Partnering & Subcontracting (for peers and customers)

Digital Trust was recently approached by a foreign company asking if they could list us as a partner and use us as overflow on jobs. A few things come to mind here, for professionals in the field as well as for consumers of our services.
First, as consumers, particularly in regulated industries, you need to be certain whom you are dealing with. In pentesting especially, you must be confident that your corporate security secrets are going to be handled in a way that assures you everything is protected. By subcontracting, business consumers end up with twice the headache, because most regulated industries cannot rely on a chain of contractual responsibility. Healthcare in particular requires knowledge of the actual people and business entities in contact with healthcare information.
Companies can get around this limitation by referring the subcontracting company directly to the business consumer. This is, unfortunately, very distasteful to some companies, because they fear they may lose future business. It is, however, the only legitimate way to conduct business like this. If you can’t offer the service yourself, you’ll need to refer security work, not subcontract it. Business consumers, be sure to watch out for this. In the middle of a lawsuit is not the time to find out your favorite systems integrator has been holding out on you.

Furthermore, if you do expert witness work, and most security companies do, affiliating yourself with another company can complicate your testimony options for all parties. In the same way that experts tell lawyers not to list them without a contract, experts and professionals should also remain unaffiliated unless they’ve worked out all the risks and exposures. A hypothetical example: security expert Dosko is affiliated with company EZ Bank Inspection, and EZ has a client, Town-group, that EZ does PCI inspections for. Town-group gets hacked and, in the quest for deep pockets, Town-group sues Dosko because he’s affiliated and should have done something about the underlying problem. Dosko has a very unpleasant couple of months trying to get out from under the net that Town-group is casting.

If you think you need to protect yourself, insurance is one option. And to be on the safe side, Google your company name once in a while, just to see if someone is capitalizing on your brand.
Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.