using security as a business development opportunity

As well as working with the business to explain how better security can enable them to win more business, Freshfields’ security team uses its expertise as a business development opportunity. An example of this, Walmsley says, is adopting industry-specific standards to appeal to the businesses they already work with in different sectors.

“We work for a couple of car manufacturers, and they have particular security controls that the rest of the world doesn’t really know or appreciate,” says Walmsley. “If we set ourselves against the standard that no other law firm has, it means that these car manufacturers give us more business, because internally, they’re able to justify on their risk exposure that it works for them.”

Having conversations with the security teams of your partners and clients is another way to help the business. “Lawyers talk to lawyers, but typically what happens is that we end up in a place where we can talk to the risk function at a client but our lawyers can’t, and then they go back to their boards as a risk function and say Freshfields are doing this for us at this level, Freshfields then go down in their risk review so it means we can do more critical work for them,” says Walmsley. “Suddenly the lawyers are going ‘I don’t know how we’re getting this kind of work.’ [We say it’s] because we’re working at a different level inside that business.”

At that point, the business understands that security isn’t only about security: it is also a business development opportunity. “We talk about security as how we differentiate ourselves from other people,” says Walmsley.

Be proactive as a supplier when it comes to security

Supply chain security is currently a high-profile topic. The Target breach via an HVAC supplier is probably the most notorious example, but attackers are also using third parties such as managed service providers (MSPs) as stepping stones into other organizations. Walmsley says he is keen to have more proactive relationships with the security and risk teams at organizations Freshfields supplies services to. “Like every industry, legal gets audited heavily by its clients,” he says. “There are always gaps in every organization. Doesn’t it make sense to be finding out what they’re really concerned about and therefore what they’re likely to ask questions on and get way ahead of the curve?”

“There’s nothing worse than getting knocked on the door by your clients saying, ‘We’re coming in to audit you,’ and you’re in the dark as to what you have to produce,” says Walmsley. “At Freshfields we pick up the phone to the auditors outside of the audit cycle and ask what’s on their radar, what are they worried about. Commonality gives us a benchmark to get closer to the client and also gives us an opportunity to understand the things that we don’t know, and vice-versa.”

From those conversations, Freshfields can inform some of the company’s strategy going forward. If, for example, a client says they are strongly focused on their own suppliers, or even their partners’ suppliers, Freshfields will ensure that it has doubled down on its own supply-chain management processes in time for the next audit from that and any other customer.

“How much credibility does that give you, and how good is it that an auditor can say, ‘They phoned me in advance, they understood the questions that we needed, they’re able to deliver it, and we turned up and audited it today and it’s in their security program’? As soon as you do that you end up having this relationship that is not an auditor relationship, it’s a knowledge-sharing relationship.”

Driving security understanding and accountability

The legal sector is quickly undergoing a digital transformation. In a saturated market, many law firms are looking to differentiate themselves with various digital and machine learning-powered solutions. “You do have to innovate in the space,” says Walmsley, “particularly as you get the likes of KPMG, Accenture, Deloitte all starting to offer legal services, you need to step into their world a little bit.”

To manage this, CISOs in the sector are faced with the need to innovate, manage legacy systems, and reduce the burden on what is often a small security team. Walmsley tries to avoid saying no outright to new ideas, since that might drive shadow IT or other poor security practices; instead, he tries to drive accountability within the business.

“When people say to us, ‘Will you accept this risk?’, I say no. We can do it, but you have to be accountable for the risk. You know you’re going off reservation, you need to be accountable yourself, so if it blows up it’s you that’s in the firing line,” says Walmsley. “If they really do want to do something, then we can jointly own the risk. If they walk away, then at least you know they actually didn’t need or want it.”

Freshfields’ security team works to drive understanding and accountability by teaching the business what security does day-to-day and showing them firsthand the challenges involved. It runs daily security briefings that review threat intelligence, active campaigns in the wild, mentions of Freshfields online, recent incidents that may involve Freshfields employee emails, and so on. The security team now brings its partners and business staff into those briefings in small groups and goes through the live intelligence with them.

“More often than not someone that they know comes up in one of our reports,” says Walmsley. “Someone might spot one of their team in the intelligence, or someone might be worried about a person leaving the organization. We are able to run via an approval process there and then a live threat report on an individual and able to say that all of their activity to date has been fine, but we will put them into the monitor and track them.”

Visibility into the complexity of what security does gives Freshfields’ business leaders a better view of the challenge. “They realize it’s not binary. It’s not yes/no. Are we safe or not safe? It’s like playing chess,” says Walmsley. “You have to move your pieces around the entire time to ensure that you’ve got your best level of defense. Once you show people the complexity of what the threat looks like, and what the processes and the behaviors need to be, they suddenly start to get it and become accountable.”