Slashdot Mirror
Replaced by Outsourcing -- What's a Geek to Do?
SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, who's other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there. Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?
I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.
I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.
I'd like to hear comments from folks this has happened to, and what did you do as a result?"
"Here comes the obligatory South Park reference:
- Perform Network Vulnerability Assessment
- ?
- Profit! (Sell Outsourced product)
Label anyone who is responsible for network security as the risk, and get them fired.I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.
I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.
I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.
I'd like to hear comments from folks this has happened to, and what did you do as a result?"
The managers and CEOs of this country have no idea about how to make router connection or how to correct a line of code in their payroll systems.
I'm on call 24x7x365 while the CEO sleeps.
The none technical types need to understand where info power resides.
Easy solution:
Get a job working with an outsourcer. Duh.
"Services" is where the IT business is going. And yes, there are outsourcing companies in the USA and various other non-India, non-China nations. Skilled, flexible talent is very valuable to a services company. And it's satisfying work because you're not stuck with one environment all the time -- you get to play with lots of different customer environments, picking up new skills along the way.
Basically, what I'm saying here is, quit whining. Make yourself a valuable person and you will find employment. And don't rest on your laurels, either: you have to constantly adapt and pick up new skills.
Now I shall sit back and wait to get modded down by the unemployed, disgruntled Slashdot hive mind, but my position on this issue stands.
Tired of FB/Google censorship? Visit UNCENSORED!
I work for a software company. After many months of people having a hard time getting interviews, and very few leaving for other jobs. In the past three weeks, suddenly we had seven people announce they are leaving for new jobs. I have a friend who was recently laid off from another tech company a couple of weeks ago. He's had quite a few interviews already.
Things seem to be looking better out there. New jobs will replace the old ones lost.
By reading this sig, you agree to the terms of my sig license.
- the good : I've had lots of time to play with my 2 year
old son
- the bad : I've got a family to feed
- the ugly : I'm learning that experience in the industry
hurts ones chances te land a job, as we're considered "too expensive"
I've found a few consulting gigs to help, but now I'm moving out of the Bay Area - can't afford to live here anymore.The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
I'd say he should contact his former employer and offer to perform testing of the outsourced security system as a consultant -- after all, he knows those systems as well as anybody else. Then he should try to hack the system -- since he's working as a consultant, it would be legal to do so.
Then when he's able to hack in through the outsourced security system, he should state that the outsourced company's report was right -- a disgruntled former IT person is a big threat, but since he knows the tricks he'll know how to counteract that threat.
I was removed from my job where the majority of my team's time was spent monitoring our data centre, and calling in whoever we needed, when we needed, to fix glitches. I was proud of our work, and it's one of the times I truly felt a true "team player" that so many employers are after.
In the space of 3 months, two separate consulting firms recommended our tasks be outsourced. We all lost our jobs, and what comes out in the wash? The outsourced monitoring company is a subsidiary of one of the consulting firms. No surprises there.
Now, my employers have gone from having a small dedicated team who treated their equipment as their very own, to having a useless 'monitoring' company who not only can't detect an outage to save themselves (when the most clueless of managers has needed to contact them to ASK if a server is down when it's been out all night, things are bad) but don't actually do fixes themselves, but re-outsource those also
Last I heard email went out for 4 days. Our worst was a 3 hour fix, which was a combination of intermittent server problems and a backup clean slate machine that failed right after install, so we needed to source and rebuild a box from scratch. The new firm's best time is over a day.
The only thing I like about the whole situation is they're getting what they deserved, and are locked into it for another 18 months. Morals be damned, schadenfreude is fun.
SafariShane needs to get onboard with a company that does this kind of work. A buddy of mine ran a one-guy development/network admin company for several years, and got into security as well, picking up a cert or two.
Due to the economic downturn (and his bread and butter client not falling under the Prompt Payment Act), he had to get a job with The Man.
He got a job with these people, as the tech half of a two-guy sales team, by leveraging his knowledge of Windows and *nix networking and security.
He's working like a sled dog, can't say anything about what clients he's seeing, or much about the product. But he's a very, very well paid sled dog in terms of base salary, benefits and commission; he went out and got a 32" TV and laser-corrected his eyes.
I didn't think the house band in Hell would play this badly.
1) what is the name of the company? This is for my own dealings. To be honest, I will take your story with a grain of salt but a little research might help me understand if I would want to do business with them or add them to my blacklist.
2) what is your question, "how do I build stable relationships with PHBs so that free lunches and golf outings from vendors dont get me outsourced again" or "how do I prepare for 3rd party assesments/sales pitches to ensure that both they and I can be objectively analyzed"?
Sadly, in corp IT, the answer to both questions is the answer to the first. Face time, "expectations management", proactive education, whispering sweet nothings in the ear, and many other social engineering tactics are how you build relationships with the morons in charge. This is how you will also be better prepared to deal with vendor incursions into your domain.
Technically the way to prepare for this is to do an assesment yourself, early and often, document it, summarize it, broadcast it, and ask for money. You will get ignored and turned down but you will have paper trail and they will remember, vaguely, that you said something about security when the sales pitch comes and they wont be surprised.
In corp IT and much of the world, when dealing with non-engineers, technical merit does not speak for itself but appearance and posturing go a long way. So, in the future, over-communicate and advertise. Remember that most non-technical people get their educations from advertisements and sales pitches so fight fire with fire.
...went along the same lines.
I was working for a development firm, we had long term client who had made use of many other development firms.
We landed a big project, the client had us work with another development firm, this one out of India to supplement our skill set, throw more bodies on the project, and so they had a clear understanding of the architecture when they took it over later.
We came to find out that the head programmer working with us would go directly to the client and tell them how poorly we performed, that we didn't know what we were doing and other such niceties.
The PM from the client bought it, and we were removed from the project (an action that within 6 month caused 130 people to loose jobs.)
The other firm left with our architecture, our code, and our self esteem, we left the company with 2 weeks severance.
The most ironic part was that these guys came in with no knowledge of the platform! We taught them to Java as we went! That was the biggest slap in the face that I have ever received.
What are you going to do, hopefully this kind of stuff will run rampant and leave a nasty taste in everyones mouth.
Can you tell your boss to sod off and never show up to work again? Yes.
Sure, if you don't mind not earning money.
Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes.
Not if you sign a non-complete contract. Otherwise, they can, and probably will, sue your ass until there's nothing left.
If a company lets you go, are you entitled to unemployment compenstation of some sort? Yes.
Not always. If the company makes it look as if you are the cause of your unemployment status, as this guy was because "he let the company security slide, as was found by the vulerability assessment", then you have fewer chances of seeing anything more then the standard 2 weeks. But there's little chance that government U.I. would kick in. Could you survive 3 months with only 2 weeks pay?
Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No.
A company can legally tell another company of the reason that you were let go. And since this guy was accused of letting network security lapse, that's not going to sound good when another company calls up.
I wouldn't trust anything else coming from this company if I were him. I would try to minimize any contact with this company by future potential employers. He really is in as bad a position as he thinks. What's worse is that probably none of it is deserved. Good luck buddy, because you're going to need it...
medicine has become the same way.
Many hospitals are contracting with large national companies to provide physicians services that were traditionally provided "in house." This is most easily done for things like Radiology, where films can be digitized and shipped anywhere in the world to be read by a room full of radiologists. It's also being done (and has been for years) with Pathology services... send your slides and tissue specimens to a big lab to be examined rather than the employing a bunch of local pathologists. Admittedly, there are some economies of scale that enter into the picture... "sending out" can be more efficient.
This is also a big deal in my own specialty (emergency medicine); competition is brutal. There are large national "contract management" ER groups that are constantly approaching hospital administrators with sales people, brochures, and a pitch about their high-quality, lower-cost emergency medicine care. Contracts change hands in ER all the time, which is why a lot of ER docs live like gypsies... if your hospital outsources their ER services, you get fired, and have to find another job (if you live in a smaller area with only one or two hospitals, you can be SOL... time to uproot the family and move.)
How do I/we fight it? Relationships and service. We make ourselves available to the administration to address concerns and problems. We build relationships with the community physicians, so that they KNOW who's taking care of their patients in the ER, and KNOW they can trust us to take care of the critically-ill. We integrate ourselves into hospital committees, and get involved in the community. We implement Quality Assurance and Peer Review to ensure that we're practicing up to the standard of care. It can be a lot of work trying to keep your job (never thought you'd hear a doctor say that, did you?).
In ER, losing your contract/job or not usually has nothing to do with bad medicine... it's failure to "play the game" that sinks you. There may be a parallel here for the infosec geek that was fired... If there's one area where the prototypical "geek" personality probably hurts the most, it's in the eschewing of those critical relationships. It's great to have m4d 5ki11z in the server room... but a little face time with the powers that be could make the difference between paycheck and pink slip...
There's no guarantees, however... even with all my efforts, I can still get sold out if my hospital administrator gets a wild hair, or just plain doesn't like me.
It's business reality for lots of folks, not just IT.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Whenever an issue like this comes up the inevitable /. knee-jerk libetarians come out of the wood-work: "capitalism good protection bad" Well maybe some of these libetarians should find out what Adam Smith was really about. His model of capitalism is based in an agrarian society with independent artisans and traders. His idea of a free market is exactly that - where everyone has equal access to market and equal information.
Corporate America has as much to do with the Adam Smith model as the Bolshevist U.S.S.R. It's not even related to Marx' model of capitalism, for in Corporate America, capital is as alientated from controlling the means of production as labor is. Instead, what you have is a management class which calls the shots and enriches itself at the expense of both workers and owners - can you say Enron, Adelphi, Worldcom etc etc.
Sure a worker has the "freedom" to say "fuck you" to his boss and look for another job. In theory. In practice, as the job market shrinks despite the "improving" economy (i.e. the management class being further enriched) those jobs are very hard to come by. So the worker has to bite his tongue as his workload is doubled, as her boss wittles away more and more of her "perks," as the threat of outsourcing is used to bludgeon him into obedience.
Saying to someone "go out and upgrade your skills" is also BS. A friend of mine is in his mid-40s, extremely talented, engineer/MBA out of work for a year and a half. Who's going to hire people in their 40s and 50s, no matter how much talent and experience they have, no matter how upgraded their skills are? And you young 'uns are going to get there faster than you think.
Corporate America demands obedience, makes people work like slaves, uses them, chews them up and throws them out when they no longer are useful. Maybe we should just kill off laid of workers so we don't have to worry about unemployment insurance and welfare?
And no I am not speaking out of personal bitterness. I have a successful consultancy business and work for myself. But even if you believe in ultra-selfishness, a society with many poor, disaffected people is a very scary and dangerous place to live in. This is an issue that effects all of us, not just the laid off.
My own experience relating to this:
;-)
1) Medium to large size business do not trust individuals: only other businesses are trusted. A local Goodwill (yeah, really, Goodwill) used to outsource work to me on a very regular basis. I'd give them plenty of freebies (again, it's Goodwill) along with the outsourced work. Eventually they hired someone to take care of internal matters and the outsourced work finally stopped (he had a gripe with me apparently). The CEO didn't question his judgment because he was moving to Microsoft products and outsourcing to larger companies. It didn't matter that they were paying six times (I kid you not) as much for the same work, their firewall had been removed (the new guy didn't understand how to manage it), and they removed a perfectly stable Linux box in favor of Exchange (easier to maintain for him, but DID go down frequently). None of this mattered. The CEO and kin felt more comfortable with larger businesses despite the problems. They care about feeling better, not about how much they're paying or how often something goes down. They will excuse ANYTHING if they're happy.
2) This (security assessment) is a new tactic from a small group of companies/individuals that have been around for a while. Years ago I handled support for a local ISP. The ISP had (shame on them) sold bandwidth to an adjacent office which was plopped right on the main network (no bridge/firewall/etc). This office had a MUD server which was compromised and made a really great packet sniffer. Account info was snagged and used....by a **network security firm** working out of Canada. They changed a few passwords to get attention, then e-mailed the owner of the ISP with a 'Hey, we didn't do anything but we wanted you to know your setup is easily corrupted. We can supply you with services to prevent this in the future.'. It's like, some kind of dorky geek mafia.
The original submitter could be a dick or a great employee. Either way, it doesn't matter because these security goons are out there and using a much better tactic to get business. It's pathetic, but it's real and there are enough ignorant businesses out there to make it profitable. All the education in the world won't help some employers, they're just too fucking stupid. Maybe the submitter's best bet is to hook up with one of these shitty security firms....join 'em before they beat you out of the market (re: multiple bad security profiles).
Sorry for the long rant...too much coffee
Comment removed based on user account deletion
He should sue the outsourcing company for slander and libel (since they probably handed his employer a report stating he was a security risk)
Of course it all depends on what context he was fired for. Are we getting the whole story here? Did you do any activities that could be considered a security risk?
If the IT world had better organisation it wouldn't consist of people being trodden underfoot because they think they are "elite" "indespensible" and "able to stand alone". As a rule of thumb your CEO is smarter than your average 21 year old programmer, and believe me *his* interests don't match yours, however much he swears they do.
India has much much stronger labour laws than the USA on most issues (although enforcement has problems sometimes). Indian IT workers sometimes do belong to unions or labour groups. Interestingly some of them chose not to use the word "union" because they wanted a labour group but didn't want the conflict the word union implies in some parts of the world, but to imply constructive working together
The jobs that went from the USA and EU have something much more important in common. They are low skilled, highly manpower intensive and not subsidized. It has a lot to do with wage costs and very little to do with unions.
Software is manpower intensive, not subsidized and the skills are being developed rapidly to a high level in other countries. The rest follows logically enough.
Welcome to globalization of production. Unfortunately globalisation of buying is a different matter (eg DVD prices in europe , US text book costs, US v Canadian medicine prices).
I was wondering if it was them. If you read Bruce Schneir's Secrets and Lies, you reach the end and figure out the whole book is a way for them to sell their services.
1. Security is tough.
2. It is best left to professionals.
3. You are better off hiring those professionals rather than trying to develop it yourself.
4. You should hire us.
Pointed Haired Bosses don't think that way. At my last job (one of the big 3 ISP's) one of the NT admin's screwed up and opened our one internal systems to the whole world. One of our techs studing security discovered the hole and reported it our PHB. Who came to our SA team to check and confirm. They were more concerned about the tech finding the hole, than the idiot NT admin who screw up an NT securtiy setting. They were insisting on firing the tech. They said opening up our system to world was less of and issue, than a employee sniffing our network, even if he reported it.
I've worked for too many large corporations don't ever think management is going to think logicly.
Well, he could sue them. It's called "slander." If they wrote it down as well, it's called "libel." As a bonus, as part of the trial he could subpoena all the documents related to the case, and find out what they really had to say about him.
Courts tend to look at libel related to employment very favorably. He should contact a lawyer.
Ownyourphone.com. Custom ringtones, cheap and easy
Not being a lawyer, but knowing a few, plus having a few who swear by having employment lawyers, I would say that you should definitely talk to one!!
A company who chooses to terminate your employment because of research or inquiries, the results of which are not told to you, sounds quite... well illegal. Were you a regular fulltime employee? Did you sign some sort of disclaimer because you were in "security" that they coudl at any time terminate you because you could be terminated as a "security risk" ???
Get a lawyer now!
Exactly what I was thinking.
Here in Canada, you also can't get fired on the spot (well, not for this). You have to receive at least a verbal warning and/or a written warning first, outlining what it is you are doing wrong.
I don't know what the laws in the US are (or even if you are in the US), but you might want to check with a lawyer. A quick consult shouldn't cost you much, if anything.
Tuus crepidae innexilis sunt.
This assumes hes being on the level
While geeks are smart they dont know the law. If this new company wrongly accused him of incompetence or negligence he has have every right to sue them. The sooner the better..... He doesnt sue his employer thats bad for future employment. He sues this third party and then subpoenas exactly what they told his employer about him.
In addition to libel, and defmation there is also tortious interference with business relation(ie your employment with this company)
Id say he needs to consult with a lawyer
If that's possible then yes, he should sue. It might be extremely difficult however.
I have some experience in this as I was fired as a security risk. The cause? I installed a firewall on my PC. The formal letter stated that this could interfere with their network firewall (a Cisco box that was very over-the-top for a small development company of twenty people).
Of course that wasn't the real reason. It was the refusal to work unpaid overtime and perhaps a tendancy to correct my boss that got me out. However, how do I go about getting this fixed in court? No matter how expert I am in IT (and I am quite expert), they can through an 'expert' back at me in court, and how will a judge know the difference.
And aside from that, what would be the charge? I'd already resigned and was working out my notice. The sole result is that any reference from my former employer now states that I was fired for 'Gross Misconduct.' The burden is on me to convince people that it wasn't fair.
A very nasty situation all round.
I wish the poster good luck if he finds a way to sue, but beware of getting into a credentials battle with various "experts," because most courts wont be able to assess your case on the basis of technical details.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
and the lesson is ... If employee morale is rock bottom, there's generally a damn good reason at the top. Look for a job elsewhere before its too late.
As for offering to work from home in place of outsourcing? Are you nutz You would just be proving that womeone could do the job remotely ... ie in some place that is beyond even the third world. Lets face it, India and China are now complaning about jobs being ousoureced. Obviously the work is being done by krrgs from the planet Zog.
Sent from my ASR33 using ASCII
COntrary to the belief by many people, business's do not exist to provide a job to any particular person, excepting perhaps, the owner. A business exists for the sole purpose of making money for the people who own it. The fact that they provide jobs to other people is mearly incidental. As such, the owners or management can choose who they want working for them.
Anybody who doesn't see it this way should try to put themselves into the position of the owners. Try to imagine owning a company. If you are the boss and you don't want a particular person working there any longer, you would fire them, right?
If you don't like people having that sort of power over you, start your own business.
Now, don't get me wrong, I do feel that what the company did was most likely a bad move, and certainly was not a good way to repay a person who seems to have been a good employee.
Any way you look at it, the management is responsible to the owners, be it private parties or stockholders. Their job is to make money for them. It is not to provide the employees with work.
Sorry for the rant, but I get irritated when people think the their employer OWES them a job, they don't.
Hockey - Canada's gift to the world
That's what I did. My former employer of five years spent several times my salary-to-date on consultants from Gartner, who convinced management that everything I'd built was wrong and they should spend my salary for the next five years on Microsoft products. I helped them roll it all out, they showed me the door... and now (from what I hear from a few friends there) they are hurting. {shrug}
I am not a security geek - so can not comment on the issue of having a security audit cost me my job.
On the other hand, I do have some thoughts on increasing your likelyhood of finding or keeping a job in this tough IT marketplace, that can be found here...
The executive summary: diversify your skill base, and become a jack of all trades; coupled with that, look at other means to increase your ability to satisfy your user community better and faster than the competition.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
.
IANAL (but I've paid for their kids' dental work and sailboat), but there are two issues here: I think you have excellent grounds for proving damages to your reputation in the industry (from both the consultancy and your employer), in addition to wrongful termination if you were let go with prejudice (fired for false or misrepresented cause and denied unemployment). However, the real money is in the first part, so go for a libel/slander lawyer with knowledge of labor, not a labor lawyer who's heard of slander and will sue to get your job back. What you really should want from this is to (a) clear your name, (b) collect monetary damages, and (c) walk away. Dunno about FL law, but you should get all your lawyer fees back as well if you file the suit properly...
I have (unfortunately) some experience in picking a lawyer for similarly hostile and unpleasant situations. In a recent situation that involved an insurance company, I turned to my own insurance carrier (home, personal liability, auto etc) and asked to be put in touch with a couple of senior examiner/adjusters. When I reached them (no easy task), I asked them the following question:
"Who is the meanest son-of-a-bitch you never want to be across a table from?"
Both people gave me the same name, and I hired that person as my lawyer. Yeah, the hourly rate was kinda frightening, but when your lawyer scares the piss out of the other party simply by name, the proceedings tend to be much shorter, and more to your advantage.
How does that apply to your case? Call a libel/slander *defense* lawyer, and ask him/her the question above. Two votes for one name, and voila, you have your counsel.
My personal advice is not to be shy about this. There's a time to shrug and walk away from an employer who lays you off for stupid reasons (I did a few months ago), and there's a time to fight like hell against something that could drown your career. This seems to me like the latter. What will you say in a few years, when a potential employer asks "If you weren't a security risk, why didn't you fight it?"
Jon Espenschied
I think not...(*poof*)
I used to do assessments for a company that wanted to do them to discredit the existing IT and replace them. After awhile it really bothered me because we went after some good, hard working, dedicated people.
I decided to get some certs and marketability and find a job less 'stressful'. In studying the Code of Ethics for the CISSP, I realized that it should be my job to help dedicated people hang on to their job with instruction, training, learning, awareness.
I now work at companies with the idea that I will locate 'vulnerabilities' and correct them with the resources they currently have. I know its a stretch for some to adopt that line of thinking but in the long run, this attitude is paying off.