Editor’s Note: This article, co-authored by teams at Relativity and Array, was first published on Array’s blog in April 2021. The tips shared remain relevant and helpful, so we’re republishing this content to help you prepare your tech procurement strategy for 2024.
When law firms or legal teams decide to integrate a new SaaS platform into their workflow, there is often a lengthy procurement process. Some of the most important questions to ask during that process are about security, but many organizations, especially those without a robust security team of their own, may not know where to start.
Any questions for legal tech SaaS vendors on cloud security should cover three main areas: technology, process, and people.
- Technology: A security program starts with the technical controls the provider implements; this is the foundational element that any security-minded vendor invests in first.
- Process: Then comes process, meaning that they have created guidelines and processes for teams to follow to keep the product secure.
- People: Most importantly, the people element comes in. Everyone at the vendor, not just its security team, needs to know and follow the protocols set forth to keep the product and customer data safe.
A SaaS vendor simply won’t be successful in providing adequate security in the cloud if they don’t focus on those three elements, so it’s crucial to ask questions that touch on them.
To check for comprehensive strategies in these areas, ask future vendors the following key questions. Doing so will help you avoid any major pitfalls and ensure that your partnership provides the level of security that you’re looking for.
1. Is the technology well-known and widely used?
When evaluating a SaaS platform, it is important to consider its adoption rate within the industry. When other corporations and law firms already trust a provider with their most sensitive data, that is a strong signal that the provider has passed those customers' security reviews. Treat it as supporting evidence, not as a substitute for your own review and for the audit and assessment reports discussed in question #5.
Also, take note of how many of their clients are large players, such as Fortune 500 companies or AmLaw 100 law firms. These organizations typically have sophisticated cybersecurity evaluation processes in place that can only be met with an equally sophisticated and strong security program.
2. How well trained are your employees when it comes to security?
Security awareness training is crucial. One accidentally clicked link in a phishing email could have major consequences for an entire organization, affecting its product, communications mechanisms, and, ultimately, its customers. While many organizations install effective spam filters, you cannot rely on those alone to prevent incidents.
Trained employees make a massive difference. Even with the sophisticated, AI-powered email filters on the market today, nefarious notes make their way to real inboxes from time to time. At the end of the day, technology cannot replicate gut instinct. Employees are ultimately the first and last line of defense against phishing and social engineering. They must be informed and aware of how to stop phishing in its tracks.
Don’t forget to ask about whether or not the vendor has a formal security awareness program and if/how they measure its efficacy (see question #5 for more advice on that).
3. How do you handle third parties who have access to the SaaS platform or the data?
It’s important to remember that when you bring on a SaaS platform, you’re relying on the team behind it to keep your environment up and running. Make sure that they require your explicit authorization before their staff can access your production environment, that such access is time-limited and logged, and that any copy of your data held for their purposes is purged as soon as it’s no longer required.
4. What access controls do you have in place for the day-to-day users in the platform?
You want to ensure that the people who are using the product day in and day out can access only what they need in order to do their job (the principle of least privilege). Users shouldn’t have access to sensitive or private data for a matter that they’re not involved in, and they shouldn’t want others to have access to what they’re working on either.
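As an added illustration of the two access-control questions above (question 3, vendor staff access, and question 4, day-to-day user access), and not code from the original article or from Relativity or Array, the following Python sketches the kind of deny-by-default check a buyer would want a platform to perform: users get only the actions their role on a specific matter permits, vendor support staff get nothing without an unexpired, customer-approved grant, expired grants are purged, and every decision is written to an audit log. The role names, matter identifiers, users and grant are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permitted actions on a matter. Hypothetical role names chosen for
# this example; a real platform defines its own.
ROLE_PERMISSIONS = {
    "reviewer": {"read"},
    "case_admin": {"read", "write", "export"},
}


@dataclass
class SupportGrant:
    """Customer-approved, time-boxed access for one vendor employee to one matter."""
    subject: str          # vendor employee identity
    matter: str
    actions: frozenset    # what the customer approved them to do
    approved_by: str      # customer-side approver
    expires_at: datetime  # the grant is dead after this instant


@dataclass
class Tenant:
    # matter -> {user -> role}; a user absent from a matter has no access to it.
    matter_members: dict = field(default_factory=dict)
    support_grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


def authorize(tenant, subject, matter, action, now, vendor_staff=False):
    """Deny-by-default decision for one (subject, matter, action).

    Day-to-day users get only the actions their role on *that matter* permits.
    Vendor staff get nothing unless the customer approved an unexpired grant
    naming them, the matter and the action. Every decision is logged.
    """
    allowed, reason = False, "no role on matter"
    if vendor_staff:
        reason = "no customer-approved grant"
        for g in tenant.support_grants:
            if g.subject != subject or g.matter != matter:
                continue
            if g.expires_at <= now:
                reason = "grant expired"
                continue
            if action in g.actions:
                allowed, reason = True, f"grant approved by {g.approved_by}"
                break
            reason = "action not covered by grant"
    else:
        role = tenant.matter_members.get(matter, {}).get(subject)
        if role is not None:
            if action in ROLE_PERMISSIONS.get(role, set()):
                allowed, reason = True, f"role {role}"
            else:
                reason = f"role {role} does not permit {action}"
    tenant.audit_log.append(
        {"at": now.isoformat(), "subject": subject, "matter": matter,
         "action": action, "vendor_staff": vendor_staff,
         "allowed": allowed, "reason": reason})
    return allowed


def purge_expired_grants(tenant, now):
    """Drop grants that have expired so stale vendor access cannot linger."""
    before = len(tenant.support_grants)
    tenant.support_grants = [g for g in tenant.support_grants if g.expires_at > now]
    return before - len(tenant.support_grants)


def demo():
    """Constructed scenario: two matters, two users, one vendor support engineer."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    t = Tenant(matter_members={
        "matter-A": {"alice": "reviewer", "bob": "case_admin"},
        "matter-B": {"bob": "reviewer"},
    })
    # The customer approved read-only support access to matter-A for four hours.
    t.support_grants.append(SupportGrant(
        subject="vendor-eng-1", matter="matter-A", actions=frozenset({"read"}),
        approved_by="firm-admin", expires_at=now + timedelta(hours=4)))
    results = {
        "alice reads A": authorize(t, "alice", "matter-A", "read", now),
        "alice exports A": authorize(t, "alice", "matter-A", "export", now),
        "alice reads B": authorize(t, "alice", "matter-B", "read", now),
        "bob exports A": authorize(t, "bob", "matter-A", "export", now),
        "vendor reads A": authorize(t, "vendor-eng-1", "matter-A", "read", now, vendor_staff=True),
        "vendor writes A": authorize(t, "vendor-eng-1", "matter-A", "write", now, vendor_staff=True),
        "vendor reads A later": authorize(t, "vendor-eng-1", "matter-A", "read",
                                          now + timedelta(hours=5), vendor_staff=True),
    }
    purged = purge_expired_grants(t, now + timedelta(hours=5))
    return results, purged, t.audit_log


if __name__ == "__main__":
    results, purged, log = demo()
    for name, ok in results.items():
        print(f"{name:22s} -> {'ALLOW' if ok else 'DENY'}")
    print("purged grants:", purged, "| audit entries:", len(log))
```

The point to take from the sketch is what to ask the vendor for: membership is scoped per matter rather than per tenant, an absent role means deny rather than a default role, vendor access is an explicit record with an approver and an expiry rather than a standing permission, and denials are logged as carefully as approvals so that a review after an incident has something to read.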
5. Do you have any measurement around the efficacy of your security program?
This is an area where many have tried to institute some guidelines. What makes a program strong versus the baseline? What is the baseline? Is there a simple scale to say, “Our program tests at 4.5/5?”
The answer can be simplified by asking what maturity models or measurements the vendor uses. For example, Relativity aligns with the NIST Cybersecurity Framework as well as several others. This provides common ground for speaking with customers who also align to or are familiar with this assessment. Other measurements can be found in audit findings, penetration test results, SOC 2 Type II reports, and additional home-grown maturity measurements. Ask how they measure themselves, how they move the needle, and what areas they are focusing on to grow in the year ahead.
Seeking Harmony in a SaaS Provider
When the responses to these questions begin coming in, it is important to look for an aspect of technology, process, and people within each response and not just sprinkled throughout them. While each element is extremely important on its own, individually they cannot function at full capacity without the presence of the other two.
There is a reason most of us started out first riding a tricycle and not a unicycle or bicycle. The three wheels working together gave us the most secure option with the least risk of falling, especially on rough terrain.
When it comes to cybersecurity, the same principle applies. In today’s ever-changing threat landscape, a SaaS provider that applies technology, process, and people only piecemeal, individually or even in pairs, across its security framework is not enough. The most secure provider, and the one carrying the least risk, will have all three working together in harmony at every step.
Knowing that your vendor is spending time planning for various scenarios can make all the difference, and as President Dwight D. Eisenhower once advised: “In preparing for battle I have always found that plans are useless, but planning is indispensable.”
Julia Helmer is director of client solutions at Array, a RelativityOne Certified Partner. Julia has more than a decade of experience in e-discovery.