Your Security Posture: How to Ask, And Answer Questions About It



Top of mind for most organizations in 2021 has been cybersecurity. This isn’t surprising given two concurrent trends: the rise in high-profile ransomware attacks and the continuation of work-from-home models that were necessitated by the pandemic. Cybercriminals have increasingly used third-party vendors as entry-points to access the sensitive data of both large and small organizations, leading law firm clients to question their law firm partners about their security posture. In turn, law firms are seeking similar answers regarding security from their technology vendors. 

The bulk of these questions seem to dive straight into specifics about the tools and technology used or the specifics behind policies. While these lines of questioning will reveal important elements of a security posture, neither touch on the most important element. 

The question asked most infrequently is the most important—what are the underlying guiding principles that define your approach to security? 

Tools and technologies leveraged today might be different than those employed in the future as the landscape evolves. Information security policies will shift with the needs of an organization as it expands or contracts. Security principles will not change—they are the bedrock for your security posture and guide all decisions being made to secure your environment and mitigate risk. Security principles do far more to increase an organization’s security than any specific product or policy taken individually. 

Start with Principles 

When asking your technology vendors questions regarding their security posture, and answering questions from current and potential clients regarding your own, security principles provide context into how seriously an organization takes security. Some organizations will simply talk through the tools they use, while others will showcase how their security principles permeate not just their technology, but also their processes, policies, and employee attitudes.  

In this article, we give an overview of three critical security principles you should require from your vendors and adopt at your firm. 

From a high-level, these principles will institute a defense-in-depth approach to security that involves multiple layers of protection, combining technologies, controls, policies, and human expertise across a myriad of vectors to help prevent attacks, compress detection time, minimize the attack surface, and increase resiliency and data protection. 

Security by Design 

At its core, security by design means that security considerations are addressed throughout both technical architecture and organizational operations, from planning and design through to execution and remediation.  

This approach is a significant departure from industry norms that often attempt to retrofit security around pre-designed architecture and processes. 

Security by design will translate to: 

  • Architecting or, if necessary, rearchitecting computer networks with security as the foremost priority 
  • Continuously training and educating staff to identify and avoid cybersecurity risks 
  • Calibrating all key operational processes through a security lens, such as information access and sharing, client communications, document management, change management, etc. 
  • Continuously reviewing the cybersecurity landscape to identify new threats and threat techniques and evaluating the next generation of security tooling to enhance defense and prevention capabilities 

Security by design ensures that all elements of an organization are evaluated from a security perspective, including technology, processes, and people. 

Zero-trust Architecture 

As defined by the National Institute of Standards and Technology (NIST): 

“Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.” 

Zero-trust Architecture informs the decisions to: 

  • Enforce multi-factor authentication to access critical applications, explicitly requiring users to validate their authorization before getting access into distinct environments or different areas of that environment 
  • Structure permission levels using the Principle of Least Privilege, which gives users the minimum level of access needed to perform their job functions. One example of how the Principle of Least Privilege might manifest within a law firm is to ensure that even managing partners cannot access case files for any case they aren’t actively working on.   
  • Inspect and log all activity across a computer network and environment to monitor for threats and reduce response times 

This approach minimizes the ability of an attacker to gain traction in an organization’s environment, as there is no presumed permission level from one access point to another.  

The Human Firewall 

The vast majority of cybersecurity incidents involve human error, such as clicking on malicious links or not securing login credentials. While technology can and does prevent some of these missteps, the best prevention is educating and training employees to avoid the situation altogether. 

Employees remain a critical component of a security posture by acting as:

  • A human firewall and line of defense against sophisticated attacks
  • The key participants in defined processes to mitigate risk and increase security

Maintaining a human firewall means investing in employee awareness and training programs to educate and continually reinforce security processes. In a spear phishing attack, for example, a human firewall involves both an employee recognizing a cleverly crafted phishing attack as being fake, but also a policy that requires verbal confirmation from an authorized firm leader prior to a wire transfer being executed.

Training helps the employee question the phishing email, while the established finance process provides a second layer of defense if the email isn’t flagged. This arms your workforce to more quickly recognize potential risks and practice good security hygiene. 

Combining these Principles 

Ultimately, these three principles coalesce into a unified, multi-layered defense framework that interweaves people, process, and technology together for improved protection. They provide context to the decisions made, and provide guidance for future decisions, regarding the specific tools, technologies, and processes employed by an organization.

Brand names of tools used or lists of processes will not give you the full picture of an organization’s security posture. Starting with understanding the principles that constitute your own and a vendor’s approach to security will help you gain a better realization of the true nature of the security.