Shylock After the Trial by Sir John Gilbert
In the world of information security we are just as exposed as other areas, if not more, to third-party service providers, whether that be through the provision of people, process or technology. The increasingly complex world means that the best solution to perimeter security is likely to be a multi-vendor or multi-technology approach.
We also need penetration testing and governance functions; to quote the old adage, Quis custodiet ipsos custodes: who will watch the watchers? Traditionally we have been used to contracts being set up with conditions that often have no practical purpose in day-to-day operation. They are held over both parties and seen as the ultimate sanction if things go wrong and litigation comes into play. However, when the court is in session, it is often found that the conditions in the contract are easy to get out of and can effectively be nullified. Does any of this sound familiar?
Let me introduce you to Shylock, Shakespeare’s most famous Jew and moneylender. In order to woo the beautiful Portia of Belmont, Bassanio needs some ready cash and goes to his friend Antonio for a loan (the original Wonga loan?). Antonio is currently short of cash himself as his ships are out at sea. He therefore goes to Shylock the moneylender and asks for the money, using Antonio as guarantor until his ships return with their valuable cargo. Shylock has been the subject of antisemitism and sharp business practices from Antonio in the past, and so makes it a condition of the contract that a pound of flesh be cut from Antonio if the loan defaults.
All seems well until Antonio’s ships are lost during a storm at sea and Shylock decides he wishes to collect on the loan. However, now enter the lawyers (who, as per standard Shakespeare practice, are other characters in disguise – more identity theft). Additional conditions are put on Shylock during the court case that were never mentioned in the original contract. In this case, Shylock must remove exactly a pound of flesh and cannot spill a single drop of blood in doing so. In a modern sense, your vendor might be asked to remove their service because it is failing, but the counter-argument is that the removal of the service cannot impact any other part of the overall function: no blood, or data, can be spilled. In the end, the court leaves Shylock in disgrace and definitely out of pocket, because the original condition was too onerous to be practical.
There are two lessons here for us in the InfoSec world. Firstly, be careful of the contract clauses you put in, and be sure they can actually be enacted to cover the eventuality you originally planned for. Secondly, as many in the industry say, the day you get the contract out of the drawer, you have already lost. Relationships with third parties are better managed through strong service level agreements and key performance indicators. But the caveat here is that an SLA or KPI is not just an arbitrary figure; it must be something that is measured and controlled to encourage the correct behaviour from both sides of a business relationship. A stick to beat a vendor with will never engender partnership and might have unintended consequences, as Shylock found out!