You can outsource risk, but you can't outsource reputation
Over the last few weeks, I've had several people ask me about the recent hack on the NHS. A ransomware attack has meant that several hospitals have cancelled operations and there is now an urgent demand for blood donors. What does it say about the state of NHS IT that this attack has happened?
Nothing.
Because the NHS was not hacked.
Instead, a company they use to perform blood tests was attacked. Synnovis is the company responsible - they're the ones who have fallen prey to an attacker. This private company - with all the resources of the free-market system - hadn't protected themselves well enough.
I'm perfectly comfortable with the NHS buying things from private companies. The NHS doesn't need to write its own webserver software. There doesn't need to be a state-owned factory which produces "medical grade" ballpoint pens. And, yeah, if a private company can run blood tests faster and cheaper - it might make sense to use them.
But the problem with outsourcing is that your customer doesn't understand the way your organisation is organised. I once worked for a telco who outsourced their customer service helpdesk. The shitty call-centre we used saved them a lot of money but dragged their reputation through the mud.
Similarly, here's a story in the Telegraph about the attack:
As ever, the real story is in the penultimate paragraph. You have to read all the way through to see it wasn't the NHS being hacked.
Go through other news stories on the subject and see how clear they make it that it isn't the NHS who have been hacked.
If your website goes down, do your users care whether it's technically an outage at your third-party CDN? When your customers' credit card details are leaked, do the headlines mention your name or your payment provider's? Which bits of your reputation do you feel like handing to other people?
If you're able to, please donate blood.