Replaced by Outsourcing -- What's a Geek to Do?

SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

1. Perform Network Vulnerability Assessment
2. ?
3. Profit! (Sell Outsourced product)

Looks like they came up with an actual step 2:

Label anyone who is responsible for network security as the risk, and get them fired.

I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"

Re:Editor's comments

[nate1138]

I don't know about that. If I could work from home, I could get rid of one of my cars (no public transit where I live at all) and all the associated expense. That would easily make up for a 20% pay cut (between the payment, gas, insurance, maintenance, etc). I think it would also be VERY appealing to those of us with children and two working parents. Get to work from home and be there when the kids get back from school. It doesn't apply to everybody, but for some folks it may be an option.

Now if they tried to send me home at half pay, fuck em. I'll take the money and find a new damn job.

Outsourcing wont be here for long..

[cOdEgUru]

Trust me, I manage a project which is outsourced and currently employs 3 software engg offshore.

The pluses -

(1) Benefit in terms of costs. Well they bill us 30 bucks for a software developer where here I would assume it will be around 60.. Whoopee doo..

(2) The supposed 24 hour day where your team onsite would plug 12 straight hours and your offshore team would plug in another 12 hours, therefore giving the client the impression that his project was worked upon for 24 hours..

(3) Now that implementation is made seperate and outsourced, the client just needs to focus on the business aspect and the designm therefore having more time to themselves to focus on issues that need attention

Minuses

(1) Cost is not that much better. Quite soon, firms will try to up the prices and then you will lose the benefit in terms of cost

(2) The 24 hour Day - Its quite different from what you are led to believe. Mostly both teams would take a couple of hours everyday trying to understand what the other has done, interact and to a certain extent, also play the blame game.

(3) The client would find himself being pulled more often back in to the implementation and design, since his offshore partner cant understand the design or has a "better" design. Chaos ensues.

Mostly from my experiences, what makes all the difference is the people who are developing this offshore. If they are intelligent enough and has good communication abilities, then you have a success story. If what you have is a guy who did a 14 day java crash course and has one year experience in plugging java code in to Helloworld.java, then you have an absolute wreck waiting to happen. It happened to me, I had two stupid asses with whom I spent 3-4 hours every night trying to drill in, the architecture, the requirements, the implementation details. And then I would wake up in the morning and they would have probably coded 10 lines and sent two emails with questions which either are stupid or should have been asked the night before. So what you have is two asswipes who just billed you for 16 hours and turned out 10 lines of code, of which 9 you will probably rewrite and a bunch of questions which doesnt amount to nada.

I dont think that any firm who is currently doing outsourcing has thought about the actual implementation through and through. They are all given rosy pictures of intelligent professionals back home plugging away on their keyboards churning out code that works on the first try.

More so, in a few years, the real picture would come out where probably 10% outsourcing actually churned out something positive and the rest 90% lost money, less money in fact, on projects which had no direction, no able offshore partner and a bunch of developers who doesnt know the difference between a class and an object if it kicked them in the ass with it.

Sorry I just had to rant, since I spent a better part of my night trying to work with some idiots and two days ago I kicked them out of the project. And in a combined 300 hour period, they coded two classes, and the style of coding will make you puke.

Re:What's good for the goose is good for the gande

[Glonoinha]

Yea that would be a bad idea. A better idea would be to be helpful, like those guys that list all the Microsoft vulnerabilities in a public forum so Microsoft will be able to fix them right away.

So how about listing on slashdot all the passwords, usernames, maybe the list of salaries of all the employees, ip addresses of back doors, list all that crap here for us and we will politely help the company get back on track to super-security awareness.

Seriously though, sorry to hear about what happened. Wonder what field the next 'boom' is going to be in ... maybe we can get a head start.

The other side of the story.

[Maradine]

Coming from the standpoint of a security auditor in a firm that specializes in Managed Security Services, let me lay a couple of things down in our defense.

1. Security firms are told to audit against a certain set of criteria when the audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.

2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.

3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.

Re:And then get arrested, convicted...

[The+Good+Reverend]

For those who don't know, this is a line from the movie "Office Space".

If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.

Re:Red Herring had a different perspective.

[geoswan]

Yes, the A.C. points to a good article. Now here is link that works.

Re:I don't trust you

[Kurt+Gray]

I think you're right, part of what's going on here is a cultural divide that exists in many companies between the managers in suits and the admins in the back cubes watching the network. In some offices these two types hardly ever speak to each other: no kinship, no trust, no loyalty. Both parties bear the responsibility to walk across the office and speak directly to each other once in a while.

My years in sys admin middle management taught me that some admins just don't want to speak the managers in suits. They automatically distrust the management, they resent that anyone who knows less about networking is being paid more and is manager of many departments. They view anyone who meets with management and eats lunch with management as a kiss-ass or someone not to be trusted. This to me is exactly the kind of attitude that holds people back from getting promotions, being recognized, and makes one more vulnerable to becoming a victim of downsizing. If management has no idea who you are and what you do all day then you are effectively nobody to them, you are just another labor expense on the accounting books.

The easiest way to let management know that you have value is find a problem, and don't just whine about, do a little homework and propose a practical solution along with some numbers as to how much it will cost/save the company. If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas. Don't be someone who complains all the time, try to be someone who has solutions rather than complaints. Leaders have answers, followers have complaints. Managers value people they can go to for answers.

So in summary if you make no attempt to talk to management then don't be surprised if they become more comfortable dealing with some out-sourced vendor then they are dealing with you... don't be surprised if someday the managers you hardly ever spoke to tell you to pack up your desk.

Comment removed

[account_deleted]

Comment removed based on user account deletion