From Zero Trust to Vendor Vetting: The New Security Mandates Clients Expect from Law Firms

At ILTACON 2025, security stood out as one of the conference’s most urgent themes. Over the past two decades, technology has expanded in power and complexity, and so have the risks that come with it. For law firms, protecting client data now requires far more than solid IT systems; it requires building and maintaining trust. According to the American Bar Association’s Cybersecurity Tech Report, nearly three in ten law firms reported experiencing a security breach in 2023. Against this backdrop, ILTACON panelists highlighted a new reality: clients expect proof, not just a promise, that their data is safe.

Know Your Requirements Before You Buy

When it comes to third-party risk management (TPRM) tools, panelists stressed the need to know before you buy. Too many firms rush to buy and implement tools without truly grasping what’s needed to ensure security. Before investing in any TPRM solution, firms must understand these key fundamentals:

  • Your firm’s requirements. Understand the risks you are trying to manage.
  • Your clients’ requirements. Understand the standards and assurances clients expect you to meet.
  • Your users. Understand who needs to use the tool and their respective responsibilities within the tool.

Clients are increasingly evaluating firms through a security lens. A well-defined approach to TPRM signals that a firm can be trusted with sensitive, regulated, and high-stakes data. As panelists stressed, firms that can answer these questions with evidence hold a significant competitive edge.

Zero Trust is Non-Negotiable

“Trust but verify” is no longer enough. Law firms must now embrace Zero Trust, a model built on the assumption that no user, device, or system is inherently safe. Every access request must be verified, every privilege must be limited, and every breach must be assumed. Core elements of Zero Trust include:

  • Identity verification
  • Least-privilege access
  • Continuous monitoring
  • Assumption-of-breach mindset

Operating a Zero Trust environment is imperative for winning new matters, as corporate clients now weigh firms’ security frameworks just as heavily as the caliber of their lawyers.

Every Vendor is a Point of Exposure

Even the strongest firewall can’t close every gap. Each document management system, cloud provider, and AI tool introduces new points of exposure. That’s why vendor vetting was a focal point at ILTACON. Clients now expect rigorous due diligence, structured risk scoring, contractual safeguards, and continuous monitoring. To meet such expectations, firms must:

  • Be audit-ready. Demonstrate evidence of continuous monitoring and vendor vetting.
  • Score vendors. Use a structured risk-rating system to help prioritize oversight and prove accountability.
  • Build security into contracts. Embed clear security obligations and incident response protocols into every agreement.
  • Make oversight continuous. Ongoing monitoring, not just annual reviews, is critical.

With the rapid adoption of AI and cloud, the bar for security has only risen. Firms that can show clear, consistent vendor oversight in client audits and RFPs will distinguish themselves as truly trustworthy partners.

Cloud Sprawl Requires Governance

Cloud sprawl has become one of the most pressing security challenges for law firms. ILTA’s 2025 Tech Survey found that 88% of firms are now “mostly in the cloud,” reflecting how fast adoption has accelerated. With such growth, though, comes complexity. According to Flexera’s 2024 State of the Cloud Report (https://www.flexera.com/blog/finops/cloud-computing-trends-flexera-2024-state-of-the-cloud-report/), 89% of organizations already run workloads across more than one cloud, and law firms are no exception. Many firms are juggling multiple document management systems, collaboration platforms, and AI tools without a clear governance strategy, leading to fragmented data stores, inconsistent retention policies, and new points of cyber risk. Clients are now asking firms, “Do you know exactly where my data is and how it’s being protected?”

At ILTACON, panelists laid out what’s next for securing multi-cloud environments:

  • Governance that scales: frameworks to keep sprawl and costs under control.
  • Automation and orchestration: reducing manual effort while tightening security controls.
  • Security and resilience: encryption, zero-trust access, and live threat detection.
  • High-performing cloud teams: building teams that understand the realities of multi-cloud environments.

For law firms, the message is clear: cloud isn’t the risk. Poor governance is.

The Human Firewall Still Matters

No matter how advanced the technology, people remain one of the most significant risks. Panelists emphasized that security must be embedded into firm culture rather than treated as an annual training exercise. Regular phishing simulations, role-specific protocols, and leaders who model the right behaviors all help shift employees from being a liability to becoming a reliable line of defense.

The Value of Security

Today, security is a business imperative and a core part of the client value proposition. Firms that build layered defenses, scrutinize vendors as rigorously as new hires, and govern their cloud environments with discipline will earn the trust that wins and keeps clients.

Session panelists:

The security panels (The Anatomy of a Cyberattack: A Live Walkthrough; 3rd Party Risk Management: Choosing the right solution; Navigating Multi-Cloud Challenges; and Master Class: How Law Firms Can Operationalize Microsegmentation for Real-World Defensibility (Zero Networks)) comprised: John Smith, Founder/Chief Security Officer, Conversant Group; Jason Maust, Information Governance Manager, Information Governance Consulting Group LLP; Daniel Perkins, Senior Information Security Officer, SecurIT360; Ashley Stanifer, Director of Information Security, Frost Brown Todd LLP; Chris Boucek, Senior Product Manager, eSentire; Tom Lilly, Field CTO, Cloud Solutions, Netrix Global; John Motz, CTO, NetDocuments; Chris Boehm, Field CTO, Zero Networks; Shawn Mitkowski, Chief Information Officer, Sterne, Kessler, Goldstein & Fox P.L.L.C.