How much info is too much? (Part 2 of 4)

Part 1 focused on discussions about clients and projects; however, the same applies to printed and electronic literature that showcases products and services. Mentioning a list of client names to illustrate the general target audience and profile of clients is one thing, but there is another level of detail that goes too far and can cause problems for clients.

The key is to quickly determine the difference between conversations about real opportunities and phishing or data mining conversations. It is not healthy to have a 15-minute conversation with someone you think is a potential client or anyone in the value chain, and spend most of the time talking about past clients and not come close to discussing requirements.

  • As a service provider, the essential points are about what the potential client needs. A client serious about solving a specific problem will be willing to discuss it in detail. Establish credibility by discussing how to address current challenges.
  • If confidentiality and sensitivity are an issue, use a non-disclosure agreement before discussing confidential matters. Issuing standard terms and conditions that include confidentiality is also an immediately available option.
  • If the opportunity is genuine, the conversation will be a two-way process, and both parties will better understand what is required and offer appropriate solutions. If the caller is evasive when answering questions, for example closing down questions and changing the subject, it will feel like an interrogation and is unlikely to relate to genuine requirements.
  • Why would someone ask how much you charge for services but not be willing to engage and discuss what problems they are trying to solve and what their requirements are? More thought should go into why someone is asking specific questions, rather than feeling compelled to answer every one.
  • It is good practice to state that ‘matters involving previous clients are private and confidential’, even if you didn’t sign a non-disclosure agreement with previous clients.

Generally, if the opportunity is genuine, the focus will be on how to resolve current problems and what the requirements will be.

How much info is too much? (Part 1 of 4)

Businesses often need to demonstrate credibility when bidding for projects, but how much information is too much information? When should the information be provided, if at all? To what extent can the supply chain process become a victim of sophisticated social engineering attacks, and what are the key signs to watch for while attempting to win projects with new clients? This article is the first in a series of blogs aimed at exploring these issues. They are born out of some strange and unexpected questions which, if answered, would undoubtedly demonstrate a lack of credibility.

When a business or individual has requirements that need fulfilling, and they approach a supplier, individual or service provider for help, asking for what they want is the crucial step. If you were to walk into a shop and ask for something, typically you would expect a member of staff to show you what they could offer you. In more complex scenarios where you had a problem but were not sure what you needed, it may involve some discussion but would also result in being shown what was available to help. If you were to approach a solicitor for advice on dealing with an issue, the same would apply; the discussion would flow based on what you need and the problems that you have. This example may sound obvious, but this is far from what happens in information technology, and requests for information during the procurement process are often suspicious.

We would not expect someone to approach a solicitor and ask about issues with previous customers. It would seem perverse to need a solicitor for a divorce and to ask questions about previous divorces. If we did ask such a question, a solicitor would be unlikely to answer. The matter would be private and confidential, and to discuss it would be very unprofessional. With the shop scenario, someone in a shop asking who had previously bought a product or service would be equally nonsensical.

Closer to IT security, consider for a second that you sell and install burglar alarms and offer a monitoring service, and a customer wants to buy your services. You would expect the discussion to include the size of the house, the number of rooms and other factors to determine the best level of security required. What you would not expect is for the customer to ask who previously bought your security systems, where you installed the alarms and your response times.

These examples, presented this way, sound rather peculiar, but in fact they are reasonable analogies of what happens in the IT sector. Although much of the IT services provided would not be a problem, IT security is a sector where discretion and client confidentiality are a matter of significant importance.

  • Clients ask for a non-disclosure agreement (NDA) to be signed because they don’t want information about them or their projects to be disclosed
  • Beyond the issue of a discussion breaching a signed NDA, discussing previous clients with new clients or potential new clients is unprofessional, not to mention being in breach of a fiduciary duty
  • The very notion that, in Information Technology, suppliers and consultants disclose details of past clients’ projects to demonstrate credibility is so prevalent that IT professionals are an obvious target
  • Businesses and individuals will feel compelled to answer questions at an unreasonable level of detail, for fear that not doing so might exclude them entirely from an opportunity
  • Hackers often gather information from different sources to build profiles of an organisation’s systems and team structures in preparation for an attack

Here is a thought for consideration: You could ask for detailed information about a past project, and we could tell you. You would never be able to trust us with anything confidential, knowing that in the future, someone might ask us about your project, and we might discuss it.

The point is simple: discussing past clients and projects is unprofessional, unethical, and demonstrates a complete lack of integrity and credibility; this matters even more in security-related matters.

Consequences of inadequate IT governance

Governance of Information Technology is essential to adequately direct and control the current and future use of technology within businesses and to ensure compliance with contractual, legislative and regulatory obligations. Failure to do so is highly likely to expose companies to one or more violations which could result in:

  • Regulatory sanctions
  • Criminal prosecution
  • Loss of reputation
  • Loss of clients

IT governance is required to align IT with the needs of the business. After all, the IT function is there to serve the company and not the other way around. In this context, IT is a fee-enabling function and seldom a fee-generating function. The corporate governance function and implemented framework will drive:

  • Implementation of security standards
  • Information storage, privacy and retention requirements
  • Compliance with intellectual property rights and 3rd party licences
  • Adherence to environmental regulations
  • Implementation of social responsibility standards
  • Health and safety requirements

Corporate governance contributes significantly to:

  • Effective implementation and exploitation of IT assets
  • Clarity and alignment of responsibility, authority and accountability
  • Efficient allocation of business resources
  • Innovation with fee-generating services in the marketplace
  • Business continuity and sustainability
  • Reducing operational expenditure
  • Achieving business objectives

Implementing IT governance encourages the building and maintaining of working relationships throughout the business and avoids the pitfalls of isolating IT from overall business objectives.

Mixed enthusiasm for cost avoidance

Avoiding the need to spend money in the future isn’t always something to write home about. This software licence audit illustrates how we saved £250,000 in future expenditure – but it resulted in an overall lack of enthusiasm.

  • A software package costs £200 per licence. An audit shows that there are 2000 installations – a total cost of £400,000 in software licences.
  • An audit of purchasing records shows the purchase of only 500 licences.
  • The business has already spent £100,000 on licences, and to be fully compliant, an additional £300,000 of expenditure is required.
  • However, an audit of software usage shows that only 750 users actually need this software package.
  • After removing software no longer needed, the business needs an additional 250 licences – reducing the additional licence cost from £300,000 to £50,000.
  • Removal of 1,250 unnecessary software installations has reduced future expenditure by £250,000.

As auditors, we can be enthusiastic about:

  • Saving the company £250,000
  • Reducing the commercial risks associated with unlicensed software

However, others’ enthusiasm wanes because:

  • An immediate expense of £50,000 is required.
  • The £250,000 was never actually spent, so it is not returning to any budget.
  • Nobody knew about the £250,000 risk exposure, so it is easily forgotten.
  • No further action is required on the £250,000 saving, whereas the £50,000 expenditure will no doubt require approval and be visible at C-suite and director level.
  • When considering the cost benefits associated with the audit, the identified need to spend £50,000 is something memorable, not the £250,000 saving.

While this example focuses on software licensing, the same logic applies across many other areas: invisible savings often go unnoticed, while visible costs trigger concern.