Chief information security officers (CISOs) have evolved since organizations first created and filled the positions. The CISO role was primarily technical, controlling access to data, securing networks and databases, and patching vulnerabilities. Today CISOs are executive managers of cost centers directing information security, regulatory compliance, and risk management. But at Lewis Brisbois, a national, full-service law firm with more than 1,200 attorneys and offices in 42 cities and 26 states, the CISO role has taken a turn to generate revenue.
Lewis Brisbois named Frank Gillman as the firm’s new CISO in February. But unlike an enterprise risk management executive, Gillman does not maintain the firm’s own information security program. Instead, he works with the firm’s Data Privacy & Cybersecurity practice group to provide a suite of client services under attorney-client privilege, including client engagements to secure networks and to prepare clients for data-security incidents.
The firm’s Data Privacy & Cybersecurity practice consists of more than 20 attorneys and several legal assistants and paralegals. The group helps clients perform pre-breach security assessments and post-breach analysis, notifications, and remediations. Before creating the CISO position, the firm regularly brought in third-party technology consultants to do much of the IT-related work. Rather than outsource technical knowledge for cybersecurity engagements, the firm created the CISO position to use Gillman’s more than 30 years of experience as a law firm CIO to do more of the technical work in-house. The practice group provides Gillman with the support he needs to prepare for client meetings and complete client deliverables.
Gillman is brought in on matters as a technology consultant who interprets technical challenges, identifies gaps between regulations and practices, and provides detailed remediation advice so clients can comply with regulatory requirements. In most instances, when cyber-lawyers conduct security assessments, they bring in third-party tech consultants for a technical deep dive, which can add up to relatively high costs and reduces the firm’s quality control over the work product.
Although the Lewis Brisbois CISO role is new, it’s founded on a tried-and-true service model found in many law firms. The strategy is to in-source costly services to clients, rather than outsource them, and it has worked with e-discovery services. Many firms set up in-house e-discovery services for litigation rather than contract with third-party service providers. With e-discovery units, firms have more control over costs, timing, and work product. The in-house departments can recoup expenses and even generate substantial revenue.
In-house technical consultants
With an in-house tech consultant, “Lewis Brisbois can provide a more comprehensive, seamless data security offering under the attorney-client privilege,” says Gillman. “The firm can do fixed-fee deliverables at a far better overall cost value to clients.” When attorneys conduct vulnerability assessments and put security controls in place, clients know they can secure their systems and achieve regulatory compliance in a confidential manner.
“Gillman’s role allows the firm to provide client-facing services requiring technical and operational expertise without engaging third-party experts,” says Lewis Brisbois partner Sean Hoar, the firm’s Data Privacy & Cybersecurity chair. “We have an in-house expert who has as much functional knowledge as any third-party expert we previously engaged.”
According to Hoar, Gillman still provides thought leadership about the security of the firm’s digital infrastructure, but he also provides value to client engagements with experiential insight. “Giving a more holistic security package adds greater overall financial value to our clients and positively differentiates our service model from our competition,” says Hoar.
Other practice groups at the firm use Gillman’s client-facing and billable services to serve clients in many business sectors, including healthcare, technology, retail, hospitality, labor and employment, and corporate transactions, all of which need data privacy and information security services. “If a client has an information system or processes consumer data, they need our services,” explains Hoar. “Consequently, we work closely with attorneys in other practice areas to meet the needs of their clients.”
Not every law firm has the personnel to make an effective client-facing CISO. The role requires technical expertise, business acumen, and people skills. Gillman assists clients’ own IT and security personnel to enable security controls, conduct incident response planning, and develop information security policies and procedures.
Given Gillman’s skills and experience, the transformation from CIO to CISO appears to be a natural progression. The same path may not be open to other CIOs, which, interestingly, will create opportunities for a new breed of non-lawyer auxiliary personnel within law firms.