A Law Firm’s Hiring Strategies for Handling New Security Concerns

As CIO and managing director of Morrison and Foerster—ranked among the 50 largest law firms in the world by revenue—Neeraj Rajpal is responsible for implementing strategic and tactical global IT and for managing records initiatives for the firm’s 1,200 lawyers in 16 global offices.

New regulations, such as the Dodd-Frank Act passed in response to the 2008 recession, have led to more stringent client audits and the need for Rajpal to add a new leader to the IT organization who understands business and technology. In this interview, Rajpal explains what drove the creation of this new role and what his strategy has been for getting it filled.

Morrison and Foerster recently created a new role: privacy, compliance and data security manager. What led to its creation?

We were seeing more stringent client audit requirements. In the past, a simple multiple-choice questionnaire would suffice. Today clients are asking for more—much more. They want to visit our data centers, interview our IT personnel and, in some cases, are asking to perform penetration tests to test the security of our network. They want to evaluate our access-control policy and data-security procedures and see how we protect our data—or, in many cases, their data. So you might say this was actually driven by our clients.

But you already had a privacy council and other governance in place. Why do this now?

With stricter regulations around data privacy, clients are growing more and more concerned about the use of external service providers. They are shortening their list of preferred providers and want to partner not only with those that provide the best legal advice, but also with those that take privacy and risk management seriously. IT is now an enabler to the practice, a true partner in every sense of the word.

What characteristics and experience will you look for in this new hire?

First, this position will report to me. But the skill set is not limited to just IT or an understanding of what is happening on the infrastructure side. The ideal candidate will have experience working with the front office and will understand the regulations and governance issues affecting global businesses.

What was the process you went through internally to get approval for this new position?

I worked with the risk-management committee, the head of the data privacy practice and the privacy council. The firm takes these issues extremely seriously, so this was a relatively easy sell.

What industry experience or personal characteristics are required for this person to be successful?

You have to possess strong relationship management skills, as you will be interfacing with lawyers within the firm and, sometimes, external clients. As we are a partnership, coming from a professional services background will be a plus. [That experience makes it] easier to understand the culture and environment you will be working in.

What experience will you be looking for on the technical side?

It is difficult to find people who understand both technology and what runs the practice. Understanding governance issues and how regulations might affect us are important requirements for this position. An individual must possess IT security management experience and the Certified Information Systems Security Professional or Certified Information Security Manager certification.

Phil Schneidermeyer is a partner in the New York office of Heidrick aanndd Struggles, where he specializes in recruiting CIOs and CTOs for all industries.