Not all CIOs come from an engineering background. Kimberly Verska is CIO of Culhane Meadows, an Atlanta-based law firm with offices in nearly a dozen major U.S. cities. She’s also a co-managing partner whose legal practice focuses on privacy and data security, cloud computing services and technology law.
In getting to this unusual dual position, Verska has navigated the often-difficult demands on new mothers, the challenges of building a new company and growing cybersecurity risks. We spoke with Verska about her unique combination of duties, and how one role influences the other.
Culhane Meadows has been ahead of the workplace curve. Tell me about your firm.
Culhane Meadows is an example of a relatively new breed of law firms—we take partner-level lawyers from top law firms and re-create all the useful aspects of these large firms on a cloud-based technology platform. Without office space, associates and other large cost centers, both clients and partners benefit, financially and in terms of flexibility of practice. We take pride in being as “green” and sustainable as a law firm can possibly be, as we have all been working remotely since the early 2000s [at previous firms]. We are also the largest full-service woman-owned law firm in the country.
And your personal story?
As for my trajectory, I do not have the background of a traditional CIO, but arrived in this position thanks to my legal training in combination with my somewhat unique career path. After I had my second child as a senior associate, the large firm that I worked for indicated that my part-time arrangement had gone on longer than the firm’s policy permitted, giving me a choice of returning to a full-time schedule or leaving. I ended up joining forces with someone from law school who had formed an “ultra-low overhead” firm, and together we grew that firm from four attorneys to a large one.
I left that firm to join Culhane Meadows, where I’ve been on the management team since its inception in 2012. I was named CIO because that position is a natural fit given my legal practice as a technology and data privacy attorney. I’ll note also that my CIO title is a subject of shared amusement at home, since my husband, who has an electrical engineering degree and a programming and technology consulting background, has been working as a CIO for large companies for many years.
As the person responsible for the flow of information in the law firm, how are you dealing with many of the most pressing problems that CIOs face, especially cybersecurity?
A partner-only, cloud-based law firm is a very different proposition than a traditional company with offices and an employment-based organizational hierarchy. Fortunately, there is very little regulated data such as credit card data or consumer health data flowing into the firm, but we do have an obligation to secure client confidential information that we take very seriously. Our challenges—like those of all organizations now allowing remote work—center on ensuring that partners working remotely are continuing to properly implement our policies as they change devices or working environments and are aware of emerging threats such as new phishing schemes.
Given the fast-paced demands of legal practice, all law firms will have the challenge of ensuring that lawyers pay careful attention to any instruction that is not client-driven, and in partner-only firms like ours, there is the added factor that many attorneys are used to “running their own show.” We have found that it is best to address this in a multi-faceted manner.
First, in the hiring process, we strive to weed out those attorneys with “name on the door” syndrome—i.e., those who are unwilling to follow top-driven policies. Secondly, we choose software solutions that are user-friendly and enable administrative audit and control. Finally, we communicate in a collaborative manner to demonstrate the client-driven need for certain actions and set goals with clear timelines—and calendared deadlines!
As a privacy and data security attorney, how are you guiding your clients on best practices and compliance?
Our law firm’s specific data risks and challenges are very different from those of our normal clients, who most often are handling—or trying to avoid handling, where possible—data that is subject to U.S. or foreign legal requirements in terms of its collection, handling and storage. We assist clients in first identifying their key risks, which will vary by business and data type, and then working within their project scopes and budgets to implement measures to address those risks.
As articulated by the National Institute of Science and Technology in its cybersecurity guidance to industry, the best measures are controls that are layered, with technology-based tools coupled with training and clear policies and direction provided to personnel.
Selection of technology is an area that outside counsel is very infrequently called upon to assist with, and that is unfortunate. The U.S., led by California, is moving in the direction of the EU to regulate personal data in a much broader manner. Future-proofing to meet these more stringent data privacy and security laws, even if they don’t currently apply to your company, can give long-term breathing room to implement technology and train staff. But, of course, that has to be balanced with cost and the individual needs of the organization.
What’s the best approach to internal training?
A primary risk that must be addressed for any client is the risk presented by personnel who are unaware of evolving threats to data security presented by phishing and similar attacks from outside the organization. These are becoming more sophisticated by the day and can result in catastrophic situations if successful. We have found that tests using fake phishing messages, coupled with anonymous results posted to the whole organization with the headline, “Here’s how many of you fell for this attack,” are an effective way to get personnel to arm themselves against these threats—far more than training sessions where attention levels can dwindle.
As with any endeavor related to data security and privacy, a multi-faceted approach is going to be most effective to protect the organization against this universal risk.