The Ethics of AI in Legal Practice: Lessons from Andrew DeBratto
Andrew DeBratto, Chief Information Security Officer at Hunton Andrews Kurth LLP, leads cybersecurity strategy for one of the world’s top 100 law firms. With more than 25 years in IT and two decades in the legal sector, Andrew combines operational discipline with forward-thinking innovation. His leadership at Hunton Andrews Kurth emphasizes cybersecurity as both a client obligation and a business enabler. Guiding a global IT team of more than 90 professionals, he champions “operational excellence” as the foundation for secure innovation. His practical insights reveal how large legal organizations can maintain stability while exploring emerging technologies like AI, automation, and micro-segmentation.
Here’s a glimpse of what you’ll learn:
- Why operational excellence is the foundation of every successful IT department
- How Hunton Andrews Kurth builds trust through proactive cybersecurity practices
- The role of ethical AI use in the legal industry
- Why attitude and aptitude outweigh certifications in IT hiring
- How the firm applies micro-segmentation and zero trust principles effectively
- Why lawyers must remain human-in-the-loop when using AI tools
- How innovation and practicality coexist in modern law firms
In this episode…
Andrew DeBratto shares an inside look at how Hunton Andrews Kurth balances cybersecurity, innovation, and productivity across its global operations. He explains that “keeping the lights on” through operational excellence creates the foundation for innovation. When systems run smoothly and attorneys can focus on their clients, IT earns the credibility to explore transformative projects like AI integration and advanced endpoint protection.
Andrew dives into the realities of cybersecurity in the legal sector, where firms are prime targets for sophisticated threat actors. Hunton Andrews Kurth conducts regular penetration tests and tabletop exercises not for compliance, but for genuine improvement. “Find the flaws,” Andrew insists, emphasizing that vulnerability detection drives resilience. His team uses a best-of-breed approach, prioritizing specialized tools that deliver depth of security over one-size-fits-all platforms.
The discussion also explores AI’s growing influence on legal practice. Andrew acknowledges its potential but insists that every AI implementation at the firm is bound by responsible-use training. Attorneys must complete ethical certification before using any generative AI platform. “You are still responsible for your work,” he reminds listeners, underscoring that human judgment must remain central even as technology accelerates productivity.
Later in the conversation, Andrew highlights the firm’s AI strategy, which blends internal development on Microsoft Azure OpenAI with external best-of-breed tools. Rather than chasing every new platform, the firm uses a “buffet approach,” allowing experimentation without overspending. AI, he notes, is still in its exploratory phase, and meaningful productivity gains will come only when the right tools align with specific workflows.
On leadership, Andrew emphasizes hiring for attitude and aptitude. Technical skills can be taught, but curiosity, collaboration, and integrity are essential. His philosophy has built a team that is both technically capable and deeply aligned with the firm’s mission of trust, innovation, and client service.
Resources mentioned in this episode:
Matthew Connor on LinkedIn
CyberLynx Website
Andrew DeBratto on LinkedIn
Hunton Andrews Kurth LLP Website
Sponsor for this episode...
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Transcript:
Cyber Business Podcast – Andrew DeBratto, CIO at Hunton Andrews Kurth LLP
Matthew: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Andrew DeBratto, CIO at Hunton Andrews Kurth LLP. Andrew, welcome to the show.
Andrew: Matt, thanks for having me.
Matthew: Thanks for being on. Before we get too far in, a quick word from our sponsors.
[SPONSOR READ: This episode is brought to you by CyberLynx.com. Do you know if a hacker is in your system? Most people and most companies don't — until it's too late and the hacker has already done damage. A hacker's job is to bypass your security, so companies need a way of knowing when someone has gotten past their defenses. That's where CyberLynx comes in. We've partnered with the best cybersecurity companies in the world to provide our clients with the best solutions at the best prices — whether it's managed SIEM, SOC, EDR, MDR, or XDR. We'll help you find the right solution at the right price. Find out more at CyberLynx.com.]
And now back to our show. Andrew, for those who aren't familiar, can you tell us about Hunton and your role there as CIO?
Andrew: Sure. Hunton is what's known as an Am Law 100 firm — meaning we're among the 100 largest law firms in the country. We have 20 offices around the world and we're a full-service corporate firm. We do litigation and transactional work, with a lot of strength in the security and privacy space. It's a great organization.
Matthew: My wife and I are now empty nesters — our youngest just went off to college with her sights set on Harvard Law and big law. So what's your take on that world, specifically from an IT and technology perspective? Because big law is such a different environment.
Andrew: It really is. I always scratch my head at how some of the smaller firms manage it — the cybersecurity requirements, the software costs, just the run rate of operating this business month in and month out. I've spent about 20 of my 25-year career in the legal space across four different firms. As much as I thought legal was unique in many ways, I did have a stint with a large mechanical, electrical, and plumbing organization and was surprised to find it was structured almost identically — different trades, each with their partners and associates and summer hires. So the model transfers. But legal is where most of my career has been, and likely where I'll finish it. You work with highly educated, highly motivated people who have real passion for serving their clients — and our IT team tries hard to match that passion. I preach operational excellence constantly, probably to the point where the team gets tired of hearing it. But if we nail the blocking and tackling — keep the lights on, keep attorneys billing, keep things running smoothly — we earn the credibility and the political capital to then go pursue larger innovative initiatives like everything happening with generative AI right now.
Matthew: I think the pursuit of operational excellence is so important and so often overlooked. People hear "don't be a perfectionist" and interpret it as an excuse to just pump things out. There's a real difference between chasing perfection for its own sake and genuinely pursuing excellence. You're living that with your team. How do you keep that culture alive?
Andrew: We talk about it quite a bit. My team and I are working managers — we're in the weeds every day. We do daily standup calls. We look at systemic issues. If Outlook is crashing 20% of the time throughout the day, that's a problem we need to address. I genuinely credit our team for buying into that premise.
There's a book I read recently that really reinforced a lot of this thinking — Fostering Innovation: How to Build a Great Technology Team by Andrew Laudato, who I believe is now the Chief Operating Officer at The Vitamin Shoppe. He was kind enough to come speak to our team. He frames it as a pyramid: keeping the lights on is the base, then doing it efficiently, then innovation at the top. I was shipping copies out to people across our team. It really affirmed that operational excellence isn't just good discipline — it's what earns you the right to innovate. That's always the North Star we're driving toward: we exist to service the business and keep it running efficiently.
Matthew: Law firms aren't exactly known for innovation. How do you balance security, innovation, and keeping attorneys productive?
Andrew: On security — law firms are a treasure trove of information. There have been well-documented campaigns from threat groups like Luna Moth specifically targeting the legal industry. Fortunately, we have one of the leading security and privacy practices in the world within our own firm, so we eat our own dog food. Our penetration tests and tabletop exercises aren't vanity projects to check compliance boxes — I tell the people we bring in: I want you to find the flaws, because that makes us better. We take a best-of-breed approach rather than buying a single platform that does a lot of things adequately but nothing exceptionally.
At the same time, we can't all be wearing tinfoil hats. Not everything is a nation-state attack. The practicality is in finding the right amount of friction — how much are we asking of our people versus what's actually necessary. We've invested heavily in the endpoint, which is especially important given work-from-home culture and attorneys visiting clients constantly. It's the hotel analogy rather than the castle analogy: you need your key card to get into the gym, the pool, the room. We're probably one of few firms that does true micro-segmentation at the endpoint and server level — what process, port, and protocol is allowed to communicate with what. That comes with significant operational overhead, but it's a necessary investment for what we do.
On innovation — we try to look 1,000 yards down the field. We've had forward thinkers on the team who were ahead of the curve on things like Power BI and the Power Platform. Our AI program is trying to stay on the forefront of what's available and workable — not necessarily the tip of the spear, but forward enough. And we're doing it fiscally responsibly. The burn rate on some of these AI platforms can get eye-watering very quickly, so we're deliberate.
On productivity — the goal is to give our lawyers the best tools, the best data, and the best security so that all they're thinking about is serving their clients.
Matthew: Speaking of AI and law — there have been some high-profile stories about attorneys citing fabricated cases in filings. How do you navigate that? How do you supercharge attorneys with tools that aren't perfect when attorneys need to be?
Andrew: You hit the nail on the head — the tools aren't perfect. And we're very upfront about that with our attorneys and staff. Before anyone gets access to any of our sanctioned AI tools, they have to complete an ethical and responsible use training module we put together in combination with our general counsel. It covers hallucinations, but at the core, the message is: you are responsible for your work. You must have a human in the loop throughout the process. I equate it to going to Google, pulling something off Reddit, and treating it as gospel — that's just not reasonable. The same standard applies here.
There's a researcher I believe based in France who's tracking every court case where a sanction has been issued against an attorney for AI-related issues. A few months ago I pulled this for our managing partner — at that point there were around 116 instances. When I checked recently, it was over 300. So the problem is not slowing down — it's arguably accelerating. About half of those are people representing themselves, which you can largely set aside. But you still have 150 to 160 instances involving actual attorneys.
The Avianca Airlines case is one of the first that got real national attention — counsel cited 12 cases as the basis of their claim, and all of them were fabricated. Now, to be fair, the tools have gotten better at pure hallucination — just making up facts. Legal vendors have done a solid job building guardrails against that. What's more common now is misrepresentation: conflating information to make it sound on point when it isn't. That's where the human in the loop matters. I was having this conversation just yesterday with one of our attorneys who runs into this regularly. He challenges the AI, sparring with it, iterating his prompts as he goes to ultimately reach his own interpretation of what the right answer is.
Matthew: How does that actually play out? Does the sparring produce something better in the end, or is it a frustrated lawyer who concludes the AI is useless?
Andrew: In this particular case, this attorney is one of our power users. He understands the limitations and knows that through the sparring process, he's the one making the final interpretation. From my own experience — I was recently researching token expiration behavior in Microsoft 365, specifically around Power BI. What Grok and Gemini were bringing back were answers that sounded reasonable, but the specific steps and modules they were referencing either didn't exist, were in preview, or weren't configured the way the tool was describing. You hit a moment where you ask yourself: am I heading down a bad path?
We had a similar situation coming out of a pen test. We had a finding to work through, and what we were looking for was how machines are joined to the domain and a specific attribute that needed to be changed. The AI answers looked good, but I wasn't fully confident in them — so we took a low-risk machine and tested it. Proved the AI was right, and by doing that we saved ourselves a lot of time and headache compared to dropping and re-adding machines from the domain at scale. The point is: you make your best educated interpretation and then validate it in a low-risk environment before going wide. That's a luxury a courtroom doesn't give you.
Matthew: And that's exactly why it's so tempting and also so dangerous. The output from these tools is so convincing and so polished that it looks like gospel. And I've been guilty of the same thing — I can interpret code and scripts, massage them, make them do what I want. But I'm no gifted programmer. With AI, I can now produce a PowerShell script that I'd never have been able to write from scratch. But if I'm going to run that on a network, I better know what it does.
Andrew: Absolutely. This is something we hammer on pre-AI and post-AI equally — if you are going to run a script on our network, whether you wrote it yourself, copied it from Reddit, or generated it from an AI tool, you are responsible for knowing what it does. You flip a switch, you turn a toggle, you better understand what that means. And you're right about vibe coders — the temptation to just copy-paste code without reading it is significant. We saw this with GitHub not long ago, where there was a proliferation of weaponized projects that led us to just shut down and block access. People don't want to read through the code, but they have to.
Matthew: That leads to a natural question about hiring. As AI makes people more capable — even people who aren't traditionally strong coders — what are you actually looking for when you bring someone onto your team?
Andrew: Attitude and aptitude. Those are the two most important things. We want someone coming in with the right attitude and an aptitude to learn. We can teach you the technical stuff — this is not rocket science, and I'm not the smartest person in any room I'm in on any given day. But I have a good attitude and the aptitude to pick things up, and that's what we look for. We just hired two new team members and it came down entirely to attitude and aptitude.
Everything else — certifications, specialized skills — those are force multipliers. If I'm looking at two candidates with great attitudes and great aptitudes and one has invested the time to get a CISSP, a CISM, a CISA, and a Certified Ethical Hacker while hiring for a security role, that's probably going to tip the scales. That person has shown they invest in their career. But attitude comes first every time. The last thing you want is someone who becomes a cancer and eats your team from the inside out. We've built a strong team with strong working managers, and we have daily standups where everyone is aligned on what we're working on. We can teach you almost anything. We just need you to show up with the right attitude.
Matthew: So where is all of this AI innovation taking law firms specifically? Where do you see it going?
Andrew: When ChatGPT launched, the conversation in the legal industry was effectively "generative AI is going to replace lawyers." That narrative has shifted significantly. What we're seeing in reality is that it's a productivity tool — and I believe that's what it will continue to be. It's great at moving through information quickly, getting to answers faster, helping attorneys start formulating legal opinions more efficiently. Legal research, large-scale document review, e-discovery — the AI can work 24/7 without getting tired, while your associate needs to leave by 6:00 because his son has a ball game. Using it as a sparring partner to formulate arguments, test counterarguments, stress-test a position — that's real and valuable.
The way I think about it — and I'll credit this framing to others — is that we need people in a few different verticals right now. First, everyone should be an explorer: playing with the tools, understanding their strengths and weaknesses, finding where specific tools add value to specific workflows. Some of those tools are legal-specific; some are Gemini, Grok, and ChatGPT. The goal is eventually for everyone to move to a power user state where using these tools is as natural as using Outlook or Excel. And then there's a third silo — builders and developers — where you're seeing agentic AI and tools being used as functional engines behind the scenes. That's more the IT and citizen developer space.
Internally we've taken two parallel approaches under a "buffet" mantra: we're building our own tools internally on top of Microsoft Azure OpenAI, and we're evaluating best-of-breed legal industry tools off the shelf. We give our people the ability to explore a range of options. Some are practice-specific; others are general platforms for document review, summarization, legal research.
One thing we're onboarding right now benchmarks deal terms — you put a term into the tool and it compares it against millions of public finance deals in the EDGAR database. Is this term market? Is it off-market? How often does it get accepted? That's a genuine force multiplier for our transactional attorneys.
Matthew: Honest question — are you seeing meaningful productivity gains yet?
Andrew: Honestly, we're not there yet in a meaningful way. I'd be lying if I said the tools were delivering 20% efficiency gains. We're still in that exploratory phase, figuring out what tools make sense for which use cases — because a litigator's workflow is different from a transactional attorney's, which is different from finance or marketing on the staff side. Everyone is getting value from the research use case today — you can get to information faster without wading through 30 Google links. That's real. What we haven't cracked yet is the higher-value automation: I have 10 standard clauses, fill in a couple of variables, generate my contract. That's where the significant efficiency gains will come from. But do I think we'll get there? Yes. We're just in the learning curve right now.
And part of the adoption challenge is tool sprawl — right now it's go to this tool for this, go to that tool for that. Constant context-switching between interfaces is draining for very busy people. I think over time we'll see consolidation in the legal technology market the same way we've already seen it in document management and financial systems. The large players will absorb and integrate, and you'll have a few dominant platforms with some specialized point solutions filling niche needs.
Matthew: And the cost question — how do you manage the burn rate while still investing responsibly?
Andrew: We're not giving everyone every tool. The only thing available to everyone across the board is our internal ChatGPT-like tool — it's economical and everyone can access it. Everything else we're selective about. We're trying to pick the winners, identify where we're finding real value — is it Microsoft Copilot? Is it this specific legal AI platform? — and make educated decisions rather than throwing millions against the wall hoping something sticks. And on the security side, the guardrails are clear: firm-sensitive data and client data do not go into ChatGPT or Gemini. We have clients whose outside counsel guidelines explicitly prohibit putting their data into any generative AI tool. So people need to understand that even as we want them using and exploring these tools, there's a defined secure sandbox they need to work within.
Matthew: Andrew, this has been an absolute blast. Before we go — where can everyone find out more about you and about Hunton?
Andrew: The firm's website is hunton.com — if you're looking for legal representation, that's the place to start. And you can find me on LinkedIn — Andrew DeBratto. I'm not hard to find. Feel free to reach out. I've had people randomly connect who just wanted to talk about working in the legal industry as they're exploring their careers, and I genuinely enjoy those conversations.
Matthew: Fantastic. Andrew, until next time — thanks!
Andrew: Thanks, Matthew.