Women in Cybersecurity: an Interview with Judith Germano

Judith H. Germano is a nationally recognized thought leader on cybersecurity governance and privacy issues and served more than a decade as a federal prosecutor.  In addition to founding GermanoLaw LLC, she is also a Distinguished Fellow at the New York University Center for Cybersecurity and an Adjunct Professor at NYU School of Law.

 

First, would you start by describing the work GermanoLaw LLC does?

GermanoLaw is a boutique law firm that specializes in cybersecurity, privacy, securities and other financial fraud, and regulatory-compliance matters.  We help companies navigate the significant and diverse challenges of preparing for and responding to cybersecurity incidents; represent companies and individuals who are targets or witnesses of federal investigations; and provide thought leadership through whitepapers, presentations and meetings.

As the founder of GermanoLaw, what does your day-to-day work look like?

Every day is different, which makes it all the more exciting.  Some days I am at a corporate client’s office working on cybersecurity issues; advising the executive leadership on cybersecurity policy and strategy; leading a tabletop exercise; or drafting policies, articles, a whitepaper or legal memoranda.  Other days I am arguing an issue in court; advising a client on criminal or regulatory-enforcement matters; conducting an internal investigation; preparing a witness for grand jury, civil deposition or other testimony; or negotiating a resolution to an investigation or dispute.  I also spend a portion of my time working with NYU as a Distinguished Fellow at the Center for Cybersecurity, an Adjunct Professor of Law at NYU School of Law and a Professor in NYU’s Master of Science in Cybersecurity Risk & Strategy executive education degree program.  Also, as part of my work, I do a fair bit of keynote and panel speaking, at professional and academic conferences as well as for internal corporate meetings and trainings.

What made you decide to start your own law firm?

I spent eleven years as a federal prosecutor working on investigations and prosecutions involving securities and other financial fraud, public and private corruption, cybercrime and identity theft, and also matters impacting national security.  Before that, I spent a few years at a global law firm based in NYC and, right after law school, I was a law clerk for judges on the U.S. District Court in Connecticut and the U.S. Court of Appeals for the Second Circuit in New York City.

I loved being a federal prosecutor but, after more than a decade in government service, I wanted to return to the private sector where I could use the expertise that I had developed over the years to provide client-focused counsel and representation.  I recognized a gap with how the private and public sectors, and academia, were addressing cybersecurity issues, and I wanted to help bridge that divide by fostering greater partnerships, collaboration and research to address the growing concerns regarding cybersecurity governance and regulation.  The combination of a small law firm and being academically aligned as a cybersecurity fellow and adjunct professor at NYU gives me the flexibility and platform to nimbly address a variety of corporate, public sector and academic questions, issues and challenges.

What initially sparked your interest in cybersecurity issues?

In retrospect, I might say this interest started a long time ago, since I initially went to law school to develop expertise for helping organizations successfully navigate through crisis.  At the time, however, I did not envision that the crisis would be cyber attacks.  As a 3L, in 1996, I organized one of the world’s first cybersecurity law conferences.  It was called “Cyberspace and the Law” and we addressed issues of First Amendment rights, intellectual property protection and child exploitation – all of which continue to be major concerns now, 22 years later.  Although I worked on various technology-related matters in my early law career, it was not quite that intentional a plan.  Then, in my last five years as a federal prosecutor, when I was Chief of the Economic Crimes Unit (previously the Commercial Crimes Unit) at the U.S. Attorney’s Office in New Jersey, I oversaw a number of international cybercrime investigations, as well as cases involving securities fraud and other financial fraud.  From that position, I could see that cybersecurity was a major and growing problem for U.S. companies, and I also realized there was a lot of confusion and insufficient trust in the private sector regarding whether, and how, to work with the U.S. government to address the growing cybersecurity problem and address economic and national security concerns.  I started my law firm in September 2013 to help private and public-sector organizations address this growing cybersecurity crisis.  The high-profile Target breach was in November and December 2013, and a number of major, devastating security incidents followed, bringing critical cybersecurity concerns to the headlines on a regular basis, and underscoring the need for proactive efforts to address cybersecurity concerns.

Were you at all concerned about working in the cybersecurity space because of the underrepresentation of women in this field?

No.  That did not give me any concern.  I did consider that not enough women lead law firms and other organizations, and I would like to see more women on boards and in executive leadership positions generally, as well as more women at all levels of the cybersecurity field more specifically.  The fact that women are underrepresented in cybersecurity creates opportunity – there is a lot of room for growth.

Have you found the underrepresentation of women in the cybersecurity space to be very apparent in your past and present positions?

Yes.  It is not unusual for me to be the only woman on a panel, or one of only a few women in a leadership meeting, but there are a number of fantastic women in the field.  More people need to take an extra step to identify, include and empower women in cybersecurity.  To help address the gender deficit, I regularly reach out to include women in the projects and events that I manage and organize.  I also chair an annual conference each October, hosted by NYU’s Center for Cybersecurity, called “Women Leaders in Cybersecurity,” where we bring together a number of leading women doing important work in cybersecurity, to discuss substantive cybersecurity issues from an inter-disciplinary perspective with technological, policy, legal and business expertise.  This is a great way to show that there are, in fact, many talented women in this field.  By giving these strong role models a platform to discuss the critical work they are doing, I hope that will inspire more women and girls to consider cybersecurity careers, and also encourage companies, government, media and academia to recognize, and to better engage, develop and retain, women in cybersecurity positions.

Do you think government and law firms could be doing more to increase the representation of women in the cybersecurity field?

Yes, there is a lot more that can and should be done.  This is a growing field and women make up only about 11% of the cybersecurity workforce.  Studies show that women hold fewer leadership positions and, regardless of seniority, on average women make significantly less money than men who are at the same level.  Government and businesses need to identify women with potential to advance in cybersecurity and provide them with the opportunities, training, salary-motivation, and mentoring to pursue and advance in the field.  It is not enough to rely on the default, which has been to fill cybersecurity jobs, meetings and speaking platforms with men, which further promulgates the false perception that all the leaders in the field are men.  Also, women should be encouraged to take risks and put in for jobs that may be outside their comfort zone, and to make sure they get the guidance, training and skills they need to perform those jobs well.

Do you have any advice for other women interested in practicing cybersecurity law?

Cybersecurity is a quickly growing field that requires an inter-disciplinary approach and different abilities and expertise.  There are great opportunities in cybersecurity and many different ways you can use your talents in this field.  Do not be hindered by self-doubt or a concern that you have not mastered the subject; this is an area that continues to evolve, so it is a constant learning process.  A good attorney realizes you may not be an expert in every subject, and engages with others when you need to expand your expertise.  Do not be afraid to take risks by trying a new subject area, and by asking for help.  Also, affirmatively seek out information regarding what you need to do to advance in your organization or career and make a plan for getting it done.

 

Ruby Lang is a second-year Columbia Law student. She met Judith Germano when she was a guest speaker in Daniel Richman and Matthew Waxman’s Cybersecurity, Data Privacy, and Surveillance Law course.