I ran a panel session last week at the Legal Week Strategic Technology Forum on ‘Information Governance Best Practice’. I wanted to explore how concerned legal CIOs are about security threats and spear phishing in particular.
Also, how on top of compliance they are in terms of managing the huge amount of data they have and applying policies to it; and finally how predisposed they are to the idea of retaining more, rather than less, so they can apply business intelligence technology to deliver insights to the business.
On security, the reaction was unsurprising but also gratifying. No law firm wants to be the first to suffer a major breach, so there was a great deal of concern about the growing threat of spear phishing, as well as more mundane things like new strains of nasty viruses hovering at the gateway. But – and I have to declare that my panel consisted of three Mimecast customers – it was quite clear that these guys were happy to entrust the job of keeping out bad stuff, and bad people, to us. I talked about the fact that the Snowden/NSA saga seems to have created something of a cloud backlash, but most of the CIOs I spoke to here said that they felt sure that their data was safer in the cloud than it would be if they held it on-premise. This had a caveat – provided you choose the right cloud vendor. This was music to my ears, because we’ve heard a lot about companies insisting on holding encryption keys on-premise because they don’t want the cloud vendor to have theoretical access to it. And it’s ironic to hear this view touted as part of the post-Snowden paranoia, since Snowden created this furor by leaking documents from within.
On compliance, it’s quite clear that legal CIOs have their hands full getting a handle on the data management. And it’s not just data in digital form. Rooms full of files, CDs lying unencrypted in drawers. Lawyers who don’t want to listen to new ideas on good practice for managing data (and not leaving it on buses, or dictating loudly into machines whilst on trains). There’s a lot of cooperation going on between IT and risk and compliance teams, and that would seem to be a very good thing. But getting the information under control, perhaps into a single repository as opposed to multiple siloes, is a long and painful task.
By the time I got to the idea of ‘digital preservation’ vs. ‘defensible deletion’ it was pretty obvious that these firms, on the whole, have enough on their plates without entertaining ideas like ‘corporate memory’ and the suggestion that all data is useful, and it should be kept in perpetuity! Of course, it’s not that simple in the legal sector. Much of the data in the archive belongs to the law firm’s clients, rather than the law firm itself. So keeping it – and worse yet – analyzing it, could cause all sorts of complications.
They will get there, though. There was a presentation at the conference about the use of business intelligence tools to analyse data – albeit mostly financial data – to help the law firm get a handle on how much profit each lawyer is contributing to the business, and how well managed each case is from a commercial point of view. This may seem like baby steps, but if analysis of data in its early iteration can contribute directly to bottom line performance, then we’ll see more and more of it being deployed.
And I fully expect next year to be a different story altogether.