
Outsourcing Policy Development - Outsource or DIY

By Dana Wesley Sarti posted 02-25-2016 18:06


Outsourcing vs DIY, is there an industry preference for policy development?

My perspective and limited experience is that there is no preference. However, as deadlines shrink for getting security programs compliant with commercially reasonable postures and client expectations, law firms with fewer than 2 IT people or with IT people who do not have interdisciplinary legal or technical writing experience will trend toward at least partial outsourcing. The concept of "commercial reasonableness" will drive this – gleaning that industry understanding is easier done by an outside party.


Is there more value than just freeing up time?

Absolutely. Our engagement of an outside party to supplement our limited internal resources to develop policies will have these benefits:

1. Free up time (or add time to the project that just plain didn't exist internally);

2. Use time more efficiently by allocating rough drafting and survey of de facto internal policies and practices to a third party who has done this task many times before;

3. Uniformity: we are paying for the use of a policy manual template to aid in drafting policies that do not conflict and that read as a unified and comprehensive whole. The templates will also ensure that we are not failing to address policy issues considered commercially reasonable and that we are not merely hodge-podging all of the things our clients have asked for/about into some Frankenstein's monster of a policy manual. We hope that use of the outside vendor's templates will speed up comprehension by the partnership when it comes time to further refine, discuss and adopt our initial formally-documented security policies. While we might use any number of "off-the-shelf" policy templates, the outside vendor is representing themselves as focused particularly on law firms and will start with a clearer focus on what is necessary and important to our firm.

4. Weight: because of our firm's size (30 attorneys, 50 total employees), our internal security people wear many hats (litigation support, internal technology and security contact, firm administrator) and thus are not readily considered security experts by the firm partners. Our outsourced IT/managed services provider is not recognized as an expert in security policy drafting, though they are required to identify risks and implement solutions to risks. Therefore, outsourcing the policy development will bring the value of bolstering the authority and expertise of the firm's internal resources (even when we know and would say the exact same things we will be hearing from our outside policy development people).


What does it cost us to do it ourselves vs. what does it cost to hire a consultant? A comparison.

For us to do it: After 18 months, we have multiple and conflicting rough drafts of interim and "working" policies, no officially adopted policies, and partners who are not even aware we have so much as rough draft policies or why we would need them. And we have spent at least 10 hours of internal time and at least 4 hours of our managed IT services company's time on each of 8 client security audit responses. Have I done the math to put a dollar value on this? No. Does the value of that time vastly outweigh the $7,500 we will pay for 4-6 weeks of work with an outside vendor to get formal policies documented and ready to submit to the partnership for adoption – and then have ready responses and an efficient process in place for the next client security audit? YOU BET.


How do we deal with that portion of the law firm partnership that is still not aware of the need for security policies and formal documentation of them?

We have a broad spectrum of understanding among our firm's decision makers. I am still learning what will work and how we will move from ad hoc practices to draft policies to fully-adopted formal policies and uniformly implemented practices. One thing I have learned is that having one or more partners on the firm's technology committee is critical so that the confluence of security with IT is "previewed" at periodic firm IT assessments.

NOTE WELL: "IT" is not the same thing as "security" (even though IT is integral in maintaining cybersecurity). But, IT typically does not train users how to recognize key content in documents, explain why personnel must maintain a clean desk, or encourage all employees including attorneys to greet strangers in the hallway.

NOTE ALSO: Security Awareness and Training are two separate (though overlapping) things. It isn't "Security Awareness Training." Training could cover only those topics intended to engender essential cyber and physical security awareness, but a better training program will also incorporate the firm's best practices and teach employees how to use office systems and tools better in general. By training more broadly, a law firm will be spending its money not on mere compliance with client demands or insurance prerequisites, but will instead end up with more alert and competent employees for whom security is an innate component of the work day. Security Awareness should be measured not only by training participation but also by intermittent testing such as having a stranger wander the halls, placing an apparently HIPAA-protected paper document in a public/inappropriate office location, or setting up a fake phishing email to see who bites and needs more training.

It is essential to have a partner who will take the lead with the rest of the partnership on presenting why the firm must have documented security policies. This partner will most credibly articulate the risks of not having formally adopted policies (e.g., turning away or ending client relationships, audit by OHS for HIPAA compliance, actual breach by poorly trained personnel, and actual breach from malicious internal or external actors, bad press, and inability to obtain cyber liability insurance to help with the cost of recovery from a breach). Internal firm security resources should give the lead partner a checklist of talking points along with supporting detail: references to statutes/regulations/rules/current commentary on same; business value of the clients who have already presented us with security audits and requirements; and selected press clippings that relate to our practice or our clients.
