IT Shouldn’t Decide Security Policy

Should outsourced IT determine your firm’s security policies?
Only if …

someone specifically trained can review your “risks” based on an actual risk assessment.

Most IT guys are not trained this way.

IT should have input and be the mechanism that implements the technology aspects of policies.

Your risk consultant should work with your firm continually, much like a CPA would, to regularly evaluate changes and compliance.

The days of “set it and forget it” are gone.

#cybersecurity #lawyers #lawfirms