CAN OUTSOURCING BE DONE SECURELY?
18/1/2024
A large online parking application (anonymised to PARKING1) is consolidating the online parking application market for a possible profitable exit to a large player like Google. If Google ever wanted to introduce parking in Google Maps for example, the easiest way to do this is to acquire the companies worldwide who own the municipal parking contracts and who have parking customers already.
PARKING1’s strategy as an organisation is optimised for growth and profit. Everything should be in line with that. This means they outsource development and keep operational controls to a minimum to maximise profit:
Consciously light on controls means accepting the corresponding risk. The 2023 data leak is thus an accepted risk. Additionally, beyond the public issues such as QR app replacement attacks, there is always an avalanche of non-visible issues such as brute-force attacks, phishing, SMS and credit card fraud etc. that come with every application provider that takes payment from customers.
The organisational structure is built around everything outsourced. That means you need additional governance (the outsourced company is responsible for the task, not for the oversight).
A crucial part of the exit is the relationship with multiple municipalities. Municipalities are very sensitive to public opinion, and visible security incidents can lead to the voiding of contracts. Events like the 2021 and 2023 breaches are very unnerving to them, but SMS and app replacement (QR) attacks are extremely visible and have now reached the level of public discussion.
You must have good security expertise and analytical tools
Obviously security, even when outsourced to third parties, must be managed in a risk management framework by PARKING1. Currently this security framework is extremely thin on the ground in PARKING1 after most security people have left. There is very little real security expertise reaching executive level and decisions are heavily focused on commercial issues.
Risk management provides visibility
If you don’t measure risk, you cannot manage it. The security incidents we see now are emerging because of known “risk accepted” issues. This is in part the result of making the operational teams who write the code responsible for deciding which issues to fix (this appears to be the approach of a security strategy that is being created by non-security people). Not all risks are the same, and you need expert oversight to help you fix the right things.
Risk management frameworks like ISO 27001, PCI, COBIT etc. all exist to achieve a baseline posture, keep best practice in play and minimise costly security incidents. Many municipalities require compliance with these standards as part of their contracts.
Low ESG scores
A low ESG score means it is hard to retain talent and critical expertise that requires long ramp-up times. This is most visible in security-related functions. High rotation of strategic staff means the business is always in learning mode.
Hiring new staff in a complex business also requires them to understand the whole technology stack, the acquisition space and historical decisions. The ramp-up period for this type of skill can be as high as 12 months.
Culture studies are critical in understanding where things go wrong with ESG. Greenwashing the data by adjusting scales, not acting on feedback and literally making all the graphs green, irrespective of how bad the scores are, does not help you understand the real issues. Not acting on the feedback of culture studies indicates that they are not being done right and are not regarded as useful.
Failure to do exit interviews and establish the real reasons why people leave the company also leads to low visibility of operational risk.
Real security incidents
The fact that there are security incidents involving customer data has lots of downside to it. The latest breach is just one of a series of undulating issues, escalating in severity:
The market is accusing PARKING1 of hiding the severity of these incidents.
GDPR fines can be EUR 20 million or 4% of turnover, whichever is bigger.
The market reaction to these incidents is customers leaving for competitors, or municipalities cancelling current or future contracts.
Naturally this leads not only to a reduction in profit but also to a lower sales price once PARKING1 is sold (the sales price is typically based on some multiple of annual profit, which is now reduced due to these losses).
Shareholders now receive lower dividends annually because of these incidents. Without an effective risk management framework, it is not possible to know how these losses compare to the cost of an effective security and risk management framework.
PARKING1 still has to develop and secure the app and if they fail to attract talent, this could impact the quality of the product and future acquisitions.
How to address these issues within the current business plan
Improve ESG
Improve ESG by implementing culture studies and exit programs in order to determine the real issues impacting stakeholders in the company. Make sure you ask the right questions. If security is where you are suffering, then ESG should include the demographic that most affects security.
Create oversight boards
Often a requirement of the risk management program (in ISO 27001 it is control A.12.1.2), an oversight board reviews business decisions and makes visible the risk associated with operational decisions that impact security.
Implement security standards
Ensure compliance with industry security standards, because not only does that increase the security posture of the company, it also provides visibility of security issues.
Select leaders on psychological well-being
Lastly, selecting and promoting leaders based on healthy psychological well-being is a great way to introduce resilience into the way the company operates. Subject matter experts are fantastic for understanding problems, but you need people with a healthy psychological approach to act inclusively and address systemic problems in the company. You never know what is going to happen, and the best thing you can do is ensure the people giving direction are in the best possible place to do so objectively and with a long-term vision.