How much info is too much? (Part 3)

In the previous two parts, the general conclusion was that within the IT sector so much emphasis is placed on past clients and past projects that a bid conversation can itself be a phishing exercise to extract information about previous clients. People bidding will feel compelled to answer because they believe that not doing so will exclude them from an opportunity; in other words, they are psychologically coerced into being unprofessional through fear of loss.

  • Discussing previous clients with potential future clients is unprofessional; we have covered this in detail. However, in a sector where it has become a de facto standard, people willing to disclose vast amounts of confidential information about previous clients are awarded contracts for being seen as more cooperative. Professionalism, or the lack of it, doesn’t often come into it.
  • There are no regulations which protect client confidentiality in IT. Unlike other professions, IT and IT security don’t have licences that could be revoked for failing to take confidentiality seriously, nor any sanctions at a regulatory level. Terms of business and non-disclosure agreements provide some protection, but the onus is on clients to enforce such contracts.

What is professional and unprofessional is somewhat subjective. The majority of solicitors care deeply about client confidentiality as part of their profession, but the same is not true in Information Technology. Consequently, it becomes challenging to compare the two, as the definitions of professionalism are kilometres apart.

At a time when news articles are published daily about cyber threats and data breaches, is it time for a behaviour change when it comes to client confidentiality? Gone are the days when someone had a job for life; today, large numbers of IT practices offer valuable services to large numbers of individual businesses. Professionals in the IT sector have often participated in hundreds of projects and accumulated vast knowledge about the inner workings of their own or their employers’ clients.

How much info is too much? (Part 2)

Part 1 focused on discussions about clients and projects; however, the same applies to printed and electronic literature that showcases products and services. Mentioning a list of client names to illustrate the general target audience and profile of clients is one thing, but there is another level of detail which goes too far and can cause problems for clients.

The key is to quickly tell the difference between conversations about real opportunities and phishing or data-mining conversations. It is not healthy to have a 15-minute conversation with someone you think is a potential client, or anyone else in the value chain, spend most of the time talking about past clients, and never come close to discussing requirements.

  • As a service provider, the essential points are about what the potential client needs. A client serious about solving a specific problem will be willing to discuss it in detail. Establish credibility by discussing how to address current challenges.
  • If confidentiality and sensitivity are an issue, use a non-disclosure agreement before discussing confidential matters. Issuing standard terms and conditions that include confidentiality is also an immediately available option.
  • If the opportunity is genuine, the conversation will be a two-way process, and both parties will better understand what is required and what solutions are appropriate. If the caller is evasive when answering questions, for example closing down questions and changing the subject, it will feel like an interrogation and is unlikely to relate to genuine requirements.
  • Why would someone ask how much you charge for services but not be willing to engage and discuss what problems they are trying to solve and what their requirements are? More thought needs to go into why someone is asking specific questions, rather than feeling compelled to answer every one of them.
  • It is good practice to state that ‘matters involving previous clients are private and confidential’, even if you didn’t sign a non-disclosure agreement with previous clients.

Generally, if the opportunity is genuine, the focus will be on how to resolve current problems and what the requirements will be.

How much info is too much? (Part 1)

Businesses often need to demonstrate credibility when bidding for projects, but how much information is too much information? When should the information be provided, if at all? To what extent can the supply chain process fall victim to sophisticated social engineering attacks, and what are the key signs to watch for while attempting to win projects with new clients? This article is the first in a series of blogs aimed at exploring these issues. They were born out of some strange and unexpected questions which, if answered, would undoubtedly have demonstrated a lack of credibility.

When a business or individual has requirements that need fulfilling, and they approach a supplier, individual or service provider for help, asking for what they want is the crucial step. If you were to walk into a shop and ask for something, typically you would expect a member of staff to show you what they could offer you. In more complex scenarios where you had a problem but were not sure what you needed, it may involve some discussion but would also result in being shown what was available to help. If you were to approach a solicitor for advice on dealing with an issue, the same would apply; the discussion would flow based on what you need and the problems that you have. This example may sound obvious, but this is far from what happens in information technology, and requests for information during the procurement process are often suspicious.

We would not expect someone to approach a solicitor and ask about issues with previous customers. It would seem perverse to need a solicitor for a divorce and to ask questions about previous divorces. If we did ask such a question, a solicitor would be unlikely to answer. The matter would be private and confidential, and to discuss it would be very unprofessional. With the shop scenario, someone in a shop asking who had previously bought a product or service would be equally nonsensical.

Closer to IT security, consider for a second that you sell and install burglar alarms and offer a monitoring service, and a customer wants to buy your services. You would expect the discussion to include the size of the house, the number of rooms and other factors to determine the best level of security required. What you would not expect is for the customer to ask who previously bought your security systems, where you installed the alarms and your response times.

These examples, presented this way, sound rather peculiar, but in fact they are reasonable analogies of what happens in the IT sector. Although much of the IT services provided would present no such problem, IT security is a sector where discretion and client confidentiality are of significant importance.

  • Clients ask for a non-disclosure agreement (NDA) to be signed because they don’t want information about them or their projects to be disclosed
  • Beyond the issue of a discussion breaching a signed NDA, discussing previous clients with new clients or potential new clients is unprofessional, not to mention being in breach of a fiduciary duty
  • The very notion that in Information Technology suppliers and consultants disclose details of past clients’ projects to demonstrate credibility is so prevalent that IT professionals are an obvious target
  • Businesses and individuals will feel compelled to answer questions at an unreasonable level of detail, for fear that not doing so might exclude them entirely from an opportunity
  • Hackers often gather information from different sources to build profiles of an organisation’s systems and team structures in preparation for an attack

Here is a thought for consideration: You could ask for detailed information about a past project, and we could tell you. You would never be able to trust us with anything confidential, knowing that in the future, someone might ask us about your project, and we might discuss it.

The point is simple: discussing past clients and projects is unprofessional, unethical, and successfully demonstrates a complete lack of integrity and credibility, even more so where security-related matters are concerned.