Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career

Cyber strategy should be ‘a key imperative’ in FY24–25

Being able to “observe, own and overcome” cyber risks can help firms and organisations protect against breaches, according to one BigLaw partner.

user iconLauren Croft 10 July 2024 Big Law
expand image

Brenton Steenkamp is a partner at Clayton Utz, where he heads up the firm’s cyber security practice. He was also a recent panellist at Lawyers Weekly’s Corporate Counsel Summit earlier this year, discussing all things cyber.

Speaking on an episode of the Lawyers Weekly Show, produced in partnership with Clayton Utz, Steenkamp discussed the current state of the cyber market and revealed key headline trends and challenges, as well as how best lawyers in this space can respond to market conditions.

Steenkamp isn’t actually a practising or qualified lawyer – and first encountered cyber-related issues when he was a manager at Ernst & Young within its forensic team, something he said drew him into an “exciting career of cyber”.


“It really keeps you on your feet and on your toes, so to speak, and really to keep on not experiencing new issues. But for me personally, it’s a sense of justice. And when dealing with, be it a person who’s malicious or a threat actor for that matter, you want to bring a sense of normality and justice back to your clients, but also to the organisations you work for,” he said.

“And I think, besides doing the job day to day, we want to also bring some normality back in society. And I think we all are fed up with issues around our emails being phished or having received spams on our phones or mobile devices for that. So, we want to help normalise society, so to speak. And I think all of us are really after that. My team, we’re here to help our clients and our fellow colleagues and people and friends.”

Something that motivated Steenkamp to join Clayton Utz was the firm’s strategy – and cyber and digital being a “key imperative” of that strategy moving forward.

“It’s critical for organisations, particularly on the proactive side, to be well prepared upfront. So, building that resilience within organisations, key aspects of that is also understanding what legal risks are brought to the forefront in that process, but then also subsequently during the event and also the remediation after an event has taken place. I’m always saying and advocating that you can’t bring legal in afterwards. You need to understand what the issues are beforehand,” he said.

“And I think there’s enough instance in terms of local cases now coming to the forefront, showing that legal considerations around risk assessments, the impact around data, and particularly data subscribers or for that matter clients, is a key topic. And class actions, as we’ve seen with Medibank and Optus, are surfacing because of those issues not being looked at. I think it makes sense as a key imperative to take this forward as a valued service offering to our clients.”

In terms of the current state of affairs within the cyber space – and following on from large data breaches over the last few years – Steenkamp said that Australia still has “a long way to go”, both in terms of becoming more resilient around cyber tech and also developing cyber-related processes for increasing risks.

“I’ve always clung on to the words of, ‘observe, own and overcome’. And my point around observers, organisations need to actually understand what are the risks they are dealing with and what is their risk appetite around addressing the issues and what are you going to let go and what are you really going to embed in. So, with data privacy, you can’t really protect if you don’t know what you have in the first instance and what is vulnerable in terms of a cyber threat.

“So, observing the environment is key, but then also taking ownership from that and ownership is more around what are the actions. Am I embedding in the organisation? It’s not a one-tick-box affair, and I’m ready to move on. So, from that perspective, training and owning the issues at hand is key, and then that really empowers organisations to overcome,” Steenkamp said.

“If I know where my data holdings are, what is really key to the organisation from a crown jewels perspective, I know what I can protect, and if I’m breached, which in many instances is the case, I can respond effectively. But I also may respond differently to a ransomware request if I know that the data is not anything imposing to the organisation or to my clients that changes the world you operate in.”

In terms of big issues to be addressed and main opportunities for cyber teams moving into the new financial year, lawyers need to keep their focus on potential risks and how they can be mitigated.

“We have to ask ourselves the question, do I have the right people around the table addressing the issues? Am I asking the right questions? And do I have the right tools and technologies to address these issues? So, it’s a constant area of focus, but it’s also a constant area of asking the right questions. And if you don’t have that in hand to bring it in, in sourcing and or externally addressing that with your technical advisors, your risk advisors and your legal advisors, it’s an area of awareness,” Steenkamp said.

“From an Australian perspective, the changes in our privacy laws that are hoping to come into play in the very near distant future, that is going to change the landscape. So, is being prepared in that regard, setting the tone? How can we be more proactive in minimising risk or mitigating risk from a data privacy perspective? At the end of the day, why do threat actors want to do what they are doing? They are looking for our personal information. Helping our clients mitigate that risk will necessitate us understanding the best ways to mitigate that on the forefront and bringing that to the play.”

Looking ahead, the practice area of cyber is also only going to continue to grow, Steenkamp said, with it likely to become one of the more competitive spaces for BigLaw firms.

“The landscape in terms of how we play in our personal lives, how we interact professionally in our working environments, has changed dramatically since COVID, and that has brought a whole new frontier of issues to relate to. And you would see the spike of just plain fraud in related cases because of people working from home right in the midst of COVID,” he said.

“So, if we look at what the next frontier may bring around AI and quantum computing, that’s even more so going to bring a whole new tsunami of issues. We are going to have a tidal wave of issues to deal with in the future, particularly around risks related to cyber or digital.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Brenton Steenkamp, click below: