
Kirkland & Ellis CIO: ‘We’re Doing Phishing Attacks on Our People’

Oct. 23, 2015, 7:51 PM

For Kirkland & Ellis Chief Information Officer Dan Nottke, cybersecurity comes down to a few very simple rules: Don’t give access to the wrong people, make sure those with access use strong, secure passwords, and keep testing the system for vulnerabilities. Nottke spoke with Big Law Business about his thoughts on technology and security. Below is a lightly edited transcript.

Big Law Business: How do you view your role as a law firm CIO, particularly as it relates to cybersecurity?


Nottke: This is my first law firm. I’ve only been here six years. I was a CIO and CTO at other large consulting companies. The law-firm space is slightly different, with the white-glove approach to everything we do, and trying to minimize the attorneys’ time. I had to learn that when I first came in; I wasn’t thinking about that as much as I was looking at efficiencies and securities.

We created something called TIS, technology invisibility score, which is about how the attorney interacts with their technology, how to make a technology that’s invisible, that anticipates what your next move is, what your workflow is, in whatever you’re doing. My role is to make this simple and highly secure.

Big Law Business: How do you balance invisibility with security?

Nottke: That’s an arm-wrestle. There’s a simple set of finite rules: Only give access to people who should have access; put strong passwords together, and put them in the flavor of a theme — for example, an address that’s easy to remember and long, that you can set as your password for all the sites you use, and you can change one digit each time you have to change your password.

We’re doing phishing attacks on our people, sending them e-mails pretending to be a help-desk person or something, and depending on what they do with that e-mail — ignore it, open it and click on a link, or open and click and enter information — and do targeted training. It just matters if one person clicks on the link.

Big Law Business: How has your department changed since you came in?

Nottke: One of the first things I did was recognize the tech security environment was not where it needed to be, so I built that. Coming into a law firm, everybody thought they were safe. One thing you need to know is, you’re never safe. I put in a complete standards-based approach to our technology and standardized it all around the world.

Now that the infrastructure is sound, safe and secure, we’re getting our heads out of infrastructure and really getting into the knowledge business, figuring how we can give the attorneys invisible technology and put information at their fingertips. We’re currently working on a contact-management system across the firm. We’re at that early, euphoric state of rolling out the technology, which allows attorneys to type in a company name and find partners at the firm that may have relationships with senior management at that company. We’ve had people in training sessions send an e-mail out, and it has come back with a positive response. It’s an amazing thing when you see that happen.

Big Law Business: How do law firms protect sensitive client information against security breaches? Are there tools you see as particularly effective? Or ineffective?

Nottke: Security always comes down to the basics. There’s a plethora of tools out there that do that. Everybody’s now running basically the same tool set. A lot of vendors are out there touting that they have new or better ways of detecting breaches or data losses. When it comes right down to it, it’s about only giving access to the right people, encrypting passwords and testing. We do tests here regularly both against our people and against our systems and networks.