Building a Legal Career in SecurityAttorney Ron Raether Offers Insights on the Necessary Skills
When attorney Ronald Raether started his career, he was breaking new legal ground in technology and security. But today, with so much case law and so many regulations in these sectors, the demands for legal pros are significantly greater, and the bar is high, he notes.
"You have to be more specialized; you have to be thinking about what area of technology or information security you're really interested in," Raether says. "Is it retail? Is it hospitals? Is it doctors? Is it big data? Which of those areas are you really interested in developing skill sets so you can market and provide services to those specific industries?"
In an interview with Information Security Media Group (transcript below), Raether discusses his career path and the necessary skills for those entering the field today.
Raether began his legal career by indulging his personal interest in emerging technology. That led him to litigate Y2K cases at the turn of the century. In 2005, he took on his first work in breach response. Since then, he's become a prominent expert on information security and breach matters.
But as much as security threats and technology solutions have evolved, the fundamental skills of his profession remain much the same.
"When my kids were young, they would ask me what I do for a living," says Raether, a partner with the Ohio law firm of Faruki Ireland and Cox PLL. "The answer is: I solve people's problems. If you think about solving people's problems in the technology arena, first of all I have to be a good listener, and I also have to learn."
In an interview about career opportunities in law, Raether discusses:
- His own career path;
- Necessary skills for attorneys in security;
- Qualities he seeks in emerging legal pros.
Raether is a partner at the law firm Faruki Ireland & Cox P.L.L. in Dayton, Ohio. He has handled numerous matters involving technology-related issues in areas including antitrust, contracts, employment, trademark, domain name disputes and federal and state privacy statutes. He has addressed compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has worked as a data breach resolution coach for companies that have experienced unauthorized access to consumer data and also has advised organizations about developing their breach response.
TOM FIELD: What was your path to becoming an attorney and focusing on information security and breach response?
RON RAETHER: Well like many of us, I didn't know what I wanted to be when I grew up. Sometimes I ask myself that question today. Back when I was a young attorney, I was in a business litigation boutique, so doing a lot of different litigation matters and looking at some of the possibilities in the mid 1990s. Technology really attracted me. I was interested in it. Not only because when I was young I spent a lot of time on an Apple PC and a Commodore 364, and then obviously some of the Microsoft machines later on, but also the fact that a lot of the law in this area was yet to be developed. It was extremely intriguing for me and interesting to be engaged both on the business issues for information technology as well as cutting edge legal issues.
I volunteered and got involved in any case that came in the door that had any inclination to technology, and one case led to another. I did a large point-of-sale computer application, a breach of contract case in the mid-1990s, and then some Y2K class actions. I built up a repertoire of knowledge and skills around technology and the law. In 2005, I got an opportunity to assist a company with a relatively new phenomenon, data breaches, and really ushered that company through some unchartered waters, developed more skills and more expertise, and eventually found a practice that fits both my intellectual intrigue as well as my interest from a recreational hobby perspective.
FIELD: What were your essential skills and experiences you needed to put to use, and in the role you have today?
RAETHER: When my kids were young they would ask me what I do for a living. And the answer is, I solve people's problems. So if you think about solving people's problems in the technology arena, first of all I have to be a good listener. I also had to learn. One of the intriguing things about my job, and that I really enjoy, is that I deal with a lot of different companies, technologies, and market verticals from retail to healthcare to data aggregators, and each of those have different approaches to technology. So the ability to listen and learn was essential. Likewise, being a good communicator. So that really, in this field, starts with being able to understand the technology to understand the language that is used by people in information technology. But importantly, being able to take that terminology and translate it and use it in the board room with judges. Ultimately, the best case is whether I'm able to be a good translator in whether I can explain sometimes complicated scenarios to a jury. And so being able to listen, learn, problem solve, and having the technical expertise and being able to communicate that all to a jury is an important skill set.
Starting a Career Today
FIELD: What might you have to do differently if you started your career today?
RAETHER: Back in the mid-90's, and even at each point in my career where I was dealing with different information technology issues, I was plowing new ground. There weren't a lot of attorneys out there that were dealing with these issues. There wasn't a lot of law. There were a few statutes, a few regulations, and over time I've been able to be part of helping to develop those laws, helping to developing the techniques and the like. Today it's much different. There has been a lot more discussion and conversation. There are more regulators, more regulation, there's more case law. There is a lot more specialization then there was when I started.
So I think because of that difference in the environment, rather than being somebody who is intrigued about an issue and delves into it and finds creative responses to those new and evolving issues, I think today you have to be more specialized. You have to be thinking about what area of information technology or information security you're really interested in. Is it retail, hospitals, doctors, data, big data information gatherers; which of those areas are you really interested in? Then, develop skill sets so that you can market and provide services to those specific industries.
Keeping Current on Laws
FIELD: How are you able to keep current on the ever-changing threats and vulnerabilities in technology and information security?
RAETHER: It starts with having a great team around me, given how broad the issue has become. As I mentioned before, some of that specialization ... I cannot have expertise in every single area, but I can certainly put people around me that have those skills and intimate knowledge with all of those variations that exist in the market today. What I am able to do is to have that broad perspective, both as a litigator as well as somebody who's dealt with these issues as they've emerged, and be able to graft that experience and marry it with the specialized knowledge of the people that I have on my team. And it helps to have friends in the industry that I have known for a long time who can provide me inside knowledge in terms of what's happening from a technology perspective, especially the information security perspective. Knowing what the buzz issues are as well as going to conferences, and not just networking with those people at the conferences, but sometimes admitting that I don't know everything about a particular area and being able to go in and get that cross-discipline training is key. So what is the hot topic on training? What are the leading edge techniques in terms of defense in depth? So being able to listen to those individuals and learning from them and trying to build the knowledge base that hopefully will provide the best solution for my clients.
Expanding the Team
FIELD: When you look to expand your team, what are the qualities you seek today?
RAETHER: Primarily someone who is a good listener and is intelligent and can solve problems on the fly. Even though there is a lot more development in this area, there are still a lot of cutting-edge issues. I think I've heard recently that technology is in its teens. I still think it's in its pre-pubescent teens in terms of where it's going. There are a lot of interesting developments that are going to happen in technology that are going to in turn have impacts on society and how we interrelate with each other. It's important to have people that are good problem solvers, can organize themselves, be creative, and then ultimately as an attorney, have effective communication skills. My job, in the end, is to communicate to those who aren't as knowledgeable, or have the depth of knowledge in technologies, so that they can understand the effect of those issues on their day to day life and their businesses.
Entering the InfoSec Field
FIELD: What do you see as the essential elements today for an attorney that is in the information security field?
RAETHER: We have to start with a good foundation, and for a lawyer, that is the technical legal skills. So being able to interpret the law, and for technology, being able to see around the corners. Often times, you're having to deal with law and legal issues that were developed in the bricks-and-mortar world, and then trying to figure out how those concepts, the general legal concepts, would apply in a virtual or information technology world. Once you pass those fundamental issues, it's really understanding the technology.
I'm not saying necessarily being a programmer or having a computer science background, but you have to be able to listen and understand what the CISO or IT staff are telling you about the situation that you're advising on or having to react to. You need that technical expertise. You also need to understand strategy and tactics and the governance issues. I'm not going to go in and advise a company whether they need better intrusion detection devices. That's not my role as an attorney. But my role as an attorney is to help them understand what would be a reasonable standard should there be IDS technology in place, should there be defense in depth.
Ultimately, if you think about what that means, it really comes down to governance, and I think that is the attorney's role. InfoSec is making sure that the right governance principle is in place. So an attorney, to be successful, needs to understand the structural and organizational issues, as well as the technical issues, and marry those all up to provide an effective governance program for entering into the organization.
FIELD: What fundamental piece of advice would you offer someone starting, or restarting, their career in this field?
RAETHER: I think first and foremost is find your passion. Do something that you love and that you enjoy as opposed to doing something that you believe will earn you a lot of money or give you status or prestige. Rather, find your passion, do what you love and then build your skills in order to achieve your goals around that passion. You asked me earlier about information security; in order to explore those issues, you have to understand the technical aspects of information security. You need to understand within an organization where does information security sit, and that requires you to understand compliance and information technology generally. And if you haven't explored those areas, if you don't know the issues you're going to be dealing with, if you don't know the types of personalities you're going to be dealing with, it is difficult to know that you found your passion. Likewise, you have to be someone who enjoys not knowing the answer, because as I mentioned earlier, there is not a lot of developed law. It is still evolving and emerging. Some individuals and attorneys don't like having so much gray. They like to be able to go and find a definitive answer, and if that is what you prefer, this is not the area for you. Instead, if you like being curious, if you like being challenged and providing creative solutions, taking risks, doing it in a measured way and coming up with an effective means to navigate those risks, then I think this is the right profession for that person.