Digital Trust was recently approached by a foreign company asking if they could list us as a partner and use us as overflow on jobs. A few things come to mind here, for professionals in the field as well as for consumers of our services.
First, as consumers, particularly in regulated industries, you need to be certain whom you are dealing with. In pentesting especially, you must be confident that your corporate security secrets are going to be handled in a way that assures you everything is protected. By subcontracting, business consumers end up with twice the headache, because most regulated industries cannot rely on a chain of contractual responsibility. Healthcare in particular requires knowledge of the actual people and business entities in contact with healthcare information.
Companies can get around this limitation by referring the subcontracting company directly to the business consumer. This is, unfortunately, very distasteful to some companies, because they fear they may lose future business. It is, however, the only legitimate way to conduct business like this. If you can’t offer the service yourself, you’ll need to refer security work, not subcontract it. Business consumers, be sure to watch out for this. In the middle of a lawsuit is not the time to find out your favorite systems integrator has been holding out on you.
Furthermore, if you do expert witness work, and most security companies do, affiliating yourself with another company can complicate your testimony options for all parties. In the same way that experts tell lawyers not to list them without a contract, experts and professionals should also remain unaffiliated unless they’ve worked out all the risks and exposures. A hypothetical example: security expert Dosko is affiliated with company EZ Bank Inspection, and EZ has a client, Town-group, that EZ does PCI inspections for. Town-group gets hacked and, in the quest for deep pockets, Town-group sues Dosko because he’s affiliated and should have done something about the underlying problem. Dosko has a very unpleasant couple of months trying to get out from under the net that Town-group is casting.
If you think you need to protect yourself, insurance is one option. And to be on the safe side, Google your company name once in a while, just to see if someone is capitalizing on your brand.
Digital Trust, LLC
This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.
More details have recently been released regarding the Aurora hacking event in the news, and enough detail has now been made public to take some measured steps as responsible corporate citizens. First off, a roadmap can be found here. Any company with an online presence should take this roadmap, compare it to the data security practices currently in place, and, if possible, run a tabletop exercise to see how those practices would hold up. Shore up security as necessary so that you do not become a victim of this sort of effort. And don’t delay; despite being found out, this activity will hardly cease. If you are a high-profile target, then exceeding this level of sophistication is critical for safely conducting your business activities.
Digital Trust, LLC
This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name, link, or this paragraph is removed.