Slashdot Mirror
Replaced by Outsourcing -- What's a Geek to Do?
SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?
I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.
I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.
I'd like to hear comments from folks this has happened to, and what did you do as a result?"
"Here comes the obligatory South Park reference:
- Perform Network Vulnerability Assessment
- ?
- Profit! (Sell Outsourced product)
Label anyone who is responsible for network security as the risk, and get them fired.I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.
I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.
I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.
I'd like to hear comments from folks this has happened to, and what did you do as a result?"
I don't trust you to work from home. You will just watch Scooby Doo.
I doo trust a company in India, tho.
...and sent to federal pound-me-in-the-ass prison.
He got hosed by an unethical competitor, but he can't do crap about that now. Time to brush off the resume.
What do to? Well, you're a casualty of corporate sleaze and politics. Read The Art Of War, get back on the horse and don't let yourself become a victim again.
That sounds cold, I know, but what else can you do? Dwelling on the issue won't pay the rent.
Trolling is a art,
Not like... say virus scanner writers right? [who probably write the viruses they detect...]
I say if your management is stupid enough to fall for the tricks without trusting you then they deserve what they get and you probably shouldn't have been working there in the first place.
Tom
Someday, I'll have a real sig.
As evidenced by the story poster, it lies with the non-technical types.
I'm on call 24x7x365 while the CEO sleeps.
You sure have a funny definition of power.
No offense, man, but if you're good at your job, get a new one.
...
If your company was willing to do that, you probably don't want to work there anyway.
it sucks, but Ob-la-di ob-la-da life goes on
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
You can't take things like this personally. If they're outsourcing you, the wheels are already in motion and there's not much you can do to stop them. I have no attachment to my employer. I have an awesome team right now, and I feel loyal to them, but not to the company, but that's what they teach us in Business School. You have a chance of being outsourced, much like you have a chance of getting into a car accident. Nothing you can do once it happens. Collect your insurance and buy a new ride.
-I DDoSed your mom.
In any IT situation, the guy/s who knows the system administration/root passwords is always a potential risk. They've fired you, but they must have someone who knows the stuff you do, root passwords and all.
Hey, wait a minute, now the new guy is the risk. Fire him and pass the root passwords to the next guy. Repeat to fade...
Sounds like someone has been solving the wrong problem.
Capitalism is a funny thing. Well, at least the "modern" capitalism. Not only does your company have to profit, it has to profit more than last year, every year. This is one of the reasons people get laid off even when a company is making record profits.
Based on the description of the problem this doesn't seem to have anything to do with oversea's labour. It's just that he was replaced by an outsourcing company (in his own country).
About the reduction in pay comment, if you were sent home with a 50% pay cut would you be happy about it? Or would you be hitting monster.com on your 'extended' lunch breaks. I don't think it's really practical to half-way lay-off people, because the employees won't be at all loyal after that.
This post cannot be rebroadcast without the express written constent of Major League Baseball.
Not sharing the results with the net security people is the giveaway. They wanted to fire you, and told the consultants that that was their goal. I'm in the biz, and what they did was way outside of accepted practice. So who is the company? We'd like to know who to avoid. I know the Big Four play this game, for their love is for money, not the best interests of their clients...
"here's a question i always wish i could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?"
do you think that this would be a good idea, overall? think about where this winds up going if it becomes a trend in, say, 3-5 years time: it becomes a price war, and it's one that domestic employees cannot win. cost of living is just higher here than in a number of other countries.
i think this is a very, very bad idea, and one that's not just bad for you personally, but also for people in the industry overall. it would have the effect of dropping IT salaries across the board. in essence, you would be arguing that you're overpaid. not a good idea, IMHO.
that said: shame the PHBs were the ones making the decision. were there many others affected? this smells like a small bloodletting to help a business in a still underperforming industry cut some heads and increase profitability.
ed
Can't beat em, then join em right?
That's all fine and dandy for those whom have a constantly shifting moral stance, or none at all...however some people, like the submitter of the story, would probably prefer to stick to their morals and avoid being a hypocrit.
No Comment.
Don't give employers this idea that working from home is a reward. My time is as valuable while in the office as outside of it.
Working from home will already save them money on heating, cooling, parking, insurance, and office space. There are also tax benefits in certain areas of the country for implementing such environment and traffic friendly procedures.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
I always love seeing the "unjust dismissal" or "simissal without cause" arguement. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple. There doesn't need to be any cause. You have no 'right' as it were to be employed by any specific person. Unless you can prove your human rights were violated (they fired you because you're male/female/white/black/red/blue/jewish/catholic/e tc..)you've got no recourse.
Things are a little different in a union environment. There, you don't get fired, you get laid off.
HAHAHAHA!!!! Tell that to former American steel, auto, textile, and rubber workers. You must not be from the Rust Belt.
Read my blog.
It is very hard on those who it affects, but the economic reality is that the money saved in efficiencies (even if it only goes towards fat cat bonuses) is very tangible.
There is illiquidity in labour pools because of immigration laws etc., but the internet removes these barriers. The global workplace is here, and as a result the market is freer than before.
It is quite feasible that if (eg) Russia in fifty years time will farm out its "boring" nanotech analysis work to the US. Like it or not, standards of living in 2nd and 3rd world countries are going to improve, sometimes at the expense of sections of the 1st world. However, overall and in the long-term, competition leads to better economies all round.
The guy could be right, the guy could be wrong - that is completely irrelevant. The percieved reality is:
the guy was in charge of network security
the third-party audit was performed (why? did they look for an excuse to dump him?)
Vulnerability was found
The guy was sacked.
That is all that matters. Waste your time - blame outsourcing, Republicans, little green men.
Get over it, fix the resume and get back into the game. American corp environment is completely free of common sense and logic.
You make some extremely good points, and you make them cogently and cooly.
Personally, I would set down my concerns; about the possible conflict of interest in the study; about the lack of technical oversight of the reports findings in a letter and send it to the company CEO.
The letter should be couched in such a way to make it clear that you are writing becauase you are concerned about the company's security; not because you are disgruntled. Make that very clear, mention in passing the facts about your recent appraisals, and bonus payments.
Leave the CEO in no doubt that you are a professional and you are concerned that the company may be being set up. Tell the CEO that (s)he should not hestitate to contact you, to discuss the issues.
At the very least it will make you feel better. It may even get the company to rethink its policy.
How does working for an outsourcing company violate this guy's morals? Not all outsourcing companies pull tricks like this to get work. On the otherhand, if your morals are "outsourcing is wrong," you have a stupid moral and should reevaluate it.
A deep unwavering belief is a sure sign you're missing something...
I've heard stories of people doing the "revenge hack" to prove that the new security is worthless, then ending up in jail. Why would anyone want to risk jail time to get a job back at a company that obviously would rather listen to a contract consultant rather than a member of their company?
"Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." --Howard Aike
You are not a casualty of off-shore outsourcing. You are a casualty of the battle between consultants and in-house IT expertise. Not that you're any less screwed, or that I'm any less outraged. And yes, I am a security consultant.
The first thing I would have done is mention the name of the company that screwed you. I think this would give other in-house specialists pause before recommending them to management. Our own company's business model is built around providing the opposite sort of experience from the one you described. When we audit, we work with the IT staff, not against them, and we do so with the understanding of having "been there" (because I have been). We try to position ourselves as the guys who will tell it like it is, without panic, arrogance, or exaggeration, and we tell it to you, not your boss's boss.
I have enormous disrespect for any network security firm who attempts to abuse the politics of their client's business to get ahead. Getting somebody fired in order ro pursue a business opportunity is beneath contempt and possible grounds for a lawsuit. I wish you luck.
who are those slashdot people? they swept over like Mongol-Tartars.
I too was 'downsized, right-sized or outsourced' depending on your point of view. In my situation, I was not offered the opportunity to move with my job as it wasn't 'my job' anymore as it now belonged to a 3rd party (another company in town performing those functions that use to be mine).
Because we were 'audited' and told repeatedly it was non-threating and the new CIO was just getting a *pulse* of who was there and what we did... when we showed up for the wrap-up meeting that was to be an information exchange of what was discovered and what the next move was, we were quite surprised to get our walking papers.
Naturally the audit was nothing more then a 'gather all the information you need to support us going forward' project. The better option, IMHO, would have been to tell us what was going on, I would have been more helpful and forthcoming as the enterprise I helped build/design/deploy had many MANY exceptions to standards and rules because of business need. Several weren't documented and as a result the transistion has been painful for them as they discover these exceptions and scramble to fix them. I think a better question to this topic would be... 'when your considering outsourcing, what is the best way to implement?'.
The "keeping the guys in the dark" approach is bad for PR in the IT community. In my situation, the company was very generous with the severance package and if I had known it was to be offered I would have bent over backwards to help make the transition smooth.
Comment removed based on user account deletion
No worker's rights?
Can you tell your boss to sod off and never show up to work again? Yes.
Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes.
If a company lets you go, are you entitled to unemployment compenstation of some sort? Yes.
Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No.
We have rights, they just don't seem to be as nice when you're the one getting let go for no reason. Rights go both ways, unfortunately it's usually the employer that is on the receiving end of the benefit.
One of the first things I say when I meet with a company is tell them that it's not the IT persons fault that the company is insecure. Network security is a relatively new field that ALL companies in existance are trying to get their arms around. I do NOT want to put anyone out of a job just for the sake of getting some consulting dollars. I feel that it is my responsibility to train the internal staff to be more aware of security issues rather than to terminate everyone and outsource it all.
How can anyone thats not even on-site on a daily basis make the network more secure? When it comes to real security, you need to start with the folks that know the network the best. If they're resistant to change, then fire them. If they're willing to learn, train them.
Network insecurity is fundamentally a management problem. Security inititaves must come from the top down, not the bottom up. I have never met a network administrator yet that has set out to create an insecure network. They likely were ignorant to the threats - therefore they needed training, which should have been ordered by management. Otherwise, you have security aware employees that are trying to push security up the chain to management, and management is completely unresponsive.
I recently blasted a luddite CEO for not paying enough attention to his IT department. His company was compromised by a hacker and I came in to clean things up. I asked him; "Do you realize that your business relies 100% on what goes on in that server room?"
Things are now changing in that company. We've now established data owners on the executive committee (Those that will hang if the data they own gets compromised), and now the IT department actually has a budget. 80% of the time I spend doing my security consulting is with executives, the remainder is with the tecnical staff giving them direction and training/pointers.
Anyone that preaches anything different is trying to sell a magic fix for security, which doesn't exist.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?
Oh there's a fantastic idea. All I need to do now is figure out how to live without paying for food, clothing or rent and I'll be all set.
Do we really need to go over this again? Repeat after me: You cannot compete with 3rd world labor costs. Ok, now just the guys! Good, now just the girls...Oh right, there's no girls here.
The only way you're going to be able to keep your job is to do something that offshore workers can't do. What is that, you ask? Well, you could start my actually caring about the business that you work for. Too many IT people are so concerned about the technical aspects of thier jobs that they don't take the time to learn (and care about) how the business they work for actually makes money. This may have been OK in the late 90's, but IT people are getting the harsh reminder now that the reason that you have a job is not to play with the latest technology...it's to make money.
It's your job as an IT professional to bridge the gap between business and technology. You need to be thinking about things like Return on Investment. You need to be thinking about the business needs of your customer...keeping in mind that your customer is probably not a techie like you and only cares about things like "How much does it cost", and "Will it work with what I have now" and not whether or not it runs on Linux. Most importantly, you need to be thinking about money first and technology second. Only someone who is physically present at your place of employment is going to have enough information to make decisions based on those priorities, which is why people who ignore them are finding their jobs shipped overseas.
I feel safe saying that every engineer I work with understands that our service is provided to supplement existing security practices. We can provide some security services which companies cannot perform on thier own. Whether because of cost or technical reasons. We cannot replace a companies entire security team. There are too many small details which need to be handled which an MSSP cannot do remotely. Nor do we want to. We'd also much rather work with a knowledgeable insider than get an imcompetant IT manager who's claim to fame was programming cobol 20 years ago.
My guess is, some overzealous sales weenie got you canned. He probably pitched the MSSP services to the suits. The suits probably replied they already had in house security expertise. The sales weenie, fearing he would lose the sale, pitched the MSSP as a replacement for you. Something he never should have done. Most sales people will do anything they have to do to make the sale.
The real security risk is the outsourcing company. The number one cause of security breaches in the US during the 90's was from outside (foreign) contractors who had access to information of confidential, secret, or restricted in nature. Now instead of having access to the data, the have access to the methods as well. Having a cheaper Software Engineer or Security Analyst does not mean you will get better engineering or more security. As evidence look at the airport system. The wages paid to security personnel are some of the lowest in the country, and hence cannot keep more skill individuals. Ex-convicts and high security risk individuals can be found in those occupations due to the poor fiscal incentives. We all know what that poor security led to.
The lowest bidder does not nescesarily produce a quality product. When is the last time you found real wood in a piece of furniture in our country?
I have heard the statement that the market is moving overseas to customers in China and India, and thus it is imperitive to hire from those localities. But why? If there are no skilled labor or engineering jobs left in the country, what will people do to make ends meet? Occupations at the top of the food chain will suffer as well. Already CEOs in some companies are being replaced by their foreign counterparts, and while the ousted CEO may have money in the bank, his children will end up in a shrinking service industry. Why will it shrink? Because the people they serve will no longer have any money.
When labor went away, blue collar workers were forced to retrain in other fields, many just retired. They pushed thier children to get degrees in engineering, law, and medicine. Now the engineering jobs will be gone.
Who will pay the taxes to support those millions who will retire in the next few years? Not the engineers and laborers, they live in China and India.
What industry would you tell a young adult to get into, if all of them are destined to either be outsourced, or priced out of existence?
Without the brain the body dies.
Fast machines, powerfull AI, impulsive invention,... All I lack is a good espresso machine!
This should be the main topic for this coming election. But I think America is to wrapped up in other politics to worry about the future of thier jobs. We are so wrapped up in BS we don't see that far into the future. I bet the average american doesn't know where they will be in 2 years let alone how America will be.
I didn't use the preview button, so get over it!!!!
Mike
If you think offshore outsourcing is bad now, just wait until IT is unionized. Several posters have commented on the disappearance of American jobs in textiles, steel, electronic assembly, etc. What do these jobs have in common? They were all unionized, and now they don't exist. I'm not saying I like it this way and that unions would not have some benefits, I'm just saying they would not work and would provide much more incentive to offshore.
That's not necessarily true anymore. Dick Brown, for instance, was CEO of EDS for only about 4 years. He was recently handed about $36M and told to fuck off, and the company is still playing catch-up.
Mind you, having a Wall Street analyst downgrade their stock, only later to say "Wups, didn't mean it..." didn't help much either. What exactly is the liability there? EDS stock took a beating mainly because of that one moron, and he gets off with a wrist-slap and an apology?
If all you did there was security, then you were in a bad position to begin with. Security should be a part of everything that is done, not handled simply by one person somewhere.
Network engineer - The person or persons responsible for designing, managing, and maintaining the enterprise network should be the ones responsible for its security through all aspects of their work. Security has to be designed in to begin with, so that the network has the absolute minimum exposure and still provides a maximum ability for authorized staff to monitor and control it, while all other authorized staff can make full intended use of the network.
Systems administrator - The person or persons responsible for selecting, installing, configuring, operating, and administering computer systems, both servers as well as workstations and desktops, should be the ones responsible for its security through all aspects of their work. Security has to be part of all the procedures so that the systems have the absolute minimum exposure while allowing authorized staff to perform the functions the systems are intended for.
Programmer/analyst - The person or persons responsible for designing, programming, testing, and deploying new applications, or changes to existing applications, should be the ones responsible for its security through all aspects of their work. Security has to be designed into the way the application works, into its program code, properly and thoroughly tested, and then further verified once the application is up and running. And this has to be done while the application can still be fully used by all authorized staff, clients, customers, etc.
Get the picture?
Sorry to burst your bubble, but there should not be just one person who handles security. Depending on the nature of the business, one person might be the one who handles security coordination, but that isn't a techie/geek job; it should be more along the lines of an auditor who would be a paper pusher kind of person at businesses like banks and investment firms.
As to your current situation I advise the following:
Hire a lawyer. Have this lawyer contact the company pretending to be your new potential employer, and ask them for reference information about you. Actually do this twice (be sure completely different people call and pretend to be completely different companies). In one case your "new" position should basically be described as one similar to what you had at the company that outsourced you out. In the other case your "new" position should basically be central to your non-security skill set, such as a network administrator or network engineer (or whatever is appropriate for you). If they give you a good recommendation, then move on with your life and don't worry about it (just don't open your own personal accounts there, etc). However, if they give you a bad recommendation (such as "he was assessed to be a security risk") then discuss with your lawyer that situation and determine what can be done (you may have a case for a defamation lawsuit against either your employer or the outsourcing company).
Be aware that most companies do tend to try to pretect themselves from lawsuits when giving references. They may very well not specify any problems. But that can also be interpreted by future employers as a problem, if they didn't give you a glowing recommendation. You'll have to determine how that will affect your career future.
You might want to start your own small "security management and monitoring services company". There are lots of smaller businesses that will need this kind of service (whether they know that or not ... but that's a salesman's job to work on), but are too small to hire someone full time, and not big enough to hire the big security contracting firms. In a few years, as the big security firms expand to the smaller businesses (to keep up equity growth as their big business market saturates), they may come along and offer to buy up your business. If you play your cards right, you could end up being more "successful" than the managers of the financial institution that fired you.
now we need to go OSS in diesel cars
Then actually, you ARE a pretty big security risk.
You are the ONLY one who knows what's going on with the network security-wise. You could have them penetrated 10 ways to Sunday and they'd have to take your word for it that they're secure.
That's the first point. The second point is that you didn't get screwed over by a network security geek, you got screwed over by a salesman who makes money for some hot-shot CEO who pays a few network security geeks to do far more work than they should be handling. I just got myself fired from a job for "not fitting in". This meant that I had personal and professional objections to monitoring network connectivity, security, e-mail, webhosting, and VPN for some 150 customers and 4-500 sites at 50 hours a week as one of 6 people doing the job. Meanwhile, the 10 sales guys have a "Vice President" title hanging off their names, don't have a clue how to use a computer, and are promising the moon while the CEO rakes it in.
This situation is a real issue. Most of these companies are taking advantage of federal legislation requiring a certain level of security for a bank. And while it's not fair to you, you DO constitute a security risk as a sole security person. On the other hand, you also can't go back to your employer in a month and say, "Your security is full of holes now with this new provider, here let me show you." The bank's been swindled, you're unemployed, and an overworked staff just got more overworked. It's a lousy situation all around. The only thing you can do is move on.
Though I don't envy you trying to explain away getting fired as a security risk on your resume. That's probably the second-most unfair thing about the whole deal.
You thought that this sig was what you think that I thought you wanted me to think. I think.
They won't sue you. At the very least tell us who the company doing the audit was. If they actually came after you, they would get an incredibly bad reputation for acting in very unethical ways. And you need trust to operate as a security company.
Unionization isn't what's making those jobs disappear, it's overall labor/skill costs. Sure, unions make demands, but in Mexico there are no environmental controls. Union Carbide or Ford or whoever can setup shop down there and dump toxins into the environment all day long and nobody cares. That saves money. Also when Pablo is getting paid $20 US every day, that's a big savings too. The NAFTA is just one wonderful plan that made this possible. Textiles, well again, slave labor in another country takes care of that. Thailand, Bali, Turkey, you name it, wherever cost of living is super low, wages will be low as well.
Globalization helps YOU by bringing down the cost of goods. Globalization helps THEM by lowering costs. The only people it hurts (ultimately) is the third world country that the actual manufacturing takes place in. Some companies have been known to buy land in these countries, destroy the local economy by buying up farms and razing them, then dropping in a factory. The people work in the factory right away just to survive.
No.
Try and hunt down an old sci-fi story called "The Roads Must Roll," by Robert Heinlein.
Quick plot summary: In the future, American cities are interconnected by vast conveyor belts--called roads--which transports people and goods. A few political demagogues start convincing people that certain segments of society should be rewarded for doing "critical work." For example, the road mechanics realize that without them, society as a whole would be hosed.
So a faction within this group of mechanics decides to go on strike, shutting off the roads and committing vandalism. Sure enough, everything stops working as the factions battle it out for control over the roads.
The basic problem with their underlying thinking is this: There is no one ultimate locus of control. Our entire society is completely interdependent. If the network people quit doing what they do, things are hosed. The same goes for doctors, police, firefighters, manufacturers, and farmers.
Take another example: Miners. There's an old mining slogan that says, "If it isn't grown, it has to be mined." There's a great deal of truth to that. Without mining and miners, we're screwed. But does that mean that the mining industry deserves ultimate control over our society? It's like having your kidneys demand veto power over your brain because the brain cannot operate without them.
Management types think of themselves the same way you're asking computing types to think. According to their thinking, without a running business, you wouldn't have a job where you could ply your trade.
Every society strikes a balance between individualism and collectivism. We're all individuals, but we're also functional units within a larger system that keeps everyone alive. I think you've definitely drawn the line in a bad place. Whether computer gurus are under or overvalued is irrelevant; I strongly object to your basic premise: if we have the power to wreck everything, we have the right to do so if the system doesn't give us what we want. It's merely blackmail writ large.
You want the truthiness? You can't handle the truthiness!
I've rarely seen outsourcing go well. Now we're talking about info-sec? You're going to outsource the "guardians at the gate" job to a company whose tactics should be seen as seedy by the dumbest of Pointy-Haired-Bosses??? They'll get what they deserve. Maybe not sooner, but certianly later. Considering they are a financial company, the PR cost alone could be disasterous.
Pardon my language, but f**k 'em. I'd leave cordially but expressing reservation about their tactics and ability to execute. IMHO there's no reason to burn bridges, IT is too close knit to do that. Plus there's no benefit for the guy who got canned. They could come back and beg him to return if there's a bridge left standing
Finally, companies who act like greedy sheep are inevitably led to slaughter. I know, I work for one and we're getting killed for bone-headed accountant-driven decisions very similar to those decribed here...
Computer Science is Applied Philosophy
Yes. Good reply. In fact, this is exactly what I was going to suggest.
But, it wouldn't suggest that a disgruntled IT guy is a threat, insomuch as the "new-an-improved" security is inadequate. Afterall, he wasn't disgruntled until he was fired.
His work should indicate that this ex-employee isn't a threat, because he knows too much about the network... It should indicate that the new security company dosen't know shit. Otherwise, you're going to setup a mutual distrust between the company and the IT people. In other words: The IT people won't trust that their jobs are safe, and the company won't trust that the IT people won't fuck them over because they are mad.
Personally, I wouldn't want to work in a place that's being kept in check by the threat of mutual assured destruction. It's too much tension. Bad for the blood pressure.
The employees should be working on the same team as the management--with the same goals (higher productivity and profits, and all that garbage) If the managers see this quality in an IT person, they become quite invaluable as a bridge between the tech (which they don't understand), and the money (which they want more of).
This sort of activity used to be upheld by the promise of profit-sharing (the more the company makes, the more you make, so if you save the company money, you get it back as a NICE bonus in the end). It's all but gone now, but you can use the same ideas to make yourself a truely invaluable person to the company (with a check to prove it).
you mean like a STRIKE organized by a UNION?
I probably just started a flamewar.
On one hand you have frightened entrenched management reacting to what they think is the best fiscal course of action. They are making decisions out of fear. They will outsource like crazy and force domestic rates for similar services to drop as a result.
What will then happen is that the supplying companies will start raising their rates as their clients become more dependent. Additionally, companies will become frightened about increased project management burdens, tying important business-critical development to minimally invested 3rd parties and decreased savings.
Even when the economy is good, we all used to laugh about Coke and IBM who both did the following: One manager gets hired, wanted to pee on every post in sight and exclaim "Oh my god! We need to get rid of these people and outsource it all. It's not our core business. We can save tons in HR costs. We'll save BIG!". Then the next person who sits in his chair comes in, wants to pee on every post in sight and exclaim "Oh my god! Do you realize how much our vendors are ripping us for? We need to bring this work in-house. We can hire the best people for a fraction of the rate their consultants/programmers/etc charge! We'll save BIG!". Rinse. Wash. Repeat.
I think there will be a great balancing out soon. As soon as people get-over the knee-jerk reaction of outsourcing, esp. to India, you'll see things settle down a bit. It's so not the cure-all that desperate managers think it is, but it does have it place.
NE QUID NIMIS
-_-
- Look at and modify every file on the servers (changing ownership first, if necessary)
- Change anybody's password
- Shut down services at will
- Open up services and ports to the Internet, or elsewhere
- Modify firewall rules
The list could have been very long. Can you imagine the reaction of the executives when they saw that list?"Oh my god!!! That's a gaping vulnerability! Get rid of him, right now!"
Idiots
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Shane, this sounds like a truly rotten experience. And some of the advice you have gotten here is pretty crappy too.
Before you consider taking revenge, do you think there is anyone in management or H.R. to whom you could have a conversation? The idea that management had had a sudden, abrupt reversal in their confidence in your ability and trustworthiness must be a disturbing one. Perhaps there is someone to whom you can turn to for some reassurance.
"I thought I was doing a good job. I did get a 12.5% merit increase in pay. But the secrecy around how my employment was terminated is disturbing. Is there something in the security report that will cause the firm to give future employers a less than enthusiastic endorsement of my skills? I'd like to know this."
You don't absolutely know the outside consultant's slagged your performance or trustworthiness. And, if I read your account correctly, you don't know that your former employers turned around and hired the consulting firm to replace you.
Good luck.
People used to brawl out their differences.
So people banded together. THey called them gangs. Go watch gangs of New York. Tell me if that is how you want to live. Or in the days before The U.S.A split of from the U.K. look at how every major (present day) democracy in the world treated its own citizens. There was a reason the French started axing their own Aristocrats.
Yes, it is still about money and power. But lawyers and insurance firms are a vast improvment over roving gangs with knives and clubs.
It ain't perfect, but it is an improvement.
Open Source Identity Management: FreeIPA.org
Don't get bitter, it is not good for the health. All ways keep your bridges open because you never know. If I were you I would go to the executive/manager and simply say "even though you might think outsource your network security, I respectfully disagree and here is why." Point out what the potential problems they will face with this new company and simply tell them that your services will be available to them as a contractor. Walk away with your dignity and their respect and you'll probably get a call from them if they ever need you. Of course next time they call, you'll be pulling the strings. In the mean time collect your unemployment check and look for new job. Maybe it is time to start a new hobby or learn something new and expand your horizons.
-----
One is born into aristocracy, but mediocrity can only be achieved through hard work.
> Before leaving, he fired off an abusive companywide email, messed up the servers, and changed the root passwords.
That cocksucker is a major liability, and not someone I'd want working on my network. What if I had a legit reason for firing him, say he installs WinXP on my Linux cluster, then I gotta worry about passwords and e-mails, etc.
Can I get an eye poke?
Dog House Forum
Good question. I mean, if the outsourced company found his unsecured FTP address that he used to up/download his MMORPG character stats and his biology homework, he probably *was* a risk.
However, I tend to think that the sort of scam he got burned by is real. And management is usually stupid enough to buy into crap like this. But I doubt it's actionable, since the outside company would have a valid argument that because he knows the network and all the passwords (or other entry methods/points) he IS a risk, even if he isn't INCLINED to use the information in a negative way.
However, by the same argument, THEY are now the biggest security risk to the network and because they are not employed, they have little interest in protecting the network (at least, less than HE did, since is only paycheck was derived from protecting that network). If his former company were to suffer an intrusion and as a consequence go belly-up, the outsourced company merely loses a single client, not their entire livelihood.
Nitewing '98
Everything works...in theory.
"At my last job (one of the big 3 ISP's) one of the NT admin's screwed up and opened our one internal systems to the whole world. One of our techs studing security discovered the hole and reported it our PHB. Who came to our SA team to check and confirm. They were more concerned about the tech finding the hole, than the idiot NT admin who screw up an NT securtiy setting. "
Then one of two things.
He could have gone to the "idiot"(a hint here. It's not good to go to a person with your prejudices. It could have been an honest error), and told him about the problem and let him correct it, with the boss being none the wiser, and his "image" intact.
He could have fixed the mistake, with no one the wiser. If everyone is as clueless as you state? Then this should have been an easy task.
The main thing that stories like the above demonstrate is that geeks make lousy diplomats. There's a right way and a wrong way to present "difficult" news. Learn how (among other things) and you'll do well in life, and work. Forget how, and you're the subject of a story on Slashdot.