April 22, 2025 • 14 mins
I spoke with Ciprian Şaramet, Managing Director of Modular Services, a Romanian company focused on providing technical support and business services to global law firms. We discussed how law firms can strengthen their cybersecurity posture, the influence of AI on law firm security, vulnerability management, and the value of continuous education for safeguarding client data and firm operations.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Reinventing Professionals, a podcast hosted by industry analyst Ari Kaplan,
(00:07):
which shares ideas, guidance and perspectives from market leaders shaping the next generation
of legal and professional services.
This is Ari Kaplan and I'm speaking today with Chipprian Charmet.
The managing director of modular services, a Romanian company focused on providing technical
support and business services to global law firms.
(00:30):
Hi, Chipprian. How are you?
Hi, Ari. Thanks for having me.
It's my privilege and I'm looking forward to this conversation.
Tell us about your background and the genesis of modular services.
I have about 13 years in legal, started off as a systems engineer, then moved on to project
management and then created a small outsourcing setup for a law firm back in 2013.
(00:57):
I was supposed to roll off that project and move on.
I've been brought back to Managing Growit and over time it developed into a massive business
unit which we then put into modular services.
We created a full delivery center based on that team and we've been expanding it since
(01:21):
2021 with new and improved services in our portfolio.
We started off with a team of 13 people in 2013.
We opened our office on the 1st of April in 2021.
We were one of the first firms to open a new office in middle of a pandemic when everybody
(01:43):
else was downsizing.
What types of business services and technical support do you provide for global offerings?
We started with 24/7 IT support, our bread and butter for the past 12 years and since
we've assembled under the brand of modular services, we've added finance operations to
(02:07):
our portfolio.
We have accounts payable, e-billing, matter admin.
We do some of the data entity and risk elements of the client matter opening form.
We do specialized reporting so that lawyers can see their web and they can see their KPIs
and performance compared to the other teams and tied into the firm targets.
(02:32):
We even cover the core systems development around various finance tools that we use.
We have elite three developers in our team.
Apart from the finance operations, we've launched the cybersecurity service in 2019 and we've
been growing it ever since.
We now have nine big clients in our cybersecurity portfolio.
(02:56):
For that, we offer end-to-end cybersecurity services from assessments to running audits
of your cybersecurity controls to web penetration testing, application testing and the 24/7
SOC service and vulnerability management that's your day-to-day go-to services in terms
(03:20):
of cyber.
We also have other niche services related to business development.
We have people working on CRM systems and developing solutions in that area.
We do poll stack application development and recently developed a dockering system for
(03:41):
one of our clients.
We've started developing some AI solutions as well for our law firm clients.
That's an area that we see growing.
Also design pitch templates.
It's quite diverse.
We say this guy is the limit and because we've been serving global law firms for so long,
(04:01):
our team has managed to acquire a lot of experience in to the various niche areas of law firms
that you will simply not find with large managed services suppliers.
How can law firm leaders strengthen their cybersecurity efforts in the current climate?
Continuing investing and strengthening their proactive thread detection capabilities and
(04:28):
investing as much into tools and also into people skills.
It's important to have CISOs up to date with the latest security threats and the latest trends
in cybersecurity because it's very rapidly changing globally.
(04:50):
The AI just accelerated the number of attack vectors and boosted the creative ways of hackers
to find new holds into the law firm defenses.
At the same time, AI lowered the required skill levels to be a hacker because a couple of
(05:14):
years ago, you needed to know some scripting.
You needed to know a bit of programming, a bit of bash.
Now you just need to be very clever with a couple of prompts and you have yourself an attack
payload on your hands which you can deploy and scale out with a number of cloud solutions
(05:36):
available to you and just launch an attack somewhere.
How did the pandemic affect the way law firms leverage outsourced business and technical
services?
It opened up a lot of possibilities and it shifted a lot of the attention to the people that
(05:59):
were successfully supporting their task force.
The more traditional law firms struggled to get their people working from home because
they were dependent on the technology they had in the office.
The simplest example is the lefany.
I remember there were still people on legacy, the lefany solutions that they just couldn't
(06:23):
operate from home.
They just didn't have the required hardware to work from home.
At the same time, we were one of the first teams to implement all of our teams.
Simulously, people could go and work from home and the clients couldn't tell the difference.
(06:44):
Apart from the fact that they couldn't visit the law firm offices, the lawyers couldn't
tell the difference either.
What effect does education have on a law firm's security posture and what recommendations
do you have for those lessons?
In the cybersecurity space, we say your systems are as secure as your weakest link, which
(07:07):
is the user.
You can have all the systems in place, all your endpoint detection and your latest anti-spam
filtering and your real-time detection tools for malicious activity within the network.
It all comes down to the user clicks a link.
(07:28):
You put external flags on the email, you do all sorts of stuff to highlight the email,
you may be potentially malicious, you publish lots of trainings on your LMS and it's up to
the user to actually go and pay attention to the training and spot the signs that an email
(07:54):
message can be malicious.
And with AI, the level of craftiness that polymorphic, phishing, email campaign look like, it's just
scary because it used to be a single spam email sent to, I don't know, 10,000 users, over
(08:17):
the best, if one in 10,000 clicks on it, then we're in.
And by chance, one in 10,000 would click on it.
And it's now very adapted to the department.
It's sent.
It comes with a little changes in terms of who it's being sent from.
It comes with the language in the email is carefully curated and it's crafted using AI tools.
(08:48):
And hackers go to the length of actually getting somebody and studying his method of writing
and impersonating him and emailing as if it was the actual person.
So it's very hard to tell now.
But if you pay attention to the email headers, it's a lot harder to fall for that.
(09:14):
What is vulnerability management and why should law firms prioritize it?
Vulnerability management is basically a continuous assessment of your systems weaknesses or unpatched
issues that may be exploited by a malicious actor where the purpose of escalating their privileges
(09:42):
and gaining access to your data.
So law firms should place a lot of importance on protecting their clients data and should
prioritize fixing vulnerabilities and going through zero-day patching exercises when vulnerability
(10:02):
scans uncover critical vulnerabilities, there should be a prioritization of fixing those
vulnerabilities within the shortest amount of days possible.
Cybersecurity, Cybercentials Plus requires you to fix criticals in less than 10 days.
(10:23):
I think that's 10 days is even a stretch because with the way researchers are working now
with the compute power that is available on the market now, it's very easy to test and
find exploits on commonly disclosed vulnerabilities.
Think of it as brushing your teeth.
If you have a cavity and if you don't brush your teeth every night, the cavity only expands.
(10:47):
What types of policies should law firm leaders implement to drive their firms into the future?
There should be policies aimed at protecting client data.
So conditional access policies, data classification, remote access governance, just in time access
for administration, identity lifecycle management, bring your own device policies and the goal
(11:13):
should be to go to a zero trust model where you assume compromise and remove as much unnecessary
hardware from your infrastructure as possible.
You stay as lean as you can be with the data, you keep it in-sass with cryptographic secrets,
(11:37):
protecting it, and you try to let go of the heavy on premises, infrastructures with lots
of servers that are vulnerable and can provide a pathway into your client's data as they get breached.
(11:58):
It should also align with client increasing needs for security and standards like ISO 27001,
GDPR, etc.
How do you see outsourced law firm support evolving?
It's currently now still at a break fix level with some AI on top of it, with some automation,
(12:27):
which should evolve law firms need to understand that they need to have support frameworks in
place and they need to increase their level of maturity into how they treat information
governance and the IT part securing that information governance.
We need to shift into defining a security framework, a set of rules that they should follow
(12:55):
in terms of security policies and security controls that they should be implementing to guarantee
as much as they can that their client data is protected.
The good thing is that insurers are driving a lot of innovation in that area and many firms are
increasing their security posture and are reassessing their support models.
(13:21):
Over the next few years we're going to see more and more integration of automation and AI.
And to most of the support processes we're going to see predictive analytics on when the next system
is going to break or when are the next group of users going to call about problem X in a month.
(13:44):
You already have advanced analytics in month ends.
You're going to have the entire finance team calling you to make sure they have enough ram on
their PMS system servers. It's that kind of stuff that is going to be more and more AI embedded.
And in the future you're going to have self-healing systems to give you enough capacity
(14:12):
and real-time fixes for issues like this in production.
This is Ari Kaplan speaking with Chipprian Sharamett, the managing director of modular services,
a Romanian company focused on providing technical support and business services to global
firms. Thanks a very much.
Welcome to Reinventing Professionals, a podcast hosted by industry analyst Ari Kaplan,
(00:07):
which shares ideas, guidance and perspectives from market leaders shaping the next generation
of legal and professional services.
This is Ari Kaplan and I'm speaking today with Chipprian Charmet.
The managing director of modular services, a Romanian company focused on providing technical
support and business services to global law firms.
(00:30):
Hi, Chipprian. How are you?
Hi, Ari. Thanks for having me.
It's my privilege and I'm looking forward to this conversation.
Tell us about your background and the genesis of modular services.
I have about 13 years in legal, started off as a systems engineer, then moved on to project
management and then created a small outsourcing setup for a law firm back in 2013.
(00:57):
I was supposed to roll off that project and move on.
I've been brought back to Managing Growit and over time it developed into a massive business
unit which we then put into modular services.
We created a full delivery center based on that team and we've been expanding it since
(01:21):
2021 with new and improved services in our portfolio.
We started off with a team of 13 people in 2013.
We opened our office on the 1st of April in 2021.
We were one of the first firms to open a new office in middle of a pandemic when everybody
(01:43):
else was downsizing.
What types of business services and technical support do you provide for global offerings?
We started with 24/7 IT support, our bread and butter for the past 12 years and since
we've assembled under the brand of modular services, we've added finance operations to
(02:07):
our portfolio.
We have accounts payable, e-billing, matter admin.
We do some of the data entity and risk elements of the client matter opening form.
We do specialized reporting so that lawyers can see their web and they can see their KPIs
and performance compared to the other teams and tied into the firm targets.
(02:32):
We even cover the core systems development around various finance tools that we use.
We have elite three developers in our team.
Apart from the finance operations, we've launched the cybersecurity service in 2019 and we've
been growing it ever since.
We now have nine big clients in our cybersecurity portfolio.
(02:56):
For that, we offer end-to-end cybersecurity services from assessments to running audits
of your cybersecurity controls to web penetration testing, application testing and the 24/7
SOC service and vulnerability management that's your day-to-day go-to services in terms
(03:20):
of cyber.
We also have other niche services related to business development.
We have people working on CRM systems and developing solutions in that area.
We do poll stack application development and recently developed a dockering system for
(03:41):
one of our clients.
We've started developing some AI solutions as well for our law firm clients.
That's an area that we see growing.
Also design pitch templates.
It's quite diverse.
We say this guy is the limit and because we've been serving global law firms for so long,
(04:01):
our team has managed to acquire a lot of experience in to the various niche areas of law firms
that you will simply not find with large managed services suppliers.
How can law firm leaders strengthen their cybersecurity efforts in the current climate?
Continuing investing and strengthening their proactive thread detection capabilities and
(04:28):
investing as much into tools and also into people skills.
It's important to have CISOs up to date with the latest security threats and the latest trends
in cybersecurity because it's very rapidly changing globally.
(04:50):
The AI just accelerated the number of attack vectors and boosted the creative ways of hackers
to find new holds into the law firm defenses.
At the same time, AI lowered the required skill levels to be a hacker because a couple of
(05:14):
years ago, you needed to know some scripting.
You needed to know a bit of programming, a bit of bash.
Now you just need to be very clever with a couple of prompts and you have yourself an attack
payload on your hands which you can deploy and scale out with a number of cloud solutions
(05:36):
available to you and just launch an attack somewhere.
How did the pandemic affect the way law firms leverage outsourced business and technical
services?
It opened up a lot of possibilities and it shifted a lot of the attention to the people that
(05:59):
were successfully supporting their task force.
The more traditional law firms struggled to get their people working from home because
they were dependent on the technology they had in the office.
The simplest example is the lefany.
I remember there were still people on legacy, the lefany solutions that they just couldn't
(06:23):
operate from home.
They just didn't have the required hardware to work from home.
At the same time, we were one of the first teams to implement all of our teams.
Simulously, people could go and work from home and the clients couldn't tell the difference.
(06:44):
Apart from the fact that they couldn't visit the law firm offices, the lawyers couldn't
tell the difference either.
What effect does education have on a law firm's security posture and what recommendations
do you have for those lessons?
In the cybersecurity space, we say your systems are as secure as your weakest link, which
(07:07):
is the user.
You can have all the systems in place, all your endpoint detection and your latest anti-spam
filtering and your real-time detection tools for malicious activity within the network.
It all comes down to the user clicks a link.
(07:28):
You put external flags on the email, you do all sorts of stuff to highlight the email,
you may be potentially malicious, you publish lots of trainings on your LMS and it's up to
the user to actually go and pay attention to the training and spot the signs that an email
(07:54):
message can be malicious.
And with AI, the level of craftiness that polymorphic, phishing, email campaign look like, it's just
scary because it used to be a single spam email sent to, I don't know, 10,000 users, over
(08:17):
the best, if one in 10,000 clicks on it, then we're in.
And by chance, one in 10,000 would click on it.
And it's now very adapted to the department.
It's sent.
It comes with a little changes in terms of who it's being sent from.
It comes with the language in the email is carefully curated and it's crafted using AI tools.
(08:48):
And hackers go to the length of actually getting somebody and studying his method of writing
and impersonating him and emailing as if it was the actual person.
So it's very hard to tell now.
But if you pay attention to the email headers, it's a lot harder to fall for that.
(09:14):
What is vulnerability management and why should law firms prioritize it?
Vulnerability management is basically a continuous assessment of your systems weaknesses or unpatched
issues that may be exploited by a malicious actor where the purpose of escalating their privileges
(09:42):
and gaining access to your data.
So law firms should place a lot of importance on protecting their clients data and should
prioritize fixing vulnerabilities and going through zero-day patching exercises when vulnerability
(10:02):
scans uncover critical vulnerabilities, there should be a prioritization of fixing those
vulnerabilities within the shortest amount of days possible.
Cybersecurity, Cybercentials Plus requires you to fix criticals in less than 10 days.
(10:23):
I think that's 10 days is even a stretch because with the way researchers are working now
with the compute power that is available on the market now, it's very easy to test and
find exploits on commonly disclosed vulnerabilities.
Think of it as brushing your teeth.
If you have a cavity and if you don't brush your teeth every night, the cavity only expands.
(10:47):
What types of policies should law firm leaders implement to drive their firms into the future?
There should be policies aimed at protecting client data.
So conditional access policies, data classification, remote access governance, just in time access
for administration, identity lifecycle management, bring your own device policies and the goal
(11:13):
should be to go to a zero trust model where you assume compromise and remove as much unnecessary
hardware from your infrastructure as possible.
You stay as lean as you can be with the data, you keep it in-sass with cryptographic secrets,
(11:37):
protecting it, and you try to let go of the heavy on premises, infrastructures with lots
of servers that are vulnerable and can provide a pathway into your client's data as they get breached.
(11:58):
It should also align with client increasing needs for security and standards like ISO 27001,
GDPR, etc.
How do you see outsourced law firm support evolving?
It's currently now still at a break fix level with some AI on top of it, with some automation,
(12:27):
which should evolve law firms need to understand that they need to have support frameworks in
place and they need to increase their level of maturity into how they treat information
governance and the IT part securing that information governance.
We need to shift into defining a security framework, a set of rules that they should follow
(12:55):
in terms of security policies and security controls that they should be implementing to guarantee
as much as they can that their client data is protected.
The good thing is that insurers are driving a lot of innovation in that area and many firms are
increasing their security posture and are reassessing their support models.
(13:21):
Over the next few years we're going to see more and more integration of automation and AI.
And to most of the support processes we're going to see predictive analytics on when the next system
is going to break or when are the next group of users going to call about problem X in a month.
(13:44):
You already have advanced analytics in month ends.
You're going to have the entire finance team calling you to make sure they have enough ram on
their PMS system servers. It's that kind of stuff that is going to be more and more AI embedded.
And in the future you're going to have self-healing systems to give you enough capacity
(14:12):
and real-time fixes for issues like this in production.
This is Ari Kaplan speaking with Chipprian Sharamett, the managing director of modular services,
a Romanian company focused on providing technical support and business services to global
firms. Thanks a very much.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!