Arrogant lawyers: the greatest threat to your organization

Ira Winkler on e-discovery, corporate counsel and the security pro's real role in risk mitigation

While security professionals typically think of computer hackers, malicious insiders, naive employees, or the like as the greatest threat to an organization, I am quickly learning that arrogant lawyers can be the most devastating threat an organization can face. Frankly, the lawyers should be non-issues, but they can get their companies involved in things that should otherwise be avoided.

Clearly, the underlying threat is e-discovery. Information security staff traditionally look at their role in the e-discovery process as ensuring the integrity of the data, making sure that the data is available, providing tracking of that data, etc. However, there is a more fundamental question that has to be asked, which is whether or not you should be involved in the discovery process to begin with. I know that this sounds simple, and most security professionals take the cliche attitude that, "Theirs is not to reason why, theirs is but to do or die."

Also see Winkler's I Was Wrong; There Probably Will Be an Electronic Pearl Harbor

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

While security professionals typically think of computer hackers, malicious insiders, naive employees, or the like as the greatest threat to an organization, I am quickly learning that arrogant lawyers can be the most devastating threat an organization can face. Frankly, the lawyers should be non-issues, but they can get their companies involved in things that should otherwise be avoided.

Clearly, the underlying threat is e-discovery. Information security staff traditionally look at their role in the e-discovery process as ensuring the integrity of the data, making sure that the data is available, providing tracking of that data, etc. However, there is a more fundamental question that has to be asked, which is whether or not you should be involved in the discovery process to begin with. I know that this sounds simple, and most security professionals take the cliche attitude that, "Theirs is not to reason why, theirs is but to do or die."

Also see Winkler's I Was Wrong; There Probably Will Be an Electronic Pearl Harbor

As a security executive, you have to understand that you are a risk management professional. Risk management implies that you are to attempt to prevent loss, if at all possible. If you are asked to assist in the e-discovery process, at some point before you execute the process, you might want to determine what is there to be exposed in the process. Frequently, the exposing of the data can be devastating to an organization, even if it means that you have to pay someone off that you otherwise wouldn't.

Many people are intimidated by their organization's lawyers. They just want to follow orders and gather the data. However, at some point a responsible executive has to question whether or not the pending lawsuit is worth the potential loss. Once the data is exposed to the legal process, it can be released to the general public. The repercussions of the exposure can be the exposure of data to your competitors, embarrassing information, or potentially exposure to even bigger lawsuits.

Frankly you would expect a responsible legal team to foresee these potential problems. However, that assumes that the lawyers are rational and consider all issues. The reality can be far different. There are the stereotypical arrogant lawyers, who believe that they are invincible. When they work inside of a large corporation, with unlimited financial resources, the arrogance gets even worse. They believe that they can outspend their adversaries and force them into submission. To actually give in and pay people off can be perceived as a sign of weakness, and damage their ego.

I first witnessed this first-hand and watched a large company lose tens of millions of dollars of business from a larger company, because they didn't want to agree to some common legal terms. The quote I was given was, "We're a large company. We don't agree to things like that." It was irrelevant that the potential customer could have swallowed the company whole without thinking about it at the time.