How Irwin Mitchell Developed a Robust Cybersecurity Strategy
Based in the UK but with a global reach, Irwin Mitchell is truly dedicated to its core mission: helping clients navigate all of life’s ups and downs.
This full-service law firm offers no fewer than 180 unique legal and financial services across numerous different areas, protecting both families and businesses in the process.
With more than 3,000 staff members covering more than 200 countries worldwide, Irin Mitchell has a truly international presence.
CISO Graham Thomson paints a picture of what makes Irwin Mitchell such a trusted and well-respected organisation.
“Whether clients are moving, planning for retirement or need support after a life-changing injury, we can help,” he explains.
“For businesses, whether it's resolving a dispute, buying or selling a commercial entity or helping protect their people and the planet from an ESG point of view, we offer more than just legal advice.
“Our approach is based on building up long-lasting, trusted relationships and we're also committed to being responsible – which goes further than the law.”
Spearheading transformation
When Graham joined Irwin Mitchell in 2017, the business was primarily reliant on on-premise legacy technologies and had, a few months prior, experienced some operational downtime as a result of a cyber attack that caused an IT outage.
Over the ensuing years, he and his team have been putting in place and implementing a significant technology transformation which has involved migrating to the cloud and replacing outdated systems.
In conjunction with this, Graham has spearheaded a comprehensive security strategy and transformation, not only through advanced technologies but by cultivating a robust security culture across the organisation.
Elsewhere, Irwin Mitchell has navigated the various challenges posed by COVID-19, adapting to new ways of working.
Graham says: “The legal sector had a lot of catching up to do: working from home, digitisation, moving away from what were legally-required paper-based, wet-signature processes.
“The whole culture of the sector and the way it operates was thrown up in the air. We saw a lot of changes and our business had to adapt very quickly, but technology was the key enabler.”
Overall, and from a security perspective, Graham is pleased to report that the Irwin Mitchell of today looks vastly different to the organisation he joined seven years ago.
He adds: “We’re hugely transformed, far more resilient and we have a much stronger posture against cyber threats.”
A phased cybersecurity strategy
Initially, Graham’s focus at Irwin Mitchell was to implement the foundational cyber hygiene controls that mitigate 99% of cyber risk, according to metrics provided by Microsoft.
Security culture was also an issue he was keen to address – not just at lower levels of the organisation, but at the very top.
He says: “We’ve transformed the security culture from security being perceived as an IT issue to it being seen as a business risk – because that’s what it is.”
If that was phase one, phase two involved automating several security processes and integrating advanced, AI-driven solutions.
Now in phase three, Irwin Mitchell – thanks to Graham’s expertise – has established itself as a cybersecurity leader within the legal sector, with particular emphasis on resilience and proactive threat management.
Harnessing the power of AI
Unsurprisingly, AI – both analytical and generative – plays a pivotal role in Irwin Mitchell’s cybersecurity efforts.
Analytical AI is already embedded in some of the security products it uses, such as Extended Detection and Response (XDR), which provides monitoring 24/7, 365 days a year.
The most important thing here, from Graham’s perspective, is generating automated responses to whatever threats come Irwin Mitchell’s way.
“It really does work like a dream,” he enthuses. “You set up the rules and, when it detects a threat, it reacts automatically to prevent an incident from happening.
“It then alerts our SOC team who can triage, but not in the traditional sense. Instead, they’re looking at whether the block was justified or whether it was a false positive. A false positive might have a minor impact but it’s better to be safe than sorry – that’s the approach we take.”
Analytical AI is also enhancing email filtering and phishing alerts, coming in particularly useful when Gen AI is being used to enhance phishing emails and social engineering tactics.
Graham adds: “AI really helps complement that human, educational side of phishing detection and prevention, so we can mitigate threats in a much more efficient, user-friendly way.”
On the Gen AI front, the emerging tech is being used by Irwin Mitchell to automate various previously-lengthy and manual processes, including security document reviews, document creation, writing scripts for security systems and even answering third-party questions when due diligence is taking place.
Graham continues: “What Gen AI really excels at is taking lots of information and extracting the relevant bits that you need. Fair enough, you could do it manually, but Gen AI speeds things up and can be very effective.”
AI a ‘turbo booster’ for Irwin Mitchell
Plenty of conversations since Gen AI’s mainstream breakthrough have revolved around its potential to replace humans in the workplace.
However, Graham perceives the technology as a skills booster, especially for businesses with relatively small teams – complementing their work, acting as a troubleshooter and there to be used as an additional source of research and learning.
“You’ve still got to verify your sources,” Graham emphasises. “Humans are still very much responsible for making sure information is accurate, but Gen AI does speed up these processes.”
At Irwin Mitchell, Graham has been passionate about ensuring widespread utilisation of Gen AI – not just within his security team, but in other IT teams and those across the business.
He recently developed a secure, in-house Gen AI tool and has been involved in a range of additional projects in this area, ensuring employees can understand and tackle use cases.
The security team specifically has been harnessing the power of those same tools, but also more bespoke, security-focused Gen AI solutions that are embedded in products.
These have proved to be a “turbo booster”, Graham says, in areas like troubleshooting issues, reviewing and improving code for security systems and automating processes that were previously carried out manually – such as creating content for user education.
“This frees up time so that teams can focus on more important things,” Graham goes on.
“The human's always going to be the expert. It's not a case of dumbing down on skills – you still need to have the knowledge background even to be able to use the tools for efficiency, but it is like having extra assistance in the team.”
Combatting sophisticated cyber attacks
Combatting increasingly sophisticated cyber attacks is undoubtedly a tough task for Graham and his team members. The trick is staying ahead of bad actors as their tactics evolve.
Irwin Mitchell achieves this by continuously updating security measures, from a technical point of view by investing in advanced technologies, as well as from a policy education and awareness point of view.
“In some cases, it's not just about buying a product and putting it in place,” says Graham. “Once you’ve got those products, how do you best use them? How do you add rules that are tuned for your business? Because every business is different; what works for one might not work for another.
“You have to keep on top of it all the time because it’s a moving target.”
Fostering that strong security culture once again comes to the fore here.
Graham points to the fact that no two people in the business have the exact same understanding of or approach to technology thanks to their different ages, educational experiences and risk appetites.
“You've got generations where technology is still a relatively alien concept and you've got others that have lived and breathed it from day one,” Graham explains. “How they interact with technology is very different.
“We have to cater to everyone and educate people on how they can be secure.”
Wiz: A standout partner
Clearly, Irwin Mitchell can’t go it alone when it comes to security.
The firm has a small number of strategic partners which have become critical to its success in this area – and chief among them is cloud security specialist, Wiz.
“I can genuinely say this has been one of my best security purchases in my 25-year history of doing this,” a buoyant Graham adds.
“Wiz has proven to deliver exactly what they promised and more with agentless ease. Often, deploying a big security change in a business is not a smooth journey and an agentless approach is perfect for dealing with that.”
Wiz connects via API in minutes and provides full coverage across cloud resources, including platform-as-a-service, virtual machines, containers, serverless functions, without disrupting business operations. The agentless approach also means Irwin Mitchell can scale security efforts seamlessly without impacting performance.
Graham says one of Wiz’s standout features is its comprehensive risk assessment capability, which continuously enforces, detects and reports on correct or incorrect configurations, monitors workloads and vulnerabilities, and keeps a vigilant eye on Irwin Mitchell’s most sensitive data.
“What I love about the software is that it can not only tell you what the problem is, but also how to fix it,” he continues. “That really helps to tell the story when you’re working with stakeholders to fix an issue.”
The list of benefits provided by Wiz goes on. From its security graphs and threat centre, to compliance heatmap and advanced controls for cloud detection and response, the business has dramatically enhanced Irwin Mitchell’s cloud security posture and streamlined processes to ensure its operations centre in this area is as efficient and effective as possible.
What next for Irwin Mitchell?
Over the next couple of years, Graham and his team look set to focus on further strengthening automating Irwin Mitchell’s cyber defences, integrating more advanced AI-driven solutions to speed up the SOC and other security processes.
The plan is to embed Gen AI into core security systems, giving it visibility of all security metrics and data points and enhancing the risk management process.
“Having as much automation as possible is really key,” Graham concludes. “We’ll also have a particular focus on securing the cloud as we continue that digital transformation, moving from on-prem to the cloud.
“All this will help us maintain our position as a leader in cybersecurity within the legal industry.”
**************
Make sure you check out the latest edition of AI Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
**************
AI Magazine is a BizClik brand