Replaced by Outsourcing -- What's a Geek to Do?
SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, whose other product is 'Outsourced Network Monitoring and Intrusion Detection', may pull this little trick everywhere they go. Has this happened to any other network security folks out there? Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?
"Here comes the obligatory South Park reference:
- Perform Network Vulnerability Assessment
- ?
- Profit! (Sell Outsourced product)
I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product. Label anyone who is responsible for network security as the risk, and get them fired.
I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.
I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.
I'd like to hear comments from folks this has happened to, and what did you do as a result?"
Slanderous conduct? (Score:2, Informative)
Seems to me that if my employer was happy with my performance before the audit and I truly was no risk, I'd get a lawyer and sue both the company and the third party.
I had something similar happen to me back in the 80's and have regretted not taking action against what turned out to be a bunch of bastards.
Ask the Headhunter (Score:4, Informative)
I can't recommend Nick Corcodilos' Ask The Headhunter [asktheheadhunter.com] enough. This advice is just wonderful, either for getting a new job, or for showing your worth to your current employer. It takes a little bit of mental adjustment to accept what he says (and it may be a bit scary), but he is absolutely right about how to go about it! The problem we in IT face right now is the feeling that our worth is going down as many of us are replaced through outsourcing and foreign labor. Brush up your skill set, but most importantly, learn how to apply your talents to solve real business problems in terms of dollars and you will never doubt your worth (nor will your potential employers).
ATH's advice is great. Be sure to get the book, read as much of the website as possible, and subscribe to the weekly newsletter. It's the only HTML mail I receive every week that I actually look forward to and enjoy reading.
Re:Editor's comments (Score:5, Informative)
Now if they tried to send me home at half pay, fuck em. I'll take the money and find a new damn job.
Well... (Score:2, Informative)
Certainly if you were the only ITS employee around, that's a lot of potential power in one person's hands. That said, I'd recommend that some sharing of responsibility be made, some sort of check and balance between you and someone else if it was really a concern. If the VA truly did recommend that you be let go, that's at best a poor solution, and at worst a highly unethical conflict of interest with their product.
A vulnerability assessment does need to look at everything from personnel to the nuts and bolts of the hardware, but it also gives only recommendations for safeguards pertaining to those vulnerabilities... the final decision as to your fate could only have come from the brass of your former employer. You do have a right to know why you were let go; you should pursue that. "You're a major security risk" is NOT good enough.
L
litigate (Score:3, Informative)
False statements that negatively affect your employment are actionable in most states. Unless they have documented, specific, realistic vulnerabilities, I'd go right to my attorney and file a multi-million dollar libel suit against both the 3rd party vendor and your former employer.
Good luck with your career.
Why wait until you're out of a job? (Score:4, Informative)
It always confuses me why people don't keep their resume up to date at all times. It's much easier to amend your resume as you are doing things than it is if you wait until you need it quickly and then have to rack your memory to dredge up the things you did over the past x years.
Outsourcing won't be here for long.. (Score:5, Informative)
The pluses -
(1) Benefit in terms of costs. Well they bill us 30 bucks for a software developer where here I would assume it will be around 60.. Whoopee doo..
(2) The supposed 24 hour day where your team onsite would plug 12 straight hours and your offshore team would plug in another 12 hours, therefore giving the client the impression that his project was worked upon for 24 hours..
(3) Now that implementation is made separate and outsourced, the client just needs to focus on the business aspect and the design, therefore having more time to themselves to focus on issues that need attention.
Minuses
(1) Cost is not that much better. Quite soon, firms will try to up the prices and then you will lose the benefit in terms of cost
(2) The 24 hour Day - It's quite different from what you are led to believe. Mostly both teams would take a couple of hours every day trying to understand what the other has done, interact and to a certain extent, also play the blame game.
(3) The client would find himself being pulled more often back in to the implementation and design, since his offshore partner can't understand the design or has a "better" design. Chaos ensues.
Mostly from my experiences, what makes all the difference is the people who are developing this offshore. If they are intelligent enough and have good communication abilities, then you have a success story. If what you have is a guy who did a 14 day Java crash course and has one year experience in plugging Java code in to Helloworld.java, then you have an absolute wreck waiting to happen. It happened to me, I had two stupid asses with whom I spent 3-4 hours every night trying to drill in the architecture, the requirements, the implementation details. And then I would wake up in the morning and they would have probably coded 10 lines and sent two emails with questions which either are stupid or should have been asked the night before. So what you have is two asswipes who just billed you for 16 hours and turned out 10 lines of code, of which 9 you will probably rewrite, and a bunch of questions which don't amount to nada.
I don't think that any firm who is currently doing outsourcing has thought about the actual implementation through and through. They are all given rosy pictures of intelligent professionals back home plugging away on their keyboards churning out code that works on the first try.
More so, in a few years, the real picture would come out where probably 10% of outsourcing actually churned out something positive and the rest 90% lost money, less money in fact, on projects which had no direction, no able offshore partner and a bunch of developers who don't know the difference between a class and an object if it kicked them in the ass with it.
Sorry I just had to rant, since I spent a better part of my night trying to work with some idiots and two days ago I kicked them out of the project. And in a combined 300 hour period, they coded two classes, and the style of coding will make you puke.
Re:What's good for the goose is good for the gande (Score:5, Informative)
So how about listing on slashdot all the passwords, usernames, maybe the list of salaries of all the employees, ip addresses of back doors, list all that crap here for us and we will politely help the company get back on track to super-security awareness.
Seriously though, sorry to hear about what happened. Wonder what field the next 'boom' is going to be in
Re:DUH (Score:3, Informative)
They're okay with low-balling all the jobs out of the rest of world, but they're not interested in opening their own market place to foreign workers...
Luckily, my company tried outsourcing once; the outsourcing company fucked up the product so horribly that we gave up on them, wrote off the 5 million and brought it all back in-house.
Re:Capitalism is a funny thing (Score:3, Informative)
Layoffs when a company is making record profits can make sense - a company flush with cash may take that opportunity to invest in labor-saving improvements, for example, and position themselves better for the long term.
The other side of the story. (Score:5, Informative)
1. Security firms are told to audit against a certain set of criteria when they audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.
2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.
3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.
Re:One word: (Score:3, Informative)
That's why I love NOT living in the US.
Where I come from, if you get fired with undue cause, you have recourse. You take the company in front of the labor commission, and mediate. If mediation fails, you go in front of the Labor minister, and he decides. Decisions range from monetary compensation to full work re-integration... Once you're re-integrated, the company will have a tough time getting rid of you because any dismissal without a foot thick file containing DNA/photographic evidence will be considered retaliation.
While the system is not perfect, it works most of the time, and that's good enough for me.
I'd hate to live someplace where the color of your shirt is ground to dismissal.
Re:One word: (Score:4, Informative)
In places like Virginia, DC and Maryland (I think MD), these are Right to Work states, meaning they can terminate your employment for breathing in the wrong direction, and they don't even have to tell you why.
Re:And then get arrested, convicted... (Score:5, Informative)
If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.
Well... Sorta! (Score:4, Informative)
Recourse IS available for those who qualify. I was fired unjustly from a company 15 years ago, believe me I know. I went to the employment board and filed a grievance. In 30 days I had the choice of getting my job back or taking a settlement - I took the settlement.
YOU don't know the full story in this situation either. Maybe a major security breach was found that the author of this article didn't know about. Maybe his company was looking to 'pare down' their IT staff anyway. My point is that in the U.S. shit can and will happen, but I believe the system works itself out. Not perfect, but then neither is a 75% tax rate under socialism.
Re:DUH (Score:3, Informative)
I was looking into trying to work in Europe, but there was no chance that I could.
Also remember there are a lot of countries that have unemployment rates > 10%, and India is definitely on this list. Why should they give jobs to foreigners when there are already not enough jobs to go around?
Just cause? (Score:3, Informative)
That said, it might be illegal to fire you without "just cause". A consultant's report labelling you as a security risk might or might not qualify as such, especially if said consultant proceeded to win a contract to replace you.
Read your contract, and consult a qualified lawyer, about what conditions your (former) employer must satisfy in order to fire you.
Re:One word: (Score:3, Informative)
Not in the UK: you can't fire anyone without good reason. And before anyone gives me the standard "socialist/communist" crap about workers' rights being bad for the economy, we've got lower unemployment than the US and haven't been in recession since the early 1990s.
Re:One word: (Score:4, Informative)
Uhm excuse me but that's not true.
The world is not the US. Where I work, if you've worked somewhere for 2 years or more then they can't just sack you. In mainland Europe they have even stronger workers' rights.
So please, before submitting, remember that /. has an international audience and the US != The World.
Re:Bigot (Score:4, Informative)
I am as Indian as they get
I wasn't issuing a blanket statement about all Indian outsourcing firms. I am merely referring to the fact that most of the firms who indulge in outsourcing are plainly jumping on the bandwagon with nary a thought about its implications in the long run. And hence outsourcing isn't here to stay; it will blow over very soon when firms and managers realize that it makes more sense to have the team onsite rather than having someone do most of the work at night when you aren't around to manage.
And if your offshore partner is a plain schmuck, like mine was, they will shaft you at every step possible, by overbilling you, by working on other projects in the hours they bill you. Believe me, I have been a witness to this and much more.
Re:One word: (Score:4, Informative)
Except that it's not. You have to have cause for dismissal in most states, and the employees have to have been informed of the rules and disciplinary procedures and causes for dismissal. You can't even fire someone for being late, unless they were told that being late is firable.
Layoffs are different, though. You can lay someone off for whatever reason (services no longer required is the common one), but then they get severance packages, or whatever.
Trust me, I know. I worked in HR for 2 years - we had a lot of turnover, and we'd have to fire people for being late, or not being properly attired (the job required uniforms) etc. And they'd of course file a claim for wrongful dismissal, and then we'd have to send a representative to the dept of labor, and if the rep didn't show up, the employee automatically won. And if the rep couldn't prove that the employee had received the handbook which contained the rules for dismissal, the employee automatically won.
Re:work from home discount? (Score:3, Informative)
Pfft. Maybe I'm unusual, but quite honestly, when I work at home, I spend more time working (although it probably helps that I essentially don't watch TV at all). I don't have to commute - there's an extra 60-90 minutes right there. Home life and work life can blend - while I can take 30 minutes to watch the kidlets while my wife runs an errand, I also can (and do) treat dinner as a "break" before going "back to work" for an hour or two in the evening.
My wife's happy because I'm home (instead of elsewhere), the kids are happy because they get to see dada all day (instead of just in the morning and in the evening), and I'm happier because I'm able to go heads-down and concentrate on my work. I'd hate to work at home every day - there's some office interaction, face-to-face discussion that's really much more efficient than email communications - but I'd have to say that my ideal work situation has morphed into working at home 1-2 days a week.
Re:One word: (Score:3, Informative)
One word: Libel.
Nope.
"Libel" seems to be one of those words that gets thrown around on Slashdot without people entirely knowing what they're talking about. So, for everybody's future reference, here's the real deal (everybody that goes through journalism school gets a heaping dose of education on this to hopefully save their future employers from being sued into oblivion).
Libel is the printing in a (reasonably) public medium of disparaging comments against an individual. Slander is saying disparaging things in a public forum. Note that private conversations or interpersonal memos etc. are in no case covered by US libel/slander laws - to do so would violate free speech rights by preventing you from saying anything bad about anyone.
If you feel you have been libelled, you bring civil (not criminal) suit against the offending party. If you are a private citizen, you (usually) only have to show that the libel-er was wrong in order to win your case. If you are a public figure, you also have to prove that the libel-er was intentionally getting it wrong to hurt you (or at least being grossly negligent in checking their facts). There is also a provision of libel law called "fair comment" wherein you can be as wrong as you want when talking about a politician or other public figure on certain topics (political philosophies, quality of art/performance, etc.) and not be sued because everyone is free to have wildly differing opinions on those things even if they might be objectively incorrect.
Anyway - the bottom line is that this guy has essentially zero chance of suing for libel or slander and winning, unless his business publicly told others that he did something wrong. But on the positive side maybe he reads this and knows more about libel and slander, and it helps him win a game show or something.
Re:And then get arrested, convicted... (Score:2, Informative)
The real nasty trick the Feds use is if someone does get raped or engages in consensual homosexual sex and the Feds find out, they will write your parents or your wife and tell them you did so. Nice, huh?
I do this (Score:2, Informative)
Now having said all that, I do often find client sites with horrible glaring problems. Indeed I recently heard that an overseas office of (A.N. multinational megacorp that you'd have heard of) actually had their entire network shut down as a direct result of a thoroughly stinking report I gave them. They got this stinking report because they had a single W2K machine on a DSL broadband connection running (unpatched) IIS, SQL Server, PC Anywhere, VNC, FTP, Exchange (yes, all on one box!) and a bunch of other stuff, oh yes, including all the 137, 139, 445 Windows RPC ports wide open. No firewall at all. My report basically said "this machine is so insecure that the prudent thing to do is pull it off the network and give it a thorough audit - or save some time and just reformat and rebuild from scratch, because this is absolutely the easiest low-hanging fruit that any common-or-garden kiddie could trivially own."
The funny thing (?) is that I got 90% of that data just from a careful use of Nessus and Nmap. You do need to read the docs and experiment and be sure you know what they're telling you, but running those against your own network from the outside is well within the capabilities of any Unix-head out there and probably the majority of Slashdot readers.
Normally I'd add a disclaimer about making sure you get authorised before you do this, but to be honest if you do "-TPolite" quiet scans from your home connection it shouldn't even get noticed amongst the normal background noise that any arbitrary IP gets. (Of course it may be a bit embarrassing if your own testing turns up lots of holes when you go to your boss to show them the results and you DIDN'T get authorisation first...)
I'd suggest something like this (using a current Nmap, post 3.45 - -sV rocks!):
$ nohup nmap -sSVR -O -P0 -v -TPolite (your-netblock-here) -oN sSVR-scan.log &
And then setup Nessus, remembering to turn off DoS and other non-safe plugins, and configure the portscanners carefully, and away you go. If you can provide the same data that my employers would charge your employer several thousand pounds for, perhaps you'll get a raise instead of the sack.
Don't run these internally unless you're 100% certain that there's no IDS anywhere. Otherwise you WILL be sacked (and may have problems getting another job - you can certainly forget a reference!)
hey,wait a sec! Whose side am I on?!
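Once a scan like the one above has been run against your own network with authorisation, the useful part is reading the results the way the poster's report did: which hosts expose remote-control, database and SMB services that have no business facing the outside. The script below is an added example (not code from the poster or from the Nmap project) that parses nmap's "normal" (-oN) output and grades each host. The log it reads is constructed sample data, and the rule set and severity thresholds are the editor's own assumptions, not anything nmap ships.

```python
"""Summarise an nmap -oN log of your own network and flag hosts that expose
services which should never be reachable from outside.  Added example; the
SENSITIVE/REMOTE_CONTROL rules and thresholds are assumptions, not nmap's."""
import re
from collections import defaultdict

# Constructed sample of nmap normal output (three hosts); not a real scan.
SAMPLE_LOG = """\
Interesting ports on 192.0.2.10:
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd 5.0
80/tcp   open  http         Microsoft IIS webserver 5.0
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2000
5631/tcp open  pcanywhere
5900/tcp open  vnc          VNC protocol 3.3

Interesting ports on 192.0.2.20:
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 3.6.1p2
80/tcp   filtered http

Interesting ports on 192.0.2.30:
PORT     STATE SERVICE VERSION
23/tcp   open  telnet
25/tcp   open  smtp    Microsoft Exchange
"""

# Matches both "Interesting ports on 192.0.2.10:" and "... on name (192.0.2.10):"
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ )?\(?([0-9.]+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed rule set: services whose exposure warrants a finding.
SENSITIVE = {
    "pcanywhere": "remote-control service exposed",
    "vnc": "remote-control service exposed",
    "telnet": "cleartext remote login exposed",
    "ms-sql-s": "database listener exposed",
    "netbios-ssn": "SMB/NetBIOS exposed",
    "microsoft-ds": "SMB/NetBIOS exposed",
    "ftp": "cleartext file transfer exposed",
}
# Any one of these open is enough to rate the host critical on its own.
REMOTE_CONTROL = {"pcanywhere", "vnc", "telnet"}


def parse_nmap_normal(text):
    """Return {host_ip: [ {port, proto, state, service, version}, ... ]}."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]  # register hosts even if no ports follow
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
    return dict(hosts)


def assess_host(ports):
    """Grade one host: ('critical'|'review'|'ok', [finding strings])."""
    findings = []
    open_services = set()
    for p in ports:
        if p["state"] != "open":
            continue  # filtered/closed ports are not exposure
        open_services.add(p["service"])
        reason = SENSITIVE.get(p["service"])
        if reason:
            findings.append(f"{p['port']}/{p['proto']} {p['service']}: {reason}")
    if open_services & REMOTE_CONTROL or len(findings) >= 3:
        severity = "critical"
    elif findings:
        severity = "review"
    else:
        severity = "ok"
    return severity, findings


def summarise(text):
    """Map every host in the log to its (severity, findings)."""
    return {host: assess_host(ports)
            for host, ports in parse_nmap_normal(text).items()}


if __name__ == "__main__":
    for host, (severity, findings) in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{host}: {severity}")
        for f in findings:
            print("   ", f)
```

The grading deliberately ignores "filtered" ports: a filtered port means something in the path is already blocking it, so it is not an exposure, and counting it would bury the real findings under noise. The box the poster describes (FTP, SQL Server, PC Anywhere, VNC and SMB all open on one internet-facing host) rates "critical" on two independent grounds here, which is the kind of result worth walking to your boss with before a third party does.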
Re:I don't trust you (Score:5, Informative)
My years in sys admin middle management taught me that some admins just don't want to speak to the managers in suits. They automatically distrust the management; they resent that anyone who knows less about networking is being paid more and is manager of many departments. They view anyone who meets with management and eats lunch with management as a kiss-ass or someone not to be trusted. This to me is exactly the kind of attitude that holds people back from getting promotions, being recognized, and makes one more vulnerable to becoming a victim of downsizing. If management has no idea who you are and what you do all day then you are effectively nobody to them; you are just another labor expense on the accounting books.
The easiest way to let management know that you have value is find a problem, and don't just whine about, do a little homework and propose a practical solution along with some numbers as to how much it will cost/save the company. If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas. Don't be someone who complains all the time, try to be someone who has solutions rather than complaints. Leaders have answers, followers have complaints. Managers value people they can go to for answers.
So in summary, if you make no attempt to talk to management then don't be surprised if they become more comfortable dealing with some out-sourced vendor than they are dealing with you... don't be surprised if someday the managers you hardly ever spoke to tell you to pack up your desk.
Re:DUH (Score:2, Informative)
Next, they are not interested in lowballing jobs out of the rest of the world, and it's not as if the entire nation works in call-centers. If jobs are being sent there, then it is due to the decisions of managers from the US and other countries. So it is AMERICANS or EUROPEANS taking those decisions - blame them! If you stop sending jobs there, all those employed in this business will take up something else. Why don't people understand this?
Next, talking about what you would earn in India. What you earn will definitely see you living comfortably. If you are going to rate standard of life by the exact same parameters you would use to do so in the US, then the difference will definitely be drastic. However, part of moving to another country should be a willingness to adapt to a change in life. It's not so different out there - they have a lot of the same brands we do - but some things will definitely need getting accustomed to. People there will almost always treat you extremely well and you will never feel unwelcome.
I've been on both sides of this one. (Score:2, Informative)
What a consulting firm is supposed to do (discover problems, suggest solutions) and what the consultants really do (stay for a long time, find ways to hire friends) are two different things.
Even if the consultants are honest and full of good intentions you will most likely find yourself either having to justify your job or released from employment. Think about this from the consultant's point of view. "Who has the best solution to any problem? The guys I work and partner with! Who is a wildcard? The guys I don't know! Why that guy sitting next to the server room could destroy the whole company!"
Of course if the consultants aren't honest the situation is even worse.
When you see the consultants show up, don't panic. However don't ignore them either. This is the time when you get your resume updated and call friends with similar jobs "just to see if they heard of anything". Ask people you trust (who don't work with you) about recruiters they like. Compile a list of people who can help you if you find a new job fast.
The consultants might not affect you, but just in case, view the situation as if your boss just told you that you have a 6 week warning before you're let go. Trust your gut (for lack of a better term): if you feel up against a wall then you probably are.
Now wait, and do everything as you normally would. If the consultants leave and nothing happens, you now have an updated resume (which you should have anyway). If you are let go, be pleasant, thank everyone for the experience, and if you think you can get away with it, ask for some kind of severance package (or if they could do better if you were offered one). Clean out your desk and never look back.
Probably redundant but will go ahead anyways.... (Score:3, Informative)
Personally, as a small home based computer consultant, I have been asked to do assessments for companies. I think it's just my general lack of common sense or morals that play into it, but, when I've found holes I can drive a Mack truck through, the first person I have gone to is the current admin, showed them what I've found, and helped them fix it. Yeah, stupid business decision on my part, but it kept the following intact:
1) Person kept their job
2) I consequently got more business in doing further checks and consulting
3) Everyone was happy and the admin was upskilled
This was a win/win in my opinion. Everyone was kept happy and safe and the admin got some more skill to put under his belt. I just don't believe in fear mongering. If there is a problem, the current admin (if there is one) should be the first to know and given the tools to help fix the problem on the spot. Now, it's a whole different ballgame if it's outsource company against outsource company where there is no true full-time admin involved but we won't go there. :)
Only one who knows... (Score:3, Informative)
That said, firing that person is not the first best answer. The first best answer is to properly distribute the responsibility and oversight. It isn't right to put all your trust in an outside vendor either.
I don't know any specifics about this particular situation, but if I encountered a person who had all such controls in his or her hands and who regarded any distribution or surrender of authority or oversight as wrong or something to be resisted, I would consider replacing that person.
No system designed around a single point of failure is a reliable system.
Impaired Independence (Score:2, Informative)
Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
-- ISACA Code of Professional Ethics [isaca.org] (Links to a Word Document)
If the same company is both providing audit or assessment services and offering outsource services to the same client then there is a serious breach of professional objectivity.
The outsourcing backlash is beginning (Score:2, Informative)
Now, it is starting to be seen at the fringes of management, as seen in the current article below from Red Herring. Yes, this is for the advance guard investor audience, but it is still the beginning of the pendulum swinging the other way.
Top 10 trends: Outsourcing backlash [redherring.com]
Re:What's good for the goose ... not necessarily (Score:2, Informative)
I audit financial institutions for IT security. But I do it from the state government regulatory side. I'm not passing judgment on SafariShane, but I would certainly have questions for the financial institution of why they fired their IT Security guy. My job allows me to demand answers like that and then write them up if they haven't done their due diligence or refuse to answer me.