Interview: Christian Toon, CISO, Pinsent Masons

Information sharing centers have emerged for financial services and retail, and other verticals have also benefited from exchanges of advice and intelligence. One sector that has not enjoyed such collaboration is the legal sector. Infosecurity recently met with Christian Toon, CISO of Pinsent Masons for around eight months, who said that having entered the sector from financial services, he has been disappointed by the lack of information and risk sharing.

“My appraisal of the industry in seven months has been that we’re very siloed and set in our ways,” he said, claiming that while there are ethics on behavior, and “a huge element of trust across all law firms because of ethical and confidential bindings with the Solicitor’s Regulatory Authority,” the legal sector is at a ‘tipping point’ where the security team is trying to change an organization’s culture, but he finds himself going against an industry that has operated in a certain way for hundreds of years.

“Coming from financial services where there is knowledge sharing and intelligence collaboration, you could pick up the phone or join a forum and share experience on how things were being dealt with,” he said.

“Financial services was very much a peer led community for sharing ideas, intelligence and responses, and we’re trying to do the same in the legal sector and I don’t know if it is apathy or interest or what, but it is like getting blood out of a stone and nobody wants to talk to you.”

Toon said the first challenge in legal security knowledge exchange is identifying the person to talk to: not everyone carries an identifiable security title, since the term ‘CISO’ is relatively new in the sector, and even the top 10 law firms have small security teams sitting within IT.

“Personally I’ve tried to talk to those IT teams and get limited or no response, and I now talk to a handful informally, and they are on their own in their organization so bandwidth is limited. Consider how many law firms there are globally; there seem to be small groups who know each other and it is quite hard to break in.”

Toon described the current state as a kind of “voyeur community of people watching but not taking part”, and said that as part of his ambition to shake up the legal security sector, legal security leaders need to look at how to reinvigorate themselves, as they all work at fast-paced and similar organizations. “We need to be doing more to help ourselves.”

One example of the legal sector coming together was when DLA Piper was hit with ransomware; Toon said this showed how the sector can collaborate, but added that we “shouldn’t have to wait for a big ticket event to disrupt one of us.”

He argued that the legal sector is a long way behind the example set by financial services. Doors need to be opened to help people, but there is almost an attitude of “we’re almost too proud to let in the secrets of what we’re doing,” creating a sweeping assumption that no one wants to reveal anything that may come back and bite them in a legal case.

Research released in 2013 claimed that the legal firm was often the weakest link in the cybercrime supply chain. Despite that research being five years old, Toon admitted that the sector was still not where it needed to be, and said the DLA Piper incident “sent shockwaves through the industry as it happened so close to home.” He believed the legal sector has almost felt immune to cyber-attacks because it does not hold the cash, but as criminals evolve they are targeting the supply chain: they would judge that legal firms hold access to IPOs and M&A deals and “the intelligent side of IP” rather than currency, and that is equally concerning.

“So to answer the question, it was probably fair when the research was done as the industry itself was not where it needed to be, but I think we are getting better. Are we perfect? No. Is there still a lot of work to do? Yes. Only time will tell, but for me information security has always been a team sport and that works inside an organization, but externally it has as much validity and we need to do more to get our teams together to tackle this problem together.”

He concluded by saying that the legal security sector is on a journey, but it needs to pick up the pace. “Not all law firms are the same, and will have different operating models and different geographical and demographical spread, but the challenges are the same; it is just the proportionality of the response.”