[vladms]

> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity

So what you think would be the solution ? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.

[xorcist]

I have (the start of a) solution, but it's a boring one:

You have to have people who care about this stuff.

If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.

And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.

[dns_snek]

I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?

[xorcist]

You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.

[latexr]

> You have to have people who care about this stuff.

What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.

[ExoticPearTree]

Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.

IBM or Accenture or whoever don't need to be the only ones winning tenders.

[vladms]

The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and API, well thought from the start is harder the larger the project.

Maybe there would be a benefit from having less layers of management, but multiple small companies or one big could have the same structure.

[ExoticPearTree]

A smsller company would have a flatter structer and less management.

Waiting for my coffee now, I had a thought: what if you have more than one company providing the same service and for a project “lifetime” of say 5 years, the money is split procentually by what company attracts the more users and you make it so that for the services offered through this you can only use one company, but you can switch at anytime.

[corroclaro]

Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.

It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.

You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.

Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.

[mvdwoord]

Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.