Slashdot Mirror

← Back to Stories (view on slashdot.org)

Replaced by Outsourcing -- What's a Geek to Do?

Posted by Cliff on from the disturbing-trends-in-the-market dept.

SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

  1. Perform Network Vulnerability Assessment
  2. ?
  3. Profit! (Sell Outsourced product)
Looks like they came up with an actual step 2:
Label anyone who is responsible for network security as the risk, and get them fired.
I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"

27 of 1,166 comments (clear)

  1. I don't trust you by Anonymous Coward · · Score: 5, Insightful

    I don't trust you to work from home. You will just watch Scooby Doo.

    I doo trust a company in India, tho.

    1. Re:I don't trust you by The_ForeignEye · · Score: 5, Insightful

      I disagree.

      Sure, I could watch Scooby all day long and you wouldn't know...at first.

      Software projects are tracked and managed. It soon would be apparent that your progress is not aligned with what the initial estimate was, and although you could give some bullshit reasons as to why your progress was not as expected, they would eventually get rid of you for somebody more efficient.

      Working from home sounds like a really good idea, but I don't think it's going to happen (unfortunately). I work for a software consulting firm and we have some remote people that work from home because they have no other choice (they are too far away from the closest office). However, when I (or anybody in the office) asked about working from home, the excuse we were given was that it would break the "team environment". They value person-to-person interaction too much and they don't care whether you could do netmeeting, telephone conference, or video conference through the net.

      Working from home means you don't interact with other team members as much as you would if you were in the same location, and you don't share your knowledge and experience with them. Now, you don't share the comments about last night's football game either, but that's another story.

    2. Re:I don't trust you by K8Fan · · Score: 5, Insightful
      If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas.

      The flaw in this plan is that most geeks, in my experience, have no desire to be promoted to management. We just want to do the work. The dream job for someone who is generally attracted to network security work is to be left alone most of the time by a boss who can realize that the fact that they haven't had to concern themselves with network security is a Good Thing. Then they throw more money.

      The worst bosses I've ever worked for have been fellow geeks promoted above their social skill set. They are usually grumpy that they no longer get to play with the technology, and have to spend their days in meetings.

      --
      "How perfectly Goddamn delightful it all is, to be sure" Charles Crumb
  2. What to do? by grub · · Score: 5, Insightful


    What do to? Well, you're a casualty of corporate sleaze and politics. Read The Art Of War, get back on the horse and don't let yourself become a victim again.

    That sounds cold, I know, but what else can you do? Dwelling on the issue won't pay the rent.

    --
    Trolling is a art,
    1. Re:What to do? by Fnkmaster · · Score: 5, Insightful
      And more importantly, learn your lesson. Next time some huckster wants to sell you a "security audit", don't buy into it. Use it as justification to do an internal audit, or convince your bosses to bring in consultants of your choosing. Make it a collaborative process with your managers. Prize your relationship with your bosses above all else - don't be an ass kisser, be good, and make them look good. If when they think of you they think of the guy who saved their asses lots of times, they would have to be fools to let you go.


      Control is greatly undervalued in business. Often times, control is more important than your bottom line salary. You want to be in control without people knowing that you're in control - don't play politics or backstab people, just be very important to the bottom line and very trusted. If you are unable to make your boss realize that you are important, you should find another job as soon as possible. Also, ALWAYS keep a backup plan in place, enough money in the bank, and have lots of friends in your line of work to help give you an in to other job openings.


      It's a cheery little Machiavellian world we live in. :)

  3. A company making a protection racket? by tomstdenis · · Score: 5, Insightful

    Not like... say virus scanner writers right? [who probably write the viruses they detect...]

    I say if your management is stupid enough to fall for the tricks without trusting you then they deserve what they get and you probably shouldn't have been working there in the first place.

    Tom

    --
    Someday, I'll have a real sig.
  4. Re:Maybe it's time for the technocratic war to beg by Anonymous Coward · · Score: 5, Insightful

    As evidenced by the story poster, it lies with the non-technical types.

    I'm on call 24x7x365 while the CEO sleeps.

    You sure have a funny definition of power.

  5. just move on by gagy · · Score: 5, Insightful

    You can't take things like this personally. If they're outsourcing you, the wheels are already in motion and there's not much you can do to stop them. I have no attachment to my employer. I have an awesome team right now, and I feel loyal to them, but not to the company, but that's what they teach us in Business School. You have a chance of being outsourced, much like you have a chance of getting into a car accident. Nothing you can do once it happens. Collect your insurance and buy a new ride.

    --
    -I DDoSed your mom.
  6. Capitalism is a funny thing by wheany · · Score: 5, Insightful

    Capitalism is a funny thing. Well, at least the "modern" capitalism. Not only does your company have to profit, it has to profit more than last year, every year. This is one of the reasons people get laid off even when a company is making record profits.

  7. Editor's comments by spuke4000 · · Score: 5, Insightful
    Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?

    Based on the description of the problem this doesn't seem to have anything to do with oversea's labour. It's just that he was replaced by an outsourcing company (in his own country).

    About the reduction in pay comment, if you were sent home with a 50% pay cut would you be happy about it? Or would you be hitting monster.com on your 'extended' lunch breaks. I don't think it's really practical to half-way lay-off people, because the employees won't be at all loyal after that.

    --
    This post cannot be rebroadcast without the express written constent of Major League Baseball.
  8. You were set up by pegr · · Score: 5, Insightful

    Not sharing the results with the net security people is the giveaway. They wanted to fire you, and told the consultants that that was their goal. I'm in the biz, and what they did was way outside of accepted practice. So who is the company? We'd like to know who to avoid. I know the Big Four play this game, for their love is for money, not the best interests of their clients...

  9. work from home discount? by ed.han · · Score: 5, Insightful

    "here's a question i always wish i could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?"

    do you think that this would be a good idea, overall? think about where this winds up going if it becomes a trend in, say, 3-5 years time: it becomes a price war, and it's one that domestic employees cannot win. cost of living is just higher here than in a number of other countries.

    i think this is a very, very bad idea, and one that's not just bad for you personally, but also for people in the industry overall. it would have the effect of dropping IT salaries across the board. in essence, you would be arguing that you're overpaid. not a good idea, IMHO.

    that said: shame the PHBs were the ones making the decision. were there many others affected? this smells like a small bloodletting to help a business in a still underperforming industry cut some heads and increase profitability.

    ed

  10. Re:Easy solution by GeckoX · · Score: 5, Insightful

    Can't beat em, then join em right?

    That's all fine and dandy for those whom have a constantly shifting moral stance, or none at all...however some people, like the submitter of the story, would probably prefer to stick to their morals and avoid being a hypocrit.

    --
    No Comment.
  11. My time is as valuable in or out of office. by Shivetya · · Score: 5, Insightful

    Don't give employers this idea that working from home is a reward. My time is as valuable while in the office as outside of it.

    Working from home will already save them money on heating, cooling, parking, insurance, and office space. There are also tax benefits in certain areas of the country for implementing such environment and traffic friendly procedures.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  12. Re:Maybe it's time for the technocratic war to beg by jalefkowit · · Score: 5, Insightful
    I'm on call 24x7x365 while the CEO sleeps... The none technical types need to understand where info power resides.
    If you're on call 24/7 while they're home sleeping, it sounds to me like they've got a lot better handle on where power resides than you do...
    --

    Read my blog.

  13. Perception is the reality by BigGerman · · Score: 5, Insightful
    Always remember that.
    The guy could be right, the guy could be wrong - that is completely irrelevant. The percieved reality is:

    the guy was in charge of network security

    the third-party audit was performed (why? did they look for an excuse to dump him?)

    Vulnerability was found

    The guy was sacked.

    That is all that matters. Waste your time - blame outsourcing, Republicans, little green men.
    Get over it, fix the resume and get back into the game. American corp environment is completely free of common sense and logic.

  14. What I would do. by Angostura · · Score: 5, Insightful

    You make some extremely good points, and you make them cogently and cooly.

    Personally, I would set down my concerns; about the possible conflict of interest in the study; about the lack of technical oversight of the reports findings in a letter and send it to the company CEO.

    The letter should be couched in such a way to make it clear that you are writing becauase you are concerned about the company's security; not because you are disgruntled. Make that very clear, mention in passing the facts about your recent appraisals, and bonus payments.

    Leave the CEO in no doubt that you are a professional and you are concerned that the company may be being set up. Tell the CEO that (s)he should not hestitate to contact you, to discuss the issues.

    At the very least it will make you feel better. It may even get the company to rethink its policy.

  15. Re:What's good for the goose is good for the gande by mbrinkm · · Score: 5, Insightful

    I've heard stories of people doing the "revenge hack" to prove that the new security is worthless, then ending up in jail. Why would anyone want to risk jail time to get a job back at a company that obviously would rather listen to a contract consultant rather than a member of their company?

    --
    "Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." --Howard Aike
  16. Wrong war by lone_marauder · · Score: 5, Insightful

    You are not a casualty of off-shore outsourcing. You are a casualty of the battle between consultants and in-house IT expertise. Not that you're any less screwed, or that I'm any less outraged. And yes, I am a security consultant.

    The first thing I would have done is mention the name of the company that screwed you. I think this would give other in-house specialists pause before recommending them to management. Our own company's business model is built around providing the opposite sort of experience from the one you described. When we audit, we work with the IT staff, not against them, and we do so with the understanding of having "been there" (because I have been). We try to position ourselves as the guys who will tell it like it is, without panic, arrogance, or exaggeration, and we tell it to you, not your boss's boss.

    I have enormous disrespect for any network security firm who attempts to abuse the politics of their client's business to get ahead. Getting somebody fired in order ro pursue a business opportunity is beneath contempt and possible grounds for a lawsuit. I wish you luck.

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  17. Re:If the job gets moved... by diersing · · Score: 5, Insightful
    Because its not always that easy, considering you may have other ties to the community other then employment (like family, friends) or maybe you just love living where you do and there are other places to work.

    I too was 'downsized, right-sized or outsourced' depending on your point of view. In my situation, I was not offered the opportunity to move with my job as it wasn't 'my job' anymore as it now belonged to a 3rd party (another company in town performing those functions that use to be mine).

    Because we were 'audited' and told repeatedly it was non-threating and the new CIO was just getting a *pulse* of who was there and what we did... when we showed up for the wrap-up meeting that was to be an information exchange of what was discovered and what the next move was, we were quite surprised to get our walking papers.

    Naturally the audit was nothing more then a 'gather all the information you need to support us going forward' project. The better option, IMHO, would have been to tell us what was going on, I would have been more helpful and forthcoming as the enterprise I helped build/design/deploy had many MANY exceptions to standards and rules because of business need. Several weren't documented and as a result the transistion has been painful for them as they discover these exceptions and scramble to fix them. I think a better question to this topic would be... 'when your considering outsourcing, what is the best way to implement?'.

    The "keeping the guys in the dark" approach is bad for PR in the IT community. In my situation, the company was very generous with the severance package and if I had known it was to be offered I would have bent over backwards to help make the transition smooth.

  18. I am a security consultant... by JRHelgeson · · Score: 5, Insightful
    We outsource security all the time, and we have our outsourced IDS products, etc.

    One of the first things I say when I meet with a company is tell them that it's not the IT persons fault that the company is insecure. Network security is a relatively new field that ALL companies in existance are trying to get their arms around. I do NOT want to put anyone out of a job just for the sake of getting some consulting dollars. I feel that it is my responsibility to train the internal staff to be more aware of security issues rather than to terminate everyone and outsource it all.

    How can anyone thats not even on-site on a daily basis make the network more secure? When it comes to real security, you need to start with the folks that know the network the best. If they're resistant to change, then fire them. If they're willing to learn, train them.

    Network insecurity is fundamentally a management problem. Security inititaves must come from the top down, not the bottom up. I have never met a network administrator yet that has set out to create an insecure network. They likely were ignorant to the threats - therefore they needed training, which should have been ordered by management. Otherwise, you have security aware employees that are trying to push security up the chain to management, and management is completely unresponsive.

    I recently blasted a luddite CEO for not paying enough attention to his IT department. His company was compromised by a hacker and I came in to clean things up. I asked him; "Do you realize that your business relies 100% on what goes on in that server room?"

    Things are now changing in that company. We've now established data owners on the executive committee (Those that will hang if the data they own gets compromised), and now the IT department actually has a budget. 80% of the time I spend doing my security consulting is with executives, the remainder is with the tecnical staff giving them direction and training/pointers.

    Anyone that preaches anything different is trying to sell a magic fix for security, which doesn't exist.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  19. Security risk? by deepvoid · · Score: 5, Insightful

    The real security risk is the outsourcing company. The number one cause of security breaches in the US during the 90's was from outside (foreign) contractors who had access to information of confidential, secret, or restricted in nature. Now instead of having access to the data, the have access to the methods as well. Having a cheaper Software Engineer or Security Analyst does not mean you will get better engineering or more security. As evidence look at the airport system. The wages paid to security personnel are some of the lowest in the country, and hence cannot keep more skill individuals. Ex-convicts and high security risk individuals can be found in those occupations due to the poor fiscal incentives. We all know what that poor security led to.

    The lowest bidder does not nescesarily produce a quality product. When is the last time you found real wood in a piece of furniture in our country?

    I have heard the statement that the market is moving overseas to customers in China and India, and thus it is imperitive to hire from those localities. But why? If there are no skilled labor or engineering jobs left in the country, what will people do to make ends meet? Occupations at the top of the food chain will suffer as well. Already CEOs in some companies are being replaced by their foreign counterparts, and while the ousted CEO may have money in the bank, his children will end up in a shrinking service industry. Why will it shrink? Because the people they serve will no longer have any money.

    When labor went away, blue collar workers were forced to retrain in other fields, many just retired. They pushed thier children to get degrees in engineering, law, and medicine. Now the engineering jobs will be gone.

    Who will pay the taxes to support those millions who will retire in the next few years? Not the engineers and laborers, they live in China and India.

    What industry would you tell a young adult to get into, if all of them are destined to either be outsourced, or priced out of existence?

    Without the brain the body dies.

    --
    Fast machines, powerfull AI, impulsive invention,... All I lack is a good espresso machine!
  20. Re:MOD PARENT UP! by gcaseye6677 · · Score: 5, Insightful

    If you think offshore outsourcing is bad now, just wait until IT is unionized. Several posters have commented on the disappearance of American jobs in textiles, steel, electronic assembly, etc. What do these jobs have in common? They were all unionized, and now they don't exist. I'm not saying I like it this way and that unions would not have some benefits, I'm just saying they would not work and would provide much more incentive to offshore.

  21. Re:Maybe it's time for the technocratic war to beg by An+Onerous+Coward · · Score: 5, Insightful

    No.

    Try and hunt down an old sci-fi story called "The Roads Must Roll," by Robert Heinlein.

    Quick plot summary: In the future, American cities are interconnected by vast conveyor belts--called roads--which transports people and goods. A few political demagogues start convincing people that certain segments of society should be rewarded for doing "critical work." For example, the road mechanics realize that without them, society as a whole would be hosed.

    So a faction within this group of mechanics decides to go on strike, shutting off the roads and committing vandalism. Sure enough, everything stops working as the factions battle it out for control over the roads.

    The basic problem with their underlying thinking is this: There is no one ultimate locus of control. Our entire society is completely interdependent. If the network people quit doing what they do, things are hosed. The same goes for doctors, police, firefighters, manufacturers, and farmers.

    Take another example: Miners. There's an old mining slogan that says, "If it isn't grown, it has to be mined." There's a great deal of truth to that. Without mining and miners, we're screwed. But does that mean that the mining industry deserves ultimate control over our society? It's like having your kidneys demand veto power over your brain because the brain cannot operate without them.

    Management types think of themselves the same way you're asking computing types to think. According to their thinking, without a running business, you wouldn't have a job where you could ply your trade.

    Every society strikes a balance between individualism and collectivism. We're all individuals, but we're also functional units within a larger system that keeps everyone alive. I think you've definitely drawn the line in a bad place. Whether computer gurus are under or overvalued is irrelevant; I strongly object to your basic premise: if we have the power to wreck everything, we have the right to do so if the system doesn't give us what we want. It's merely blackmail writ large.

    --

    You want the truthiness? You can't handle the truthiness!

  22. Re:What's good for the goose is good for the gande by rutledjw · · Score: 5, Insightful
    Revenge? you want revenge? Just sit back and watch as the security for that company gets pummeled.

    I've rarely seen outsourcing go well. Now we're talking about info-sec? You're going to outsource the "guardians at the gate" job to a company whose tactics should be seen as seedy by the dumbest of Pointy-Haired-Bosses??? They'll get what they deserve. Maybe not sooner, but certianly later. Considering they are a financial company, the PR cost alone could be disasterous.

    Pardon my language, but f**k 'em. I'd leave cordially but expressing reservation about their tactics and ability to execute. IMHO there's no reason to burn bridges, IT is too close knit to do that. Plus there's no benefit for the guy who got canned. They could come back and beg him to return if there's a bridge left standing

    Finally, companies who act like greedy sheep are inevitably led to slaughter. I know, I work for one and we're getting killed for bone-headed accountant-driven decisions very similar to those decribed here...

    --

    Computer Science is Applied Philosophy
  23. Re:What's good for the goose is good for the gande by Anonymous Coward · · Score: 5, Insightful

    Yes. Good reply. In fact, this is exactly what I was going to suggest.

    But, it wouldn't suggest that a disgruntled IT guy is a threat, insomuch as the "new-an-improved" security is inadequate. Afterall, he wasn't disgruntled until he was fired.

    His work should indicate that this ex-employee isn't a threat, because he knows too much about the network... It should indicate that the new security company dosen't know shit. Otherwise, you're going to setup a mutual distrust between the company and the IT people. In other words: The IT people won't trust that their jobs are safe, and the company won't trust that the IT people won't fuck them over because they are mad.

    Personally, I wouldn't want to work in a place that's being kept in check by the threat of mutual assured destruction. It's too much tension. Bad for the blood pressure.

    The employees should be working on the same team as the management--with the same goals (higher productivity and profits, and all that garbage) If the managers see this quality in an IT person, they become quite invaluable as a bridge between the tech (which they don't understand), and the money (which they want more of).

    This sort of activity used to be upheld by the promise of profit-sharing (the more the company makes, the more you make, so if you save the company money, you get it back as a NICE bonus in the end). It's all but gone now, but you can use the same ideas to make yourself a truely invaluable person to the company (with a check to prove it).

  24. Re:What's good for the goose is good for the gande by Curunir_wolf · · Score: 5, Insightful
    Duh! *ANY* network administrator is a security risk, because (by necessity), they have access to:
    • Look at and modify every file on the servers (changing ownership first, if necessary)
    • Change anybody's password
    • Shut down services at will
    • Open up services and ports to the Internet, or elsewhere
    • Modify firewall rules
    The list could have been very long. Can you imagine the reaction of the executives when they saw that list?

    "Oh my god!!! That's a gaping vulnerability! Get rid of him, right now!"

    Idiots

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia