Legal Careers for Security ProsLooking for a Good Next Step? Consider Law School
By transitioning from security into law, Mueller took advantage of an opportunity many information security professionals now see: The chance to leverage practical experience in a growing legal field.
"There were significant regulations and laws pertaining to the field of information security that needed legal requirements, and most of these underlying issues are technical by nature, requiring an in-depth understanding of the subject to translate into law," Mueller says. "I wanted to understand and deal with information security issues from a higher level, as well as use my security background."
Early on in his information security career, Mueller saw security issues becoming more and more important and dominating the minds of business leaders and law makers.
Pain and Gain
Soon after making his career choice, Mueller confronted reality: To become a lawyer needs significant investment in time and money: Formal requirements usually include a four-year college degree, three years of law school, and then passing a written bar examination. There also are some requirements that may vary by state. Federal courts and agencies set their own qualifications for those practicing before or in them. Law school fees vary from $16,000-$40,000 for full time students and $13,000-$26,000 for part- time classes.
But despite the expense, there are great rewards for information security professionals who make the transition to legal careers, say those who have made the move.
"It is a lot easier for information security professionals to become lawyers than for traditional lawyers to be self-trained in this growing discipline," says Michael Aisenberg, a principal on the staff of the director of homeland and defense security of MITRE, as well as a member of its privacy practice. Many lawyers are now taking up security and privacy certifications like the certified information systems security professional (CISSP) or the certified information privacy professional (CIPP) for basic security awareness and qualification. "However, there are gaps in their understanding from the application perspective," Aisenberg says.
On the flip side, though, adding a legal dimension today to information security and technology credentials is a very lucrative career choice and offers a myriad range of job opportunities both in the private and public sector.
For information security professionals looking to get a law degree, Muller advises them to- actively be engaged in writing papers and submitting articles in relevant security and privacy associations, analyze trends and the impact of different laws and regulations on the profession as well as be an avid speaker on information security topics at major conferences and events. He also advises them to know which area they want to specialize in, as each job role has a specific niche.
A legal career for information security professionals may include such roles as:
Corporate Attorneys: Companies such as Google, IBM, Microsoft, Verizon all need to hire corporate attorneys who can provide legal counsel on "how organizations should protect data, how they can use that data, how they can disclose that data and the exchanges of that type of information with third parties," says David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's information security committee. Another main role involves writing and drawing contractual agreements with third-party service providers regarding the implementation, maintenance, enhancement and enforcement of information security and privacy measures. The corporate attorney also works closely with the organizations client's to ensure compliance with security and privacy regulations.
Private Practice: A growing number of law firms look for attorneys with information security and privacy focus to:
- Counsel clients in the event of data breaches and security incidents;
- Ensure that they know the adequate steps to protect data and understand requirements of regulations;
- Contractually ensure that vendors and third parties are aligned with client's incident response strategy and security and privacy requirements;
- Coordinate preservation and collection of relevant data, and manage forensic team efforts for gathering relevant data in the event of a security incident.
Customer Engagement: Many information security attorneys join organizations within their marketing and advertising departments to develop appropriate communication strategies requiring interaction with stakeholders and clients, as well as ensure advertising issues are legally compliant with the Federal Trade Commission requirements.
Consulting: Companies such as Booz Allen Hamilton, SAIC, and Lockheed Martin "are all very hungry for people with applied experience in information security and who understand the law," says Aisenberg. These individuals perform research and develop policies on critical infrastructure, advise companies on how to acquire appropriate software, develop practices for secure applications and other wide range of products and systems.
Government: Attorneys are in demand within the federal agencies and state governments to be employed in a range of roles. Some may be managers, general counsel, legal officers, legal policy officers, legal research officers, in-house attorney or policy officers. Some work for state attorneys general, prosecutors, and public defenders in courts. At the federal level, attorneys investigate cases for the U.S. Department of Justice and other agencies. Government lawyers also help develop programs, draft and interpret laws and legislation, establish enforcement procedures, and argue relevant security and privacy cases on behalf of the government.
4 Key Skills
To be successful as attorneys, information security professions need four key skills:
- Ability to translate the importance of information security and privacy to the clients, and how the law and regulations impact their practical running of the business. "Attorneys need to wear several different hats," says Navetta. They need to understand the points of interaction between security, privacy and compliance internally in an organization to be able to provide legal counsel on issues regarding outsourcing, vendor relationships and incident response plan and policies.
- Interest in technology i.e., the curiosity to read, absorb and research new technologies impacting the security and privacy laws and regulations, says Alysa Hutnik, a security and privacy attorney with Kelley Drye in Washington, D.C. Attorneys need to have strong understanding and knowledge to be an expert in order to provide informed legal advice to their clients on where the possible gaps are in meeting regulatory compliance and addressing their existing risks and vulnerabilities.
- Clarity of thinking, as in being able to express themselves well both in written and oral communication. The ability to draft and write effective documents and contracts with the conviction "I'll never fail you, "is a huge factor to success as an attorney, says Aisenberg.
- Research oriented: Attorneys need to have the ability to research and distill information based on client and firm requirements, for example- How does HIPPA regulation help in safeguarding the privacy and security of health information? What are the mandates involved? Under the law, how can patients establish ownership of the health care record? "A good lawyer ought to be able to find information on any profession," says Hutnik.
Starting salaries for information security attorneys range from $80,000-200,000 annually, says Aisenberg, depending on the type, size and location of the employer. Usually big law firms start with a package of above $150,000 annually and then based on their client acquisition/retention rate, this drastically increases to $200,000-250,000 a year. The government usually offers a starting salary of $70,000-80,000 for a security and privacy attorney role.
"Think about your career path as a re-invention," says Aisenberg to information security professionals and get qualified and skilled in the legal career to truly create a distinction as a practitioner.
Mueller encourages security professionals to invest in a legal degree if they share the passion for writing, technology and research. "Being an information security professional is very valuable in the legal field, as we get to be experts and create a unique position in this niche job market."