Gunderson Dettmer Case Study

Gunderson Dettmer, an international business law firm, provides advisory and legal services to more than 2,500 high-growth and emerging technology and life sciences companies, from startup to maturity. It also advises more than 250 global venture capital and private equity firms. Headquartered in Redwood City, CA, and employing more than 200 attorneys in nine offices, Gunderson Dettmer counsels clients on corporate and securities law, mergers and acquisitions, intellectual property and commercial agreements, strategic alliances, executive compensation, and more.


The fundamental principles that govern attorney-client relationships center on protection, confidentiality, and trust. Legal advisors are expected to rigorously protect the sensitive information they access and store on behalf of their clients. The very nature of these engagements requires unwavering confidence in legal counsel, who are often privy to an organization’s most valuable and confidential information. Achieving and maintaining this level of trust is increasingly difficult in a digital economy continuously plagued by sophisticated attackers who aggressively target the sensitive data (e.g., patents, trade secrets, financial information, corporate strategies, contracts) that law firms must hold in order to represent their clients effectively.

Enterprise senior management and boards of directors rely on their legal teams to help them effectively manage and respond to cyber threats. But the reality is that many law firms continue to struggle with establishing and maintaining their own robust cybersecurity defenses. Many firms, for example, conduct point-in-time self-assessments focused primarily on compliance instead of continuously assessing and mitigating security vulnerabilities in real time.

Like many of its industry peers, Gunderson Dettmer’s traditional approach to risk management involved point-in-time monthly penetration tests conducted by a third-party vendor, followed by a more comprehensive annual pen test. Both of these assessments typically returned few if any meaningful results and left the law firm with a poor return on investment.

Today, corporate clients are demanding that their legal partners upgrade their cybersecurity capabilities. Firms must proactively respond to increasingly complex and frequent attacks or face inevitable reputational damage and erosion of client confidence. In many cases, law firms are being held accountable for poor cyberhealth.

Solution Overview

Data-driven Security Intelligence

Gunderson Dettmer quickly realized that SecurityScorecard’s ThreatMarket data engine, which collects millions of data points in real time and continuously scans today’s dynamic attack surface for active exploits, could discover and assess the firm’s vulnerabilities much faster and more effectively than any penetration test. The platform’s comprehensive outside-in threat intelligence capabilities were compelling characteristics of the solution for the firm. Visibility into significant issues as well as less critical concerns, such as an outdated browser version, armed Gunderson Dettmer’s IT team with the information required to identify and remediate system vulnerabilities and breakdowns in internal procedures.

Collaborative Ecosystem Risk Management

The ability to track vendor security posture with SecurityScorecard facilitates collaborative workflows with the law firm’s service providers. Gunderson Dettmer entrusts third parties with the management of HR functions like compensation and benefits. When it was discovered that a vendor storing employee personally identifiable information (PII) like social security numbers had a poor security rating, Gunderson Dettmer immediately invited the partner to collaboratively address and remediate issues.

Instant and Accurate Security Ratings

Law firms face the painstaking task of repeatedly certifying the cyberhealth of their own infrastructure for clients and other business partners in client ecosystems. Now, instead of completing tedious, time-consuming due diligence questionnaires based on disparate security frameworks and guidelines, Gunderson Dettmer provides a snapshot or detailed summary of its SecurityScorecard rating to document its security posture. The firm delivers the required information to the client via the SecurityScorecard platform, saving significant time and providing a far more comprehensive yet consolidated scorecard view of security posture than a subjective, point-in-time, check-the-box compliance assessment.

Gunderson Dettmer also relies on SecurityScorecard to help clients invest with confidence. SecurityScorecard technologies can be used to quantify risk and potential liability in merger and acquisition targets as part of strategic due diligence before any contracts are signed. A comprehensive view of an M&A target’s cyberhealth is a critical component of the vetting process: it is important to understand risks before inheriting liability. An M&A target’s security posture, compliance adherence, and proven ability to quickly and effectively remediate vulnerabilities must be essential elements of the evaluation. Best practice dictates that any evidence of data breaches should be factored into purchase agreements and integration timelines before deals close.

Gunderson Dettmer is able to assess the security posture of a client’s M&A target with SecurityScorecard’s risk management platform, which delivers instant and continuous visibility into cyberhealth by analyzing risk across 10 factors. Pinpointing critical vulnerabilities, determining how well prospects have performed over time, and evaluating their consistency in meeting regulatory requirements are all important considerations.

The SecurityScorecard security ratings platform enables Gunderson Dettmer to benchmark any client M&A target’s cybersecurity performance against industry peers and competitors while uncovering hidden—and potentially costly—security issues. Integrating SecurityScorecard into due diligence processes helps the firm’s clients reduce exposure and make better M&A decisions.

Post-acquisition, SecurityScorecard enables acquirers to continuously monitor the cyberhealth of recently acquired entities as well as assets across the entire portfolio. This gives Gunderson Dettmer clients the ability to manage risk and seamlessly integrate newly acquired assets into their security and risk management frameworks.

Results and Benefits

In addition to continuously identifying cybersecurity risks, Gunderson Dettmer now has the tools to quickly report issues, take immediate action, and continuously improve processes to enhance its security posture and maintain client confidence. The firm’s chief risk officer, chief technology officer, and senior system administrator regularly access the user-friendly dashboards on their SecurityScorecard portal. Typically, the team sees one or two medium-criticality findings, shares the information with IT practitioners, and discusses next steps. This collaborative workflow drives increased cybersecurity awareness and engagement across the firm, as well as informed prioritization and rapid remediation of what matters most.

Gunderson Dettmer’s partnership committee, keenly interested in all things IT, strongly supports the SecurityScorecard platform and eagerly awaits news of the firm’s latest security rating during quarterly meeting kickoffs. This is precisely the kind of high-level summary of the firm’s security posture that this group of stakeholders and the board of directors require for strategic risk management decisions.


With SecurityScorecard, the firm maintains continuous visibility into the cyberhealth of its IT infrastructure and can easily provide a snapshot of its security posture to raise awareness among internal stakeholders and instill confidence across the diverse range of companies in its client portfolio.
