I’m amazed at the number of people who blindly sign contracts.  You don’t do that with your own blank checks, do you?

Still, here we go again.  The day before an important contract is to be signed (by my company), someone (wisely) decided it needed to have a quick “review by security.”  I shouldn’t complain, at least I was given a chance to see what we were getting into.  Normally, contracts are signed and I only find out about it when the software or service goes live.  Then it’s too late for any changes – and we often get stuck footing the bill for changes or cleaning up the mess.

For the record, I was asked to review a “standard” contract that came from the vendor providing a service to my company.  As expected, it was written by the vendor and strongly in their favor.  It’s amazing what others try to hide in a contract.  (We won’t talk about EULAs here.)  I used this opportunity both as a learning experience and an educational opportunity (even for our lawyer).

Contracts are supposed to spell out the details of an agreement in a way clear to all parties.  So given the opportunity to review this document, I had a simple objective: create clarity of expectations out of ambiguity and ensure my company would not be liable for the vendor’s mistakes, defects, or deficiencies. 

In this case, my involvement helped us prevent some situations we would prefer to avoid.  But this experience brought to mind a question:

Why is it important for information security to review contracts before they are signed? 

I fear that most people involved in contracts believe that the lawyers and “the business” have all of that covered.  Either that, or many dislike “legal mumbo-jumbo” and don’t take the time to review the contract.  I understand where those beliefs started – but times have changed, and if we want to be successful, we also have to change.

Today’s Security 2.0 professional must be able to read, review, and provide comments on legal documents and contracts.  This does not mean that you need a legal degree or extensive knowledge of contracts.  It does mean that we need to move beyond IT. 

It’s all about protecting the business.  We must be engaged in negotiating, interpreting, and managing contracts with the business.  Our unique knowledge and viewpoints allow us to spot legal issues that may be missed by others.  We need to knowledgeably interact with legal counsel and those handling business contracts and offer educated suggestions.  Showing how we add value increases the likelihood of our continued involvement.  It’s all about collaboration and working together to secure the infrastructure.

How do we reach this nirvana?  By reading and studying in areas outside of IT.  The Security 2.0 professional grows outside of his/her IT comfort zone to better understand the inner workings of the business.  When asked to review a contract, take your time, understand the legalese, ask questions when you don’t know something, and show you can add value to the process.

To help, here are two resources that are impressive and useful: ChangeThis (http://www.changethis.com/) and the Personal MBA (http://www.personalmba.com/). They have many resources and articles to help you think outside the IT box. 

Michael Santarcangelo is developing these and other concepts of Security 2.0, so stay tuned.

By working together, we all become stronger.

About the Author: Guest Blogger

