The Value of Visualization
One of the powerful ambitions we have in creating RitterMaps is to enable the legal professional to be more effective in communicating with the digital world about the legal requirements that exist, and how those requirements can be met through the effective design and management of IT. Visualization is critical, not only to harnessing the communicative power of pictures for that challenge, but also to enabling facts, events, and information of legal significance to be mapped against the legal requirements.
While lawyers are beginning to migrate toward the use of visual tools in the courtroom to communicate the stories they are presenting, they continue to lag behind the world in which their clients exist in using visual tools to perform the rest of the work that precedes the trial. A big part of that work is mapping real statistics of how the e-discovery process is moving forward against the requirements and the overall project plan.
My thanks to Jeff Brandt, who identified this useful blog post on the value of visualization to IT executives. I strongly endorse a quick read so that lawyers can better understand the power of RitterMaps in managing the complexity of e-discovery.
Automating the Management of Legal Risk: A Four-Part Briefing Series for In-house Counsel
Beginning March 29, 2012, I will be joining 1SecureAudit in a new four-part briefing series designed for in-house counsel on automating the management of legal risk. This series focuses on four risk areas where technology and best practices in managing risk can be innovatively applied to reduce the likelihood of adverse events. The remaining briefings are scheduled once per month during the next quarter. Together, these briefings will introduce a model for building a legal risk management program that works in the 21st century.
The first briefing is Managing the Legal Risks of Outside Counsel. Many corporate lawyers presume that their law firms know how to manage and protect digital information, including the sensitive records that may serve as evidence in lawsuits and government investigations. But do law firms really do the right thing? How can corporations better address the legal and business risks that exist when outside counsel is entrusted with valuable corporate records?
Those attending this webinar will walk away with a detailed RitterMap™ that presents a structure for conducting a dialogue with outside law firms on how the firms implement modern information security management practices, as well as a detailed checklist of issues to be addressed in the engagement letters under which a law firm is employed. Attendees will also receive a discount coupon for a future 1SecureAudit eDiscovery Survival Executive Briefing and Workshop.
Registration for each webinar, and further information about the series, is available here.
Visual Information Maps—Digital Knowledge Strategies for X, Y and Other Generations
For some time, RitterMaps have received very different reactions from the professionals that have seen how I converge legal information into the power and flexibility of mind maps. Generally, those who are older or more experienced in their careers hesitate, or pause, or simply express a disfavor for visual tools. There is a strong preference for information to be presented in text format, perhaps in spreadsheets, but without the structure, context, color and visual architecture that RitterMaps enable. Of course, for those who are "born digital", there is a much more comfortable and positive response. Nearly 5 years ago, during my first training of Associates in a major law firm, one of the newer lawyers concluded the program by walking up and sharing that "your maps are like gold!" That enthusiasm has continued, and nearly anyone who has been raised with a mouse beneath their fingertips has been comfortable with the visual information maps.
Last week, something happened that was truly noteworthy. The 25-year-old son of one of my good friends was visiting for dinner. My friend encouraged me to show his son, an aspiring lawyer, the RitterMaps and how we are developing these tools to support the performance of legal services, and the collaborative, team management of digital information. We relocated to my office and, sitting side-by-side, I began to show him how the mind mapping function worked, and some of the features and capabilities of the RitterMaps. Then, it happened. While my own hand was gesturing in the air, the aspiring lawyer simply reached for and took control of the mouse. No permission was requested, nor expected. Instead, acting nearly on instinct, and eager to explore the further depth and complexity of the content, he took over.
Now, the dynamics changed entirely. My guest was asking questions, opening and closing topics, experimenting with restructuring and re-organizing the content, engaging and interacting with the RitterMaps naturally and without any training, instruction, or guidance on how to do things. Reflecting later that night on the moment, I remembered the scientist who is playing the keyboard for the visiting alien spaceship in Close Encounters of the Third Kind. The scientist removed his hands from the keyboard and the spacecraft took over, playing the music on its own. I felt much the same as the scientist – awed and humbled.
The singular incident underscored that the challenge of trying to reorganize legal content in order to be more accessible to those responsible for managing the digital record is worth all of the effort, false starts, and resistance from the status quo. We run out of alphabet letters, and it’s difficult to keep track of whether any one of us belongs in the X, Y, or other generations. But the current and future generations are simply being wired differently to interact with, explore, acquire and apply information. The inherent presence of the digital screen, and the near-infinite accessibility of information that can be transformed into knowledge, empowers individuals to point, click, explore, defy structure, and fearlessly persist in shaping the information into the knowledge structures they require to learn, work, and even play.
Traditional publication formats – most notably hardcover textbooks, three-ring notebooks, and the ubiquitous slide deck – simply no longer work as effective tools to organize, present, and deliver knowledge that enriches, informs and empowers each of us. In developing RitterMaps, unique in their integration of legal and technology content into unified presentations, I was trying to solve a simple problem: to equip both legal and IT professionals with a resource that enables them to work better, collaborate, and reduce the risks of not understanding each other’s business languages, cultures, and performance objectives. But it turns out that we may be doing something much more important and provocative.
By taking the first steps to present legal and technology content together, and using visual information mind maps as the publication structure, we are building tools that enable those "born digital" to explore faster, to learn better, and ultimately communicate with one another in a visual space that requires no training to navigate. Yesterday, an adjunct professor at Columbia University introduced me to their master’s program on Information and Knowledge Strategy. It’s a very cool new program. In our conversation, she pointed out that RitterMaps have another purpose. They accelerate the capability of the learner to transform and share the information they have learned with others. A RitterMap, or any mind map, allows the learner to immediately take the instrument from which they have acquired the knowledge, and present that same content to someone else: other team members, supervisors, or perhaps even judges. It turns out this is one of the most important "knowledge strategies": to design and implement the means to share knowledge above the din of endless digital information.
It is clear that our strategy must embrace giving the X, Y, and younger generations hands-on experience with RitterMaps. If they can touch, edit, modify and adapt the content, each user becomes an owner of both the information and the knowledge they are experiencing. This control enables the user to construct their own architecture and, in the final analysis, use the knowledge to their best advantage. And isn’t that essential if effective information governance in a digital world is to be achieved?
I will long remember the evening when I lost control of my mouse. It was one of the best experiences of this journey.
Building and Securing Digital Trust in Law Firms
On Tuesday, January 31, 2012, I will be speaking at the ALM Law Firm CIO/CTO Forum, held in conjunction with LegalTech in New York City. It is a pleasure to be the featured speaker following the legendary Don Tapscott. My topic—“Building and Securing Digital Trust”—represents the first time I have presented my argument for trust as an economic asset to law firm executives. I am looking forward to it. If you will be at LegalTech in New York, and are a CIO/CTO type, please be sure to join us. If you cannot join us, drop me a note at jeffrey@jeffreyritter.com and I will be sure to send along an executive summary of my remarks.
Following a break, I will also be the facilitator for a panel on “Navigating the Rapids—Delivering on Mobility, Security, and Privacy”. The Ritter Academy has been invited to set up a table—our first appearance at LegalTech. All in all, it should be a great experience.
Trust and Disclosures—New Rules for Customer Decisions
There is a quiet revolution occurring in how we evaluate whether companies can be trusted. After all, whether buying widgets or the securities of a company, the purchase decision involves a calculation of confidence that we will get what we believe we are purchasing. Indeed, much of the modern legal framework regulates what information is required to be disclosed to make the commercial transaction acceptable: financial statements, food product content, drug warning labels, new car purchase stickers, contractual warranties, etc. All of these exist to enable informed decisions, but somehow we have made little progress in terms of our ability, as consumers, to obtain insights as to the digital trust a seller or supplier can demonstrate.
Whether looking to make stock investments or obtain Internet-based services from “cloud providers”, a growing momentum exists to demand increased transparency regarding how well companies manage their digital infrastructure. On different fronts, companies are facing new formal legal requirements and the pressure of voluntary compliance with mechanisms to report and disclose information about how they create and manage their information systems.
Public Company Disclosures
In October, 2011, the U.S. Securities and Exchange Commission published a Guidance on the obligations of registered companies to disclose cybersecurity risks and cyber incidents. The Guidance is available here. The Guidance examines different types of disclosures that are to be made in order that a reasonable investor making an investment decision does not rely on disclosures which would be otherwise misleading. Here are some examples:
· If an investment would be speculative or risky because of the risk of cyber incidents, those risks should be disclosed if they would be among the significant risk factors. Risk factors that are disclosed need to describe the nature of the risks and their impact on the company.
· Actual cyber incidents that have a material impact on the company (an example given by the SEC is a cyber attack embedding malware that compromises customer data) may also require disclosure.
· The financial impact of specific attacks may also require discussion in the “Management’s Discussion and Analysis”.
· Material pending legal proceedings involving a cyber incident may be appropriate for disclosure.
· Financial statements can take into account both investments to prevent cyber incidents, as well as their impact on diminished cash flows, customer goodwill, and customer-related intangible assets.
There is no question that this guidance will provoke considerable discussions in corporate board rooms regarding whether any real cyber security risks exist. But the SEC has taken an important step forward—it has empowered investors to have (a) a legitimate basis of inquiry regarding the information systems of a company, and (b) a basis to ask questions regarding the security and integrity with which those systems are maintained which are no different in their value to the investment decision than questions regarding the physical facilities, human resources, intellectual property, and other assets of a company.
In doing so, the SEC has also put into motion a further dimension of the dialogue that occurs between public companies and their service providers regarding cyber security and cyber incidents. Now, addressing information security, system security risks, and the security controls that are required by commercial contracts is no longer a discretionary item. Far too often, these topics are minimized in the contracting process, addressed with general, non-binding language, or avoided completely.
Now, the public companies have the incentive to demand a quality of security across their entire operations (including those that engage cloud-based service providers) that enables (a) material cyber risks and the potential for adverse incidents to be controlled (thereby avoiding the public disclosure of those risks), and (b) remedial and corrective action plans to be in place to assure that any incident, if it does occur, is less likely to create a reportable event.
Disclosing Cybersecurity Controls
The Cloud Security Alliance (CSA) has taken a different, and perhaps more influential, step. Many lawyers and information security managers have been frustrated by the inflexibility of cloud service providers in addressing security concerns substantively in the related commercial contracts. Often, the service providers, whether providing software, platform, or infrastructure as a service, oppose making contractual undertakings that would give their customers better confidence that they are able to meet increasingly complex legal rules for maintaining information security controls.
CSA has announced a free and publicly accessible registry that allows service providers to file and document the security controls they offer. The service is called the Security, Trust and Assurance Registry (STAR). Detailed information on STAR is available here. The service was launched with the initial filings of Google, Microsoft, Verizon, Intel and McAfee. Vendors may submit either one of two types of reports, each of which requires detailed disclosures regarding their security practices, and the alignment of those practices with published CSA best practices.
STAR is an important innovation because it sets a standard of care in place for how vendors earn the confidence and trust of their customers, as well as the larger ecosystem a specific customer may support. For example, ABC Manufacturing selects Vendor X to host in the cloud various services that provide data and reporting on 6,500 distributors of ABC products. Those distributors now have greater visibility into the security controls that enable the data services, and in turn, should have better ability to address their own compliance mandates.
Clearly, competitive advantage is going to be realized by those who understand, and do not try to deny, the importance of transparency. Those vendors who decline to participate face two new hurdles. First, customers will make competitive peer-to-peer comparisons between vendors who participate in STAR and those that do not. Second, the SEC guidance, which will surely be copied over time by other national agencies, creates regulatory demands that make it difficult for any public company (or their providers) to do business with a cloud vendor that cannot offer the transparency required to document that cyber incident risks are controlled and not reportable.
Where does this lead?
As consumers and customers, and as vendors and sellers, all of us see both sides of the process through which trust is secured that enables a transaction to be executed. Working for our company, we often try to secure the sale with our smiles, great pricing, and advertising. But, in the evening, as consumers and investors, we aggressively investigate any seller, blowing past smiles, pricing and advertising to seek knowledge that informs our decision: crowd-sourcing (such as eBay merchant evaluations), investment analyses, product reviews, etc. It is an essential truth in an open, competitive digital market that the vendor that does not provide comparable information, both in the types of information and quality, will be disfavored by the consumer.
Technology enables transparency, but it also enables us to express and incorporate into our purchasing our own criteria and preferences. There is no barrier today that precludes customers from demanding transparency on security controls, as well as the effectiveness of those controls. Nor is there any barrier to expanding the criteria on which we seek information until, for any single transaction, we reach a point of indifference. I believe this drive toward transparency will continue and gain momentum across a much larger catalog of criteria than security controls. Each additional object of information allows us to lower our risk that a decision to trust a vendor is subsequently voided by performance failures on which we could have asked better questions.
Companies must anticipate this level of disclosure and build into their system designs the expectation that their controls, their performance, and their failings, will be reportable events, not just internally but to external audiences (such as regulators or customers). It will no longer be sufficient to offer that “we employ commercially reasonable information security procedures”; instead, transparency will be competitively required to enable the trust decisions a customer must make.

