Expert Interviews: Cloud Security and Ethics
This month we interview James Gast, Chief Executive Officer (CEO) of legal IT consultancy SpliceNet and educational tech blog Legaltech180.com.
Gast is an experienced and well-regarded speaker, author and university lecturer in all things law office technology, including cloud computing, networks, web applications, and cybersecurity due diligence and best practices. In addition, he will speak on the cloud, related ethics, security and cybersecurity at ALA’s Annual Conference & Expo in Denver next month.
Here’s the highlight reel of our chat:
LM: Little guidance exists on the definition of due diligence with regard to cloud computing. What are the right questions to ask? Who should we be asking? And what should we do with the answers?
JG: First, as most attorneys should be aware, the American Bar Association (ABA) added Comment 8 to Model Rule 1.1 to include technology competency, and at this point, 26 states have adopted it. This no longer makes it “the IT guy’s responsibility” to protect the digital assets of a firm’s client data. It also means that an attorney must understand the risks and benefits of the technology they employ, including cloud applications and services.
There are many right questions to ask; however, the simplest ones focus on the cloud provider’s security credentials and how reputable and stable their business is. It’s one thing if you’re dealing with a small IT company and they’re hosting a server, backup or application for you versus trusting Microsoft, Amazon, Rackspace or Google. In either case, you need to know they have privacy policies, security policies and breach response plans. The range of requirements for your assessment will differ greatly depending on your area of practice, since you may be further governed by other regulatory bodies like HIPAA or PCI DSS. However, all should start with a foundational understanding of what services the cloud company is providing. If you can’t get a clear answer on this from your cloud partner, then red flags should go up immediately.
In fact, traditional IT support providers are typically not fully equipped to help firms assess their security risks, since their business model only deals with providing support and/or selling third-party cloud solutions. Law firm leadership should seek the guidance of technology and cybersecurity risk specialists whose core competence is focused on security and related best practices.
LM: Increasingly, law firms are subscribing to a “cloud first” approach when it comes to application and technology solution purchases. In legal, much of it is being fueled by Microsoft’s aggressive Office 365 ecosystem strategy, as well as the security-as-a-service advantage provided by native cloud providers. What are your pros and cons for a cloud first approach?
JG: We think the cloud has a place in the legal industry, but not all firms fit the profile for cloud first. This approach ignores the true needs of the firm, how they desire to work, their budgets and level of comfort with the cloud. A true business partner that consults for a law firm should not have a preconceived notion for their customers, so they don’t become merely vendor reps rather than business solution consultants. An attorney should ask themselves, “Are they trying to sell me a product, or are they endeavoring to understand the business needs of my firm in an effort to recommend a solution?” This simple litmus test will help the firm determine if the person they’re dealing with is the right one or not. The same stands true for internal staff that has been assigned the role of evaluator.
LM: What are some of your favorite law firm–appropriate cloud services and products?
JG: “Appropriate” differs from firm to firm and specific needs, regulations and client demands. With that said, we often roll out Microsoft Office 365 and Microsoft Azure solution stacks. Within these stacks, hosted email, calendaring, contact management, intra/extranet firm communications via Skype and SharePoint, and OneDrive for data storage are very popular.
LM: What is the number-one cloud-related issue law firms need help with or think they need help with?
JG: The phrase “we want to go to the cloud” should be stricken from their lexicon. Firm owners should search first for what they are trying to accomplish rather than the platform or technology they should use. “What” could include financials, efficiency, availability or cross-platform access. After these have been defined, then the “how” questions can be investigated and considered. Too many times firm owners, their evaluators and their IT staff (both internal and consultants) put the cloud cart before the horse.
LM: Lastly, in a tweet, why should folks attend your ALA Annual Conference sessions?
JG: Cybersecurity requirements aren’t going away. Leave with solid KM of how to start a cyber eval/plan + get actual tools our customers use.