Replaced by Outsourcing -- What's a Geek to Do?

SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

1. Perform Network Vulnerability Assessment
2. ?
3. Profit! (Sell Outsourced product)

Looks like they came up with an actual step 2:

Label anyone who is responsible for network security as the risk, and get them fired.

I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"

Outsourcing wont be here for long..

[cOdEgUru]

Trust me, I manage a project which is outsourced and currently employs 3 software engg offshore.

The pluses -

(1) Benefit in terms of costs. Well they bill us 30 bucks for a software developer where here I would assume it will be around 60.. Whoopee doo..

(2) The supposed 24 hour day where your team onsite would plug 12 straight hours and your offshore team would plug in another 12 hours, therefore giving the client the impression that his project was worked upon for 24 hours..

(3) Now that implementation is made seperate and outsourced, the client just needs to focus on the business aspect and the designm therefore having more time to themselves to focus on issues that need attention

Minuses

(1) Cost is not that much better. Quite soon, firms will try to up the prices and then you will lose the benefit in terms of cost

(2) The 24 hour Day - Its quite different from what you are led to believe. Mostly both teams would take a couple of hours everyday trying to understand what the other has done, interact and to a certain extent, also play the blame game.

(3) The client would find himself being pulled more often back in to the implementation and design, since his offshore partner cant understand the design or has a "better" design. Chaos ensues.

Mostly from my experiences, what makes all the difference is the people who are developing this offshore. If they are intelligent enough and has good communication abilities, then you have a success story. If what you have is a guy who did a 14 day java crash course and has one year experience in plugging java code in to Helloworld.java, then you have an absolute wreck waiting to happen. It happened to me, I had two stupid asses with whom I spent 3-4 hours every night trying to drill in, the architecture, the requirements, the implementation details. And then I would wake up in the morning and they would have probably coded 10 lines and sent two emails with questions which either are stupid or should have been asked the night before. So what you have is two asswipes who just billed you for 16 hours and turned out 10 lines of code, of which 9 you will probably rewrite and a bunch of questions which doesnt amount to nada.

I dont think that any firm who is currently doing outsourcing has thought about the actual implementation through and through. They are all given rosy pictures of intelligent professionals back home plugging away on their keyboards churning out code that works on the first try.

More so, in a few years, the real picture would come out where probably 10% outsourcing actually churned out something positive and the rest 90% lost money, less money in fact, on projects which had no direction, no able offshore partner and a bunch of developers who doesnt know the difference between a class and an object if it kicked them in the ass with it.

Sorry I just had to rant, since I spent a better part of my night trying to work with some idiots and two days ago I kicked them out of the project. And in a combined 300 hour period, they coded two classes, and the style of coding will make you puke.

The other side of the story.

[Maradine]

Coming from the standpoint of a security auditor in a firm that specializes in Managed Security Services, let me lay a couple of things down in our defense.

1. Security firms are told to audit against a certain set of criteria when the audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.

2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.

3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.

Re:And then get arrested, convicted...

[The+Good+Reverend]

For those who don't know, this is a line from the movie "Office Space".

If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.