Skip to content
Legal Technology

Achieving cybersecurity maturity within your law firm

Don Philmlee  Technology Strategist

· 7 minute read

Don Philmlee  Technology Strategist

· 7 minute read

Law firms need to reach a level of cybersecurity maturity that allows them to detect & contain a cyber-threat before it has a chance to disrupt business

Imagine your firm can detect and contain a cybersecurity threat even before it has a chance to disrupt the firm’s business. Threats could be contained in minutes or days rather than weeks or months. This is the goal of cybersecurity maturity.

Today it’s not enough for a law firm to have a cybersecurity plan in place. Firms need to understand how well that plan works and how to improve it. This speaks to the “maturity” of the programs, processes, and procedures used in the firm. Indeed, cybersecurity maturity is a measurement of your firm’s degree of readiness and ability to contain cybersecurity threats. With a high degree of maturity, people, process, and technology all can work together to stop such threats before they become a problem.

How mature is your firm’s cybersecurity?

As a law firm invests in cybersecurity, the process evolves from just a reactive struggle to become a robust and valued business asset for the firm. It is important for any organization to measure the maturity of their cybersecurity to understand how well the firm is using security and to provide a clear path to improve and grow. This progression of maturity can be visualized as five levels:


  • Level 1: Basic — Simple security measures are in place, but no security plan in place. Almost no firms are at this level.
  • Level 2: Reactive — Some security measures in place, but still no security plan. The firm goes from one problem to the next. Relatively few firms are at this level.
  • Level 3: Proactive — Strong security measures are in place coupled with a security plan, and the firm is proactive with security issues. Cybersecurity has recognized value and the firm has achieved a degree of proactive planning and response. Many firms are at or near this level.
  • Levels 4: Optimized — Security is at a high level of function and maturity. And it is measured, well-managed, and funded. Firms strive to reach this level.
  • Levels 5: Resilient — Security is resilient and comprehensive; and it is part of the firm culture. Problems are already anticipated and quickly resolved. This is the highest-level of maturity.

These levels of cybersecurity maturity can be a useful tool to help you conduct an initial estimate of where your firm currently sits on this scale. To get an accurate understanding of a law firm’s cybersecurity maturity, however, it must be assessed and measured in greater detail. The best way to accurately gauge your firm’s maturity level is with a cybersecurity assessment. This assessment will show you where the firm lies on a spectrum of different levels of maturity. A good assessment will also outline an action plan to help the firm improve its cybersecurity maturity.

Typically, a good cybersecurity maturity assessment will review all aspects of your firm and its cybersecurity operations. Typically, the assessment can also draw out important questions about the following areas:

  • Management — How involved is your firm’s management with cybersecurity and how much of management is dedicated to cybersecurity solutions?
  • Policies & procedures — What is the state of your policies, procedures, and processes? What would a gap analysis show?
  • Technology — What sort of technology in in use for cybersecurity controls and how well is it configured and performing?
  • Funding — How much money is dedicated to cybersecurity solutions in your firm and how well is it spent?
  • Cybersecurity posture — What would an overall evaluation of how your firm perceives and mitigates cybersecurity threats show?
  • Organizational awareness — Is there an awareness of the quality of your firm’s cybersecurity response? Has there been a security audit to determine how well the firm tracks software, equipment, and users?
  • User Awareness — What would an evaluation of how well users are aware of cybersecurity in the firm demonstrate? What is the quality of users’ cybersecurity training?

There are a variety of cybersecurity maturity frameworks that can be used to guide a cybersecurity maturity assessment, including:

  • Cybersecurity Capabilities Maturity Model (C2M2) — Developed by the U.S. Department of Energy for critical infrastructure, C2M2 was updated to be applied to all sectors with information and operations technology.
  • Cybersecurity Maturity Model Institute (CMMI) — Originally developed by the U.S. Department of Defense to assess the quality and capability of their software contractors, CMMI models have expanded beyond software contracting to help organizations in any industry understand their current level of capability and performance.
  • Cybersecurity framework — Developed by the National Institute of Standards and Technology to improve cybersecurity risk management for critical infrastructure, these frameworks can now be used by any sector or community.

Building maturity

Cybersecurity maturity doesn’t happen quickly. Typically, it happens over time as your firm gains experience managing and growing its cybersecurity apparatus with measurable and realistic goals. Below are some tips to improve your firm’s cybersecurity maturity:

  1. Adopt a cybersecurity maturity model — Use an existing model or tailor one that fits your needs.
  2. Do a cybersecurity maturity assessment — Self-assess or hire an expert to perform a cybersecurity assessment to determine your firm’s maturity. Your budget and time will dictate your choice. A good assessment will provide a solid game plan for how your firm can move ahead and get you started building a plan to follow.
  3. Plan first, before you buy software or hardware — Good technology investments are the cornerstone of any cybersecurity plan, but don’t start there. Buying the latest AI-enhanced cybersecurity tool does not mean all your problems are solved. Make any purchases only after the firm has a solid cybersecurity strategy in place.
  4. Focus on the fundamentals — Security breaches most often happen when organizations fail to understand the fundamental aspects of their security practices. It pays to perfect the existing security practices already in place.
  5. Go for low-hanging fruit — Most likely you already know the shortcomings of your cybersecurity. Some may be difficult to get done, while others may be easy. Knock off the simple ones and your firm will be in better shape before proceeding with an assessment.
  6. Reduce risk – Every business has different needs. Spend some time understanding what is important to your firm, whether it’s business goals, critical information and data, essential software tools, crucial access points, or something else. Then, figure out how to protect what you’ve prioritized to reduce risk.
  7. Focus on the firm’s vendors, suppliers, or business partners — If hackers are stopped from getting into your system, they may be quick to focus on an indirect attack through the firm’s outside relationships. This is an area of growing concern that needs to be reviewed and secured.
  8. Invest in your firm’s users and their endpoints — Technology alone can’t improve your cybersecurity. Make certain your users are not only well trained but engaged. Also, secure your firm’s endpoints — the users’ laptops, mobile devices, printers, servers, etc. Consider investing in an endpoint security management solution that will provide an enterprise approach to identify, secure, and manage the users’ endpoints on your network.
  9. Consider new technologies to help build resilience — Explore and deploy competitive new technologies such as artificial intelligence and machine learning to automate cybersecurity tasks. These technologies can help to quickly identify potential threats, detect unauthorized access, and stop attacks before they happen.
  10. Embed cybersecurity throughout your business culture — Executive oversight is critical for achieving a high level of maturity. A cybersecurity incident certainly can have a negative impact on operations, but it can also significantly impact the firm’s finances and reputation in the market. Management must be engaged in order to have a mature cybersecurity program that effectively addresses critical business needs.

Cybersecurity maturity is a long road that requires firms to focus and cultivate their people, processes, and technology to best protect their assets. Once a firm has achieved a mature and resilient cybersecurity program it will be equipped with the knowledge and power it needs to quickly adapt to an ever-changing threat landscape.

More insights