There are few sectors where the role of chief information security officer (CISO) is as critical as law. The sobering reality is that legal firms are prominent targets for cyberattack. An experienced CISO can provide technical guidance on security concerns and advocate for strategies to minimise risks. In fact, security savvy clients are demanding a comprehensive information security strategy, spearheaded by strong and visible leadership.
And yet, the role of CISO is not clear cut. There is no single career path that leads there, and the skills required are constantly evolving. Freshfields Bruckhaus Deringer CISO, Mark Walmsley, points out that the role didn’t even exist when he joined the firm 18 years ago.
Walmsley’s own journey to CISO began in project management. “I worked in project management and then moved to security in 2010, promoted to CISO in 2013,” he told Legal IT Insider at the Cyber Security Connect UK conference in Monaco. “I worked across, then up, moving away from the legal environment to where the complex projects were. I then got involved in client audit, introducing basic security programmes eight years ago.”
Indeed, the position of CISO is shifting from a highly technical role to an advisory board-level role and that is impacting the types of people suitable for the job. Historically, CISOs have come up through the IT security ranks, but these days, Walmsley believes, a wider range of experience can be appropriate.
“Typically, people would say you need to be an IT security person who has experience with the nuts and bolts. Then you become a manager and look at risk that way. That’s the traditional route. But I don’t think it allows for enough diversity,” he says.
“If you look at Freshfields’ information security, we offer 12 different services including physical security, supplier assurance work, network design, breach management, penetration testing, training awareness and more – that’s a real range. If you come from an IT background and that’s the only exposure you have had, you’re delivering 40% of that. You can’t become a CISO
if you are only qualified for 40% of the role. You have to have broader experience.”
It is also vital that a CISO is able to distil technical information into accessible language and communicate effectively at a board level. “Our CIO said to me, your number one skill needs to be the ability to bridge the gap, the ability to understand the technical side of things as well as how to articulate problems, conversing in simple terms,” Walmsley says. “You don’t need to talk about firewalls and AV.”
The next generation of CISOs
Walmsley practices what he preaches when it comes to hiring from diverse backgrounds. His own team is made up of people with technical, project management and HR experience, as well as a former police officer. Having experience of the legal industry is not a prerequisite. But it can be useful.
“Typically, we look for someone who comes from a business background. That doesn’t have to be legal. But it really helps to have experience with legal because of the complex decision making involved,” Walmsley says. “Unlike other industries where there’s just a board with three or four people making a decision, in a firm like ours there are partners, all of whom have a say. Being
familiar with a partnership environment is great.”
Increasingly, Walmsley is seeing people transition from legal to cyber. “They spend five to 10 years doing hardcore legal advice and then they contemplate their skills and see they are transferable – particularly attention to detail,” he explains.
While this is helping to solve the much-talked about cyber skills gap, for law firms at least, Walmsley says that more needs to be done at an early age to encourage people into the cyber security sector in general.
“You have to take a step back and consider where the next generation of CISOs are going to come from,” he says, adding that nascent government schemes to develop cyber security skills are encouraging but that more is required.
And the sooner you reach young people, the better, Walmsley believes. “Right now we need people and therefore all CISOs have a responsibility to go into their local schools, have those conversations, and really explain what cyber security looks like.”
By Sooraj Shah