IT director Nathan Hayes believes IT and infosec have become integral to the business – although he still is not on the company’s executive board
Nathan Hayes is IT director of law firm Osborne Clarke, an organisation with 1,800 employees, with offices across Europe, Asia and North America. The firm was established 250 years ago and has evolved over the years, incorporating both technology and information security as key factors of the business.
As a result, Hayes’ position has also transformed in the six years he has been at the company; he currently reports into the managing partner of the UK business and also to the CEO of the internal business.
“The UK business is the largest business so it traditional sets the tone and it’s where I’m employed but I also have responsibility for IT internationally,” Hayes tells NS Tech at Cyber Security Connect UK in Monaco.
Hayes emphasises that the IT strategy has to be aligned to the business and this means that the IT team is first and foremost supporting the structure of the business. Equally important, is for his team, as well as the business as a whole, to not consider the strategy as ‘static’ – as technology and client demands change, the law firm needs to adapt appropriately.
From a technical perspective, Hayes says that a cloud-based strategy provides the best outcomes.
“It has challenges of course but it is easiest to mitigate these challenges compared to mitigating an on-premise strategy and therefore it’s crucial to have a cloud-first approach,” he says.
To ensure the law firm is consistent globally, Hayes says that the company needs to operate on a single global platform. This drives both efficiency and best practice.
Finally, Hayes explains that the business needs to ensure it is at the forefront of leveraging technology in terms of the way in which it delivers services.
“This means creating a digital world where every aspect of what we do is best enabled by technology,” he states.
CIO-CISO dual role
Hayes has effectively taken on the CIO and CISO roles as IT director, although he has an information security officer that reports into him and a relatively small information security team as well. The company’s software team sits within its operations team, and therefore there are number of employees within that team that have information security responsibilities too. However, this is something that the business is currently assessing, as a result of the swift changes in cyber security in the legal sector.
Osborne Clarke has also undergone a thorough review of its information security arrangements recently.
“This was because of the introduction of GDPR and the potential fines involved – it’s clear with the findings of British Airways and others that the Information Commissioner is really bearing its teeth around GDPR and holding firms to task around information security. We therefore wanted to make sure our information security stance was appropriate but that also ensure that we can achieve what we’re trying to achieve,” Hayes says.
When it comes to juggling his responsibilities of both IT and information security, Hayes says it’s not a matter of spending time on one or the other as security underpins everything that his team does.
“The first question we ask is what we’re trying to do, the second question is how much [will that cost], and the third is how do we keep it secure – it’s a fundamental question that we have to ask whenever there is change. That change can be because of external factors, because the environment you’re operating in has changed, which is outside of your control, or [due to] internal factors in which we’re looking to change the way in which we operate using technologies – every time that happens we have to do the same thing,” he says.
Despite the prominent role cyber security and IT have taken in the legal sector and in businesses overall, Hayes says it is still uncommon for either CIOs or CISOs to be on the board at a law firm. Osborne Clarke has an executive board, a project council and an international board – and while Hayes attends meetings when invited to, he is not a permanent member of the board.
However, he believes this could change in the next few years. “I think it could change depending on the business and this isn’t just limited to information security; as law firms get to grips with and understand the importance in the way they provide their services, their marketing and financial performance becoming critical elements, I think we’ll see [the way the board is structured] changing,” he says.
