Law firms hold some of the most sensitive information in any industry: M&A deal terms before they are public, litigation strategy, privileged communications between attorneys and clients, and the personal and financial details of individuals and organizations navigating their most consequential legal matters. That makes them attractive targets for adversaries ranging from nation-state actors seeking competitive intelligence to ransomware groups that know a firm cannot afford operational disruption mid-trial. The leaders in this feature are building security programs inside organizations where the attorney-client privilege is a cultural foundation, where resistance to oversight is institutional, and where the security function has to earn its place through trust rather than mandate.
Daniel Melleby — CISO, Davis Wright Tremaine LLP
After September 11, Daniel Melleby went back to school, earned a graduate degree in security policy studies at George Washington University, and entered a fellowship that opened the door to the Department of Defense. What followed was more than a decade of national security work spanning the Pentagon, a sixteen-month deployment to Afghanistan as US policy advisor to NATO, country director roles for Afghanistan and Pakistan policy in the Office of the Secretary of Defense, and director for cybersecurity policy at the National Security Council at the White House. He joined Davis Wright Tremaine as CISO in November 2017, translating that national security background into law firm security governance. His current focus spans three lenses: security of AI, ensuring the firm can adopt and use AI tools confidently; security with AI, using AI to make security operations smarter and faster; and security from AI, staying ahead of adversaries already using it offensively. That framework, built by someone who spent a decade thinking about national security threats at the policy level before moving into private sector security leadership, reflects an unusually grounded approach to the AI risk challenge that law firms are only beginning to grapple with seriously.
Jon Washburn — CISO, Stoel Rives LLP
Jon Washburn has spent nearly fifteen years at Stoel Rives, progressing from national manager of technical operations through director of information security and stepping into the CISO role in March 2018, where he also serves as the firm’s compliance officer with ownership of data governance and records management. Before Stoel Rives, he spent seven years at Cleary Gottlieb Steen and Hamilton in hardware technology and network and communications management roles, and before that held IT leadership roles at Wolters Kluwer, a casino resort, and a network operations firm. He speaks at industry conferences, presents security and risk management webinars, publishes blog posts, records podcasts, and hosts workshops aimed at improving cybersecurity culture across the legal industry. His active community engagement reflects a security leader who understands that law firm security is as much a cultural and educational challenge as it is a technical one.
Kyle Salous — CISO, Williams and Connolly LLP
Kyle Salous has spent more than ten years at Williams and Connolly, one of Washington’s most prominent litigation firms, stepping into the CISO role in January 2024 after nearly nine years as director of cyber security and risk management and a year as senior security architect. He also serves as CISO and board member of the Legal Services Information Sharing and Analysis Organization, managing nearly 200 member firms on threat intelligence sharing, vendor collaboration, and regulatory compliance, growing the subscription base ten percent annually. Before Williams and Connolly, he spent three years as a systems architect at George Washington University and more than three years in security engineering and network security analyst roles at CEB, now Gartner. His dual role at LS-ISAO reflects a security leader whose influence extends well beyond his own firm into the broader legal sector security community.
Brett C. Don — CIO & CISO, Stradley Ronon
Brett C. Don holds the combined CIO and CISO mandate at Stradley Ronon, overseeing a $10 million budget and 22 business and technology professionals across a large multi-office professional services firm. His dual accountability spans strategic alignment of IT, operational excellence, technology modernization, and an end-to-end information security program based on ISO 27001 and 27002 standards calibrated to financial industry client security requirements. Before Stradley Ronon, he ran SDK Risk+IT Advisors, a consulting practice providing fractional CIO and CISO services to law firms, non-profits, and professional services organizations, and before that served as chief information and risk officer at Dickstein Shapiro, where he oversaw a shared COO role across ten administrative departments including IT, information security, records, eDiscovery, and knowledge management for a $300 million firm. His career in law firm technology stretches back to 1989, when he began as manager of information systems at Archer and Greiner, and includes CIO roles at Wiley Rein and senior consulting roles at Altman Weil. More than three decades inside the legal sector gives him an institutional understanding of how law firms operate that most technology and security leaders never develop.
Adriel Camejo — CISO, Gunster
Adriel Camejo joined Gunster as CISO in April 2024, bringing a background built across audit, risk, compliance, and global security management. Before Gunster, he spent nearly five years as manager of global IT security and compliance at Bacardi, reporting directly to the CISO, reducing audit findings by 50 percent in his first year, spearheading a global cybersecurity awareness training program for more than 8,000 employees, and implementing a third-party risk management assessment process integrated into vendor onboarding and procurement. Before Bacardi, he spent nearly six years as manager of IT security, compliance, audit, and risk management at Focal Point Data Risk, delivering assessments ranging from SOX ITGC compliance to PCI DSS and ISO 27001 engagements for organizations from startups to Fortune 10 companies. He holds CISSP, CISA, and CRISC certifications, has taught as adjunct professor at Miami Dade College, and served on the board of the South Florida chapter of PMI. That combination of global consumer goods security governance, consulting depth across diverse regulated industries, and academic engagement reflects a security leader whose breadth of experience informs how he approaches security at a Florida-based full-service law firm.
Michael J. Massey — CISO, Reminger Co. LPA
Michael J. Massey joined Reminger Co. LPA as CISO in June 2025, bringing more than twenty years of IT and security leadership across engineering, healthcare, media, and professional services environments. Before Reminger, he spent more than two and a half years as senior director of enterprise information technology at Schurz Communications, managing vendors, contracts, IT plans, policies, and infrastructure across a media company. Before Schurz, he served as director of information technology at Osborn Engineering, spent a year as senior IT infrastructure project manager at UPMC through Consult USA, and led large-scale IT project implementations at Cleveland Metropolitan School District including fiber optic WAN connectivity, VoIP, and wireless LAN across the district. He has also taught as an adjunct professor of engineering technologies at Lakeland Community College since 2010. His career spans law enforcement roots as an Ohio State Highway Patrol trooper and village chief of police before pivoting to technology leadership, a background that shapes a practical, disciplined approach to security governance at a regional law firm serving clients across Ohio and beyond.
Law Firm Security Is a Cultural Problem as Much as a Technical One
The leaders in this feature work in organizations where partners resist policy mandates, where client-facing confidentiality obligations shape every technology decision, and where the value of the information being protected is measured in deal outcomes, litigation results, and personal legal matters that affect people’s lives. Building security programs in that environment requires something different from the enterprise security playbook. It requires the ability to earn trust from skeptical professionals, communicate risk in business terms, and make security feel like a partner to the legal mission rather than an obstacle to it. The leaders in this feature understand that, and their programs reflect it.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

