Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off threats by embracing innovation.
As an IT professional, what attracted you to a career in the legal sector?
I’ve had experience in a wide variety of sectors, but I was fascinated by the security challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye, I moved across from health care, which is another industry that is extremely sensitive to cybersecurity risks, so I understood the importance of the problem.
How important is it that the top level of a firm is alert to the dangers of cybersecurity?
Even at board level, there should be people who understand the more nuanced technical details of a security project. At Kelley Drye we’ve been lucky to get great buy-in from our managing partner and CIO. They see a direct connection between a well-constructed security policy and the broader success of the business.
I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get inquiries from partners asking whether we are protecting ourselves against this or that new threat – they pay attention and want to ensure firm and client safety. If we can continue developing this kind of curious mindset, I’ll be happy.
It’s important to remember that a main driver of this new focus comes from partners being keenly aware of potential damage to a firm’s reputation. You don’t want to be the firm in the headlines because of a security breach, and you have to preserve client relationships, which are the bedrock of any firm.
Why is email a particularly high-risk activity at law firms?
I think all industries are susceptible to engaging in risky behaviors, but the kinds of data held in law firms mean any unauthorized email that goes to a personal address is potentially more dangerous because of the content of that email.
We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems.
Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!
Is it the case that email is just an inherently risky mode of communication?
At Kelley Drye, our ‘Defense in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix.
As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise, that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk.
That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well.
How does Tessian make it easier for you to learn about and act on potentially risky behaviors?
It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators.
Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to do to get set up. This meant we could get started analyzing the results straight away.
We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client.
So do tech products like Tessian help you drive cultural change within the firm?
Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight.
In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier.
Finally, looking a few years ahead, where would you like to see the legal sector progress?
I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed.
At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times. We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.
*Interview condensed from Modern Law Magazine supplement, May 2019.