Both executives agreed that law firms face a unique set of cybersecurity challenges, especially as they become high-value targets for increasingly sophisticated threat actors. Jason Thelen pointed to email as the persistent entry point for attackers:
“We’ve bolstered our security products on the mail gateway side… but education is what really moves the needle. Users are the first line of defense.” —Jason Thelen
Andrew DeBratto highlighted a related, real-world incident: a paralegal inadvertently downloaded a malicious file from a compromised client SharePoint site, which triggered a firm-wide incident response. While the attack was ultimately thwarted, it underscored the vulnerability of end users and the pressure on security teams to keep pace with change.
The conversation turned to Continuous Threat Exposure Management (CTEM), a framework gaining traction for its proactive, ongoing approach to risk reduction. Both CIOs emphasized the importance of prioritization amid overwhelming data volumes.
“We struggled with prioritization for years. We built our own aggregator… but still couldn’t tell what was truly critical. That’s where automation and external context changed the game.” —Andrew DeBratto
Jason echoed the need for automation, especially as firms modernize their environments with DevOps and cloud technologies. Using layered tools, their teams ingest telemetry into centralized dashboards to visualize risks, validate controls, and act fast on critical issues.
A recurring theme in the discussion was striking a balance between strong controls and a frictionless user experience. Legal professionals work around the clock and across the globe—security has to meet them where they are.
“Security can't just dictate. It has to allow usability. That’s how you avoid shadow IT and gain buy-in from the business.” —Jason Thelen
Andrew added that security must be embedded in the business—not bolted on. His team focuses on hardening endpoints, shrinking patching cycles, and enforcing conditional access, all while keeping the lawyer experience seamless.
The CIOs also touched on the future, including AI’s growing role in both offensive and defensive cyber. Andrew shared how his firm built “Hunton AI,” a GPT-powered internal chatbot, while Jason outlined a methodical process for vetting AI tools in collaboration with clients and internal practice groups.
Both leaders stressed that AI’s value lies not in flashy features, but in accelerating productivity and improving decision-making—especially under pressure.
Perhaps the biggest insight? Cybersecurity success depends not just on the right technology stack—but on culture, collaboration, and communication.
“Security exists to support the business. It’s not the other way around. Sometimes we have to take the tinfoil hat off.” —Andrew DeBratto
In the end, both firms agreed that the goal is to protect sensitive data without impeding the business. That means empowering teams, engaging partners, and focusing on what matters most—risk that is real, relevant, and remediable.