Industries - Legal Services

Deep experience in assisting legal firms to meet security objectives

Vital Advisory have worked closely with legal firms of all sizes in Australia and New Zealand to achieve information security objectives and simplify the burdens of data privacy and compliance.

Engagements typically begin as consultancies to achieve ISO 27001 certification, but often continue as multi-year partnerships where the client draws upon our experience with similar organisations.

Understanding the Issues

Legal Services Organisations are directly faced by information security, data privacy, regulatory and compliance challenges in every area of their business. Vital Advisory have worked closely with legal clients from the largest to the smallest businesses within Australia and New Zealand. These partnerships have developed a methodology to analyse compliance obligations, security capabilities, and the genuine threats operations face. This builds an accurate picture of the resilience organisations have to privacy and security events.

Industry Challenges

Our clients seek to manage their security and risk capabilities within a context of industry-wide challenges:
+ Regulatory and contractual obligations for protecting very large amounts of extremely sensitive client information
+ Although good technical controls may be in place, the overall posture and awareness relating to information security and cyber threats is often weak
+ Security blindspots, where large volumes of paper-based documentation lack adequate protection
+ Risks associated with teleworking are poorly understood
+ Insecure document exchanges with clients
+ Security questionnaires are a repetitive and burdensome overhead
+ Increasing regulatory compliance obligations which focus upon not just security implementation, but the entire governance approach to risk and information security
+ Client awareness of security threats has matured, so that demonstrating a proactive security posture is essential

Negative outcomes facing Legal Services Organisations

Potential negative outcomes which our clients have been concerned by include:
+ Exfiltration and exposure of client data
+ Being a high-priority target of sophisticated cyber threat actors
+ Business overheads and security risks of uncoordinated and reactive security measures
+ Snowballing compliance obligations and their related overheads
+ Loss of business from a high-profile data exposure or security incident

Pain Points

Our experience in the field has shown that Legal Services organisations experience common pain points in their risk and security strategies:

High priority targets of phishing and cyber-intrusion attempts

Meeting regulator and contractual data privacy and security obligations

Data exposure events carry significantly greater impacts than they do for other businesses

Unrealised Opportunities

Our clients frequently describe the internal focus of risk management as being upon the negatives of risk – security threats, compliance obligations, implementation costs – rather than seeing the opportunities which can grow from a well structured security strategy:

Focused costs

Coordinated risk response means reduced security spend and overheads. Controls focus upon genuine business requirements

Positive conformance over negative compliance

Compliance activities enhance business, rather than tick boxes. Compliance is streamlined and clearly evidenced

Partnerships simplified

ISO 27001 certification releases staff from security questionnaires when engaging new partners

Vital Advisory’s Approach

After working with multiple clients in the sector, Vital Advisory has developed a key set of approaches to address the security risk and governance challenges clients face:

Security aligned with Business and Compliance

As with any other function within a legal firm, security should be aligned with your business objectives. The first step in any of our engagements is a detailed analysis of your business context. We build a detailed picture of what you do, your client and partner requirements, your IT and security capabilities, and what regulatory obligations govern your space. Once we have constructed a clear and mutual image of your business, we can systematically structure a security response appropriate to your situation.

Structured risk processes

By structuring risk and security governance, we ensure that all the stages of risk management (identification, assessment, treatment, monitoring) are systematically applied across your organisation. We achieve this via recognised security standards, such as ISO 27001, ASD and CPS 234. This method ensures that security is no longer a scattergun approach but targeted at the risks which genuinely threaten your organisation.

Planned and coordinated security effort

Basing your security response on a governing standard, such as ISO 27001, ensures that each key security domain (IT, HR, physical, suppliers, continuity, etc.) is assessed and appropriately defended. Security becomes a whole-of-organisation concern, not just an IT problem. Gap analysis between your capabilities and those applicable from ISO 27001, ASD and other standards provides a multi-year implementation map.

Streamlined Partner & Vendor Management

Many of our clients are heavily reliant upon external suppliers for Cloud, IT, and software development, yet they lack depth in being able to assess the security capabilities of these vendors. We work with clients to systematically appraise the security posture of vendors and ensure that regulatory compliance in managing third-parties is accomplished.

Enduring risk and security governance

Our engagements with legal firm clients have typically focused upon achieving ISO 27001 certification. The resultant Information Security Management Systems have not been shortsighted tick-a-box exercises unable to see beyond the initial certification. Implementations are designed to manage and improve security across the full three-year certification lifecycle. The majority of our legal clients have also adopted ongoing consultancy or as-a-service offerings from Vital Advisory to continue the processes of building cost-effective and agile security responses.

Realised Outcomes

Legal firm clients of Vital Advisory have accomplished a range of enduring business benefits – from a more comprehensive security capability to effectively demonstrating regulatory compliance and achieving reduced business overheads.

Partnerships with Vital Advisory can be one-time consultancies or ongoing As-A-Service models.

An Experienced Partner for Security Governance

Vital Advisory’s extensive expertise in security and risk governance provides a partnership which backs your staff and allows IT to focus upon core business.

End-to-End Security Management

Security controls cover the full gamut of relevant risks and are governed and monitored throughout their lifecycle.

Simplified Partner Onboarding

Complex and time-consuming security questionnaires are removed from the equation of doing business.

Vital Services

Learn more about our service offerings supporting legal firms:

To discuss how Vital Advisory can assist with your risk, security and compliance goals, phone +61 420 978 258.