My organization is changing rapidly these days. We're selling our key technology in several global markets, and we're looking for ways to improve the way we work. One avenue is through outsourcing.
After an internal debate about outsourcing our security monitoring work, we concluded that the time wasn't yet right. However, we are ready to outsource other technologies. These aren't core to our business, and they're expensive and difficult to do properly. One such technology is our outward-facing Web site.
It sounds like a very simple task, outsourcing a straightforward service. But the use of an outside vendor raises a range of security concerns that need to be addressed in service-level agreements (SLAs) and legal contracts. Before we can deal with those problems, however, we have to select a supplier, which leads to more legal issues.
Before I specialized in security, my professional background was dark and mysterious. I used to be heavily involved in network provision to the academic community, and as part of this, I was once very senior in the world of domain-name services. This experience encouraged my naturally strong cynicism, as I could have domain-squatted on some now very high-value domains but instead kept the spirit of the early Internet and left them for others to profit from.
Years after leaving the academic world, I became a hard-nosed operations manager at a large retail Internet service provider. This experience has made me the Internet expert at several companies, including my current employer.
So not only am I reviewing the security of external providers as the security manager, but I'm also busy measuring them against our service requirements and helping in the design of the outsourced servers and network. Or I would be, if we and the service provider could agree on an appropriate nondisclosure agreement (NDA).
The providers won't tell us anything about their services unless a bit of paper is signed by both sides. This is ludicrous.
On their side, the suppliers are only telling us information that's freely available on their Web sites. I understand security and know the value of keeping quiet, but I also know that everyone gossips.
The financial services business is very incestuous: whatever the teams involved learn about one another will inevitably be discussed in bars and used on future projects. We all know this, yet, nonsensically, we all still demand the signed agreements.
I can only think that this requirement originated externally. Do shareholders demand this sort of thing? Maybe the regulators investigate to ensure this kind of protection is in place. Or it could even be that this kind of documentation has become fashionable. Whatever the reason, if one side asks for it, you have to ask for one in return. It's part of the negotiation dance.
Unfortunately, we've managed to get into a tricky position. Our first project manager pulled some NDAs from somewhere and sent them to the suppliers. Then he left the company. Normally, that wouldn't delay a project, but he sent out the NDAs before getting them signed by our directors. When the NDAs came back with the suppliers' signatures, our legal team promptly rejected them, because they hadn't originated in the legal department.
So now we have a handful of annoyed vendors who, after signing the agreements we sent them, are wondering why we're now approaching them with a different set of documentation.
Financial services firms are under weird restrictions regarding their customer data, so we demand that everyone who receives our confidential information protect it forever. This is unreasonable, since I really don't think anyone is going to care what operating system we want for our Web servers.
Dances With Lawyers
Once we make it through the NDA minefield, we enter the twilight world of legal negotiations for the contracts and SLAs. A master of the field taught me a few tricks of commercial negotiations about which I feel confident, but the legal details just don't make sense.
On the commercial side, other than the list price nonsense, both sides seem to approach negotiations with good sense. One vendor's representatives quote a price, and we reach a consensus. We don't offend them by suggesting that we should get it for free, and they don't offend us by trying to rip us off. However, legal negotiations seem to begin with everyone doing their best to offend the opposing side.
The vendor wants to have our business but always proposes a laughable starting point. For example, it asks us to indemnify it from any losses for use of the service, while warranting nothing about the service. And then we respond with our opening position: We offer no indemnity and demand extreme and unrealistic warranties about the service. Starting with such unreasonable positions, it takes a long time to reach a mutual agreement.
Maybe the problem is that we bother to read and check these details; we regularly find typos and sections that just don't make sense because vendors have reversed the wording. Do they never correct their template, or are we the only people who check these things?
I realize that we all have to protect ourselves from unreasonable actions. I realize that the dance of legal negotiations has evolved into its current state, which works for the lawyers involved. But from a business perspective, assuming that everyone is going to be unreasonable while trying to behave unreasonably ourselves and hoping we can get away with it makes little sense.