How to Bring Firm Leadership, InfoSec, and IT Together on Data-Sensitive Solutions

By Christiane Matuch posted 10-31-2022 19:01

Please enjoy this blog posted on behalf of Jay Russell, Principal, Lotis Blue Consulting. 

Law firms own a gold mine of data. Their leaders know it. Their attorneys know it. Their business professionals know it. And third-party advisors and technology vendors know it.

If these data are so valuable, why not harvest their value and enjoy the benefits? Not so fast. A complicated web of changing business priorities, data sensitivity and privacy issues, and layers of leadership and InfoSec/IT approvals and requirements has proved to be daunting.

What can this process look like in real life?

  • A “solution leader” introduces an idea that will require leveraging the firm’s data and presents the idea to Leadership
  • Leadership asks a lot of questions and, because the idea relates to data, wants the solution leader to check with InfoSec/IT on compliance and security
  • InfoSec asks for a lot of additional information/details that the solution leader doesn’t know or that require a lot of effort and time to compile
  • IT gets involved and says it's not compatible with current systems or would take a lot of work to implement
  • Firm leaders get busy or nervous about the idea
  • InfoSec says they are not comfortable with the idea or have modified it so much it’s lost its original value
  • IT says it's not a priority with their limited resources
  • Firm leaders do not make definitive decisions to approve (or not) or have changed their business priorities

Frustrating, right? And a shame that the firm cannot leverage the valuable data they collect, store, and manage every day.

What if there were a few ways a firm could make this process much less painful and increase the likelihood of action?

 The 6 things needed to create more trust and transparency between Leadership/InfoSec/IT

  1. Clearly identify the problem and develop a solid business case for the solution – articulate an issue or opportunity the firm or clients are facing today and how the benefit of exploring the solution is greater than the inherent risks of collaborative data analysis. The benefit of the business case needs to be simple enough to be understood by many different groups (leaders, attorneys, business professionals, IT, InfoSec) and showcase real business impact
  2. Create a mutually beneficial partnership with InfoSec – Get InfoSec involved early in ideation and design of solutions to reduce friction, increase understanding, and speed up the process. Use this early-stage partnership to understand how InfoSec’s policies, limitations, and capabilities can greatly benefit the solution and the firm
  3. Provide a roadmap and timeline – InfoSec and IT often have limited resources to run daily operations. Help them see the timeline, resources required, and how they can partner on the idea while still accomplishing their day job
  4. Streamline the decision-making process – often large committees or all C-Suite executives are involved in a decision relating to a new solution or the firm’s data. Consolidate decision making into smaller groups or single roles (e.g., CIO, CGO, Practice Leaders). Document thresholds and requirements so everyone knows what’s required to make the decision, who’s involved, and who else to involve if it gets too large or complicated
  5. Develop clear accountabilities for data – who owns the intake, management, and use of firm data? What are the boundaries of how data can be used? Confusion often exists between different groups in large firms and non-technical people get confused about InfoSec vs IT. Documenting “who does/owns what” helps streamline and clarify the process and accelerates innovation within a firm
  6. Clarify ownership and process for assessing risk – many of the hesitations for data-related solutions will revolve around risk. While no solutions will be without risk, the way a firm evaluates risk and who is involved can have a significant impact on the ability to move past gridlock. Defining who owns risk (which role or group) is critical. Developing a process to assess risk that can be deployed broadly and consistently will help to ingrain a culture of risk management that balances taking advantage of those data-related opportunities that have a positive risk-reward ratio

These steps provide awareness, clarity, and communication to all stakeholders. As firms collect more data and become more sophisticated about data-related solutions, a clear and effective process becomes increasingly important. Documenting this process in a playbook that can be re-used across the firm would streamline development of future analytics solutions.

Ensuring these 6 starter ideas are in place will help firms get to the more complicated data work that drives even more value.