Tim Lupinacci on Leadership and Why Cybersecurity Is Essential for Law Firms

Tim Lupinacci

Tim Lupinacci is the Chairman and CEO at Baker Donelson, one of the largest US law firms, composed of 650 attorneys and public policy advisors and representing over 30 practice areas. As Chairman and CEO, Tim has led the firm through organizational reconstruction, growth, and the COVID-19 pandemic. He chaired the Financial Services Department and the Women’s Pathways to Leadership Committee and was a Diversity & Inclusion Committee board member. A self-professed “leadership junkie,” Tim continuously elevates his leadership skills through studying, reading, and learning from his failures. His passion for leadership inspired him to launch Everybody Leads, a nonprofit dedicated to empowering individuals in underserved communities with essential leadership skills and confidence.

Here’s a glimpse of what you’ll learn:

  • Tim Lupinacci shares his legal career journey
  • Insight into leadership and strategic planning regarding technology
  • How does Baker Donelson manage cyber risk?
  • Why it’s imperative for Baker Donelson’s security team to understand the firm’s goals
  • Tim discusses his experience with having his social media hacked

In this episode…

Cybercriminals target law firms because they store valuable and sensitive information. In a security breach, ransomware could lock down the office’s files for an extended period, making it impossible to perform routine operations. So, how can law firms protect themselves from cyberattacks?

Regardless of a firm’s size, all law offices are vulnerable. Tim Lupinacci, who leads one of the most prominent legal firms in the US, advises implementing a strategic cybersecurity plan. A full-time CISO and security team can spearhead the program and focus strictly on managing cyber risks. Preventive measures like phishing simulations can keep colleagues from falling victim to cyberattacks. Colleagues who fail the designated tests must attend additional training to protect themselves and the office’s devices. Tim advises that the best protection is to be vigilant, have mitigation plans, inform staff members of the latest cyber threats, and educate them on “cybersecurity hygiene.”

On today’s She Said Privacy/He Said Security Podcast, Jodi and Justin Daniels interview Tim Lupinacci, Chairman and CEO at Baker Donelson, about Baker Donelson’s strategic cybersecurity planning, the importance of forging relationships between the C-suite and the firm’s security team, and his personal experience with being hacked.

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.

To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.

Episode Transcript

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here. I am a shareholder at the law firm Baker Donelson, and I am a technology transaction and M&A attorney. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:58  

And this episode is brought to you by Red Clover Advisors. We could start a band, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our best-selling book Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com.

Justin Daniels  1:36  

You’re very smirky today. I guess it’s because you’re very purple today.

Jodi Daniels  1:40  

I like purple. You’re very blue. Indeed. Yes, today’s gonna be fun. It will be very fun special guests. You have to be on your best behavior.

Justin Daniels  1:49  

I know because I’m sitting next to one boss. And we’re about to interview the big boss at Baker Donelson. So our guest today is Tim Lupinacci who is the CEO of Baker Donelson for the last four years. And as a self-professed leadership junkie, Tim’s journey to stepping up as a leader began 30 years ago as a young lawyer after disappointing a boss with an epic failure. The boss challenged him after significant yelling and tough love by saying he saw Tim as a strong young leader who needed to recognize that he was a leader and step up to his own work his career and his ambitions. In the three decades since Tim has studied, read and grown his leadership skills through hard work, being curious, trying novel ideas, failing, learning from the failures and getting better every day. Well, Tim,

Jodi Daniels  2:40  

it’s a pleasure to have you on the show today.

Tim Lupinacci  2:44  

Well, Jodi, and Justin, thank you so much for doing this. I’ve been really looking forward to this. And I’ll put a plug in I really love your book. So great job on that.

Jodi Daniels  2:52  

Thank you. Thank you. Well, as Justin just shared, you’ve been CEO of Baker Donelson for the last four years. But before that, you’ve been practicing law for a number of decades. So we would love to hear more about your career from that. It sounds like very interesting experience with a boss all the way to the leadership that you have today.

Tim Lupinacci  3:14  

Yeah, well, thank you, Jodi. I’ll do a quick overview. So it was interesting, because I was a Mass Comm major in undergrad, I thought I wanted to go into radio and television, then I realized, well, maybe that’s not quite as glamorous as I thought. And I had a media law course that I took and the law thing seemed interesting. So I took the LSAT and just started, I really like stumbled into law school because I really didn’t know what I want to do and didn’t know how many lawyers in the family. So when I came out and was practicing early on, I was really it’s very transactional, I got a project, I did it, I turned it in, hope I wouldn’t lose my job and then just kept doing it because I didn’t have a real context for it. And I was working on a big project as Justin read with another like five or six year lawyer, and we were doing it for our boss very gruff man. And I did my part gave it to the senior lawyer and the senior associate, Pete gave it up. And then we got called into the boss’s office, he was on the phone call with about a dozen other lawyers from around the country. And he starts yelling at us saying that these idiots have it wrong. They’re gonna stay here all night, to get it fixed. And it was a lot of financial data type information. It was in a bankruptcy case, which was a practice has been in. So we stayed all night, got it done. And I had drawn the short straw to drive him, my boss to court the next morning, it was about an hour and a half drive. Very awkward, very silent. And then he apologized for yelling at us in front of other people, which was a thought that was a step up for him. But then he made those comments that just read it said, You’re such a see you as a leader. You can really do this. And it really was the first time people somebody I remember speaking into me as a leader. And I thought, well, if I’m a leader, what does that mean? How do I get better at this?
And so that’s what led to a lot of the journey that Justin read about, and it really just started getting better about myself. That was the first place I started then over time I grew in my practice and I had an associate and a paralegal. So now it’s a couple people I’m leading, and I’m learning and trying to help them get better at leader, you know, leading, and leadership and, and then I guess I don’t know, 15, 16 years ago, I was given the opportunity to lead the office at Baker Donelson here in Birmingham, enjoyed that and did some other opportunities leading a department. And then when the opening arose for CEO or my predecessor had been in the role, 20 years. I thought long and hard about it. Because I love practicing law. I love my clients, I love fixing things, which is a lot of what bankruptcy is all about corporate bankruptcy. But I decided I would put my name in the hat and I’ve really loved it. It’s been challenging. It’s been stressful. But in all the way along the way, I’ve got to keep growing and keep elevating my skills even today, right? I get better every day. So it’s a little bit of a journey of how I got to where I am.

Jodi Daniels  5:56  

Well, fun fact is I actually I didn’t end up doing the media come major, but that’s what I always wanted to do my whole life until I went to college and then said, I don’t know if I want to go that narrow. So I wasn’t sure about that. It was really interesting to hear your path, my little ears perked up at that original piece and that we’re always have to keep learning. We believe in that we always say we are trying to raise our kids to be lifelong learners. Yeah, we’re in fields that didn’t exist when we went to school.

Tim Lupinacci  6:25  

Right? Well, and there may or may not be video of me doing anchoring the campus news had a little small Woodward school, I went to, you know, 35 years ago, and I made the right choice change not pursuing that career. But

Justin Daniels  6:39  

that’s okay. Well, Tim, with deep fake, we can make that happen.

Tim Lupinacci  6:46  

Well, that’s right. Although that may have Yeah, anyway, that may be like just those old what are those reel to reel type tapes? That’s what I think we were doing.

Justin Daniels  6:54  

Anyway, so Tim, the legal profession, as you and I both know, is going through some real profound change due to technology. So how do you think about leadership and strategic planning when we’re in such a fluid environment in this particular industry?

Tim Lupinacci  7:09  

Yeah, it’s a great question, Justin, it is something that keeps a lot of us up at night, because it’s it’s a constantly evolving, the speed of change is pretty remarkable. When you look back, you know, even, you know, four or five, pre pandemic, right? I mean, even since that point, you know, when I was in, I was at, I had a six month transition into the role of CEO. And during that time, a great piece of advice I got was that the best law firms that are really being the most successful in that point in time 2018 2019 are really the ones that think like a best run business like our clients do. And so that’s really been a mindset shift that has really guided me because I think a lot of times, law firms, maybe professional services firm generally, had not historically thought like that it was more of the partnership, the you know, I don’t want to say congeniality, because I do think there’s a way that you miss best mesh, best run business with culture. I’m a firm believer, they come together. But going back to your question, I think, how I manage and lead with the rapid change is, I want experts, the best run businesses have experts in various areas of the running operation, with a seat at the table and a voice at the table that they’re listened to, may not mean that the there isn’t pushback, there’s accountability there. But I want the best folks leading our firm, it’s not me, I don’t know everything. I know, very little pieces I can, there’s things that I have some strengths, and there’s others I don’t. So I’ve got to have the best and the brightest all around the table to help lead as a as an organization, including IT and security and privacy, because that’s something that I certainly am not an expert in. And the change as you said, you all’s careers didn’t exist when you were in college. And it’s changing a new every day. So anyway, that’s kind of how I think about it that I want to keep learning, but also want the experts to help me know, help guide us.

Jodi Daniels  9:06  

It’s like your situations, Justin, where you bring in different experts to help on different parts of, you know, a data breach exercise, there’s different forensic experts we might bring in and others to be able to complement what you’re working on.

Justin Daniels  9:19  

Was I like to say I’m the conductor of the symphony sometimes and everybody has their role

Jodi Daniels  9:24  

to play. That was my analogy that you stole

Tim Lupinacci  9:27  

but you’re the quarterback, the quarterback, Justin and it’s the same thing. I mean, you gotta tell the all the players where they’re going right? I mean, they may or may not listen to you, hopefully they do and then you’re going to succeed. It’s the same thing. I mean, it’s a condition like the conductor of the orchestra because it all everything we try to accomplish everything we try to achieve is all is only when the whole orchestra is performing in their highest function and has very little to do with me other than just getting ready and let’s go do this right so

Jodi Daniels  9:57  

well as the CEO of Baker Donelson, which is the major law firms strategic planning also means managing organizational risk. And so on that note, how does the firm prioritize and manage cybersecurity risk?

Tim Lupinacci  10:13  

Right? Well, it does tie into what I mentioned about that is certainly an area that I would view in my weakness category of actual expertise in this area. So it was very critical to me that we had a professional that really could help guide and lead and counsel me, but lead our organization. And we had an opportunity within my transition time, where we had a CISO, who had left. And so we really wanted to elevate that role in that function to really have like I said, have a voice and that we would guide us and protect us because of the increasing change. And so we went out and did a national search and landed on our current CISO, who was really amazing, came out of corporate America, a really a large company that was headquartered here in Birmingham, that is headquartered here in Birmingham, and, and he’s really led us through that. But, but then it’s not just the hiring of someone who’s great. It’s also like I said, listening to them and allow I mean, having his name’s Tim, also having Tim participate in board meetings. He we had an in-person board meeting last week, and he came and did a presentation to make sure that we’re the board fully understood how we’re doing, what he’s doing. And then what needs he had resource wise, was he getting everything he needed support team, the team that he has built out, does he need more bandwidth. So that’s one thing is not just being in the role, but coming in presenting at the highest level, so we can all feel confident to be able to sleep at night, because I know Tim and his team are driving forward. Another thing they do is they do annual strategic planning. And they invite me into that. So I participate in the sense of mostly listening, but also seeing there’s opportunities where they may have a need somewhere, and I can help fast track getting something done. To help with them.
You know, another thing that they do is they really have a proactive ability to just test our colleagues right to make sure that we don’t fall prey to the latest scam. And so they’ve got a robust program to do that. And I have violated I’ve, I’ve clicked on some wrong things and gotten sent into training. So it goes all the way up to top to the first, you know, first person who starts their first day, we can all get better. And so I’ve recently clicked on one had to do some training. So we kind of do that. And then the other thing, what we think has been really beneficial that Tim brought to the table is and you’ve right one of you referenced a little while ago as these tabletop exercises, we get our executive team together. Tim and his team has put together a scenario. And he presents it and then what do you do? And then there’s the next step. And we’ve done it a couple times. Now we have another one coming up in a couple of weeks, which was very enlightening to me, because a lot of it was, you know, well, we really don’t know what we would do immediately. In that instance, like, do we have to when do we have to notify our carrier, you know, how you know, and all those type of things, that having us who are not the experts walk through a real time scenario. And of course, we have Tim’s involved their general counsel involved and made news pieces, but it was just very helpful. So really trying to take it very serious, because we’ve seen in the legal industry, as I know, you all have seen also and in other industries. I mean, if you’re not on top of this 24/7 or whatever, it could even be more than 24/7. I’ve seen law firms, companies even shut down because of attacks, and things that they couldn’t come out of the out of the cycle. So anyway, rambling a little bit there. But there’s a lot of things we’re trying to do.

Justin Daniels  14:00  

And, Tim, I don’t want you to feel bad because in the last 18 months, I also clicked on one of those emails. And I also wanted the penalty box and coming from me.

Jodi Daniels  14:12  

So they’re very clever. They’re very, very cunning. I mean, you really have to look for at some minutiae level of detail. And sometimes even the best of those who are trained, they continue to evolve all the time.

Justin Daniels  14:26  

Particularly when you’re in the middle of some M&A deal. You’re working on multiple matters, you’re really being stretched in a lot of directions. And that’s what the phishing emails prey on and that’s why the testing is so helpful. So, yeah, I agree. Totally agree. So, Tim, when you meet with security personnel, like when they come in to present to the C-suite and board meetings, what is critical to you, when professionals explain cyber and privacy risk in the overall context of managing a law firm?

Tim Lupinacci  14:56  

It’s great question. Well, one of the things that Tim does a really good job at is. I mean, I want to, I mean, I’m called dumbing it down so that I can really follow, you know what they’re doing, and then how it’s protecting us. And even when somebody clicks on a, you know, a bad link, how we’ve got all these systems in place to send up the alerts and cut it off right away, you know, and really explain it in layman’s terms, I guess, is the best way to understand it. And so I think that’s helpful. I think the fact that Tim knows also, our strategic goals as a firm, I mean, he’s right in those in the mix of that mix of that, that he knows what we’re trying to accomplish. And he knows where we’re trying to go as an organization. And so that helps him really connect up. We want to be, you know, a best run business, we want to be a trusted adviser to all of our clients. Well, in order to do that we’ve got to excel in privacy, security, I mean, we’ve got to lead the charge on that. And so we really connect set up really well. And then it’s helpful for me that what Tim does is he compares us to industry average, and I know, you know, that can be a sometimes people rely on that to say, Oh, well, we’re not that bad. Because we’re right at the Internet industry average, right? So I think I don’t, it’s not because I want to beat the industry average, I want to be the best below, you know, the best higher or below the industry average, whichever way is good, you know, in that, and so but that helps me to see areas where we can still continue to improve. Right. So I think that that’s another thing that I do. And as I said, one of those things that he does is he reports to us about those phishing alerts, and how many of our colleagues click on it, and we have tracking to see how we’re doing it and then compare it to the industry. And that’s just helpful for I think the board members to see that we’ve got a handle on that Tim and his team have a handle on everything.
But then yet, there’s still ways that we can get better, right, and the next thing coming down the pike. So

Jodi Daniels  17:03  

I want to really highlight that you have elevated this conversation at the board level. Because there are so many organizations who don’t appreciate the need to do that. And to help all of those members understand the risk and how it is a business risk. And to figure out what else it is that you all need to do.

Tim Lupinacci  17:25  

I totally agree. And it’s been something that, again, it just fits into what the strategy of what we’re doing. And it’s about having the professionals who know that are the experts in the field coming and reporting to the board. And I think that’s vital for any board to really do the function of what a board is supposed to be doing needs to understand that. And particularly with the security privacy and security area, as you said, it’s it’s it’s a foundational risk management, proactive risk management, because it can literally sink the ship, you know, you talk about Jim Collins always talked about, you know, sometimes you take some risks, and as long and you as an organization, I’m driving forward, but you want to shoot like What is he talking about, you want to shoot bullet hole risks, where like, if you miss, it’s a bullet hole, you don’t want to shoot cannonball risk where it hits, if you miss wildly, then it sinks the ship. Well, if you’re not being serious, and having the right CISO in place and reporting to the board and being accountable, holding the board accountable and holding the CISO accountable. You’ve got the risk of that that cannonball is going to come and sink your company ships. So it’s it’s vital. And it’s been invaluable to us.

Jodi Daniels  18:41  

Thank you for sharing your perspective. It’s really, really helpful.

Justin Daniels  18:44  

So Tim, as we talked about, in the pre show, we appreciate We congratulated you that because of who you are, you are a target out on social media and various other places. So I was wondering if you could share a recent experience you had with your LinkedIn account?

Tim Lupinacci  18:59  

Well, yeah, it’s funny talking about being a target. Tim, our CISO says that our CFO and myself are the most widely spoofed people in the whole firm to all of our colleagues, if I’m not sure I use that term, right. But then like they get texts from us do this immediately or come with and of course, most of you know now most of our colleagues are trained like, they reset. Hey, are you really trying to reach me and anyway, but so yeah, I kind of had been kind of just going along. I know this is critical for the organization, but not I haven’t really thought about it as much in my own personal context. And all of a sudden, my LinkedIn account was hacked. And it was a little bit odd because, as best I could tell, and best we could tell or people got involved and looked at it. They changed the name, it’s still my picture, but it was a woman’s name now and they followed some sites that I hadn’t followed. But that was about it. And so it took about a week to have worked with LinkedIn where our colleagues work with LinkedIn. We got it all in, I had to make sure who I was and get everything re-authenticated. But it did. It led number one for me to say I gotta get more serious about this and multifactor authentication on all my stuff. And just to be really cautious about it, and uh, well going back to the clicking on the spam email that they send around, to try to get us to learn and get better. But they’re also tricky sometimes. I thought that was a little unfair, because one I clicked on recently was the LinkedIn thing happened on like, a Monday. And on, like, Wednesday, this email came about Facebook, from Facebook, about some kind of spam thing. And I said, Oh, no, there’s more. And I clicked in and it’s like, ha, ha, ha, you gotta go to training. But I talked to Tim. I mean, I thought was unfair. It was smart, though. Right? Because that can really happen. I mean, that’s the neck. Of course that could happen.
I think it would have been preset up, but I still think it was a little

Justin Daniels  20:54  

dumb was playing a joke. Yeah. Okay.

Tim Lupinacci  20:57  

Anyway, but I have a tight right

Jodi Daniels  20:58  

now, that really could happen. And someone might have gotten to all the accounts. So Right. Oh, no. worries, obviously. So we might need to give him some extra props.

Tim Lupinacci  21:09  

Yeah, no, no, it’s true. And it will. And it really did. Because I immediately went to I mean, that. And I first I was just thinking, well, this is frustrating, right? I mean, I don’t do much on LinkedIn as well. It’s just frustrating. And then somebody, I think, I think Tim reached out and said, Well, you know, you really need to be thinking about all your passwords everywhere, because and so I did, I spent hours now, doing all that and doing the, you know, multi factor authentication, just because I just hadn’t thought about it. So it’s good lesson for me.

Jodi Daniels  21:41  

It is tedious, but it’s very worthwhile for sure. So with all of this knowledge that you have, I’m sure you’re very popular at cocktail parties, backyard barbecues, maybe coming up this weekend, what is the best privacy or security tip that you might offer? From a CEO perspective?

Tim Lupinacci  21:58  

Yeah, that’s great. I do love people. So I don’t know if I’m a good I don’t know if I’m a fun guest. But I do like going to them because I just like hanging out with people and talking. But um, so I think it goes back to what the first thing I kind of mentioned a little bit about, you know, I’m not an expert in everything. I mean, some CEOs are expert in privacy, data security, and that’s great. But like, that’s not one of my strong background areas. And so when it comes to cybersecurity, to Tim, as a CEO, I need to make sure I’ve got somebody in that role. who absolutely is, you know, top of the game, right, because I need that expert at the table to guide us. And then I need to give them the authority to let them manage cyber risk. With my, you know, I got their back, we got them the resources. And so I think that’s the big thing. But you know, one of the ways as Justin knows, and Jodi, you probably experienced this, too, you know, lawyers are always the smartest people in the room. And sometimes they don’t like to listen to experts who don’t have a law degree. And so and that doesn’t happen at Baker Donelson, I just in some firms I hear that happens. But but there is that thing. So I wanted to do a visual statement about what I was just saying, like, I want to Tim to make sure that he felt supported. And I had his back. And so I did. It’s kind of a little silly thing. But we had a leaders meeting. And I had the leaders of like, technology and CISO and marketing business development come up. And I gave him this little baton, like a running baton. And it says, says I’m passing the baton and it has my name on it. And I handed it to him in front of all the lawyer leaders so that they could say that, yes, we need to listen to these experts. So the short answer of the cocktail party thing is answer would be just hire the right person who’s an expert to lead in that area.

Jodi Daniels  23:55  

I like that baton idea that is really, really clever and very cool. Yeah, I like that.

Justin Daniels  24:01  

It’s even red.

Jodi Daniels  24:02  

It is even red.

Justin Daniels  24:08  

So Tim, when you’re not busy being a CEO of a major law firm, what do you like to do for fun?

Tim Lupinacci  24:17  

Well, I mean, I certainly do like, just because it’s my main time running in the morning and everything. And I’d certainly love travel. We’ve talked about that. But I guess the one thing that I’ve been working on the last couple of years is writing. I’ve got a manuscript of a leadership book that’s been through three edits. And, you know, looking at what I do with that, and then, and it’s called Everybody Leads, but it’s also the concept built into a nonprofit that I started called Everybody Leads, which is really basically bringing basic leadership skills into underserved communities. So I’ve been partnering with some local nonprofits to kind of test and see is it a value to folks in their cohort that they’re serving like, folks, reentering society from prison or some disadvantaged youth who are now getting some job skill training. And I think it’s like coming alongside those organizations to do a little basic leadership skill training to help them once they get a job. So I’ve become more interested and passionate about that in my free time, which is, you know, far and few between, but I do enjoy working on that.

Jodi Daniels  25:22  

Well, Tim, we’re so grateful that you shared so much with us today. If people would like to learn more, of course, we will send them to bakerdonelson.com. But if there is anything about, for example, the Everybody Leads that you want to send anyone to or your very well secured LinkedIn now. Please feel free to share how people can connect with you and learn more.

Tim Lupinacci  25:42  

Now, you hit real, basically hit it bakerdonelson.com. I’m on there. I’m on LinkedIn. And everybodyleads.org is a website that we’re starting to build out. It’s got some content, more to come. We’re working on that.

Jodi Daniels  25:55  

So wonderful. Well, thank you again, we really appreciate it.

Tim Lupinacci  26:00  

It was a joy to be here and just learn from you all. So thank you very much.

Justin Daniels  26:04  

Thanks, Tim.

Outro  26:10  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
