Digital Discovery & e-evidence

Transcription

1 Digital Discovery & e-evidence Reproduced with permission from Digital Discovery & e-evidence, 19 DDEE 398, 09/17/2015. Copyright 2015 by The Bureau of National Affairs, Inc. ( ) PROFESSIONAL DEVELOPMENT The authors investigate differences in ediscovery and cybersecurity careers and how they expose key variances in the kinds of professionals who will be successful in the long term in both fields. Cybersecurity Jobs: It Feels Like ediscovery All Over Again! (Or Does It?) HOW THEY ARE THE SAME The most important similarity between ediscovery and cybersecurity, one that sets the tone for all the careers available both spaces, is that each discipline revolves around response to urgent, time-sensitive client needs that have legal ramifications. For ediscovery, an entire industry was born from the need to collect, review and produce electronic data in a time- and cost-sensitive way. BY JEFF SCARPITTI AND JARED MICHAEL COSEGLIA T he current demand for cybersecurity professionals remarkably mirrors the demand for ediscovery professionals circa 2002 to While demand for talent is explosive in cybersecurity, the availability of such talent remains scarce. This pattern, one of many that is reminiscent of ediscovery, will create a ripple effect of career opportunities, accelerated salary potential, massive contract opportunities for hiring managers and talent, diverse training and educational offerings and the ability for professionals in secondary disciplines to reinvent themselves into more valuable security-savvy employees. However, some clear differences in the origins and skills required for cybersecurity professionals forecast some very different career trajectories and future availability of talent, making cybersecurity less of a potential long-term commodity. A brief comparison between historical ediscovery staffing trends and emerging cybersecurity hiring trends will help hiring managers and individuals at every level of experience maneuver through the future landscape of the cybersecurity job market. Time Sensitivity. The recent and growing demand for cybersecurity professionals centers on the need to conduct incident responses to data breaches. Although both do have proactivity aspects to their disciplines (legal hold order, information governance, penetration testing and response planning), the bulk of hiring in both industries will come from the need to respond to a specific incident with potentially damaging consequences: litigation and data breach, both involving the analysis of data and document production. The binding compound of urgency and required legal compliance allows for professionals in both cybersecurity and ediscovery to command a premium in compensation for services rendered. Show Us the Money. ediscovery pricing has become more commoditized since 2009, particularly on processing and hosting services, but high-level consulting services still command a healthy premium. The same is true of cybersecurity consultants. The financial incentive of becoming an ediscovery professional has enticed and continues to entice individuals from various disciplines (paralegals, legal information technologists, attorneys, computer science majors) to focus their careers in the ediscovery niche in COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN

2 2 order to reap the salary rewards that come with rapid success in the profession. ediscovery salaries, as for many professions, work on a bell curve. Entry-level hires can command between $35,000 and $55,000 in base compensation, but with the right combination of communication and technical skills can easily ramp to earn $80,000 to $100,000 in base compensation within three to five years. Cybersecurity professionals entering the space now may experience even more accelerated salary increases as they gain invaluable on-the-job experience working directly with consultancies and large corporate clients. Cybersecurity jobs are growing at twice the rate of other IT-related positions and command a 15 percent salary premium, according to the Bureau of Labor & Statistics. Talent Drought. Unfortunately, because of the lack of available talent, open cyber positions take more than 25 percent longer to fill than traditional IT positions. To close that time gap, employers will inevitably pay more money to attract talent more quickly. Just as was the case in ediscovery from 2000 to 2006, high demand/low supply means accelerated industrywide compensation metrics. Cybersecurity professionals who are more seasoned have a limited window of opportunity to capture manager, director, principal and practice group leader positions in the next few years within consultancies, corporations and law firms building cybercentric departments and practice groups for the first time. Such was the case from 2002 to 2006 for ediscovery when the Am Law 200 began aggressively hiring litigation support managers and directors, roles that didn t exist before. Cybersecurity leaders looking to make lucrative moves have great negotiating power now in the Big 12 (Big 4 plus the eight largest non-audit consulting firms), especially if they are bringing an established book of business. Anyone who deals with big data, data collection or forensic analysis will have a place in ediscovery or Cybersecurity. Geographic Desirability. In terms of the geographic location of job demand, as with ediscovery, cybersecurity jobs are abundant in major cities. Big banks, technology companies and large government agencies are generally centralized in New York City, Chicago, Texas, California and Washington, D.C. These cities will be the hotbed of hiring activity in cybersecurity for the next several years with a heavy emphasis on East Coast demand (and availability of talent). ediscovery, as it has matured, has reached widespread geographic demand, including a notable need for talent in areas like Seattle, Kansas City, Florida, Charlotte, Indiana and Ohio in recent years. It remains to be seen whether cybersecurity job demand will become readily available in third-tier markets. Other glaring similarities include both career paths dealing with large volumes of data and data analysis in pursuit of the smallest, most important piece of needed information. This means anyone who deals with big data, data collection or forensic analysis will have a place in both industries. Both disciplines require a blend of written and verbal communication skills coupled with strong technical savvy, ideally at an administrative level. Both rely heavily on the use of third-party consultants and vendors, which means jobs will be abundant in that silo of opportunity. ediscovery has certainly trended toward the increased usage of managed service contracts for law firms and corporations in the last few years, resulting in aggressive staffing in service providers. Cybersecurity currently shares this same trend. Cybersecurity and its value and importance to the health and success of any institution have moved more quickly from social consciousness to corporate consciousness. Following Tech Trends. Both cybersecurity and ediscovery share an evolving technology landscape. It took ediscovery almost a decade to develop clear market leaders in technology, and some would argue that evolution is still a work-in-progress. Few would deny the dominance of tools like Relativity, Nuix, Ringtail and LAW in today s semi-mature ediscovery landscape. Cybersecurity still feels like the Wild West as technology is requiring constant real-time development to protect and defend against the world s latest and greatest malware and hacking community. The cybersecurity technology market today appears more fractured, with a variety of players fighting over supremacy for software (and service). Large malware detection players include Symantec, McAfee, Kaspersky, TrendMicro and Barracuda Networks. Other players in the space to watch for on network traffic analysis or forensics include Arbor Networks, Damballa, Fidelis, Lancope, Sourcefire s AMP, RSA, FireEye and BlueCoat. Expected endpoint behavior analysis leaders include Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware. Guidance s EnCase is a skill set for both ediscovery and cybersecurity professionals. This article will explore these specific skill sets later, but first, we will investigate differences in ediscovery and cybersecurity careers and how they expose key variances in the kinds of professionals who will be successful in the long term in both fields. HOW THEY ARE DIFFERENT While ediscovery certainly has it s celebrity cases (Enron, Vioxx, Madoff), never has the word ediscovery been seen in the headlines daily on CNN, FoxNews and MSNBC alongside Sony, North Korea, Target, Home Depot and James Franco the way cybersecurity was in Even with the recent Hillary Clinton debacle, no one is calling it ediscovery on the news. Cybersecurity is arguably a household word around the globe now, while ediscovery remains a term legal COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. DDEE ISSN

3 3 professionals use colloquially. For this reason, cybersecurity and its value and importance to the health and success of any institution have moved more quickly from social consciousness to corporate consciousness. For years ediscovery has fought to gain visibility and priority among its corporate clientele s budgetary spend. It was not until the economic collapse of 2008, which resulted in rapid deceleration in ediscovery processing, hosting and review costs, that most corporations took a meaningful approach to staffing in-house and institutionalizing enterprise software. Mainstream media coverage has propelled cybersecurity viability as a profession and given it credibility, importance and increased demand in the world. Ambitious individuals will capitalize on the timing of the wave of social consciousness shifting to corporate consciousness and cash in on the actual and perceived value of their talents. Compare and Contrast. As a point of comparison, ediscovery processing once commanded $1,500 to $2,000 per GB. Now, processing is often free when bundled, or priced in the $100 to $500 range per GB. It has taken 10 years and the second greatest economic collapse since the Great Depression to shift the pricing of ediscovery services. Cybersecurity, whether reactive or proactive, whether software or service, is not inexpensive. Commanding a premium professionally often equates to intense travel, and this is an important element to consider for any cybersecurity professional. For the most part, ediscovery professionals are not road warriors. Yes, they work long hours, but only the minority of professionals working in the space travel more than 20 percent of the year. Cybersecurity professionals travel constantly. Expect this if you consider transitioning into the field. Since most cybersecurity jobs deal with incident response to data breach or preventative planning, and because the hiring is primarily in the consultancies and vendors, visiting the client site is critical to the work at hand. Aspiring cybersecurity professionals should anticipate a 40 to 80 percent travel lifestyle quite different from ediscovery. Seasoned cybersecurity professionals might score that unique in-house corporate cybersecurity role, keeping them grounded, but the bulk of opportunities will be traveling ones. Educational Opportunities. One stark difference between ediscovery and cybersecurity is that, unlike in ediscovery, you can go to school at many leading institutions across the country and get a bachelor s degree in cybersecurity. Bryan University has a fantastic ediscovery graduate certificate program that is soon to mature to the one-and-only ediscovery bachelor s degree in the country, and Barbri s CEDS has quickly become the industry standard in basic ediscovery certification, but numerous established and often Ivy League schools boast cybersecurity undergraduate degrees. The list is long but includes the University of Maryland, Carnegie Mellon, Oklahoma State University, George Mason University, Utica College, Southern New Hampshire University, Colorado Technical University, St. John s University and more. Over the next four years, the availability of education in the cybersecurity industry at the undergraduate level will create a pool of readily available, inexpensive talent. ediscovery did not have this luxury, and therefore salaries for ediscovery professionals increased by 20 to 50 percent annually between 2002 and 2006, causing rapid job hopping, lack of job title and job role standardization, bloated salaries for some and behindmarket compensation for others and a constant musical-chair culture in the Am Law and service provider community. Cybersecurity professionals are scarce right now, but there are hundreds of young, hungry up-and-comers making their way into the market looking for opportunities. While talent coming directly from educational institutions will eventually saturate the market, it will take years for those young professionals to gain the experience needed to address the cybersecurity needs of clients arising in the next 24 months or more. This, coupled with the immediate need for talent to conduct audits on data breaches, will create a robust market for contract cybersecurity staffing in the coming years. Grooming undergrads to transition from educational experience to professional experience takes time, so cybersecurity professionals with one to three years are highly sought after for short periods of time. Most of the companies hiring contractors will be the big consultancies adding bandwidth to their more seasoned consultants. ediscovery did not have this unique abundance of contract opportunities when the industry began, but now a career as a contracting ediscovery professional, traveling from project to project, much like audit to audit, is very viable. Contractors in cybersecurity, however, must be extremely technical. There is no such thing as a hacking hold order; hackers do not stop and do not sleep. Neither must cybersecurity professionals. Data Differences. Another key difference between ediscovery and cybersecurity aimed at the more technical professional revolves around live data versus dead data. ediscovery has the luxury of legal hold orders, which means at a court-appointed date and time, data cannot be deleted and must be collected in preparation for discovery and examination. But there is no such thing as a hacking hold order. Hackers do not stop and do not sleep. Neither must cybersecurity professionals. Some ediscovery pros (and rightfully so) would quickly argue that they never sleep either, but cases do come to a close. A network is, for the purpose of this analogy, an organism. ediscovery is focused on dead data while cybersecurity is focused on live data, the behavior of data, anomalies in data usage and access, and at no point does the pursuit of additional information to help protect a network ever stop. If ediscovery is an autopsy, cybersecurity is invasive and investigative surgery. This means the level of analytical thinking in cybersecurity is intense and requires a curious mind, one that is constantly learning about the new malware and technology utilized. DIGITAL DISCOVERY & E-EVIDENCE REPORT ISSN BNA

4 4 Timing Differentials. Identification of issues in cybersecurity goes well beyond the key word searches and codification of responsive and nonresponsive documents in ediscovery. New problems happen in real time, not review time. This requires a different level of people management, individual talent and technology aptitude. It will be harder for ediscovery lawyers to become cybersecurity professionals than more technical litigation support counterparts. However, there is a path for practicing cyber attorneys! In the specific vertical of the practice of law, as it relates to cybersecurity and ediscovery, the differences are extreme. For years, many ediscovery professionals expected (hoped) that practice groups would evolve within the Am Law 100 that were specifically focused on ediscovery services. This did not happen in abundance. Most ediscovery work remains under the umbrella of the litigation group. There are exceptions to this rule, notably Scott Carlson s group at Seyfarth, Paul Weiner s at Littler and arguably the edata group at Morgan Lewis. If ediscovery is an autopsy, cybersecurity is invasive and investigative surgery. Niche Practice. Data privacy and protection, however, have begun to evolve into separate, niche practice groups worthy of marketing individually. Major law firms in the Am Law 200 have begun rapidly developing practice groups focused exclusively on data breaches, privacy and cybersecurity. BakerHostetler s Privacy and Data Breach Protection practice group led by Gerald Ferguson and Theodore Kobus III counsels healthcare providers, government entities, financial institutions, data processors, and retailers of all scales [on keeping] information secure, responding quickly when a data breach occurs, and defending in litigation that may arise as a result. The firm even has a Toll Free 24-Hour Data Breach Hotline available to clients and potential clients of the firm. Jones Day has made several recent talent acquisitions in order to grow their burgeoning Cybersecurity, Privacy & Data Protection practice group, including Jeffrey Rabkin. Other notable players in the space include Miriam Wugmeister of MoFo, Christopher Wolf at Hogan Lovells, Mary Ellen Callahan of Jenner & Block and a host of boutiques focusing on the niche including Marc Zwillinger of ZwillGen. If you are a litigation attorney aspiring to practice law around cybersecurity threat and response, now is a great time to seek the education needed to make the transition. FLIPPING YOUR HOUSE: HOW TO BECOME A CYBER PRO For technical professionals in either cybersecurity or ediscovery who are asking themselves, How can I cross train or transition to the other discipline? there is one undeniable binding skill: forensic collection of data. Those professionals who are certified forensic examiners, investigators and data collections experts are well suited to convert into cybersecurity professionals, particularly around incident response audits. EnCase certifications are often required for entrylevel cybersecurity professionals needed to do the basics of collecting data from devices involved in a potential breach. Those leaning toward the forensic side of ediscovery who feel they have no upward mobility beyond collecting data should veer toward cybersecurity for a far more lucrative and challenging career path. In order for an ediscovery professional to begin this career transition, there are two logical routes, which are not mutually exclusive. The first path could be to seek one of the many cybersecurity certifications discussed below. Although certification may not be a listed requirement in the hiring process, it is a barometer of your aptitude in the subject matter and looked upon favorably by hiring managers. The second and lengthier route is the aforementioned pursuit of formalized education in the form of a cybersecurity degree. Both a bachelor s and a master s degree can be pursued. An important note: Make sure the school you choose is accredited and seek out graduates from that program to ask about their experience gaining their degree and post-degree employment. The landscape and value of certifications for both ediscovery and cybersecurity professionals can be confusing as there is no certification that is accepted worldwide as the one in either space. Certification sources fall into four broad categories: schools and universities, vendor/technology-sponsored, association/organization-sponsored and governmentsponsored certifications. For those with existing ediscovery experience who are seeking to repurpose skills, certification is the most direct and cost-effective route to full employment. For the lawyer looking to begin a career in privacy and data security, it is important to be active in the International Association of Privacy Professionals and to achieve the base level CIPP certification. On the more technical side, there is a litany of competing certifying bodies: ISC(2), ISACA, EC-Council, GIAC and ComptTIA. While ISC2 s CISSP and ISACA s CISM certifications have become the de facto standard, neither is an entrylevel certification nor requires a minimum of five years of hands-on security experience. High-quality entrylevel certifications include CompTIA s Security+ and GIAC s Security Essentials (GSEC), requiring little or no practical experience. This could be a perfect starting point for the ediscovery professional. Advanced or niche certification exists for numerous specialties including penetration and ethical hacking, managerial level certifications in the form of CISM and the CRISC for risk management professionals. The CEH (certified ethical hacker) certification seems to be becoming of greatest value and demand. This certification can get a novice to an intermediate position quickly. Practical Experience Required. Gaining hands-on and practical experience is critical to a successful transition into cybersecurity and full-time employment. An ediscovery professional with some of these security certifications is well-positioned to take advantage of the current temporary staffing market for cybersecurity audits, gaining practical experience and carving a pathway to COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. DDEE ISSN

5 5 permanent employment after proving him or herself to be a strong contract asset. Jeff Scarpitti (jeff@trustaffingpartners.com) is one of the premier recruiters in the privacy and cybersecurity industries and the cofounder and president of TRU Cyber. A former practicing attorney, Jeff has more than 20 years of experience in the forensics and legal technology industry. Jeff is a frequent moderator, speaker and author on hiring strategies and development in the privacy and data security space. Jared Michael Coseglia (jared@trustaffingpartners.com) is the founder and president of TRU Staffing Partners ( With more than 12 years of experience representing talent in ediscovery, litigation support, cybersecurity, and broadly throughout legal technology staffing, he has successfully placed over 1800 professionals in full-time and temporary positions at the Am- Law 200, Fortune 1000, and within the consultancy and service provider community. Coseglia is an active speaker and published author on trends in the legal technology job market. Another option is serving an internship, which is often required by cyber degree programs. Another alternative is to participate in any cyber-oriented work or task within your current employment. Nearly every organization/law firm or vendor is forming cyber committees, breach response teams and multidisciplinary groups that are supporting the organization s efforts to achieve ISO certification. Each of these teams can and should have representation from the organization s ediscovery staff. This is an excellent opportunity to volunteer and to expose yourself to critical hands-on knowledge. THE THING WE ALL HAVE IN COMMON The common theme for all aspiring professionals is the need to invest in your career, internally and externally. It is imperative that prospective cybersecurity professionals demonstrate a thirst for knowledge and the ability to self-educate. That thirst has always been the common link between ediscovery professionals who have rapidly risen in the industry. Cybersecurity is no different. The industry is in its infancy and the opportunity to make your mark professionally on the industry is palpable. There is tremendous opportunity for ediscovery talent to transition if they self-invest, stay patient and challenge themselves to go beyond the EDRM and into the bigger picture of big data and legal compliance. DIGITAL DISCOVERY & E-EVIDENCE REPORT ISSN BNA