Protecting organizations from cyberattack is not just the responsibility of the IT security team. Shared responsibility is key.


The changing nature of cyberattacks, and the significant damage they are now causing, means the executive leadership of every law firm, private or public organization, big or small, needs to take the threat seriously.

I bet if you asked the CEOs or CFOs of the many companies that have suffered a high-profile attack – Sony Pictures, Target, SnapChat, etc. they would all agree that a hack, data breach, ransomware or whaling attack is a big deal. They cost money to fix. They damage reputations. They disable organizations. Employees care, shareholders don’t like them and regulators or law enforcement are very concerned. Nobody wants to be the next CIO reporting a breach to their board.

But, amazingly, our own research shows that despite the high-profile damage attacks are causing, a surprisingly small number of executives are taking IT security seriously. According to IT pros surveyed, only 15 percent of C-level executives are extremely engaged in email security, and 30 percent are somewhat engaged. Confidence plays a major role in this equation: confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate.What makes for a confident IT security manager? When asked, they say good security resources. It is no surprise that executive support also leads to the proper investment. If the problem is understood and taken seriously, money and resources will follow.

But, it’s not just about how much the C-suite is involved in email security decision-making, it’s also about how they prioritize it in the broader business strategy. According to research from ISACA and RSA, 63 percent of respondents say their cybersecurity function (CISO) reports to the CIO and not the CEO. They argue that this can create a conflict of interest, as the CIO is balancing a diverse range of priorities and may inappropriately deprioritize security in an effort to balance the books. The engaged CEO will consider IT security a risk management issue while the CIO will see it as a technology problem. Who the CISO reports to could make all the difference to the level of protection and cultural focus cybersecurity has in a law firm or other organization.

So, it’s time for both sides to get together and recognize email security is a shared responsibility. The organizations and law firms that work together and see the relationship between IT security and firm-wide risks are better placed to protect themselves from the worst effects of an attack. The problem is part technology, but also commercial, cultural, human and process.

Here’s some advice: On the IT side, learn to speak the language of the boardroom and show in real terms the risk and cost of the problem. This is not a technology conversation, it is a risk management discussion. On the executive side, take the time to understand the exposure and risk your law firm or organization is facing and put IT security higher on the risk management priorities. If you are a law firm client, next time you get the opportunity, ask the managing partner, legal administrator, CEO or CFO about their IT security strategy. If their answer is ill informed, you might want to reconsider your legal options.

Email security is not the responsibility of just the IT team. Everyone across the organization needs to play a role in protecting mission-critical data. It’s up to IT and the C-suite to work together to make email security part of the broader business strategy.

Check out our new infographic with tips on restoring information technology cybersecurity confidence.