Ari Kaplan recently spoke with Edward Chick, the chief revenue officer at NopalCyber, a managed security services provider that offers outsourced cybersecurity support while seeking to democratize enterprise-level security for law firms and organizations in other sectors.

They discussed best practices to help law firm leaders identify cyber threats, mistakes that they are making with their cybersecurity protocols, how often they should test and update their cybersecurity procedures, and where to leverage artificial intelligence and machine learning to enhance cybersecurity.

Ari Kaplan: Tell us about your background and your role at NopalCyber.

Edward Chick: I have been in high-tech software and services for decades. I’ve worked with SAP, IBM and Oracle. Additionally, I have experience with smaller companies, including startups, and I have successfully helped them establish a stronger presence in the marketplace. I’m passionate about assisting customers in leveraging technology and services to enhance their operations.

Ari Kaplan: What makes NopalCyber’s method of identifying and prioritizing internal and external threats unique?

Edward Chick: Cybersecurity is sometimes not seen as important as it truly is because it operates behind the scenes. Many individuals using technology or engaged in business assume that others are managing these aspects. At NopalCyber, we have observed that a lot of complexity leads organizations and business executives to categorize it as an IT issue. Therefore, our business goal is to democratize cybersecurity, making it more accessible and bringing it to the forefront of business leaders’ awareness. We aim to collaborate with IT professionals to provide them with the support and resources necessary to achieve greater success. We serve multiple industries and possess decades of experience in the legal sector and many others. What we’ve observed is that the battle continues and is becoming more severe. The value we provide is our tech stack neutrality; we work with technologies that organizations have already invested in, often heavily. Many of these technology platforms come with built-in tools, like those from Microsoft or AWS. On average, organizations use about 30 different cybersecurity-related protection tools. These organizations may encounter thousands of alerts and alarms daily, facing a ‘needle-in-a-haystack’ challenge to identify the most critical issues. They must find ways to resolve these problems and take proactive measures to prevent them from occurring. There is enormous pressure on IT, especially in the United States. At NopalCyber, we bring both expertise in the particular industries these companies operate in, such as legal, and the resources to work with all the various technologies they are employing, thereby supplementing and strengthening their security posture.

Ari Kaplan: Which assets are most critical for law firms to protect?

Edward Chick: Absolutely everything. We begin by helping individuals become more savvy in protecting their interactions with technology, such as passwords. However, many bad actors are also targeting website applications or platforms or underlying data to gain access to something valuable. In business, there are two key areas of truth: the accounting systems and the contracts they manage. These represent formal areas of substance, with legal practitioners overseeing one-half of that. The bad actors are aware of this and see legal activities as potential targets. We’ve noticed that midsize law firms often lack sufficient protections. Insurers recognize this and the cost of cyber insurance, especially in the legal field, is quite high while coverage is actually declining, meaning you pay more for less. One of NopalCyber’s added values is our ability to strengthen these companies’ postures, which can help reduce cyber insurance costs and provide better protections from insurers. Another critical factor involves regulators. Even if a specific company is not heavily regulated by, for example, the SEC, the customers they work with may be subject to regulations. Over the past six months, we’ve seen an increasing requirement from the SEC for companies to enhance their compliance. They now have a duty to report any concerns. In the legal field, because lawyers collaborate with other firms, they engage in a community of activity related to specific matters or contracts, potentially involving participants who are heavily regulated. Naturally, insurance companies are aware of this and heighten exposure due to the regulators mandating protections that the insurance companies are then expected to cover. 
This creates a network of interlocking dependencies, and at NopalCyber, we can significantly assist in strengthening the postures of these companies, allowing them to achieve a more favorable cost structure from their insurers and, of course, adhere better to the regulators’ requirements.

Ari Kaplan: What mistakes are law firm leaders making with their cybersecurity protocols?

Edward Chick: They’re often taking it for granted. These are competent professionals with expertise in their field, and they reasonably assume that IT has this under control. However, the fact is that IT is under tremendous pressure; the bad guys are constantly changing their strategies and tactics. We also often notice that general counsel and legal practitioners don’t offer their assistance frequently enough. They could take a leadership position by regularly reaching out to IT and asking, “How can we help? How can I prioritize the risks associated with the particular tools I’m using? How can I provide you with more information about my business activities to give IT and your chief security officers better visibility into what’s important for the business?” We’ve seen that this leadership fosters prioritization regarding budgets, costs and awareness of regulatory exposures.

Ari Kaplan: How often should law firms test and update their cybersecurity procedures?

Edward Chick: Definitely not once a year. Companies conduct annual penetration tests on their platforms or specific applications, for example, but that’s not really good enough. We’ve seen organizations increase the frequency to quarterly or even monthly. Our position is that all these aspects should be inspected 24/7. The bad guys aren’t waiting for an annual opportunity to act. Consequently, the exposures are permanent and require full-time attention. Legal professionals can play a very helpful role in drawing attention to this issue and ensuring that they stay up to date. They are trained to follow protocols for even simple tasks, like changing passwords. It is extraordinary how people take these matters for granted, and everyone assumes that someone else will be impacted, which is simply not the reality. It’s similar to any good business practice. The teams are in alliance with the rest of the organization they support; if leadership recognizes this and provides support to the individual security teams, then everyone benefits. At NopalCyber, we offer complementary services to organizations. We can manage the entire security environment for an organization or complement and support the various teams they may have in place. We view this as a proactive security posture, enabling us to identify issues before they arise because we can see much more than an individual firm might perceive. We play a critical role in providing early warnings about things they might not be aware of from an offensive security perspective, and we can provide the necessary assistance for defense. Some organizations are uncertain about their security standing, and we help them gain clarity on their position. We conduct something called “attack surface discovery,” which produces an analysis from an outside-in perspective without any privileged access to show what an organization looks like from a potential hacker’s viewpoint. 
We can share those results, and when we do engage, we leverage the tools they already have while streamlining all the alerts into a single ‘pane of glass.’ With our reporting tool, Nopal360, we make this accessible on desktops and mobile devices 24/7. The best practice is to always have these protections in place, maintain awareness of potential attack sources, and act quickly and effectively. Legal professionals who understand their own personal liability as lawyers, as well as the company’s exposure from a risk management standpoint, can be immensely helpful allies in this overall strengthening of security posture.

Ari Kaplan: How can legal organizations utilize artificial intelligence and machine learning to strengthen their cybersecurity?

Edward Chick: Virtually every law firm and legal practitioner worldwide is now aware of the benefits of various AI tools. I entered this space relatively early at IBM, engaging with legal applications using Watson over a decade ago, and I have seen remarkable results. Major benefits arise from leveraging AI, and the pace of advancement is accelerating; however, it also introduces certain risks. Malicious actors are using AI for hacking and exposing various cyber vulnerabilities. Moreover, employing AI often involves integrating data from large language models or utilizing third-party tools, which may require inputting sensitive information into these external systems that may not be entirely secure. Since lawyers and legal practitioners play an incredibly important role within an organization, they inadvertently raise risks associated with the use of AI, as these systems are often federated and rely on tools and data sources from outside to achieve business results, potentially exposing them to further risks. A key part of our mission at NopalCyber is to strengthen this posture and instill confidence in legal practitioners, so they can reap the benefits of these new tools while ensuring they do not create additional vulnerabilities. Our stance is to engage with these new innovations enthusiastically, embrace the benefits they offer—but with a vigilant awareness of cybersecurity realities.

Ari Kaplan: How does focusing on cybersecurity enable law firms to foster innovation?

Edward Chick: This will enable them to be more experimental and try various approaches. They should view cybersecurity exposure as a crucial aspect of engaging in innovation. Cybersecurity is essential to ensure that you’re prepared to embrace new innovations.

Ari Kaplan: How do you see cybersecurity evolving?

Edward Chick: It’s constantly changing every day, every hour, and trying to handle all this by yourself is truly challenging. The bad actors recognize that midsize firms don’t have the resources to manage this effectively. Our business value proposition is to assist those organizations in achieving a stronger security posture in a cost-effective manner that they would typically be unlikely to accomplish on their own, allowing them to focus on their core business. They should concentrate on what they excel at. Another critical aspect is engaging with their clients. It’s a good practice to initiate discussions with clients by stating that everything they’re going to do for that client incorporates cybersecurity awareness. Legal practitioners often lack knowledge about cybersecurity and don’t address it. However, if they become more informed and bring it up during their client interactions, we’ve seen that it significantly enhances engagement. It fosters trust, which is essential in the legal community. We see our role as helping organizations strengthen their relationships with customers, especially when acquiring new clients, as well as enhancing the existing portfolio of customers, some of whom they’ve served for decades. We’ve observed an engagement model where they reconnect with their clients and present the realities of cybersecurity in a way that they haven’t done before, and it resonates very well. This is part of a broader customer care journey and is quite powerful.


Listen to the complete interview at Reinventing Professionals.

Ari Kaplan regularly interviews leaders in the legal industry and in the broader professional services community to share perspective, highlight transformative change and introduce new technology at his blog and on iTunes.


This column reflects the opinions of the author and not necessarily the views of the ABA Journal—or the American Bar Association.




