CAN OUTSOURCING BE DONE SECURELY?

18/1/2024

A large online parking application (anonymised to PARKING1) is consolidating the online parking application market for a possible profitable exit to a large player like Google. If Google ever wanted to introduce parking in Google Maps for example, the easiest way to do this is to acquire the companies worldwide who own the municipal parking contracts and who have parking customers already.

PARKING1’s strategy as an organisation is optimised for growth and profit. Everything should be in line with that. This means they outsource development and keep operational controls to a minimum to maximise profit:

You must have good security expertise and analytical tools

Obviously security, even when outsourced to third parties, must be managed in a risk management framework by PARKING1. Currently this security framework is extremely thin on the ground in PARKING1 after most security people have left. There is very little real security expertise reaching executive level and decisions are heavily focused on commercial issues.

Risk management provides visibility

If you don’t measure risk, you cannot manage it. The security incidents we see now are emerging from known “risk accepted” issues. This is partly the result of making the operational teams who write the code responsible for deciding which issues to fix (this appears to be the approach of a security strategy being written by non-security people). Not all risks are the same, and you need expert oversight to help you fix the right things.

Risk management frameworks like ISO 27001, PCI DSS, COBIT etc. all exist to establish a baseline posture, keep best practice in play and minimise costly security incidents. Many municipalities required compliance with these standards as part of their contracts.

Low ESG scores

A low ESG score means it is hard to retain talent and critical expertise that require long ramp-up times. This is most visible in security-related functions. High rotation of strategic staff means the business is always in learning mode.

Hiring new staff into a complex business also requires them to understand the whole technology stack, the acquisition space and historical decisions. The ramp-up period for this type of skill can be as long as 12 months.

Culture studies are critical to understanding where things go wrong with ESG. Greenwashing data by adjusting scales, not acting on feedback and literally making all the graphs green, irrespective of how bad the scores are, does not help you understand the real issues. Not acting on the feedback from culture studies indicates that they are not being done right and are not regarded as useful.

Failure to conduct exit interviews and establish the real reasons why people leave the company also leads to low visibility of operational risk.

Real security incidents

The fact that there are security incidents involving customer data has a lot of downside to it. The latest breach is just one of a series of recurring issues, escalating in severity:

How to address these issues within the current business plan

Improve ESG

Improve ESG by implementing culture studies and exit programs in order to determine the real issues affecting stakeholders in the company. Make sure you ask the right questions. If security is where you are suffering, then ESG should include the demographic that most affects security.

Create oversight boards

Often a requirement of the risk management program (in ISO 27001 it is control A.12.1.2), an oversight board reviews business decisions and makes visible the risk associated with operational decisions that impact security.

Implement security standards

Ensure compliance with industry security standards: not only does that improve the security posture of the company, it also provides visibility of security issues.

Select leaders on psychological well-being

Lastly, selecting and promoting leaders based on healthy psychological well-being is a great way to introduce resilience into the way the company operates. Subject matter experts are fantastic for understanding problems, but you need people with a healthy psychological approach to act inclusively and address systemic problems in the company. You never know what is going to happen, and the best thing you can do is ensure the people giving direction are in the best possible place to do so objectively and with a long-term vision.