Garfinkel on Computer Security – Keep It Simple

Simson Garfinkel’s “Keep It Simple” article on does a nice job of laying out one of the fundamental issues of computer security – how do you balance security against usability.
Garfinkel says:
“If you’re not thoughtful about your approach to balancing computer security with computer usability, you may end up with neither.”
He also notes that a few new developments are helping out us users. “Today, features like file encryption and disk sanitization are built directly into applications and operating systems. The result is that using cryptography to protect a document is now much easier.”
Garfinkel advocates something he calls “secure usability”:
“A good user interface sitting atop a strong security substrate is a good start, but it’s still not enough to create applications where security and usability go hand-in-hand. That extra step?something I call “secure usability”?comes from a user interface that guides the user to secure practices by making other practices difficult or impossible.”
His conclusion is definitely worth spending some time to think about.
“I believe that we can ultimately resolve many of the apparent conflicts between security and usability in a way that addresses both concerns. In the case of passwords, the answer would be to use fairly short passwords but to constantly monitor users’ behavior to see if they do anything out of the ordinary. If a salesman, for instance, starts trying to download secret plans for an unannounced product, I would want that salesman stopped?even if he authenticated using a password, a smart card and an iris scanner. The balance between security and usability should be fluid, not fixed.”
We, the users, have already shown over and over again that we need to be protected against ourselves when it comes to security. I think that Garfinkel may be on to something that will actually work in most situations. As they say, however, the devil will be in th details.

KM in Law Firms – The Cultural Issues

David Maizenberg at has posted “Knowledge Management and Law Firm Cultures,” which makes some good comments about Ron Friedmann and I’s “Strategies for Successful Knowledge Management in Large Law Firms.”
He also says:
“I wish they had gone into some of the cultural issues and challenges, because they are numerous and profound. How does one go about massaging the firm culture toward the kind of KM that we all know is becoming a requirement for efficient practice?”
Good point. Fortunately, I have an answer. Several years ago, I wrote an article called “Creating an Environment in Law Firms Where Artificial Intelligence and Knowledge Management Will Work” in which I tried to address some of the cultural issues. Although Several years have gone by and some of the technological examples might be a little dated, law firm cultures haven’t changed very much.
I like to tell people that if they really want to get a good measure of the level of trust and the general health of a law firm, just check on how willingly lawyers contribute “their knowledge” to KM efforts. For the acid test, though, look at their willingness to contribute their contacts to a Customer Relationship Management (CRM) system.

You Bought It, Now Audit It

Performing IT audits for law firms and corporate legal departments is one of the consulting services that I offer. You would think that this type of service would largely sell itself. However, lawyers are a hard-sell group. In many firms, even an initial assessment will likely help stop the bleeding of cash. I wrote about this topic in “Seven Easy Ways for Law Firms to Throw Away Money on Technology.”
But you don’t have to take my word for it. Bob Violino’s article “You Bought It, Now Audit It” does an excellent job of making the case for IT audits, with some great practical examples and some tips for getting the most benefit from the process.
The money quote:
“IT audits frequently begin with a risk assessment, in which an organization obtains an overview of the major systems and applications used to support critical business processes. The intent is to identify existing or potential areas of risk that should be addressed in future IT audits, says Paul Rozek, director of technology services at Jefferson Wells International, a Brookfield, Wisconsin, consulting firm that has seen its IT-audit work increase by 40 percent between 2002 and 2003. Organizations can then prioritize the audits based on the level of risk. That initial assessment can also give executives a good sense of the systems the organization has in place, and whether the company has sufficient expertise and staff resources to conduct subsequent, more-focused audits.”
The article also notes that audits can cover a variety of specific areas, including the commonly-overlooked area of software license management. Not to belabor the obvious, but I believe that my combination of tech expertise and my law practice that concentrates on software licensing and IT contracts makes a dynamite combination in the IT audit area, especially when you consider that many organizations seem to prefer to cast a blind eye to these issues, at least until they receive a BSA software audit letter.

New Electronic Discovery Column – “There Must Be 50 Ways to Store Your Data

George Socha and I’s new “Electronic Discovers” column has just been published on the excellent website.
The column is called There Must Be Fifty Ways to Store Your Data and focuses on the many devices and media on which data can be stored and the many different considerations litigators need to keep in mind when pursuing electronic discovery.
A great comment from George:
“By focusing on the content rather than the medium, you may increase your changes of getting the data you really care about. This is, after all, what we do when we ask for information memorialized on paper. Rare is the request for all pieces of orange paper kept by a company, no matter what is on the orange paper.”

My New 2 by 4 Feature Will Compete with Matt Homann’s Five by Five

I was talking with Matt “the [non]billable hour” Homann on the phone this morning and congratulating him on the wildly successful “Five by Five” feature that he has developed. I highly recommend the entire collection – Matt has come up with a cool idea and it’s amazing how the simple offer of a “Five by Five” t-shirt has brought out some of the most articulate and thought-provoking ideas about the practice of law you are likely to see outside of Law Practice Today. Sorry, the LPT promos have become a reflex action for me lately. All kidding aside, there is much wisdom in the two Five by Five collections and lots of great ideas that people should implement rather than simply talk about.
By the way, for those playing the game at home, I found myself, like Ernie, wishing that I had written Denise Howell’s response this week and Yvonne Divita’s response in the first week. Unfortunately, I’m far too young to do that “who’s your favorite Beatle?” thing, but I would pick Edge as my favorite U2-er.
Perhaps I digress.
In any event, I suggested several new Five by Five topics to Matt until he caught on that all of my suggestions led inescapably to the conclusions that (1) I was the perfect guest and (2) the questions were so calculated that Matt would have to change the name to One by Five.
By the end of the call, I have to admit that the little jealousy monster had climbed up on my shoulder and was whispering things in my ear. Why indeed have I mentioned Matt’s blog posting more than my own lately? Fortunately, the green guy had a great suggestion that I can’t wait to implement.
See what you think of this one . . . .
“The Two By Four ™.” It’s based on the old mule training proverb that you need to whack a lawyer, er, mule with a two by four just to get the mule’s attention. It will be a weekly collection of of four items from two well-known experts of things that most businesses already know or are already doing that it will take a whack from a two by four to get lawyers and law firms to pay attention to.
Since we’re talking about lawyers, maybe I should call it Four by Four. Let me know.
Unfortunately, I have no ideas yet to match the comedic stylings of Evan “The Funniest Blawger” Schaffer (see, e.g., “Types of Lawyers #4: The Lawyer Who Carries Another Lawyer?s Briefcase“) and Anonymous “Another Pretty Darn Funny Blawger, If Like Me, You Like That Kind of Humor and Spent Most of Your Career in Large-ish Law Firms” Blogger. Anonymous served notice on Evan today that Evan might have a little competition in the comedy category via Anonymous’s “Diary of an Anonymous Lawyer” post. Anonymous also used this post to move way up on the charts in the “blawger most likely to get a book deal out of this blogging thing” list, even though my money is still on the “one of the law professors” betting option.
Note: No mules were injured in the writing of this post.