“For those of us in contracting, we spend hours crafting clauses and negotiating terms which are mostly of limited honesty or meaning. Is this because we really don’t care, or because we are blissfully unaware of the truth? Companies simply cannot promise complete security of data or information management. It is an area of relative security and safety – and one in which we must become far more expert and knowledgeable.”
The above is an excerpt from a July 6th, 2010 post on Tim Cummins' Commitment Matters blog titled “Security – A Major Contracting Challenge.”
Besides the fact that Cummins is the Founder and CEO of the International Association for Contract and Commercial Management (“IACCM”), I often refer to his perspectives on contracting because he tends to look at the underlying mechanics of a process that in many instances works against itself: onerous clauses are included that inequitably transfer risk to one party (usually the supplier).
This is why incorporating contract clauses that guarantee “data protection, information security and disaster recovery” may very well be as effective as the famed Maginot Line was in protecting France from invasion by a foreign enemy. We all of course know that the term Maginot Line has come to represent a belief in what is ultimately false security.
I think this is the point that Tim, as well as others, have been trying to make. Specifically, passing what has become a proverbial hot potato in the contracting world to suppliers through the inclusion of clauses does not in any way, shape or form acknowledge or address the reality of the situation surrounding cyber risk. Even if a supplier were, for whatever motivation, willing to promise an unassailable level of security and accept contractual terms under which they bore the lion's share of responsibility for a security breach, any buyer would be foolhardy to walk away from such a contract in a peaceful state of oblivion.
Furthermore, without truly understanding the breadth of the risk of transacting business in an increasingly virtual world, neither the buyer nor, for that matter, the supplier will ever be able to effectively address the issue and in the process create a fair or balanced risk agreement.
As a means of providing you with some additional perspective on the real issues of information security, I will refer you to a May 7th, 2010 interview I did with Richard Stiennon, whose new book Surviving Cyber War examines in depth the major cyberattacks that have recently taken place around the world, and why the virtual world may very well be a defining global battleground.
Stiennon is the founder of IT-Harvest, an independent IT security analyst firm, the author of the security blog ThreatChaos.com, the holder of Gartner's Thought Leadership award, and was named “one of the 50 most powerful people in Networking” by Network World Magazine. He shared some startling insights on what has already happened, and continues to happen on a daily basis, while we, in a blissful state of Maginot comfort, toil away at our daily activities. (Note: use the following link to access the on-demand May 7th interview “Surviving Cyber War.”)
In the end, the need to address issues of data protection, information security and, yes, even disaster recovery when the unthinkable happens are, to be certain, key elements of a well structured contract. The emphasis of course is on “well structured contract.”
Expertise in contracting therefore must extend beyond the mere unilateral imposition of terms and conditions on one stakeholder that do little more than assign blame, rather than providing any tangible protection in which the risks are acknowledged, understood and shared.
In short, it's time to tell the Emperor (figuratively speaking) that he isn't wearing any clothes . . . then begin to do something meaningful about it!