Comments: Should a security professional have a legal background?

Ian,

I enjoyed meeting you at the recent conference. I have also enjoyed reading your blog. It is a problem that formal courses in law do not treat electronic evidence in depth. It is even more troubling that judges do not have adequate training to understand even the basics of electronic evidence. Consequently, some judges defer to special masters in electronic discovery issues.

In an August 21, 2008, article "Beware Masters in E-Discovery," William McLean cautions that reliance upon masters can, in many instances, exacerbate the problems. Litigation is now more of a discovery battle than a contest upon the merits of a dispute.

The solution will never be to expect or require security professionals to have formal training in law. While security professionals can, in only some instances, benefit from such training, it is far better to have legal professionals provide their insights and advice to security professionals and the public in a more comprehensible manner. As suggested by Richard Susskind, lawyers can gain a competitive edge by packaging their legal knowledge and information (as opposed to advice) in a more easily digested form (e-books, intelligent agents, etc.). I look forward to the day when I can sell my legal knowledge (information, really) at a reasonable cost to a vast audience. Perhaps a legal information e-book for security professionals would be a good start!

Daniel Perry
US Attorney and Civil-Law Notary

Posted by Daniel Perry at August 26, 2008 07:23 PM

Thought I had correctly submitted the links but here they are:

Law.com: Beware Masters in E-Discovery
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202423930302

Richard Susskind
http://www.susskind.com/

Posted by Daniel Perry at August 26, 2008 07:28 PM

Having worked as an information security professional, gotten a law degree, and done much thinking at the intersection of security and law, I'd say the answer is "yes and no." At a high level, law and security are trying to solve the same problems: fraud, theft, privacy, etc. In this regard much of the law is highly evolved and information security is a neophyte. Much law condenses centuries' worth of practical experience about what people tend to do to each other and ways of preventing or redressing it. On the other hand, many security threats are novel, and neither the law nor information security deals well with them.

Today, law as well as security professionals and protocols are generally both needed to address major information security problems, such as phishing and identity theft. Often, as Ian suggests, accounting and auditing are also needed.

When security protocol designers invoke imaginary entities such as "trusted third parties", usually in practice this means that law, accounting, or both are needed. A security protocol designer who is aware of the strengths and limitations of these traditional methods can do a far better job, for example by using information security to enhance legal enforcement (e.g. through better evidence gathering), or by filling gaps in the law, rather than trying to invent complete solutions from scratch.

As a practical matter, though, people with law degrees tend to get channeled (by guild regulations as well as cultural habit) into doing just law, and security professionals tend to be unaware of most legal issues. As a result, cross-learning and teams involving both lawyers and security professionals are a more practical way to go for solving real-world security problems than trying to find people experienced in both. For information security professionals, getting a law degree will probably not substantially advance their careers unless they want to switch entirely to law.


Posted by nick at August 28, 2008 08:24 PM