Replaced by Outsourcing -- What's a Geek to Do?

SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

1. Perform Network Vulnerability Assessment
2. ?
3. Profit! (Sell Outsourced product)

Looks like they came up with an actual step 2:

Label anyone who is responsible for network security as the risk, and get them fired.

I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"

Re:Sounds Like a BOFH episode

[Omegaunit]

http://bofh.ntk.net/Bastard.html

replaced by outsourcing

[Anonymous Coward]

Maybe it is good to consult a lawyer. If your employer fired you because of misrepresentation by the outsource company, you might have a good case against them

Slanderous conduct?

[JohnnyGTO]

Could being labeled a threat, which then causes you to lose your only source of income, be actionable?

Seems to me that if my employer was happy with my performance before the audit and I truly was no risk, I'd get a lawyer and sue both the company and the third party.

I had something similar happen to me back in the 80's and have regretted not taking action against what turn out to be a bunch of bastards

Ask the Headhunter

[jdavidb]

I can't recommend Nick Corcodilos' Ask The Headhunter [asktheheadhunter.com] enough. This advice is just wonderful, either for getting a new job, or for showing your worth to your current employer. It takes a little bit of mental adjustment to accept what he says (and it may be a bit scary), but he is absolutely right about how to go about it! The problem we in IT face right now is the feeling that our worth is going down as many of us are replaced through outsourcing and foreign labor. Brush up your skill set, but most importantly, learn how to apply your talents to solve real business problems in terms of dollars and you will never doubt your worth (nor will your potential employers).

ATH's advice is great. Be sure to get the book, read as much of the website as possible, and subscribe to the weekly newsletter. It's the only HTML mail I receive every week that I actually look forward to and enjoy reading.

Re:Editor's comments

[nate1138]

I don't know about that. If I could work from home, I could get rid of one of my cars (no public transit where I live at all) and all the associated expense. That would easily make up for a 20% pay cut (between the payment, gas, insurance, maintenance, etc). I think it would also be VERY appealing to those of us with children and two working parents. Get to work from home and be there when the kids get back from school. It doesn't apply to everybody, but for some folks it may be an option.

Now if they tried to send me home at half pay, fuck em. I'll take the money and find a new damn job.

Well...

[lrt512]

Without knowing what they said in the VA report about exacly *why* you are a major security risk, it's pretty hard to interpret what they were thinking. Perhaps there's someone at your former employer that you can contact to get at least an idea of the why?

Certianly if you were the only ITS employee around, that's a lot of potential power in one person's hands. That said, I'd recommend that some sharing of responsibility be made, some sort of check and balance between you and someone else if it was really a concern. If the VA truly did recommend that you be let go, that's at best a poor solution, and at worst a highly unethical conflict of interest with their product.

A vulnerability assessment does need to look at everything from personnel to the nuts and bolts of the hardware, but it also gives only recommendations for safeguards pertaining to those vulnerabilities... the final decision as to your fate could only have come from the brass of your former employer. You do have a right to know why you were let go; you should pursue that. "You're a major security risk" is NOT good enough.

L

litigate

[prgrmr]

I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.'

False statements that negatively effect your employment are actionable in most states. Unless they have documented, specific, realistic vulnerabilities, I'd go right to my attorney and file a multi-million dollar libel suit against both the 3rd party vendor and your former employer.

Good luck with your career.

Why wait until you're out of a job?

[Quarters]

...should I just start polishing my resume right away?

It always confuses me why people don't keep their resume up to date at all times. It's much easier to ammend your resume as you are doing things than it is if you wait until you need it quickly and then have to rack your memory to dredge up the things you did over the past x years.

Outsourcing wont be here for long..

[cOdEgUru]

Trust me, I manage a project which is outsourced and currently employs 3 software engg offshore.

The pluses -

(1) Benefit in terms of costs. Well they bill us 30 bucks for a software developer where here I would assume it will be around 60.. Whoopee doo..

(2) The supposed 24 hour day where your team onsite would plug 12 straight hours and your offshore team would plug in another 12 hours, therefore giving the client the impression that his project was worked upon for 24 hours..

(3) Now that implementation is made seperate and outsourced, the client just needs to focus on the business aspect and the designm therefore having more time to themselves to focus on issues that need attention

Minuses

(1) Cost is not that much better. Quite soon, firms will try to up the prices and then you will lose the benefit in terms of cost

(2) The 24 hour Day - Its quite different from what you are led to believe. Mostly both teams would take a couple of hours everyday trying to understand what the other has done, interact and to a certain extent, also play the blame game.

(3) The client would find himself being pulled more often back in to the implementation and design, since his offshore partner cant understand the design or has a "better" design. Chaos ensues.

Mostly from my experiences, what makes all the difference is the people who are developing this offshore. If they are intelligent enough and has good communication abilities, then you have a success story. If what you have is a guy who did a 14 day java crash course and has one year experience in plugging java code in to Helloworld.java, then you have an absolute wreck waiting to happen. It happened to me, I had two stupid asses with whom I spent 3-4 hours every night trying to drill in, the architecture, the requirements, the implementation details. And then I would wake up in the morning and they would have probably coded 10 lines and sent two emails with questions which either are stupid or should have been asked the night before. So what you have is two asswipes who just billed you for 16 hours and turned out 10 lines of code, of which 9 you will probably rewrite and a bunch of questions which doesnt amount to nada.

I dont think that any firm who is currently doing outsourcing has thought about the actual implementation through and through. They are all given rosy pictures of intelligent professionals back home plugging away on their keyboards churning out code that works on the first try.

More so, in a few years, the real picture would come out where probably 10% outsourcing actually churned out something positive and the rest 90% lost money, less money in fact, on projects which had no direction, no able offshore partner and a bunch of developers who doesnt know the difference between a class and an object if it kicked them in the ass with it.

Sorry I just had to rant, since I spent a better part of my night trying to work with some idiots and two days ago I kicked them out of the project. And in a combined 300 hour period, they coded two classes, and the style of coding will make you puke.

Re:What's good for the goose is good for the gande

[Glonoinha]

Yea that would be a bad idea. A better idea would be to be helpful, like those guys that list all the Microsoft vulnerabilities in a public forum so Microsoft will be able to fix them right away.

So how about listing on slashdot all the passwords, usernames, maybe the list of salaries of all the employees, ip addresses of back doors, list all that crap here for us and we will politely help the company get back on track to super-security awareness.

Seriously though, sorry to hear about what happened. Wonder what field the next 'boom' is going to be in ... maybe we can get a head start.

Re:DUH

[Mysticalfruit]

Actually, if your not a citizen of India, they won't let you work there....

Their okay with low balling all the jobs out of the rest of world, but their not interested in opening their own market place to foreign workers...

Luckily, my company tried outsourcing once, the outsourcing company fucked up the product so horribly that we gave up on them, write off the 5 million and bring it all back inhouse.

Re:Capitalism is a funny thing

[TopShelf]

I don't think there's been any significant change regarding the emphasis on continously growing profits over time. Investors have always look for earnings growth - the only difference today is the broadening of the investor class. Through 401K's and other programs, a larger portion of the populace owns stock than ever before, and they want strong growth just as much as the next guy. That can lead to an overemphasis on short-term profits, i.e. companies cooking their books to make sure they meet quarterly targets.

Layoffs when a company is making record profits can make sense - a company flush with cash may take that opportunity to invest in labor-saving improvements, for example, and position themselves better for the long term.

The other side of the story.

[Maradine]

Coming from the standpoint of a security auditor in a firm that specializes in Managed Security Services, let me lay a couple of things down in our defense.

1. Security firms are told to audit against a certain set of criteria when the audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.

2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.

3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.

Re:One word:

[Cedric C. Girouard]

I always love seeing the "unjust dismissal" or "simissal without cause" arguement. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple. There doesn't need to be any cause. You have no 'right' as it were to be employed by any specific person. Unless you can prove your human rights were violated (they fired you because you're male/female/white/black/red/blue/jewish/catholic/e tc..)you've got no recourse. Things are a little different in a union environment. There, you don't get fired, you get laid off

That's why I love NOT living in the US.
Where I come from, if you get fired with undue cause, you have recourse. You take the company in front of the labor commission, and mediate. If mediation fails, you go in front of the Labor minister, and he decides. Decisions range from monetary compensation to full work re-integration... Once you're re-integrated, the company will have a tough time getting rid of you because any dismissal without a foot thick file containing DNA/photographic evidence will be considered retaliation.

While the system is not perfect, it works most of the time, and that's good enough for me.

I'd hate to live someplace where the color of your shirt is ground to dismissal.

Unions are not evil

[Anonymous Coward]

Unions give the employee a modicrum of power in the workplace. Ideally, the union can help employees to be fairly evaluated. Then they are fairly compensated, promoted and fired fairly. It helps control sleazy tricks like this. Without a union this person has no recourse, other than to go get another job, always fearful this could happen again. Unions can give someone some assurances of security. Believe me, when you get over 30, with a family and a mortgage, security is highly rated. With a union, there is a process the employer must go through to terminate. During the process, the sleazyness of the consulting company would come to the attention of people outside the department, and might actually be questioned by higher ups. Unions are not needed if employers always treated their employees with respect and with fairness. The Right has done a good job convincing people unions are evil and hold people back. Unions gave you the 40 hour work week, health benefits, safer working environments etc. Now that unions are weaker and less a threat, the Bush adminstration recently gutted overtime pay for millions of workers. Those with union contracts with overtime are safe, but millions are screwed. Commentary: Too Stingy With The Overtime Business Week : December 22, 2003 The Labor Dept.'s new eligibility rules would exclude millions

Re:You were set up

[Anonymous Coward]

Why post anonymously? We already know who the author of this Slashdot article is.. How do we know it was him saying this?

Re:One word:

[bleh-of-the-huns]

There are many states in the US where they cannot fire you without a valid reason. They can terminate your employment (layoffs etc) for no reason but then they have to provide you with severence (usually about 2 weeks, but sometimes more), and you can still collect unemployment. Getting fired is different, your basically screwed, but in those states, they must provide a reason, for both laying a person off or firing, and it must be valid. (in the former, a simple financial troubles excuse can get you layed off, but it is still a reason).

In places like Virginia, DC and Maryland (I think MD), these are Right to work states, meaning, they can terminate your employment for breathing in the wrong direction, and they dont even have to tell you why.

Re:And then get arrested, convicted...

[The Good Reverend]

For those who don't know, this is a line from the movie "Office Space [imdb.com]".

If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.

Well... Sorta!

[Chordonblue]

But the flipside of this is that you could end up with total incompetence in the workforce. That's fine if it's a janitorial position, but would you really want a dumbass to keep his/her job handling various functions in a nuclear reactor? What about in a financial institution you belong to?

Recourse IS available for those who qualify. I was fired unjustly from a company 15 years ago, believe me I know. I went to the employment board and filed a grievance. In 30 days I had the choice of getting my job back or taking a settlement - I took the settlement.

YOU don't know the full story in this situation either. Maybe a major security breach was found that the author of this article didn't know about. Maybe his company was looking to 'pare down' their IT staff anyway. My point is that in the U.S. shit can and will happen, but I believe the system works itself out. Not perfect, but then neither is a 75% tax rate under socialism.

Re:DUH

[larkost]

Ummm.... every hear of Green Cards? H-11B visas? The US is just as protective about foreigner's working here as other countries. You can argue about the number of foreigners working in the US vs. others, or what the specific requirements are, but everyone does it.

I was looking into trying to work in Europe, but there was no chance that I could.

Also remember there are a lot of countries that have unemployment rates > 10%, and India is defiantly on this list. Why should they give jobs to foreigners when there are already not enough jobs to go around.

Just cause?

[cperciva]

IANAL, laws vary from jurisdiction to jurisdiction, etc.

That said, it might be illegal to fire you without "just cause". A conslutant's report labelling you as a security risk might or might not qualify as such, especially if said conslutant proceeded to win a contract to replace you.

Read your contract, and consult a qualified lawyer, about what conditions your (former) employer must satisfy in order to fire you.

Re:One word:

[misterpies]

Not in the UK: you can't fire anyone without good reason. And before anyone gives me the standard "socialist/communist" crap about workers' rights being bad for the economy, we've got lower unemployment than the US and haven't been in recession since the early 1990s.

Re:One word:

[CountBrass]

Uhm excuse me but that's not true.

The world is not the US. Where I work if you've worked somewhere for 2 years or more then they can't just sack you. In mainland Europe they have evn stronger worker's rights.

So please, before submitting, remember that /. has an international audience and the US != The World.

Re:Bigot

[cOdEgUru]

Dude,

I am as Indian as they get :). I have nothing against any race or any color. And yes, my ex-offshore partner was Indian as well, but that doesnt change the fact that they were incompetent.

I wasnt issuing a blanket statement about all Indian outsourcing firms. I am merely referring to the fact that most of the firms who indulge in outsourcing are plainly jumping on the bandwagon with nary a thought about its implications in the long run. And hence outsourcing isnt here to stay, it will blow over very soon when firms and managers realize that it makes more sense to have the team onsite rather than having someone do most of the work at night when you arent around to manage.

And if your offshore partner is a plain schmuck, like was mine, they will shaft you at every step possible, by overbilling you, by working on other projects in the hour they bill you. Believe me, I have been a witness to this and much more.

Re:One word:

[jdreed1024]

I always love seeing the "unjust dismissal" or "simissal without cause" arguement. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple

Except that it's not. You have to have cause for dismissal in most states, and the employees have to have been informed of the rules and disciplinary procedures and causes for dismissal. You can't even fire someone for being late, unless they were told that being late is firable.

Layoffs are different, though. You can lay someone off for whatever reason (services no longer required is the common one), but then they get severance packages, or whatever.

Trust me, I know. I worked in HR for 2 years - we had a lot of turnover, and we'd have to fire people for being late, or not being properly attired (the job required uniforms) etc. And they'd of course file a claim for wrongful dismissal, and then we'd have to send a representative to the dept of labor, and if the rep didn't show up, the employee automatically won. And if the rep couldn't prove that the employee had received the handbook which contained the rules for dismissal, the employee automatically won.

Re:work from home discount?

[Samrobb]

Pfft. Maybe I'm unusual, but quite honestly, when I work at home, I spend more time working (although it probably helps that I essentially don't watch TV at all). I don't have to commute - there's an extra 60-90 minutes right there. Home life and work life can blend - while I can take 30 minutes to watch the kidlets while my wife runs an errand, I also can (and do) treat dinner as a "break" before going "back to work" for an hour or two in the evening.

My wife's happy because I'm home (instead of elsewhere), the kids are happy because they get to see dada all day (instead of just in the morning and in the evening), and I'm happier because I'm able to go heads-down and concentrate on my work. I'd hate to work at home every day - there's some office interaction, face-to-face discussion that's really much more effecient than email communications - but I'd have to say that my ideal work situation has morphed into working at home 1-2 days a week.

Re:One word:

[schnell]

One word: Libel.

Nope.

"Libel" seems to be one of those words that gets thrown around on Slashdot without people entirely knowing what they're talking about. So, for everybody's future reference, here's the real deal (everybody that goes through journalism school gets a heaping dose of education on this to hopefully save their future employers from being sued into oblivion).

Libel is the printing in a (reasonably) public medium of disparaging comments against an individual. Slander is saying disparaging things in a public forum. Note that private conversations or interpersonal memos etc. are in no case covered by US libel/slander laws - to do so would violate free speech rights by preventing you from saying anything bad about anyone.

If you feel you have been libelled, you bring civil (not criminal) suit against the offending party. If you are a private citizen, you (usually) only have to show that the libel-er was wrong in order to win your case. If you are a public figure, you also have to prove that the libel-er was intentionally getting it wrong to hurt you (or at least being grossly negligent in checking their facts). There is also a provision of libel law called "fair comment" wherein you can be as wrong as you want when talking about a politician or other public figure on certain topics (political philosophies, quality of art/performance, etc.) and not be sued because everyone is free to have wildly differing opinions on those things even if they might be objectively incorrect.

Anyway - the bottom line is that this guy has essentially zero chance of suing for libel or slander and winning, unless his business publicly told others that he did something wrong. But on the positive side maybe he reads this and knows more about libel and slander, and it helps him win a game show or something.

Re:Red Herring had a different perspective.

[geoswan]

Yes, the A.C. points to a good article. Now here is link that works [redherring.com].

Re:And then get arrested, convicted...

[Master of Transhuman]

I don't know how many times I've said this, but I served eight years in Federal prison and the incidence of rape is much lower than the news media (including /.) would have you believe (at least if you're over forty and not terribly attractive...heh, heh). The Feds have a much more controlled environment than state prisons (or so I've heard, I've never been in a state prison).

The real nasty trick the Feds use is if someone does get raped or engages in consensual homosexual sex and the Feds find out, they will write your parents or your wife and tell them you did so. Nice, huh?

I do this

[OriginalArlen]

I work for a company that is a managed security services provider as a pentester. The majority of the customers I do pentests / VAs for are already customers of ours. Personally I've never come under any pressure to slant my reports one way or another. (Of course that doesn't mean it doesn't happen in other companies but the idea that my employer is especially ethical and moral in this respect is... unlikely ;)

Now having said all that, I do often find client sites with horrible glaring problems. Indeed I recently heard that an overseas office of (A.N. multinational megacorp that you'd have heard of) actually had their entire network shutdown as a direct result of a thoroughly stinking report I gave them. They got this stinking report because they had a single W2K machine on a DSL broadband connection running (unpatched) IIS, SQL server, PC Anywhere, VNC, FTP, Exchange (yes all on one box!) and a bunch of other stuff, oh yes including all the 137, 139, 445 Windows RPC ports wide open. No firewall at all. My report basically said "this machine is so insecure that the prudent thing to do is pull it off the network and give it a thorough audit - or save some time and just reformat and rebuild from scratch, because this is absolutely the easiest low-hanging fruit that any common-or-garden kiddie could trivially own.")

The funny thing (?) is that I got 90% of that data just from a careful use of Nessus and Nmap. You do need to read the docs and experiment and be sure you know what they're telling you, but running those against your own network from the outside is well within the capabilities of any Unix-head out there and probably the majority of Slashdot readers.

Normally I'd add a disclaimer about making sure you get authorised before you do this, but to be honest if you do "-TPolite " quiet scans from your home connection it shouldn't even get noticed amongst the normal background noise that any arbitary IP gets. (of course it may be a bit embarrassing if your own testing turns up lots of holes when you go to your boss to show them the results and you DIDN'T get authorisation first...)

I'd suggest something like this (using a current Nmap or post 3.45 - -V rocks!)

$ nohup nmap -sSVR -O -P0 -v -TPolite (your-netblock-here) -o sSVR-scan.log &

And then setup Nessus, remembering to turn off DoS and other non-safe plugins, and configure the portscanners carefully, and away you go. If you can provide the same data that my employers would charge your employer several thousand pounds for, perhaps you'll get a raise instead of the sack.

Don't run these internally unless you're 100% certain that there's no IDS anywhere. Otherwise you WILL be sacked (and may have problems getting another job - you can certainly forget a reference!)

hey,wait a sec! Whose side am I on?!

Re:I don't trust you

[Kurt Gray]

I think you're right, part of what's going on here is a cultural divide that exists in many companies between the managers in suits and the admins in the back cubes watching the network. In some offices these two types hardly ever speak to each other: no kinship, no trust, no loyalty. Both parties bear the responsibility to walk across the office and speak directly to each other once in a while.

My years in sys admin middle management taught me that some admins just don't want to speak the managers in suits. They automatically distrust the management, they resent that anyone who knows less about networking is being paid more and is manager of many departments. They view anyone who meets with management and eats lunch with management as a kiss-ass or someone not to be trusted. This to me is exactly the kind of attitude that holds people back from getting promotions, being recognized, and makes one more vulnerable to becoming a victim of downsizing. If management has no idea who you are and what you do all day then you are effectively nobody to them, you are just another labor expense on the accounting books.

The easiest way to let management know that you have value is find a problem, and don't just whine about, do a little homework and propose a practical solution along with some numbers as to how much it will cost/save the company. If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas. Don't be someone who complains all the time, try to be someone who has solutions rather than complaints. Leaders have answers, followers have complaints. Managers value people they can go to for answers.

So in summary if you make no attempt to talk to management then don't be surprised if they become more comfortable dealing with some out-sourced vendor then they are dealing with you... don't be surprised if someday the managers you hardly ever spoke to tell you to pack up your desk.

Re:DUH

[crushinghellhammer]

It's always great when people talk so freely about things they know nothing about. I personally know people from the US, France and Germany that work in India. They apply and get work permits, just like in the US. The process may take a little longer in certain cases, but the legal provisions exist.

Next, they are not interested in lowballing jobs out of the rest of the world, and it's not as if the entire nation works in call-centers. If jobs are being sent there, then it is due to the decisions of managers from the US and other countries. So it is AMERICANS or EUROPEANS taking those decisions - blame them! If you stop sending jobs there, all those employed in this business will take up something else. Why don't people understand this?

Next, talking about what you would earn in India. What you earn will definitely see you living comfortably. If you are going to rate standard of life by the exact same parameters you would use to do so in the US, then the difference will definitely be drastic. However, part of moving to another country should be a willingness to adapt to a change in life. It's not so different out there - they have a lot of the same brands we do - but somethings will definitely need getting accustomed to. People there will almost always treat you extremely well and you will never feel unwelcome.

I've been on both sides of this one.

[FSK]

I've been downsized and also worked as part of a team of consultants brought in to help a company outsource most of their IT needs so I think I can tell you a bit of what goes on when you see "the consultants" show up.

What a consulting firm is supposed to do (discover problem, suggest solutions) and what the consultants really do (stay for a long time, find ways hire friends) are two different things.

Even if the consultants are honest and full of good intentions you will most likely find yourself either having to justify your job or released from employment. Think about this from the consultant's point of view. "Who has the best solution to any problem? The guys I work and partner with! Who is a wildcard? The guys I don't know! Why that guy sitting next to the server room could destroy the whole company!"

Of course if the consultants aren't honest the situation is even worse.

When you see the consultants show up, don't panic. However don't ignore them either. This is the time when you get your resume updated and call friends with similar jobs "just to see if they heard of anything". Ask people you trust (who don't work with you) about recruiters they like. Compile a list of people who can help you if you find a new job fast.

The consultants might not effect you, but just in case view the situation as if your boss just told you that you have a 6 week warning before you're let go. Trust your gut (for lack of a better term) if you feel up against a wall then you probably are.

Now wait, do everything as you normally would. If the consultants leave and nothing happens you now have a updated resume (which you should have anyway). If you are let go, be pleasant thank everyone for the experience if you think you can get away with it ask for some kind of severance package (or if they could do better if you were offered one). Clean out your desk and never look back.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Before suing...

[JawFunk]

...I would subpoena the report to see what criteria "surfaced" that convinced his employer to replace him with the new guys. This could win the case for SafariShane, if there were no other "problems" with his history at the company.

Probably redundant but will go ahead anyways....

[CliffH]

Personally, as a small home based computer consultant, have been asked to do assessments for companies. I think it's just my general lack of common sense or morals that play into it, but, when I've found holes I can drive a Mack truck through, the first person I have went to is the current admin, showed them what I've found, and helped them fix it. Yeah, stupid buisness decision on my part, but it kept the following intact:

1) Person kept their job

2) I consequently got more buisness in doing further checks and consulting

3) Everyone was happy and the admin was upskilled

This was a win/win in my opinion. Everyone was kept happy and safe and the admin got some more skill to put under his belt. I just don't believe in fear mongering. If there is a problem, the current admin (if there is one) should be the first to know and given the tools to help fix the problem on the spot. Now, it's a whole different ballgame if it's outsource company against outsource company where there is no true full-time admin involved but we won't go there. :)

Only one who knows...

[evilpenguin]

This isn't about outsourcing software development overseas, this is about security at a company and outsourcing security and network administration. If a company has one person who holds all the keys to the security kingdom, even if he or she is doing a great job so far, you have an insecure system. Any system the depends on the knowledge or integrity of one person is an insecure system.

That said, firing that person is not the first best answer. The first best answer is to properly distribute the responsibility and oversight. It isn't right to put all you trust in an outside vendor either.

I don't know any specifics about this particular situation, but if I encountered a person who had all such controls in his or her hands and who regarded any distribution or surrender of authority or oversight as wrong or something to be resisted, I would consider replacing that person.

No system designed around a single point of failure is a reliable system.

Impaired Independence

[lizardb0y]

As an InfoSec auditor it appears that this company has seriously impaired independence in this case. An auditor must (to quote the ISACA Code of Professional Ethics):

Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
-- ISACA Code of Professional Ethics [isaca.org] (Links to a Word Document)

If the same company is both providing audit or assessment services and offering outsource services to the same client then there is a serious breach of professional objectivity.

The outsourcing backlash is beginning

[Presence1]

A number of posters here have mentioned issues of low quality, conflict of interest, time zone and cultural differences, etc. That is the view from the trenches.

Now, it is starting to be seen at the fringes of management, as seen in the current article below from Red Herring. Yes, this is for the advance guard investor audience, but it is still the begnning of the pendulum swinging the other way.

Top 10 trends: Outsourcing backlash [redherring.com]

Losing faith in the corporate structure

[L0J46K]

Sorry to hear you are jobless. In my opinion, some companies are moving the wrong way. I have been the CIO/CFO for almost a year. I don't know if my opinion is right since I am relatively a newbie to the position, but I would NEVER outsource security or any other confidential type work. How does a company justify paying a third party rather than an employee. I can understand adding dollars to the bottom line, but building a team of employees / co-workers is much more important. The problem with tech jobs is the people signing your paycheck and doing the hr work dont know sh*t about your job. In my area, central nj, tech jobs are steadily on the rise. I am about to start looking myself ;) Look at it this way. It's an opportunity to move onto bigger and better things. A company that does not value its employees is doomed to failure. Good luck.

Re:What's good for the goose ... not necessarily

[Thu Anon Coward]

I don't know that you'd want to fuck them. keep in mind, he said he worked for a financial institution. assuming that means a bank/credit union/savings&loan, etc, that is putting peoples money at risk. maybe even your fellow slashdotters. so you want to fuck your fellow slashdotters life savings huh?

I audit financial institutions for IT security. But I do it from the state government regulatory side. I'm not passing judgment on SafariShane, but I would certainly have questions for the financial institution of why they fired their IT Security guy. My job allows me to demand answers like that and then write them up if they haven't done their due diligence or refuse to answer me.

Business Week article on NAFTA's failures

[rilee]

The current issue has two articles of interest: the NAFTA shortcomings and the IRS targeting executive compensation accounting. There's a third article on a gent who buys distressed industries and was able to re-open a steele mill because the workers agreed to work for just-below-union wages. I bet he buys an IT something or other and re-employs US IT workers at a percentage below what they formerly earned. It's an iPods tune waiting to be activated.