Freshfields CISO Mark Walmsley is responsible for all information security at the oldest member of the Magic Circle of elite British law firms, a task that has become more complex as the cyber threat has grown.

Law firms are high-priority targets for attackers because they hold extremely sensitive and valuable client data that can reveal trade secrets and business plans, or be used to inform stock trades. They are also more attractive targets than their clients, as the information of interest to hackers is typically held at the firm in a less voluminous, more concentrated form.

To protect Freshfields, Walmsley spends his days evaluating security across the business, responding to audits, talking to partners, training colleagues, supporting clients, addressing alerts of potential threats, and developing his cyber security strategy as the threat landscape changes.

"The challenge is that there is a much greater group of hackers out there who are really motivated to get into businesses, so it's difficult to keep up with the level of threat and the number of threat actors. Number two, the threat's from the inside, not just the outside," Walmsley tells CIO UK at Cyber Security Connect.

"Businesses throw a lot of money and strategy and clever people at protecting the perimeter. Not enough people are doing it on the inside. We need to be investing there and we need to understand the accidental and malicious behaviours that happen there."

Insider threats have grown as employees have been granted more administrative privileges.
The proportion of staff given local administrative privileges on their work devices jumped from 62% in 2016 to 87% in 2018, according to CyberArk's 2018 Global Advanced Threat Landscape Report.

These threats encompass a wide range of motivations, actions and results, but can be a sensitive subject to address, as the person responsible will be an employee of the targeted firm.

"The zero trust model is the new way of thinking, and that's a bit emotive, particularly with your peers and colleagues," Walmsley admits.

Technical protection

Walmsley's mitigation approach is based on the golden triangle of people, processes and technology.

"You can't just buy a technology to resolve a problem," he says. "You have to say how does my workforce work? What do they need to do? How are they most efficient? That's the people.

"Then you go to the process and document exactly what you're doing and what's acceptable. What does the road look like? And then the third thing is investing heavily in good technology, and there are a few products on the market at the moment that do very good insider threat technology."

Freshfields uses the Dtex platform to detect insider threats by analysing behaviour across user groups and flagging signs of unusual activity.

The system records lightweight user behaviour metadata from the endpoint and analyses it with machine learning to pinpoint threats. Data is anonymised to protect employee privacy.

It provides protection whether or not user devices are connected to the network: the endpoint gathers the information locally and uploads it the next time it connects.

"We have a full audit log of everything that's gone on and all of the alerts will trigger as soon as it's got connectivity back to the network," explains Walmsley.

Protecting people

Educating employees is the second barrier of defence.
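As an added illustration of the mechanism described under Technical protection (this is example code written for this page, not Dtex's or Freshfields' implementation), the Python sketch below shows the three pieces that paragraph names working together: an endpoint agent that spools behaviour metadata while the device is off-network and ships it on reconnect, a keyed pseudonym in place of the plaintext identity, and a collector that keeps a full audit log and scores each user's volume of a sensitive action against the rest of their peer group. The key, group name, user names and byte counts are all constructed for the example.

```python
"""Added illustration (not Dtex's or Freshfields' code) of the pattern above:
an endpoint agent spools pseudonymised behaviour metadata while the device is
off-network and ships it on reconnect; a collector keeps the full audit log and
scores each user's activity against the rest of their peer group."""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Assumption: the keyed pseudonymisation secret lives with the analysis side,
# so spooled metadata never carries a plaintext identity.
PSEUDONYM_KEY = b"example-only-key-rotate-in-production"


def pseudonymise(user: str) -> str:
    """Stable keyed pseudonym: same user -> same token; reversal needs the key."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]


class Collector:
    """Analysis side: append-only audit log plus peer-group outlier scoring."""

    def __init__(self, z_threshold: float = 3.0):
        self.audit_log = []            # every event received, in arrival order
        self.z_threshold = z_threshold

    def ingest(self, events):
        self.audit_log.extend(events)

    def alerts(self, group: str, action: str):
        """Pseudonyms whose volume of `action` is far above the rest of `group`."""
        volume = defaultdict(int)      # every group member, even with zero `action`
        for ev in self.audit_log:
            if ev["group"] == group:
                volume[ev["user"]] += ev["bytes"] if ev["action"] == action else 0
        flagged = []
        for user, v in volume.items():
            peers = [x for u, x in volume.items() if u != user]
            if len(peers) < 2:
                continue               # no peer baseline to compare against
            mean, sd = statistics.mean(peers), statistics.pstdev(peers)
            # Leave-one-out: the user being scored does not inflate the baseline.
            z = (v - mean) / sd if sd else (float("inf") if v > mean else 0.0)
            if z > self.z_threshold:
                flagged.append((user, round(z, 1)))
        return sorted(flagged, key=lambda t: -t[1])


class EndpointAgent:
    """Endpoint side: records metadata locally; ships it only when connected."""

    def __init__(self, collector: Collector, group: str):
        self.collector, self.group = collector, group
        self.online = False
        self.spool = []                # survives while the laptop is off-network

    def record(self, user: str, action: str, nbytes: int = 0) -> None:
        self.spool.append({"user": pseudonymise(user), "group": self.group,
                           "action": action, "bytes": nbytes})
        self.flush()

    def set_online(self, online: bool) -> int:
        self.online = online
        return self.flush()

    def flush(self) -> int:
        """Deliver spooled events if connected; returns how many were shipped."""
        if not self.online or not self.spool:
            return 0
        shipped, self.spool = self.spool, []
        self.collector.ingest(shipped)
        return len(shipped)


def demo() -> dict:
    """Constructed scenario: five peers behave normally; one laptop copies 900 MB
    to USB while off-network, and the alert only fires once it reconnects."""
    MB = 1_000_000
    collector, group = Collector(z_threshold=3.0), "associates"
    normal = [("a.ali", "usb_copy", 2 * MB), ("b.baker", "usb_copy", 3 * MB),
              ("c.chen", "file_open", 0),            # peer with no USB use at all
              ("d.dube", "usb_copy", 1 * MB), ("e.eve", "usb_copy", 2 * MB)]
    for user, action, nbytes in normal:
        desk = EndpointAgent(collector, group)
        desk.set_online(True)
        desk.record(user, action, nbytes)
    laptop = EndpointAgent(collector, group)     # starts offline (on the train)
    laptop.record("f.foster", "usb_copy", 900 * MB)
    alerts_before = collector.alerts(group, "usb_copy")
    queued = len(laptop.spool)
    laptop.set_online(True)                      # reconnect -> spool is flushed
    return {"queued_while_offline": queued, "alerts_before": alerts_before,
            "alerts_after": collector.alerts(group, "usb_copy"),
            "audit_log_size": len(collector.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The score is leave-one-out: each user is compared with the spread of everyone else in the group, so a single heavy copier cannot widen the baseline enough to hide inside it, and a group where nobody else does the action at all still flags the one who does. The pseudonym is an HMAC, which is anonymous to anyone without the key but reversible to whoever holds it; in a real deployment that key belongs with whichever function is allowed to re-identify a flagged user (HR or legal, not the SOC analyst), and the on-device spool would be on disk and tamper-evident rather than an in-memory list.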
Walmsley reduces risk by offering clear guidance to staff about what's acceptable and then instilling a mentality of joint responsibility.

He breaks his training strategy down into three key points.

"The first one is you can't offer just one way to educate people. Everyone needs a different vector, a different mechanism," he says. "Secondly, a one-time shot is never helpful, so it needs to be continual. Thirdly, you need to do it in a way that's so simple that people understand their obligations."

Freshfields provides training in a variety of ways. It offers e-learning backed up by communications, marketing materials that contain guidance, threat briefings that illustrate the issue and put the risk in context, simulated phishing tests and presentations.

"The more of those that you have, it means that one or two will really bed down for different types of people," says Walmsley.

Protective processes

The CISO's day is getting busier as risks grow and threats evolve. Walmsley believes the best of his peers look to the future and create a "roadmap of risk".

His own strategy for developing this is talking to clients to find out their concerns, collaborating with other industries whose defences may be more advanced, working with colleagues to build mutual trust and understanding, and discussing his ideas with people who aren't technical experts.

A cyber-savvy board and line manager ensure Walmsley has the support he needs for his strategy, and awareness of cyber threats is growing across the business.

The introduction of GDPR has added to that understanding. It forces Freshfields to respond to breaches within a shorter period: under the regulation, a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals.
Organisations that lack visibility into what's happening inside their networks could be in big trouble if they cannot react quickly.

The regulation may have added to his workload, but Walmsley tries to take the positives out of the new requirements.

"GDPR makes both businesses and their members of staff more accountable. That's really important in cyber security and it also means that it is a higher priority," he says.

"You can actually use it as a bit of a lever, because when we're looking at protecting data, we don't necessarily distinguish between client confidential and personal data. It has the same high value to us. If you have a regulation that looks at personal data and requires you to behave in a particular way, that allows us to leverage that behaviour against the rest of our datasets and processes.

"A lot of people moan about it. It's finding its feet. It's aggressive. It's got teeth. As an industry do we think it helps us? Yeah, I think so."

Routes into security

Walmsley had a legal background of his own before becoming a CISO. He has a law degree from the University of Derby and worked as a paralegal at Freshfields for three years before moving into the IT department and working his way up the organisation into his current role.

This career route gave him a deep understanding of the business and an ability to communicate with less technical colleagues.

"Lawyers work in a very different way to techie people," says Walmsley. "They have a very different level of analysis. They want very clear messages and want them backed up by fact.

"Over the years, having worked in one of the big groups, I'd learnt how lawyers wanted to work.
I understood how the techies were working and I've been able to bridge that gap."

The previous CIO at Freshfields told Walmsley that his greatest skill was his ability to communicate between IT and the rest of the business by distilling a technical conversation into something a lawyer can easily understand.

"Personally speaking, I think the role of a really technical-only CISO is dying off," he says. "A CISO is about risk management and therefore the ability to identify risk, analyse it and then provide options to the board means you're becoming much more of a trusted advisor. Having a background that's outside of IT, or at least exposure and experience outside of IT, is going to become increasingly important."