Slashdot Mirror


Replaced by Outsourcing -- What's a Geek to Do?

SafariShane asks: "Yesterday I was fired from my position as 'Network Security Analyst' from a financial institution. I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' At the time, I thought a vulnerability assessment of our network was a good idea, but in retrospect, it occurs to me that this company, whose other product is 'Outsourced Network Monitoring and Intrusion Detection' may pull this little trick everywhere they go. Has this happened to any other network security folks out there? Does anyone know if this is a common practice, and what's a geek to do if they find out a 3rd party assessment is on the way? If this happens again at another institution, should I just start polishing my resume right away?" Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay? For those of you who feel the threat of Outsourcing breathing down your neck, what are you doing to try and stay in your current job, or even in this current market?

"Here comes the obligatory South Park reference:

  1. Perform Network Vulnerability Assessment
  2. ?
  3. Profit! (Sell Outsourced product)
Looks like they came up with an actual step 2:
Label anyone who is responsible for network security as the risk, and get them fired.
I wouldn't even dream up the above situation, except that when the assessment was done, all results were hidden from me. The company presented the results not to the geeks that can interpret them, but directly to the executives that still think 'Clippy' is a great product.

I'll also note, because people will ask me anyway, if there were other problems. In my year on the job, there was only 1 network intrusion: Welchia, which was contained in twenty minutes. Anyone familiar with Welchia will know that it is no easy task. I was never reprimanded for anything. In fact, I received a 12.5% raise only two months ago for job performance.

I doubt what they did was illegal, but it's bad business at best. Here is a group of network security geeks, who get other network security geeks fired, so they can increase their bottom line.

I'd like to hear comments from folks this has happened to, and what did you do as a result?"

240 of 1,166 comments

  1. What's good for the goose is good for the gander.. by ChaoticChaos · · Score: 5, Funny

    SafariShane needs to turn around and hack back in to the system in a week and show that the new company's security measures weren't that great. ;-) This will ingratiate himself with the CEO and get the new company kicked out.

    Problem solved. ;-)

  2. I don't trust you by Anonymous Coward · · Score: 5, Insightful

    I don't trust you to work from home. You will just watch Scooby Doo.

    I doo trust a company in India, tho.

    1. Re:I don't trust you by bmj · · Score: 2, Interesting

      I don't trust you to work from home. You will just watch Scooby Doo.

      'Tis true, but a company in India has tons of programmers in cube farms (at least that's what they tell you), so the PHBs feel more secure knowing their new programming staff is being directly managed.

      --
      Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
    2. Re:I don't trust you by mark_lybarger · · Score: 3, Funny

      as opposed to surfing /. from the office ;)

    3. Re:I don't trust you by arivanov · · Score: 2, Insightful

      Right on target.

      And you know why - because I know that I control the life and soul of any of them and they will not object and will only say: "Yes Great White Master".

      How true it is in reality is another matter. But that is what many little outsourcing minds think. I had one of these brought into a company I used to work for 3 years ago. And it was fairly obvious because the first time he mentioned outsourcing was after three people during a meeting showed that one of his ideas is complete and utter bullshit.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    4. Re:I don't trust you by Anonymous Coward · · Score: 5, Interesting

      My own experience relating to this:

      1) Medium to large size businesses do not trust individuals: only other businesses are trusted. A local Goodwill (yeah, really, Goodwill) used to outsource work to me on a very regular basis. I'd give them plenty of freebies (again, it's Goodwill) along with the outsourced work. Eventually they hired someone to take care of internal matters and the outsourced work finally stopped (he had a gripe with me apparently). The CEO didn't question his judgment because he was moving to Microsoft products and outsourcing to larger companies. It didn't matter that they were paying six times (I kid you not) as much for the same work, their firewall had been removed (the new guy didn't understand how to manage it), and they removed a perfectly stable Linux box in favor of Exchange (easier to maintain for him, but DID go down frequently). None of this mattered. The CEO and kin felt more comfortable with larger businesses despite the problems. They care about feeling better, not about how much they're paying or how often something goes down. They will excuse ANYTHING if they're happy.

      2) This (security assessment) is a new tactic from a small group of companies/individuals that have been around for a while. Years ago I handled support for a local ISP. The ISP had (shame on them) sold bandwidth to an adjacent office which was plopped right on the main network (no bridge/firewall/etc). This office had a MUD server which was compromised and made a really great packet sniffer. Account info was snagged and used....by a **network security firm** working out of Canada. They changed a few passwords to get attention, then e-mailed the owner of the ISP with a 'Hey, we didn't do anything but we wanted you to know your setup is easily corrupted. We can supply you with services to prevent this in the future.'. It's like, some kind of dorky geek mafia.

      The original submitter could be a dick or a great employee. Either way, it doesn't matter because these security goons are out there and using a much better tactic to get business. It's pathetic, but it's real and there are enough ignorant businesses out there to make it profitable. All the education in the world won't help some employers, they're just too fucking stupid. Maybe the submitter's best bet is to hook up with one of these shitty security firms....join 'em before they beat you out of the market (re: multiple bad security profiles).

      Sorry for the long rant...too much coffee ;-)

    5. Re:I don't trust you by lightsaber1 · · Score: 3, Insightful
      How badly do you want to work for a company like this anyhow? Seems to me if your manager absolutely refuses to listen to his employees and just wants people to do what they're told, then maybe outsourcing is right for them, or perhaps a trained monkey would work, but I'd say their company is going down soon enough and you'd be out of a job anyhow.

      One of the most important things a manager must do is listen to his/her employees' ideas and criticisms, whether valid comments or not, they must be at least considered. If this doesn't happen, how can there be any chance for a) advancement, or b) true improvement of the product?

    6. Re:I don't trust you by The_ForeignEye · · Score: 5, Insightful

      I disagree.

      Sure, I could watch Scooby all day long and you wouldn't know...at first.

      Software projects are tracked and managed. It soon would be apparent that your progress is not aligned with what the initial estimate was, and although you could give some bullshit reasons as to why your progress was not as expected, they would eventually get rid of you for somebody more efficient.

      Working from home sounds like a really good idea, but I don't think it's going to happen (unfortunately). I work for a software consulting firm and we have some remote people that work from home because they have no other choice (they are too far away from the closest office). However, when I (or anybody in the office) asked about working from home, the excuse we were given was that it would break the "team environment". They value person-to-person interaction too much and they don't care whether you could do netmeeting, telephone conference, or video conference through the net.

      Working from home means you don't interact with other team members as much as you would if you were in the same location, and you don't share your knowledge and experience with them. Now, you don't share the comments about last night's football game either, but that's another story.

    7. Re:I don't trust you by Kurt+Gray · · Score: 4, Informative

      I think you're right, part of what's going on here is a cultural divide that exists in many companies between the managers in suits and the admins in the back cubes watching the network. In some offices these two types hardly ever speak to each other: no kinship, no trust, no loyalty. Both parties bear the responsibility to walk across the office and speak directly to each other once in a while.

      My years in sys admin middle management taught me that some admins just don't want to speak to the managers in suits. They automatically distrust the management, they resent that anyone who knows less about networking is being paid more and is manager of many departments. They view anyone who meets with management and eats lunch with management as a kiss-ass or someone not to be trusted. This to me is exactly the kind of attitude that holds people back from getting promotions, being recognized, and makes one more vulnerable to becoming a victim of downsizing. If management has no idea who you are and what you do all day then you are effectively nobody to them, you are just another labor expense on the accounting books.

      The easiest way to let management know that you have value is find a problem, and don't just whine about it, do a little homework and propose a practical solution along with some numbers as to how much it will cost/save the company. If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas. Don't be someone who complains all the time, try to be someone who has solutions rather than complaints. Leaders have answers, followers have complaints. Managers value people they can go to for answers.

      So in summary if you make no attempt to talk to management then don't be surprised if they become more comfortable dealing with some out-sourced vendor than they are dealing with you... don't be surprised if someday the managers you hardly ever spoke to tell you to pack up your desk.

    8. Re:I don't trust you by K8Fan · · Score: 5, Insightful
      If your department manager is the type of prick who would try to steal credit for your brilliant ideas then walk around his desk and talk directly to his boss about your brilliant ideas... if you have enough of those conversations with that boss you may even find yourself being promoted to replace the prick who stole credit for all of your ideas.

      The flaw in this plan is that most geeks, in my experience, have no desire to be promoted to management. We just want to do the work. The dream job for someone who is generally attracted to network security work is to be left alone most of the time by a boss who can realize that the fact that they haven't had to concern themselves with network security is a Good Thing. Then they throw more money.

      The worst bosses I've ever worked for have been fellow geeks promoted above their social skill set. They are usually grumpy that they no longer get to play with the technology, and have to spend their days in meetings.

      --
      "How perfectly Goddamn delightful it all is, to be sure" Charles Crumb
  3. And then get arrested, convicted... by VT_hawkeye · · Score: 4, Insightful

    ...and sent to federal pound-me-in-the-ass prison.

    He got hosed by an unethical competitor, but he can't do crap about that now. Time to brush off the resume.

    1. Re:And then get arrested, convicted... by The+Good+Reverend · · Score: 5, Informative

      For those who don't know, this is a line from the movie "Office Space".

      If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.

    2. Re:And then get arrested, convicted... by theglassishalf · · Score: 5, Interesting

      Well, he could sue them. It's called "slander." If they wrote it down as well, it's called "libel." As a bonus, as part of the trial he could subpoena all the documents related to the case, and find out what they really had to say about him.
      Courts tend to look at libel related to employment very favorably. He should contact a lawyer.

    3. Re:And then get arrested, convicted... by Master+of+Transhuman · · Score: 2, Informative

      I don't know how many times I've said this, but I served eight years in Federal prison and the incidence of rape is much lower than the news media (including /.) would have you believe (at least if you're over forty and not terribly attractive...heh, heh). The Feds have a much more controlled environment than state prisons (or so I've heard, I've never been in a state prison).

      The real nasty trick the Feds use is if someone does get raped or engages in consensual homosexual sex and the Feds find out, they will write your parents or your wife and tell them you did so. Nice, huh?

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:And then get arrested, convicted... by EvilAlien · · Score: 3, Funny
      Thank you for that dose of reality regarding homosexual rape... now crime is going to skyrocket once everybody realizes that you can get teh free education, room and board, gym facilities, and other perks without having to tolerate the anal rape.

      Where were you when Samir Nagonnaworkherenomore was panicking, huh? HUH?!

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    5. Re:And then get arrested, convicted... by zabieru · · Score: 2, Interesting

      Eh, on the other hand, a company engaged in this sort of practice is likely to go over their stuff with a fine-toothed legal comb. It's probably all couched in terms of '54% of senior network security personnel at some point blah blah, and therefore hiring outside consultants from such firms as blah, blah, or oh, yeah, us, is safer, and blah, blah' rather than 'How could you possibly trust a commie pinko faggot like X? Fire him immediately so you can hire us!' Unfortunately, libel laws are fairly specific, so although he can clearly prove damages (usually the hard part) next he's going to have to show that they said something deliberately and provably false about him, which it's not likely they did.

    6. Re:And then get arrested, convicted... by jordandeamattson · · Score: 3, Insightful

      I have to say that I agree strongly with this position. If they identified him as a security vulnerability, and did so with malice and an intent to profit, then they have done him harm (known in legalese as a "tort") and he does have grounds against them.

      That said, he probably doesn't have grounds against the employer (though if he is in California, with its loosey/goosey definition of "at will", he is sure to find someone to take his case).

      I would have him contact an attorney who specializes in employment law in his state (contact the local bar association for a referral).

      I would then put together a very clear and concise summary of his involvement in the situation starting from the beginning and running through to the end. Start with his hiring and running through to his termination. Put dates, summary titles, and then details. Be dispassionate. If there are any warts (do you gamble, drink to excess, use controlled substances, surf porn sites at work, in heavy debt, previous convictions, etc.) be honest about them.

      This summary of your situation would be the backbone of any suit. I would send this to the attorney prior to meeting with them with a note saying, "please review and then let's meet for you to ask me questions of clarification and to discuss the chances of this proposed action."

      The author of the parent post is correct: once you get into a suit, you will be able to get into discovery and will be able to ask for the report, any communications related to the report, communications related to yourself, etc. This would be a potential goldmine.

    7. Re:And then get arrested, convicted... by HungWeiLo · · Score: 5, Funny

      For those who don't know, this is a line from the movie "Office Space".

      If you haven't seen it, you should. It's really a very funny look at office politics and lost jobs.


      Unfortunately, for many people, it's not in the comedy section of the video store. It's in the documentary section.

      --
      There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
    8. Re:And then get arrested, convicted... by rifter · · Score: 3, Funny

      I've been reading /. for 5 years, and I haven't seen Office Space. Then again, I have a girlfriend too.

      That's funny because I was going to suggest that the reason for correlation was indeed causation. In other words the slashdotters who did not see Office Space had girlfriends, and therefore were watching some chickflick instead. :)

    9. Re:And then get arrested, convicted... by digital+bath · · Score: 4, Funny
      It's called "slander." If they wrote it down as well, it's called "libel."


      Yea, I learned that from the spiderman movie, too.
      --
      find / -name "*.sig" | xargs rm
    10. Re:And then get arrested, convicted... by vsprintf · · Score: 4, Funny

      I don't know how many times I've said this, but I served eight years in Federal prison and the incidence of rape is much lower than the news media (including /.) would have you believe (at least if you're over forty and not terribly attractive...heh, heh).

      Well, thanks for dashing our hopes about the future of the SCO executives.

  4. Maybe it's time for the technocratic war to begin. by Anonymous Coward · · Score: 5, Interesting

    The managers and CEOs of this country have no idea about how to make a router connection or how to correct a line of code in their payroll systems.

    I'm on call 24x7x365 while the CEO sleeps.

    The non-technical types need to understand where info power resides.

  5. What to do? by grub · · Score: 5, Insightful


    What to do? Well, you're a casualty of corporate sleaze and politics. Read The Art Of War, get back on the horse and don't let yourself become a victim again.

    That sounds cold, I know, but what else can you do? Dwelling on the issue won't pay the rent.

    --
    Trolling is a art,
    1. Re:What to do? by Fnkmaster · · Score: 5, Insightful
      And more importantly, learn your lesson. Next time some huckster wants to sell you a "security audit", don't buy into it. Use it as justification to do an internal audit, or convince your bosses to bring in consultants of your choosing. Make it a collaborative process with your managers. Prize your relationship with your bosses above all else - don't be an ass kisser, be good, and make them look good. If when they think of you they think of the guy who saved their asses lots of times, they would have to be fools to let you go.


      Control is greatly undervalued in business. Often times, control is more important than your bottom line salary. You want to be in control without people knowing that you're in control - don't play politics or backstab people, just be very important to the bottom line and very trusted. If you are unable to make your boss realize that you are important, you should find another job as soon as possible. Also, ALWAYS keep a backup plan in place, enough money in the bank, and have lots of friends in your line of work to help give you an in to other job openings.


      It's a cheery little Machiavellian world we live in. :)

    2. Re:What to do? by starcraftsicko · · Score: 3, Insightful

      This Book might have been helpful for the dearly departed geek.

      Even paranoids have enemies. They really are out to get you. Remember this as you stab them all in the back.

      Just a thought... if the company prepared a report naming you (by name) as a security risk, you might have grounds for a libel lawsuit... IANAL, but in the US, folks do sue and win for much less. Sue the security firm for libel and fraud. Sue your employer for wrongful termination. It's the American way!

    3. Re:What to do? by sgt_getraer · · Score: 2, Interesting

      It's been trendy for the exec types to read The Art of War as of late. If you want to fight sleaze with sleaze, The Prince will give you a few ideas next time around.

  6. A company making a protection racket? by tomstdenis · · Score: 5, Insightful

    Not like... say virus scanner writers right? [who probably write the viruses they detect...]

    I say if your management is stupid enough to fall for the tricks without trusting you then they deserve what they get and you probably shouldn't have been working there in the first place.

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:A company making a protection racket? by Elwood+P+Dowd · · Score: 2, Insightful

      Not like... say virus scanner writers right? [who probably write the viruses they detect...]

      If better coders were writing viruses, Sobig and Klez would be the least of our worries. If virus scanner writers were writing viruses, every machine that didn't pay their dues would be infected. It's not that hard.

      --

      There are no trails. There are no trees out here.
  7. Easy solution by IGnatius+T+Foobar · · Score: 4, Interesting

    Easy solution:

    Get a job working with an outsourcer. Duh.

    "Services" is where the IT business is going. And yes, there are outsourcing companies in the USA and various other non-India, non-China nations. Skilled, flexible talent is very valuable to a services company. And it's satisfying work because you're not stuck with one environment all the time -- you get to play with lots of different customer environments, picking up new skills along the way.

    Basically, what I'm saying here is, quit whining. Make yourself a valuable person and you will find employment. And don't rest on your laurels, either: you have to constantly adapt and pick up new skills.

    Now I shall sit back and wait to get modded down by the unemployed, disgruntled Slashdot hive mind, but my position on this issue stands.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Easy solution by GeckoX · · Score: 5, Insightful

      Can't beat em, then join em right?

      That's all fine and dandy for those who have a constantly shifting moral stance, or none at all...however some people, like the submitter of the story, would probably prefer to stick to their morals and avoid being a hypocrite.

      --
      No Comment.
    2. Re:Easy solution by Anonymous Coward · · Score: 4, Funny

      Now I shall sit back and wait to get modded down by the unemployed, disgruntled Slashdot hive mind, but my position on this issue stands.

      A martyr complex and a superiority complex, all in one. Neat.

    3. Re:Easy solution by be-fan · · Score: 3, Insightful

      How does working for an outsourcing company violate this guy's morals? Not all outsourcing companies pull tricks like this to get work. On the other hand, if your morals are "outsourcing is wrong," you have a stupid moral and should reevaluate it.

      --
      A deep unwavering belief is a sure sign you're missing something...
    4. Re:Easy solution by thrillbert · · Score: 3, Funny

      Basically, what I'm saying here is, quit whining. Make yourself a valuable person and you will find employment. And don't rest on your laurels, either: you have to constantly adapt and pick up new skills.

      Wow.. this is some really good advice. If I were any of you, I'd listen to this guy, he really knows what he's talking about..

      Now, would you hurry up and fix me my double tall latte??

      ---
      You can get more of what you want with a kind word and a gun than you can with just a kind word.
      -- Bumper Sticker

    5. Re:Easy solution by haystor · · Score: 5, Interesting

      Yea, become a consultant. You've already got one business in your rolodex that will buy a product from the same person inspecting whether they need that product.

      What I'd do is file for unemployment immediately. This would be good to find out if they claim they fired you for cause. In Texas at least, if they want to make that claim, it has to be done in writing which means they would have to commit to those statements. If you wanted to pursue it, you could eventually find out why they say you were fired. Likely they will just take the hit on their unemployment insurance and not contest your unemployment.

      If you think that something was a little bit shady, like a manager getting a kickback from the consultants you might try to use your current contacts to feel that out. Unlikely you'll find out anything there but if you do you could be a real bastard about it.

      I ran into a situation where I was hired by a business consulting group to do some work they normally didn't do. I had a contract signed and everything when they never called back with a start date. After two weeks of expecting a firm date, I called them and they said it was a no go. I suspect they filled the position internally after using me to land the contract. They had accidentally let me know the company they were pitching and it turns out the President of that company is a family friend. All I had to do was ask an uncle to ask this guy over lunch if they had someone doing this job from company xxx. After weighing the possibilities of what I would/could do if I was right, I decided I just didn't want to know and time would be best spent concentrating on a job/career instead of money and time lost. When lawyers get involved the only sure thing is that the lawyers make money.

      --
      t
    6. Re:Easy solution by toganet · · Score: 2, Interesting

      I'll add my own -1 Redundant to this, but I concur with the parent on this.

      I recently relocated, and took a job for a consulting agency, for about 10% less than I was making in my previous job (but COL is lower here).

      I've been at the same client for 6 months now, and I do a little of everything (coding, admin, PM, sales) so they like having me around. To me, it's beginning to get boring, so I may look elsewhere.

      But the nice thing is, if the client decides they can't afford me any more, my employer will find me a new placement (hopefully) -- so there's less risk of being suddenly unemployed.

  8. One word: by Anonymous Coward · · Score: 2, Insightful

    Unions. Baby, it's time. Other than that, you call a lawyer. Now. I'm VERY sure what they did was very much illegal, and since you indicate you have a clean work history, they have no room to fire you.

    1. Re:One word: by clanrat · · Score: 4, Insightful

      I always love seeing the "unjust dismissal" or "dismissal without cause" argument. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple. There doesn't need to be any cause. You have no 'right' as it were to be employed by any specific person. Unless you can prove your human rights were violated (they fired you because you're male/female/white/black/red/blue/jewish/catholic/etc..) you've got no recourse. Things are a little different in a union environment. There, you don't get fired, you get laid off.

    2. Re:One word: by macrom · · Score: 4, Insightful

      No worker's rights?

      Can you tell your boss to sod off and never show up to work again? Yes.

      Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes.

      If a company lets you go, are you entitled to unemployment compensation of some sort? Yes.

      Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No.

      We have rights, they just don't seem to be as nice when you're the one getting let go for no reason. Rights go both ways, unfortunately it's usually the employer that is on the receiving end of the benefit.

    3. Re:One word: by NDPTAL85 · · Score: 2, Insightful

      No the US DOESN'T suck because this freedom works two ways. The employee is also allowed to leave the company at will and go work for someone else.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    4. Re:One word: by Cedric+C.+Girouard · · Score: 2, Informative
      I always love seeing the "unjust dismissal" or "dismissal without cause" argument. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple. There doesn't need to be any cause. You have no 'right' as it were to be employed by any specific person. Unless you can prove your human rights were violated (they fired you because you're male/female/white/black/red/blue/jewish/catholic/etc..) you've got no recourse. Things are a little different in a union environment. There, you don't get fired, you get laid off


      That's why I love NOT living in the US.
      Where I come from, if you get fired with undue cause, you have recourse. You take the company in front of the labor commission, and mediate. If mediation fails, you go in front of the Labor minister, and he decides. Decisions range from monetary compensation to full work re-integration... Once you're re-integrated, the company will have a tough time getting rid of you because any dismissal without a foot thick file containing DNA/photographic evidence will be considered retaliation.

      While the system is not perfect, it works most of the time, and that's good enough for me.

      I'd hate to live someplace where the color of your shirt is grounds for dismissal.

      --

      Marriage is considered capital punishment for the theft of a goat in some third world countries...

    5. Re:One word: by IWorkForMorons · · Score: 3, Interesting

      Can you tell your boss to sod off and never show up to work again? Yes.

      Sure, if you don't mind not earning money.

      Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes.

      Not if you sign a non-compete contract. Otherwise, they can, and probably will, sue your ass until there's nothing left.

      If a company lets you go, are you entitled to unemployment compensation of some sort? Yes.

      Not always. If the company makes it look as if you are the cause of your unemployment status, as this guy was because "he let the company security slide, as was found by the vulnerability assessment", then you have fewer chances of seeing anything more than the standard 2 weeks. But there's little chance that government U.I. would kick in. Could you survive 3 months with only 2 weeks pay?

      Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No.

      A company can legally tell another company of the reason that you were let go. And since this guy was accused of letting network security lapse, that's not going to sound good when another company calls up.

      I wouldn't trust anything else coming from this company if I were him. I would try to minimize any contact with this company by future potential employers. He really is in as bad a position as he thinks. What's worse is that probably none of it is deserved. Good luck buddy, because you're going to need it...

    6. Re:One word: by Master+Bait · · Score: 2, Interesting
      Libel. Got any paperwork from the outsourcing company? Did the company make you sign a non-sue contract before they 'let' you claim unemployment benefits? Sue them, too!

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    7. Re:One word: by Afrosheen · · Score: 2, Insightful

      "Can you find a job at another company, sometimes even a competitor, and instantly go work there with little fear of backlash from your current employer? Yes."

      This isn't always the case. Some companies have limiting contracts that prevent you from working in the same field in your next job. This isn't legal and binding in ALL states but in most it can be upheld. This prevents YOU from learning skills at X and going to work at Y the same day, with all the knowledge of trade skills, etc. that you learned at X.

      "If a company lets you go, are you entitled to unemployment compensation of some sort? Yes."

      This depends on your length and type of employment. Anything less than 6 months at a job does not entitle you to unemployment benefits, and if you were under a contract through a third party such as a temp service you have nothing coming to you.

      "Can a company legally tell another company that you don't bathe, you write shitty code and your mother-in-law calls you 17 times a day distracting you at work? No."

      Actually that's not true at all. Again, it varies by state, but here in Texas employers are entitled to full disclosure without fear of retribution by law. Anything your PHB tells a prospective employer about you is held in confidence, he/she can say what he/she wants, true or not. There are actually companies that call places you used to work for, on your behalf, to see what kind of things they're saying about you. You hire them to see what mud has been slung by former employers.

      So yeah, your final point about employers having more rights than the employed is dead on. It's just sad that most people don't realize just how unprivileged employees are.

    8. Re:One word: by bleh-of-the-huns · · Score: 3, Informative

      There are many states in the US where they cannot fire you without a valid reason. They can terminate your employment (layoffs etc) for no reason but then they have to provide you with severance (usually about 2 weeks, but sometimes more), and you can still collect unemployment. Getting fired is different, you're basically screwed, but in those states, they must provide a reason, for both laying a person off or firing, and it must be valid. (in the former, a simple financial troubles excuse can get you laid off, but it is still a reason).

      In places like Virginia, DC and Maryland (I think MD), these are Right to work states, meaning, they can terminate your employment for breathing in the wrong direction, and they don't even have to tell you why.

      --
      I came, I conquered, I coredumped
    9. Re:One word: by misterpies · · Score: 2, Informative


      Not in the UK: you can't fire anyone without good reason. And before anyone gives me the standard "socialist/communist" crap about workers' rights being bad for the economy, we've got lower unemployment than the US and haven't been in recession since the early 1990s.

      --
      The author of this post asserts his moral rights.
    10. Re:One word: by CountBrass · · Score: 3, Informative

      Uhm excuse me but that's not true.

      The world is not the US. Where I work if you've worked somewhere for 2 years or more then they can't just sack you. In mainland Europe they have even stronger workers' rights.

      So please, before submitting, remember that /. has an international audience and the US != The World.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    11. Re:One word: by jdreed1024 · · Score: 3, Informative
      I always love seeing the "unjust dismissal" or "dismissal without cause" argument. Listen up people. If an employer doesn't like your shirt, they can fire you. It's that simple

      Except that it's not. You have to have cause for dismissal in most states, and the employees have to have been informed of the rules and disciplinary procedures and causes for dismissal. You can't even fire someone for being late, unless they were told that being late is firable.

      Layoffs are different, though. You can lay someone off for whatever reason (services no longer required is the common one), but then they get severance packages, or whatever.

      Trust me, I know. I worked in HR for 2 years - we had a lot of turnover, and we'd have to fire people for being late, or not being properly attired (the job required uniforms) etc. And they'd of course file a claim for wrongful dismissal, and then we'd have to send a representative to the dept of labor, and if the rep didn't show up, the employee automatically won. And if the rep couldn't prove that the employee had received the handbook which contained the rules for dismissal, the employee automatically won.

      --
      There is no sig, there is only Zuul.
    12. Re:One word: by gentlewizard · · Score: 2, Insightful

      Here's another: WRONG.

      Using unions to try to solve the "problem" of IT outsourcing is like trying to use a locomotive to solve the "problem" of a postal worker being replaced by UPS and FedEx.

      First, because it is a solution that is obsolete for the times we live in, and second, because it won't work anyway. The trend toward outsourcing and globalization will not change or go away, no matter how many cardboard signs we carry in front of a company's entrance doors. It will not change or go away by turning our power over to union leaders whose primary agenda is building a power base for themselves and collecting dues. It will not change or go away - period.

      The only sane response is to accept the situation for what it is, admit that yes, it sucks, but then look around for opportunities. And then look for the next ones after those.

      Unfortunately, it's going to get a whole lot worse before it gets better - and it's only going to get better when enough people have adapted to the new economic conditions that systems are in place that make the new way easier. Fasten your seat belts - the next decade is going to be a bumpy ride.

    13. Re:One word: by schnell · · Score: 2, Informative

      One word: Libel.

      Nope.

      "Libel" seems to be one of those words that gets thrown around on Slashdot without people entirely knowing what they're talking about. So, for everybody's future reference, here's the real deal (everybody that goes through journalism school gets a heaping dose of education on this to hopefully save their future employers from being sued into oblivion).

      Libel is the printing in a (reasonably) public medium of disparaging comments against an individual. Slander is saying disparaging things in a public forum. Note that private conversations or interpersonal memos etc. are in no case covered by US libel/slander laws - to do so would violate free speech rights by preventing you from saying anything bad about anyone.

      If you feel you have been libelled, you bring civil (not criminal) suit against the offending party. If you are a private citizen, you (usually) only have to show that the libel-er was wrong in order to win your case. If you are a public figure, you also have to prove that the libel-er was intentionally getting it wrong to hurt you (or at least being grossly negligent in checking their facts). There is also a provision of libel law called "fair comment" wherein you can be as wrong as you want when talking about a politician or other public figure on certain topics (political philosophies, quality of art/performance, etc.) and not be sued because everyone is free to have wildly differing opinions on those things even if they might be objectively incorrect.

      Anyway - the bottom line is that this guy has essentially zero chance of suing for libel or slander and winning, unless his business publicly told others that he did something wrong. But on the positive side maybe he reads this and knows more about libel and slander, and it helps him win a game show or something.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    14. Re:One word: by mschuyler · · Score: 2, Interesting

      It's still the same world with the same economic realities. This is not a US vs the rest of the world issue. Turning anything anyone says here into that is just bullshit (and it happens all the time). When "workers' rights" affects efficiency, it's just a matter of time before an 'adjustment' happens. In the US unions have often bid up workers' wages to the point that companies can't compete efficiently and jobs are lost. Witness US steel companies trying to hide behind tariffs. Didn't work. Faced with EU retaliation, they were dismissed. That is entirely proper and the EU was right in insisting the US play by the new rules. Get efficient or die. If you need to learn how to make steel, visit a EU factory. Steel can whine all they want, blame government for their troubles, or whatever. (IMHO Bush choreographed that whole issue. He placated steel for a few months knowing full well what would happen. When the EU called him on it he could say, "Hey, guys, I'm really sorry. I tried to help, but we just can't go there any more.")

      But it works both ways. Witness recent strikes in France over pension plans. Citizens feel it is "their right!" to retire at 55 and get a full salary for the rest of their unproductive lives. That's not going to work either and there will be consequences down the road as this 'entitlement generation' is forced to get a life. The rest of the citizens of France simply cannot afford to keep the boomer generation in the style to which they have become accustomed.

      The only time this doesn't work is when there is not good communication/transportation between high and low pressure areas. In the comm area there are few barriers left. If there IS a flow, wind is created, and the high pressure flows to the low pressure until they equal out. In other words, it sucks. If there IS NOT a flow because of barriers (like oceans, for example), then artificially high pressure areas remain. Witness the lock the US West Coast longshoremen have on shipping. There a data entry clerk makes $120K per year. Is that efficient? Hell No. It can't last, but there will be hell to pay to make it go away. And it's the exact same hell the EU faces with artificially high pensions. It's the same dynamic at work.

      One commonality between the US and the EU is the rights of workers in government, and the resulting inefficiencies and bureaucracy. Both suffer enormously from it and as a result government not only has a hard time being productive, it becomes a drag on the economy of the respective countries.

      It matters not a whit what country you're from or what philosophy you espouse. The equation is this: More coddling of workers leads to less accountability, efficiency, and productivity. Compare the civil service of ANY country to the self-employed and figure out just who is more motivated.

      --
      How about a moderation of -1 pedantic.
  9. What did you say? by jhigh · · Score: 2, Insightful

    Were you given a chance to present an opposing opinion? I am fortunate enough to work for a company that knows the value of having in-house IT. Even when we bring outside consultants in, my boss and those above her understand that you simply cannot replace having someone in-house who knows every intricate detail. I was thinking that perhaps if you were given a chance to present the pros of having in-house infosec you may have been able to make a strong enough case for staying.

    --
    Social Engineering Expert: Because there is no patch for stupidity.
  10. Re:Maybe it's time for the technocratic war to beg by Anonymous Coward · · Score: 5, Insightful

    As evidenced by the story poster, it lies with the non-technical types.

    I'm on call 24x7x365 while the CEO sleeps.

    You sure have a funny definition of power.

  11. Ummm... get a new job by tommck · · Score: 3, Insightful

    No offense, man, but if you're good at your job, get a new one.
    If your company was willing to do that, you probably don't want to work there anyway.

    it sucks, but Ob-la-di ob-la-da life goes on ...

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
    1. Re:Ummm... get a new job by the+Man+in+Black · · Score: 5, Funny

      if you're good at your job, get a new one.

      Oh well shit, is that all it takes? I've been going about this all wrong!

      I'm gonna get a pony too, while I'm out getting things. Anyone else want something?

    2. Re:Ummm... get a new job by dema · · Score: 2

      Ummm....yea, the economy is absolutely BEAUTIFUL right now and finding a job is incredibly SIMPLE.

      No offense, but just because you're unaware of the current state of the economy and IT, doesn't mean you can belittle the poster.

    3. Re:Ummm... get a new job by k12linux · · Score: 3, Insightful
      If you can't find a job, then that is just the market at work. You may be great technically but not have people skills, or whatever.

      While I'm feeling a bit old today, I've actually only been in the tech job market for about 15 years. And through all that time, no matter the market, the ones who were good (fresh out of college or not) always seemed to have a job. Sometimes it meant moving half a state away (or more) but they got good paying jobs.

      During the tech job slump, I didn't know a single highly competent tech person who didn't have or couldn't get a job. I knew a few who were laid off but got jobs immediately. The only tech people I knew who had trouble getting work sucked at the job.

      I'm sure there are some (maybe many) who were pretty hot stuff but lost their job due to layoffs or a company going out of business. While I feel for you, were you willing to relocate? Do you have people skills? Did your resume show how you could be an asset to the company, or did it just tell them you knew C/C++? (If you don't know it, there IS a difference. The really good paying jobs usually want to know how you can help them more than they want to know what you can do.)

      During the very worst of the tech job market, we had a position to fill and could only find ONE qualified applicant and he already had a job. (You would think that at least one more applicant would have had certification or at least experience in what was listed on the job posting.) The only difference between that and when the market was hot was that we had the one qualified applicant. During the tech boom, we wouldn't have had any and would have just had to pick the least unqualified.

      In college, there were people who got their degree only because they got tons of tutoring by other students. One gal in C class never did quite get "the whole variables thing."

      One day just after starting a new job, a coworker was telling me that the company would pay for each of your tests three times but that you could take them as many times as you wanted to... you just had to pay after the 3rd. I said, "Well, if you can't get it in three tries, maybe this isn't the right line of work." The reply was, "Oh no, I've taken my TCP/IP test 5 times now, next month will be the sixth." I just kept my mouth shut.

      Should those two people even be doing tech work? Is it in a company's best interest to hire them?

      Before I get modded as flame-bait or told by 100 people that they were top-notch and lost their job, let me say that I know it happened to some of you. It sucks. Move on. It's especially a problem if you were ultra-specialized. Maybe you spent the last 5 years designing phone system line cards... yeah, the market on that is pretty small. But a really good programmer or sys admin should be able to find something somewhere. (Again.. that "relocate" word.) And if you really are as good as you say, why not pick up a couple new languages... or study up and get certified for LPI or RHCE (or Solaris, or CNE or MCSE?)

  12. just move on by gagy · · Score: 5, Insightful

    You can't take things like this personally. If they're outsourcing you, the wheels are already in motion and there's not much you can do to stop them. I have no attachment to my employer. I have an awesome team right now, and I feel loyal to them, but not to the company, but that's what they teach us in Business School. You have a chance of being outsourced, much like you have a chance of getting into a car accident. Nothing you can do once it happens. Collect your insurance and buy a new ride.

    --
    -I DDoSed your mom.
  13. Consultancy? Trivial! by Burb · · Score: 4, Insightful
    You have my sympathy.

    In any IT situation, the guy/s who knows the system administration/root passwords is always a potential risk. They've fired you, but they must have someone who knows the stuff you do, root passwords and all.

    Hey, wait a minute, now the new guy is the risk. Fire him and pass the root passwords to the next guy. Repeat to fade...

    Sounds like someone has been solving the wrong problem.

  14. Capitalism is a funny thing by wheany · · Score: 5, Insightful

    Capitalism is a funny thing. Well, at least the "modern" capitalism. Not only does your company have to profit, it has to profit more than last year, every year. This is one of the reasons people get laid off even when a company is making record profits.

    1. Re:Capitalism is a funny thing by TopShelf · · Score: 2, Informative

      I don't think there's been any significant change regarding the emphasis on continuously growing profits over time. Investors have always looked for earnings growth - the only difference today is the broadening of the investor class. Through 401K's and other programs, a larger portion of the populace owns stock than ever before, and they want strong growth just as much as the next guy. That can lead to an overemphasis on short-term profits, i.e. companies cooking their books to make sure they meet quarterly targets.

      Layoffs when a company is making record profits can make sense - a company flush with cash may take that opportunity to invest in labor-saving improvements, for example, and position themselves better for the long term.

      --
      Stop by my site where I write about ERP systems & more
    2. Re:Capitalism is a funny thing by Afrosheen · · Score: 2, Insightful

      That has nothing to do with capitalism and everything to do with shareholder expectations. Once the shareholders have your publicly held company by the short hairs, anything goes. Economists have shown that downsizing ultimately hurts companies in the long run (retraining costs, hiring costs, etc. etc.) but they'll do it to shave fat for the quarterly reports. This makes shareholders happy because losing employees=lowering costs=raising stock price or perceived value. Even if sales are flat companies will still drop 5000 people off the roster to boost their stock price.

      My advice to you is stick with privately held companies. They don't give a shit about the stock market or whims of the shareholders, they are only in business to make money.

    3. Re:Capitalism is a funny thing by Reziac · · Score: 2, Insightful

      Maybe if we just looked for steady earnings, instead of earnings GROWTH, there'd be fewer companies going tits-up due to managers who can't see beyond this year's bottom line. Sure, lay off all the people who built the company and save a ton of money, looks good on the balance sheet and in the dividends column. Until next year, when the company goes out of business.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    4. Re:Capitalism is a funny thing by toganet · · Score: 2, Insightful

      I think you're right, though I refrained from carrying the argument that far out, for fear of scaring the 14-year-olds who read this site.

      Truth is, we're pretty much screwed. Our culture is at about the same level of development as a 16-year old kid. We think we know everything, and that everything we do is right, and we really like doing things that make us feel good.

      Unfortunately, we are going to end up unemployed and pregnant, probably on welfare to the uncaring 'state' of our robot children.

      Pass the booze, TGIF & all that -- I just depressed myself.

    5. Re:Capitalism is a funny thing by Anonymous+Coed · · Score: 2, Insightful
      First, standards of living in other parts of the world will continue to rise. Those people will want (and more importantly be able to afford) more and more U.S. goods.

      Why do you think those goods would come from the USA? As long as production costs are lower elsewhere than in the USA, consumer goods will continue to be made in places like China and Indonesia, and perhaps later on, in Africa. People in these areas will be both making and consuming these goods, rather than just building for export.

      Essentially what we are looking at is a levelling out of the world economy which will almost inevitably involve a decline in the standard of living in "the West." Another way to put it is that the entire world will be divided into only two classes, the super-rich and the rest of us schlubs, with the distinction of "rich countries" and "poor countries" becoming less apparent.

  15. Editor's comments by spuke4000 · · Score: 5, Insightful
    Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?

    Based on the description of the problem this doesn't seem to have anything to do with overseas labour. It's just that he was replaced by an outsourcing company (in his own country).

    About the reduction in pay comment, if you were sent home with a 50% pay cut would you be happy about it? Or would you be hitting monster.com on your 'extended' lunch breaks. I don't think it's really practical to half-way lay-off people, because the employees won't be at all loyal after that.

    --
    This post cannot be rebroadcast without the express written consent of Major League Baseball.
    1. Re:Editor's comments by nate1138 · · Score: 4, Informative

      I don't know about that. If I could work from home, I could get rid of one of my cars (no public transit where I live at all) and all the associated expense. That would easily make up for a 20% pay cut (between the payment, gas, insurance, maintenance, etc). I think it would also be VERY appealing to those of us with children and two working parents. Get to work from home and be there when the kids get back from school. It doesn't apply to everybody, but for some folks it may be an option.

      Now if they tried to send me home at half pay, fuck em. I'll take the money and find a new damn job.

      --
      Where's my lobbyist? Right here.
  16. You were set up by pegr · · Score: 5, Insightful

    Not sharing the results with the net security people is the giveaway. They wanted to fire you, and told the consultants that that was their goal. I'm in the biz, and what they did was way outside of accepted practice. So who is the company? We'd like to know who to avoid. I know the Big Four play this game, for their love is for money, not the best interests of their clients...

    1. Re:You were set up by kevlar · · Score: 2, Interesting

      Yes, Name the names. Inquiring minds want to know. Post anonymously if necessary.

    2. Re:You were set up by Anonymous Coward · · Score: 2, Insightful
      I agree, that was the very first thing I thought of when I read the story. I've heard from friends and coworkers that've had to fire people in the past, and apparently even though in the U.S. an employer has every right to fire somebody under normal circumstances, just about all employers are worried about lawsuits from the ex-employee.

      So the solution is to have some sort of paper trail that outlines a cause. That way if it does end up in court, they've got ammunition. In this case it sounds like things happened exactly like the parent poster said-the consultants were brought in to provide justification.

      Which begs the question-why did the company decide they needed to let the guy go? It might have been pure numbers ($), but maybe not. Something to think about.
    3. Re:You were set up by nehril · · Score: 4, Insightful

      I work in the biz too, and pegr is 100% on target. The other company's salesmen had already sold the "security outsourcing" product to your management (security outsourcing is real big these days). The assessment was just management's cover to get you out of the picture.

      When they say you were the "security risk" they mean that a single person in charge of security is not as reliable as their managed service, because you can become sick, disgruntled or killed crossing the street, but their crack team of mega analysts never sleep, cover for each other as needed and are immune to bus collisions. All for the low-low price of only 3x your salary.

      I don't recommend you mention your ex-company's name publicly since you have already lost this battle and you do not need to be seen as disgruntled in any way (cut off all contact to save yourself, otherwise the enemy consultants may blame the next breakin on YOU. they might anyway).

      However it *would* be nice to know the name of the consulting company that shafted you.

    4. Re:You were set up by n3k5 · · Score: 3, Insightful
      Post anonymously if necessary.
      It would be smarter to send an e-mail to the editor who posted this story, so he can add the company name to the story. That way no one knows from whom the info is, but we know the editor could check it came from the right anonymous 'coward', and not just any anonymous coward.
      --
      but what do i know, i'm just a model.
    5. Re:You were set up by Elwood+P+Dowd · · Score: 2

      1) Whoever posted this is a fucking genius.

      2) We have no reason to actually believe that it was Counterpane.

      --

      There are no trails. There are no trees out here.
    6. Re:You were set up by horvathcom · · Score: 3, Interesting

      I was wondering if it was them. If you read Bruce Schneier's Secrets and Lies, you reach the end and figure out the whole book is a way for them to sell their services.

      1. Security is tough.
      2. It is best left to professionals.
      3. You are better off hiring those professionals rather than trying to develop it yourself.
      4. You should hire us.

    7. Re:You were set up by theLOUDroom · · Score: 2, Insightful

      I don't recommend you mention your ex-company's name publicly since you have already lost this battle and you do not need to be seen as disgruntled in any way (cut off all contact to save yourself, otherwise the enemy consultants may blame the next breakin on YOU. they might anyway).

      What kind of crazy stance is this? Fear, fear and more fear?

      If he didn't attack them, they can't do @#$%, meanwhile he can sue them for slander if they try to claim he did.

      --
      Life is too short to proofread.
  17. Re:Sounds Like a BOFH episode by sphealey · · Score: 2, Interesting
    That really sucks, but I doubt there is anything you can do. Except learn. Next time you need to be the bigger bastard [slashdot.org] than they are
    He might have a libel/slander case against the outsourcer. Worth talking to a lawyer about anyway.

    sPh

  18. Horrible... by JanMark · · Score: 2, Insightful

    How some companies can make all the wrong decisions! But let's face it, anyone whose job it is to protect against (insure against, etc.) has a hard time justifying the work he/she has done: The more successful you are, the more it seems you are not needed. Also, if some expensive advisor labels you, there is pretty little you can do. The combination must be deadly. Not much you could have done. Your former boss will pay the price in a year or so, and he will remember you. But it's not much of a solace for you.

    --
    -- (:> jms cs.vu.nl (_) --"---
  19. work from home discount? by ed.han · · Score: 5, Insightful

    "here's a question i always wish i could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?"

    do you think that this would be a good idea, overall? think about where this winds up going if it becomes a trend in, say, 3-5 years time: it becomes a price war, and it's one that domestic employees cannot win. cost of living is just higher here than in a number of other countries.

    i think this is a very, very bad idea, and one that's not just bad for you personally, but also for people in the industry overall. it would have the effect of dropping IT salaries across the board. in essence, you would be arguing that you're overpaid. not a good idea, IMHO.

    that said: shame the PHBs were the ones making the decision. were there many others affected? this smells like a small bloodletting to help a business in a still underperforming industry cut some heads and increase profitability.

    ed

    1. Re:work from home discount? by Samrobb · · Score: 2, Informative

      Pfft. Maybe I'm unusual, but quite honestly, when I work at home, I spend more time working (although it probably helps that I essentially don't watch TV at all). I don't have to commute - there's an extra 60-90 minutes right there. Home life and work life can blend - while I can take 30 minutes to watch the kidlets while my wife runs an errand, I also can (and do) treat dinner as a "break" before going "back to work" for an hour or two in the evening.

      My wife's happy because I'm home (instead of elsewhere), the kids are happy because they get to see dada all day (instead of just in the morning and in the evening), and I'm happier because I'm able to go heads-down and concentrate on my work. I'd hate to work at home every day - there's some office interaction, face-to-face discussion that's really much more efficient than email communications - but I'd have to say that my ideal work situation has morphed into working at home 1-2 days a week.

      --
      "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  20. Re:Sounds Like a BOFH episode by Omegaunit · · Score: 2, Informative

    http://bofh.ntk.net/Bastard.html

    --
    // Empires come and go we live forever
  21. this is what geeks do... by SQLz · · Score: 2, Insightful

    Geeks buy books and learn more things and get a different job. Faux geeks file for unemployment.

    1. Re:this is what geeks do... by Wolfstar · · Score: 2, Insightful

      ...and intelligent geeks file for unemployment, then use that to go out, buy more books, and learn more stuff, all the while taking a short and relaxing "vacation".

      Implying that filing for unemployment is only for those people who aren't legitimately interested in their field is obnoxious, insulting, and incorrect. What Unemployment allows you to do is find a DECENT job while boning up on your skills.

      --
      You thought that this sig was what you think that I thought you wanted me to think. I think.
  22. welcome to life in the 21st century by 56ker · · Score: 2, Insightful

    These days nobody has job security. My suggestion (if you want to get your job back is thus - and should be quite simple as you worked in network security).

    1. Perform a "vulnerability assessment" of your own. Possibly even try something similar to Welchia - to demonstrate a) that their computer systems are insecure and b) that outsourcing your job is leading to weaker security

    2. Point out that in twelve months of you working in the job there was only one network intrusion Welchia and that you dealt with that within twenty minutes!

    3. Point out all the flaws in their new outsourced network security

    4. Suggest that if they want their network to stay secure that they outsource to you at double or triple your salary. ;)

    1. Re:welcome to life in the 21st century by MAXOMENOS · · Score: 2, Insightful

      Don't kid yourself. You're a politically expedient piece of legislation away from getting downsized.

  23. My time is as valuable in or out of office. by Shivetya · · Score: 5, Insightful

    Don't give employers this idea that working from home is a reward. My time is as valuable while in the office as outside of it.

    Working from home will already save them money on heating, cooling, parking, insurance, and office space. There are also tax benefits in certain areas of the country for implementing such environment and traffic friendly procedures.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  24. Things are looking up by QuackQuack · · Score: 5, Interesting

    I work for a software company. After many months of people having a hard time getting interviews, and very few leaving for other jobs. In the past three weeks, suddenly we had seven people announce they are leaving for new jobs. I have a friend who was recently laid off from another tech company a couple of weeks ago. He's had quite a few interviews already.

    Things seem to be looking better out there. New jobs will replace the old ones lost.

    --
    By reading this sig, you agree to the terms of my sig license.
  25. Executives are not safe either... by slashbofh · · Score: 3, Funny

    As reported by "America's Finest News Source" this is even happening to Company CEOs!

  26. Just move on by Spandau87 · · Score: 2, Insightful

    The worst thing you can do is overanalyze the situation. That's not to say you can try and learn something from the events that happened, but the best thing to do is just move on. A similar situation happened to me and it really got me down, but I stepped back, reframed everything and realized this probably was a good thing since the work environment I was in was really going downhill. It sucks, but keep your chin up.

    --
    This Space for Rent.
  27. What constitutes a "failed" audit? by PureFiction · · Score: 2, Interesting

    You didn't mention any specific vulnerabilities that were directed against you in this audit. Were there any legitimate holes that you overlooked or was most of the report fabricated?

    Security is a complex task in any environment (from physical threats, unknown vulnerabilities, social engineering, misconfiguration, etc) and the increased size and complexity of networks and systems means this problem will only get worse.

    Having what sounds like a single security / administrator handling a financial computer network does sound risky to me personally (but maybe you were just singled out among your coworkers?)

    Your comment about telecommuting is a good one though. No longer requiring physical presence to do a contract or work some other position could free you up for additional tasks at other companies bringing your overall salary to a decent level.

    Both parties get what they want in the deal; businesses with inexpensive, on demand services; engineers working an efficient schedule for multiple clients (thus good wage despite lower prices on individual jobs)

    I'm not sure what kind of reputable engineer you would need to be to pull this off. Liability is going to be the major sticking point on any contract or work-for-hire (until you get a proven track record of completed, functional projects)

  28. "Security Risk" Label by richg74 · · Score: 2, Insightful
    I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.'

    Do you have anything in writing that says this? If you do, it might be worthwhile to have a quick chat with a lawyer. (If you can't afford one, your local employment assistance agency or legal aid society might be able to help.) IANAL, but I would think that making this kind of claim without any evidence to support it might be actionable.

    If you pursue this route, I would not try to get the job back. You've found out the hard way that the people you worked for are intellectual and ethical cretins. Try for a cash settlement, and then find another job.

  29. What's a Geek to Do? by letxa2000 · · Score: 5, Funny
    Hmm, given your experience I would start an 'Outsourced Network Monitoring and Intrusion Detection' and start offering your service to companies in your area. Then, label each responsible network administrator as a security risk and get them fired.

    1. Re:What's a Geek to Do? by Anonymous Coward · · Score: 3, Funny
      Hmm, given your experience I would start an 'Outsourced Network Monitoring and Intrusion Detection' and start offering your service to companies in your area. Then, label each responsible network administrator as a security risk and get them fired.

      The directors of the firm hired to continue the outsourcing after the other people had been sacked, wish it to be known that they have just been sacked.

    2. Re:What's a Geek to Do? by dgrgich · · Score: 5, Funny

      This reminds me of the funniest joke on earth.

      Two hunters are out in the woods when one of them collapses. He doesn't seem to be breathing and his eyes are glazed. The other guy whips out his phone and calls the emergency services. He gasps: "My friend is dead! What can I do?" The operator says: "Calm down, I can help. First, let's make sure he's dead." There is a silence, then a shot is heard. Back on the phone, the guy says: "OK, now what?"

    3. Re:What's a Geek to Do? by decepty · · Score: 2, Funny

      We apologize for any confusion this may have caused you and wish to assure you that the executives who sacked the directors of the firm hired to continue the outsourcing after the other people had been sacked have just been sacked.


      Disclaimer: (before you get all crazy moderating this "offtopic" or "redundant" you need to brush up on your Python knowledge...)

      --
      Be careful! Bears shouldn't consume large furry dogs.
  30. Re:Fashion. by ThomasXSteel · · Score: 3, Insightful
    Outsourcing is a fashion. It will pass soon.

    HAHAHAHA!!!! Tell that to former American steel, auto, textile, and rubber workers. You must not be from the Rust Belt.

  31. Slanderous conduct? by JohnnyGTO · · Score: 2, Informative

    Could being labeled a threat, which then causes you to lose your only source of income, be actionable?

    Seems to me that if my employer was happy with my performance before the audit and I truly was no risk, I'd get a lawyer and sue both the company and the third party.

    I had something similar happen to me back in the 80's and have regretted not taking action against what turned out to be a bunch of bastards.

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  32. the good, the bad, the ugly by Broadcatch · · Score: 4, Interesting
    I was "outsourced" two years ago and after 25 years of seamlessly moving between companies with never once even writing a resume, I haven't been able to get back into the market.
    • the good : I've had lots of time to play with my 2 year old son
    • the bad : I've got a family to feed
    • the ugly : I'm learning that experience in the industry hurts one's chances to land a job, as we're considered "too expensive"
    I've found a few consulting gigs to help, but now I'm moving out of the Bay Area - can't afford to live here anymore.
    --

    The antidote for misuse of freedom of speech is more freedom of speech.
    -- Molly Ivins

  33. Sue them... and find a new job... by jorlando · · Score: 2, Insightful

    "I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.' "

    If you have been fired with that argument and if you performed your job within the expected parameters find a lawyer and sue them.

    Not for vengeance or something like this... just business...

    Have you thought about your future employers calling your old job for references? "The old network admin? Well, nice guy, but was fired because he was a security risk"

    and move on...

  34. Re:Sorry, something doesn't sound right. by NickFitz · · Score: 4, Funny
    What exactly was the reason you were fired?

    From the second sentence of the story:

    a 3rd party vendor, who labeled me the major security risk

    Reading between the lines, it seems that a 3rd party vendor labelled him a major security risk. But I'm just guessing.

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  35. Re:Maybe it's time for the technocratic war to beg by jalefkowit · · Score: 5, Insightful
    I'm on call 24x7x365 while the CEO sleeps... The none technical types need to understand where info power resides.
    If you're on call 24/7 while they're home sleeping, it sounds to me like they've got a lot better handle on where power resides than you do...
  36. Why (on a macro scale) is outsourcing bad? by otisaardvark · · Score: 3, Insightful
    The tactics of this particular company sound a bit iffy, true. But why exactly should someone equally qualified willing to work for less not get the job?

    It is very hard on those who it affects, but the economic reality is that the money saved in efficiencies (even if it only goes towards fat cat bonuses) is very tangible.

    There is illiquidity in labour pools because of immigration laws etc., but the internet removes these barriers. The global workplace is here, and as a result the market is freer than before.

    It is quite feasible that if (eg) Russia in fifty years time will farm out its "boring" nanotech analysis work to the US. Like it or not, standards of living in 2nd and 3rd world countries are going to improve, sometimes at the expense of sections of the 1st world. However, overall and in the long-term, competition leads to better economies all round.

  37. Perception is the reality by BigGerman · · Score: 5, Insightful
    Always remember that.
    The guy could be right, the guy could be wrong - that is completely irrelevant. The perceived reality is:

    the guy was in charge of network security

    the third-party audit was performed (why? did they look for an excuse to dump him?)

    Vulnerability was found

    The guy was sacked.

    That is all that matters. Waste your time - blame outsourcing, Republicans, little green men.
    Get over it, fix the resume and get back into the game. American corp environment is completely free of common sense and logic.

  38. Nice network you've got here, Colonel... by The+I+Shing · · Score: 2, Funny

    This is like the Army Protection Racket sketch from Monty Python. The foreigners come in, "That's a nice network you've got there, Mr. Corporate Executive. It'd be a real shame if someone were to, you know, hack into it, maybe set your building on fire, you know... a real shame..."

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
  39. What I would do. by Angostura · · Score: 5, Insightful

    You make some extremely good points, and you make them cogently and cooly.

    Personally, I would set down my concerns; about the possible conflict of interest in the study; about the lack of technical oversight of the report's findings in a letter and send it to the company CEO.

    The letter should be couched in such a way to make it clear that you are writing because you are concerned about the company's security; not because you are disgruntled. Make that very clear, mention in passing the facts about your recent appraisals, and bonus payments.

    Leave the CEO in no doubt that you are a professional and you are concerned that the company may be being set up. Tell the CEO that (s)he should not hesitate to contact you, to discuss the issues.

    At the very least it will make you feel better. It may even get the company to rethink its policy.

    1. Re:What I would do. by bigpat · · Score: 3, Funny

      oh ya and don't forget to post your letter to slashdot... to leave no doubt that you are a professional.

  40. Re:What's good for the goose is good for the gande by mbrinkm · · Score: 5, Insightful

    I've heard stories of people doing the "revenge hack" to prove that the new security is worthless, then ending up in jail. Why would anyone want to risk jail time to get a job back at a company that obviously would rather listen to a contract consultant rather than a member of their company?

    --
    "Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." --Howard Aike
  41. Wrong war by lone_marauder · · Score: 5, Insightful

    You are not a casualty of off-shore outsourcing. You are a casualty of the battle between consultants and in-house IT expertise. Not that you're any less screwed, or that I'm any less outraged. And yes, I am a security consultant.

    The first thing I would have done is mention the name of the company that screwed you. I think this would give other in-house specialists pause before recommending them to management. Our own company's business model is built around providing the opposite sort of experience from the one you described. When we audit, we work with the IT staff, not against them, and we do so with the understanding of having "been there" (because I have been). We try to position ourselves as the guys who will tell it like it is, without panic, arrogance, or exaggeration, and we tell it to you, not your boss's boss.

    I have enormous disrespect for any network security firm who attempts to abuse the politics of their client's business to get ahead. Getting somebody fired in order to pursue a business opportunity is beneath contempt and possible grounds for a lawsuit. I wish you luck.

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  42. Ask the Headhunter by jdavidb · · Score: 3, Informative

    I can't recommend Nick Corcodilos' Ask The Headhunter enough. This advice is just wonderful, either for getting a new job, or for showing your worth to your current employer. It takes a little bit of mental adjustment to accept what he says (and it may be a bit scary), but he is absolutely right about how to go about it! The problem we in IT face right now is the feeling that our worth is going down as many of us are replaced through outsourcing and foreign labor. Brush up your skill set, but most importantly, learn how to apply your talents to solve real business problems in terms of dollars and you will never doubt your worth (nor will your potential employers).

    ATH's advice is great. Be sure to get the book, read as much of the website as possible, and subscribe to the weekly newsletter. It's the only HTML mail I receive every week that I actually look forward to and enjoy reading.

  43. Well... by lrt512 · · Score: 2, Informative

    Without knowing what they said in the VA report about exactly *why* you are a major security risk, it's pretty hard to interpret what they were thinking. Perhaps there's someone at your former employer that you can contact to get at least an idea of the why?

    Certainly if you were the only ITS employee around, that's a lot of potential power in one person's hands. That said, I'd recommend that some sharing of responsibility be made, some sort of check and balance between you and someone else if it was really a concern. If the VA truly did recommend that you be let go, that's at best a poor solution, and at worst a highly unethical conflict of interest with their product.

    A vulnerability assessment does need to look at everything from personnel to the nuts and bolts of the hardware, but it also gives only recommendations for safeguards pertaining to those vulnerabilities... the final decision as to your fate could only have come from the brass of your former employer. You do have a right to know why you were let go; you should pursue that. "You're a major security risk" is NOT good enough.

    L

  44. Keep an eye on them by Artifakt · · Score: 2, Insightful

    If the people doing the assessment cut ethical corners to get this contract, then they probably will cut corners in performing this contract. Give the company six months or so, then contact some of your fellow employees who are still there and, at a convenient point in the conversation, steer it towards whether the new service is doing its job well. If the network has been down with a virus five times in the last six months or so, the board members or minor stock holders might be very interested in your opinion. You won't get your job back, and unless you handle it delicately, you might just get branded as a trouble maker, but if you can stay focused and professional, you might get the people who actually made the decision to join you on unemployment.

    --
    Who is John Cabal?
  45. Re:What's good for the goose is good for the gande by Anonymous Coward · · Score: 5, Interesting

    I'd say he should contact his former employer and offer to perform testing of the outsourced security system as a consultant -- after all, he knows those systems as well as anybody else. Then he should try to hack the system -- since he's working as a consultant, it would be legal to do so.

    Then when he's able to hack in through the outsourced security system, he should state that the outsourced company's report was right -- a disgruntled former IT person is a big threat, but since he knows the tricks he'll know how to counteract that threat.

  46. Re:If the job gets moved... by diersing · · Score: 5, Insightful
    Because it's not always that easy, considering you may have other ties to the community other than employment (like family, friends) or maybe you just love living where you do and there are other places to work.

    I too was 'downsized, right-sized or outsourced' depending on your point of view. In my situation, I was not offered the opportunity to move with my job as it wasn't 'my job' anymore as it now belonged to a 3rd party (another company in town performing those functions that used to be mine).

    Because we were 'audited' and told repeatedly it was non-threatening and the new CIO was just getting a *pulse* of who was there and what we did... when we showed up for the wrap-up meeting that was to be an information exchange of what was discovered and what the next move was, we were quite surprised to get our walking papers.

    Naturally the audit was nothing more than a 'gather all the information you need to support us going forward' project. The better option, IMHO, would have been to tell us what was going on, I would have been more helpful and forthcoming as the enterprise I helped build/design/deploy had many MANY exceptions to standards and rules because of business need. Several weren't documented and as a result the transition has been painful for them as they discover these exceptions and scramble to fix them. I think a better question to this topic would be... 'when you're considering outsourcing, what is the best way to implement?'.

    The "keeping the guys in the dark" approach is bad for PR in the IT community. In my situation, the company was very generous with the severance package and if I had known it was to be offered I would have bent over backwards to help make the transition smooth.

  47. No one has asked so... by Cragen · · Score: 2, Interesting
    On what grounds were you labeled a major security risk? Publish them here, please. Verbatim. We don't know a thing about you, your company, vendor, etc. It is possible you WERE a major security risk. I do not think we should assume innocence or guilt until we have seen something in "writing". We have not seen any of that, yet. I think everyone should hold off any assumptions either way until more info is brought to the table.

    *cragen

  48. Re:What's good for the goose is good for the gande by Anonymous Coward · · Score: 3, Funny

    No. He should just post the name of the company he was fired from... and they will have legions of crackers breathing down their necks now.

  49. litigate by prgrmr · · Score: 2, Informative

    I was pushed out by a 3rd party vendor, who labeled me the major security risk, after performing a 'vulnerability assessment.'

    False statements that negatively affect your employment are actionable in most states. Unless they have documented, specific, realistic vulnerabilities, I'd go right to my attorney and file a multi-million dollar libel suit against both the 3rd party vendor and your former employer.

    Good luck with your career.

  50. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  51. Auditing... by softspokenrevolution · · Score: 2, Interesting

    Now, here's something interesting. A little bit back, if you recall, there was this big scandal with a large energy corporation called Enron. Now, it seemed that they were cooking their books like there was no tomorrow (which in fact there wasn't). A big part of the problem is that they were using their auditing company as their general financial friend too. What does this have to do with your problem?

    Simply put, the idea of a third party review of anything is to get a clear and objective review of whatever is being audited, whether it is a company's financial dealings or its network security. Now, was your company's third party review objective, no.

    I don't know the details, but from your post I do know that the company doing the auditing had a financial interest in giving your network security team a bad grade.

    On the bright side of it, the people you worked for seem to be missing the point of auditing (which probably means that they missed that day in Business school or that they are stupid). I mean, a 'financial institution', you would think that they would have learned the lesson of the past few years.

  52. Why wait until you're out of a job? by Quarters · · Score: 3, Informative
    ...should I just start polishing my resume right away?

    It always confuses me why people don't keep their resume up to date at all times. It's much easier to amend your resume as you are doing things than it is if you wait until you need it quickly and then have to rack your memory to dredge up the things you did over the past x years.

  53. This has been happening for a while. by aml666 · · Score: 2, Insightful

    Six years ago the company I was working at hired an "efficiency expert" (yeah... yeah... the Bobs). This person spent three weeks interviewing people and taking notes. In the end he recommended letting our IT Manager go because he was wasteful.

    The company did NOT follow his recommendations... one month later the BOB submitted his resume for IT Manager.

    People suck.

    --
    www.thejulingtoncreekplantaion.com
  54. Read 'The Grapes of Wrath' by CatGrep · · Score: 2, Interesting

    Sure, we're not living in our cars (yet) and we're not getting beat up just for talking about organizing (we're ignored), but there seem to be a lot of parallels between what was happening to Okies in the '30s and programmers today. It's amazing how the same kinds of corporate greed issues are still happening just the same as they were then. Essentially, offshoring puts downward pressure on our income just as bringing in too many workers did to farm labor back then. The main difference is that it will do us absolutely no good to unionize since the corporations have a huge supply of workers willing to work for nothing (at least from our perspective).

    Just like in the book where the price paid for a picked box of peaches went from 5cents then 2.5 cents (for a ton, as I recall), the same is happening to us programmers. A year and a half ago I had a C++ contract working at $40/hr which was easily $10 to $15/hr less than the year before that. Last week I accepted (after not having paying work for over a year) a C++ contract at $35/hr. What will the going rate be in another year?

    Global free trade/capitalism is a race to the bottom.

  55. I've had this happen. It doesn't work. by Amiga+Lover · · Score: 4, Interesting

    I was removed from my job where the majority of my team's time was spent monitoring our data centre, and calling in whoever we needed, when we needed, to fix glitches. I was proud of our work, and it's one of the times I truly felt a true "team player" that so many employers are after.

    In the space of 3 months, two separate consulting firms recommended our tasks be outsourced. We all lost our jobs, and what comes out in the wash? The outsourced monitoring company is a subsidiary of one of the consulting firms. No surprises there.

    Now, my employers have gone from having a small dedicated team who treated their equipment as their very own, to having a useless 'monitoring' company who not only can't detect an outage to save themselves (when the most clueless of managers has needed to contact them to ASK if a server is down when it's been out all night, things are bad) but don't actually do fixes themselves, but re-outsource those also

    Last I heard email went out for 4 days. Our worst was a 3 hour fix, which was a combination of intermittent server problems and a backup clean slate machine that failed right after install, so we needed to source and rebuild a box from scratch. The new firm's best time is over a day.

    The only thing I like about the whole situation is they're getting what they deserved, and are locked into it for another 18 months. Morals be damned, schadenfreude is fun.

    1. Re:I've had this happen. It doesn't work. by Perl-Pusher · · Score: 2, Insightful
      I currently work for an outsourcing company

      My experience has been that outsourcing companies (at least the one I work for) and their employees take BETTER care of the systems than in-house employees.

      No conflict of interest there! What crack are you smoking?

      The companies you outsource to have different priorities than your company. How many of those companies are going to work extended hours to rush deployment of a new system the company needs?

      These companies have more than one client and the biggest fish will always get priority. Things always work great the first 90 or so days till the contract becomes secure and then the priorities of the 2 companies diverge.

      I have seen this happen time and time again. The stupidest decision a company can make is to outsource anything central to the company's well-being. I know of a company that was a web based database of travel deals. They outsourced their web and database hosting and development to another firm. They only kept the business side (getting the travel deals from the airlines, customer service etc.) After a while they had problems with getting the database updated timely, couldn't connect (oracle always was the scapegoat) etc. The company had to go through 3 different companies, until they figured out how much of a mistake it was and brought everything back in house. Guess who is their biggest competitor now? The very first company they dealt with!

  56. Can't beat 'em? Join 'em! by saudadelinux · · Score: 3, Interesting

    SafariShane needs to get onboard with a company that does this kind of work. A buddy of mine ran a one-guy development/network admin company for several years, and got into security as well, picking up a cert or two.

    Due to the economic downturn (and his bread and butter client not falling under the Prompt Payment Act), he had to get a job with The Man.

    He got a job with these people, as the tech half of a two-guy sales team, by leveraging his knowledge of Windows and *nix networking and security.

    He's working like a sled dog, can't say anything about what clients he's seeing, or much about the product. But he's a very, very well paid sled dog in terms of base salary, benefits and commission; he went out and got a 32" TV and laser-corrected his eyes.

    --
    I didn't think the house band in Hell would play this badly.
  57. IT going the way of advertising by Lord_Dweomer · · Score: 2, Interesting
    I'm starting to notice a trend. I work in advertising/marketing (yeah yeah, don't kill me, we're not all evil and incompetent). Advertising used to be handled by the companies directly. Then they realized it was cheaper to hire an agency who did nothing BUT advertising, and thus provided better skills for less money.

    This sounds like where IT is heading. And keep in mind that companies still have marketing departments that interact with the agencies to make sure things work right.

    Why not embrace this model and start up your own outsourcing firm? It's obviously profitable, and with the growing number of extremely skilled IT workers out there that are unemployed, I'm sure you won't have a problem finding talent.

    --
    Buy Steampunk Clothing Online!
  58. Maybe it wasn't just your role. by Tyb · · Score: 2, Interesting

    In fact, I received a 12.5% raise only two months ago for job performance.

    If your story is right on accurate, then this is truly a travesty. Sitting on the other side of the desk, though, it may have made financial sense to outsource your responsibilities. If you fail, the company has no recourse. If they fail, it's a civil court problem that brings money back to the company. On another thought, they may have underbid your salary.

    Although an important thing to have, the responsibility of network security is basically insurance for the company. The fact that they only had one intrusion in 12 months may have made outsourcing that insurance at a cheaper rate a good idea...after all, historically there hasn't been much threat.

    --
    THE INTERNET: Making Geeks cool and porn available to minors since 1987
  59. I am a security consultant... by JRHelgeson · · Score: 5, Insightful
    We outsource security all the time, and we have our outsourced IDS products, etc.

    One of the first things I say when I meet with a company is tell them that it's not the IT persons fault that the company is insecure. Network security is a relatively new field that ALL companies in existance are trying to get their arms around. I do NOT want to put anyone out of a job just for the sake of getting some consulting dollars. I feel that it is my responsibility to train the internal staff to be more aware of security issues rather than to terminate everyone and outsource it all.

    How can anyone that's not even on-site on a daily basis make the network more secure? When it comes to real security, you need to start with the folks that know the network the best. If they're resistant to change, then fire them. If they're willing to learn, train them.

    Network insecurity is fundamentally a management problem. Security initiatives must come from the top down, not the bottom up. I have never met a network administrator yet that has set out to create an insecure network. They likely were ignorant to the threats - therefore they needed training, which should have been ordered by management. Otherwise, you have security aware employees that are trying to push security up the chain to management, and management is completely unresponsive.

    I recently blasted a luddite CEO for not paying enough attention to his IT department. His company was compromised by a hacker and I came in to clean things up. I asked him; "Do you realize that your business relies 100% on what goes on in that server room?"

    Things are now changing in that company. We've now established data owners on the executive committee (Those that will hang if the data they own gets compromised), and now the IT department actually has a budget. 80% of the time I spend doing my security consulting is with executives, the remainder is with the technical staff giving them direction and training/pointers.

    Anyone that preaches anything different is trying to sell a magic fix for security, which doesn't exist.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  60. Great Logic. by Dr.+Bent · · Score: 3, Insightful

    Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?

    Oh there's a fantastic idea. All I need to do now is figure out how to live without paying for food, clothing or rent and I'll be all set.

    Do we really need to go over this again? Repeat after me: You cannot compete with 3rd world labor costs. Ok, now just the guys! Good, now just the girls...Oh right, there's no girls here.

    The only way you're going to be able to keep your job is to do something that offshore workers can't do. What is that, you ask? Well, you could start by actually caring about the business that you work for. Too many IT people are so concerned about the technical aspects of their jobs that they don't take the time to learn (and care about) how the business they work for actually makes money. This may have been OK in the late 90's, but IT people are getting the harsh reminder now that the reason that you have a job is not to play with the latest technology...it's to make money.

    It's your job as an IT professional to bridge the gap between business and technology. You need to be thinking about things like Return on Investment. You need to be thinking about the business needs of your customer...keeping in mind that your customer is probably not a techie like you and only cares about things like "How much does it cost", and "Will it work with what I have now" and not whether or not it runs on Linux. Most importantly, you need to be thinking about money first and technology second. Only someone who is physically present at your place of employment is going to have enough information to make decisions based on those priorities, which is why people who ignore them are finding their jobs shipped overseas.

    1. Re:Great Logic. by pjkundert · · Score: 2, Insightful

      Finally, someone who has a clue! Thanks, Dr. Bent, for the insightful comment. They are few and far between on this topic.

      I can't believe how many times I hear people that are supposed to be independent, free-thinking professionals use the term "PHB", referring pejoratively to their managers, and then complain about getting let go!

      Do you need to be beaten with a Clue Stick?

      I ran my own consulting business for 6 years (not in the computer industry), and one thing I learned -- the vast majority of people don't take responsibility for their actions, don't invest the time and effort to learn the business they are in, and blame others when things go wrong -- especially when you have to let them go. I finally folded my business, because I figured out that I would rather program than lead people. But, I learned a few things along the way by wearing the "leadership" mantle.

      If you are in the technical industry, and are competent, and are working for a manager who is incompetent, it is YOUR FAULT! Do you know why? Because it is always your fault. Period. No matter what happens. It doesn't mean you are a bad person. It's just the way it is. Life isn't fair. After I shut down my business, me and my wife were 1 week away from living in a ditch. Was it my fault? Yes. Could I have blamed my people, my mentors, my wife, someone 3000 miles away that could convince someone that they could do the same thing I do, but cheaper? Sure! What the heck good would that do? Oh right, it would make me feel better. But, we'd still end up living in a ditch.

      However, would you get into a car with a drunk behind the wheel, then complain when the car crashes, and you get injured? Hmmm....

      First, start to respect your leadership. Even if they are "PHB"s. Because, like it or not, they know how to do some things better than you -- maybe only the ability to bullshit and shmooze their way to the top -- but they are there, and not you. If you are so smart, go and take their jobs. If you are even smarter, arrange for someone better than you at leadership to take their jobs. If you don't want to do that, shut your pie hole.

      Second, get a clue about your business. If you can't present yourself in such a way that you are not perceived as more valuable than some faceless name 3000 miles away, then you need to take a serious look at your skill set -- and not just your technical skill set. Do you know what your manager finds most important about the area you are involved in? If not, Why Not? If your boss doesn't realise how important your position/department is, are you embarking on an extended, intense education campaign to make certain he learns this? If not, once again: Why Not?

      Or, are you like most people, and believe that the "Education Fairy" is going to sprinkle magic "Clue Dust" on your boss?

      --
      -- -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
  61. They have scooby doo in india by morcheeba · · Score: 5, Funny

    Not only do they have scooby doo in india, but he's much more evil than he is in the united states -- he gives kids tattoos and has got them buying 75 gram packages of "krackjack". We americans have to settle for regular crack.

  62. Learning Experience by GamerDFWM · · Score: 2, Insightful

    Unfortunately, this sounds pretty standard. Having recently left an outsource vendor, I can tell you that all of these "takeovers" start small and innocently. The general rule of thumb is to grasp hold of three of the company's problem or large projects/systems. Once that happens, leaving the vendor changes from painful to nearly impossible. Unfortunately, all I/T personnel are under attack. With recent graduates flooding the market, the cost of employment has taken a sharp downturn. For companies that don't want to bother with training and development or can no longer support dedicated staff, outsourcing is the way to go. Although our jobs are at risk daily, many do not recognize the danger until external factors are added to the equation. You don't need to be paranoid, but you do need to be aware of such changes, decisions, and movements within your organization. To your point about coming back later with another security investigation, just walk away. If you plan on starting your own security firm, you might get away with it, but accept the fact that most people will be suspicious of your intentions. I apologize and sympathize, but you need to move on and learn to watch for the warning signs. We are all replaceable.

  63. Outsourcing won't be here for long.. by cOdEgUru · · Score: 5, Informative

    Trust me, I manage a project which is outsourced and currently employs 3 software engg offshore.

    The pluses -

    (1) Benefit in terms of costs. Well they bill us 30 bucks for a software developer where here I would assume it will be around 60.. Whoopee doo..

    (2) The supposed 24 hour day where your team onsite would plug 12 straight hours and your offshore team would plug in another 12 hours, therefore giving the client the impression that his project was worked upon for 24 hours..

    (3) Now that implementation is made separate and outsourced, the client just needs to focus on the business aspect and the design, therefore having more time to themselves to focus on issues that need attention

    Minuses

    (1) Cost is not that much better. Quite soon, firms will try to up the prices and then you will lose the benefit in terms of cost

    (2) The 24 hour Day - It's quite different from what you are led to believe. Mostly both teams would take a couple of hours everyday trying to understand what the other has done, interact and to a certain extent, also play the blame game.

    (3) The client would find himself being pulled more often back in to the implementation and design, since his offshore partner can't understand the design or has a "better" design. Chaos ensues.

    Mostly from my experiences, what makes all the difference is the people who are developing this offshore. If they are intelligent enough and have good communication abilities, then you have a success story. If what you have is a guy who did a 14 day java crash course and has one year experience in plugging java code in to Helloworld.java, then you have an absolute wreck waiting to happen. It happened to me, I had two stupid asses with whom I spent 3-4 hours every night trying to drill in, the architecture, the requirements, the implementation details. And then I would wake up in the morning and they would have probably coded 10 lines and sent two emails with questions which either are stupid or should have been asked the night before. So what you have is two asswipes who just billed you for 16 hours and turned out 10 lines of code, of which 9 you will probably rewrite and a bunch of questions which don't amount to nada.

    I don't think that any firm who is currently doing outsourcing has thought about the actual implementation through and through. They are all given rosy pictures of intelligent professionals back home plugging away on their keyboards churning out code that works on the first try.

    More so, in a few years, the real picture would come out where probably 10% outsourcing actually churned out something positive and the rest 90% lost money, less money in fact, on projects which had no direction, no able offshore partner and a bunch of developers who don't know the difference between a class and an object if it kicked them in the ass with it.

    Sorry I just had to rant, since I spent a better part of my night trying to work with some idiots and two days ago I kicked them out of the project. And in a combined 300 hour period, they coded two classes, and the style of coding will make you puke.

  64. Re:What's good for the goose is good for the gande by Glonoinha · · Score: 4, Informative

    Yea that would be a bad idea. A better idea would be to be helpful, like those guys that list all the Microsoft vulnerabilities in a public forum so Microsoft will be able to fix them right away.

    So how about listing on slashdot all the passwords, usernames, maybe the list of salaries of all the employees, ip addresses of back doors, list all that crap here for us and we will politely help the company get back on track to super-security awareness.

    Seriously though, sorry to hear about what happened. Wonder what field the next 'boom' is going to be in ... maybe we can get a head start.

    --
    Glonoinha the MebiByte Slayer
  65. It could have been my company by LiNT_ · · Score: 4, Insightful
    I work for a major MSSP. Yes, it's common practice to try and upsell our managed security services based off of consulting gigs. No, I've never heard of them trying to cut out the local security guy.

    I feel safe saying that every engineer I work with understands that our service is provided to supplement existing security practices. We can provide some security services which companies cannot perform on their own, whether because of cost or technical reasons. We cannot replace a company's entire security team. There are too many small details which need to be handled which an MSSP cannot do remotely. Nor do we want to. We'd also much rather work with a knowledgeable insider than get an incompetent IT manager whose claim to fame was programming cobol 20 years ago.

    My guess is, some overzealous sales weenie got you canned. He probably pitched the MSSP services to the suits. The suits probably replied they already had in house security expertise. The sales weenie, fearing he would lose the sale, pitched the MSSP as a replacement for you. Something he never should have done. Most sales people will do anything they have to do to make the sale.

  66. 2 questions by jrexilius · · Score: 3, Interesting

    1) what is the name of the company? This is for my own dealings. To be honest, I will take your story with a grain of salt but a little research might help me understand if I would want to do business with them or add them to my blacklist.

    2) what is your question, "how do I build stable relationships with PHBs so that free lunches and golf outings from vendors don't get me outsourced again" or "how do I prepare for 3rd party assessments/sales pitches to ensure that both they and I can be objectively analyzed"?

    Sadly, in corp IT, the answer to both questions is the answer to the first. Face time, "expectations management", proactive education, whispering sweet nothings in the ear, and many other social engineering tactics are how you build relationships with the morons in charge. This is how you will also be better prepared to deal with vendor incursions into your domain.

    Technically the way to prepare for this is to do an assessment yourself, early and often, document it, summarize it, broadcast it, and ask for money. You will get ignored and turned down but you will have a paper trail and they will remember, vaguely, that you said something about security when the sales pitch comes and they won't be surprised.

    In corp IT and much of the world, when dealing with non-engineers, technical merit does not speak for itself but appearance and posturing go a long way. So, in the future, over-communicate and advertise. Remember that most non-technical people get their educations from advertisements and sales pitches so fight fire with fire.

  67. My biggest experience with Outsourcing... by Colossus · · Score: 3, Interesting

    ...went along the same lines.

    I was working for a development firm, we had long term client who had made use of many other development firms.

    We landed a big project, the client had us work with another development firm, this one out of India to supplement our skill set, throw more bodies on the project, and so they had a clear understanding of the architecture when they took it over later.

    We came to find out that the head programmer working with us would go directly to the client and tell them how poorly we performed, that we didn't know what we were doing and other such niceties.

    The PM from the client bought it, and we were removed from the project (an action that within 6 months caused 130 people to lose jobs.)

    The other firm left with our architecture, our code, and our self esteem, we left the company with 2 weeks severance.

    The most ironic part was that these guys came in with no knowledge of the platform! We taught them to Java as we went! That was the biggest slap in the face that I have ever received.

    What are you going to do, hopefully this kind of stuff will run rampant and leave a nasty taste in everyone's mouth.

  68. Re:DUH by Mysticalfruit · · Score: 2, Informative

    Actually, if you're not a citizen of India, they won't let you work there....

    They're okay with low balling all the jobs out of the rest of world, but they're not interested in opening their own market place to foreign workers...

    Luckily, my company tried outsourcing once, the outsourcing company fucked up the product so horribly that we gave up on them, write off the 5 million and bring it all back inhouse.

    --
    Yes Francis, the world has gone crazy.
  69. Security risk? by deepvoid · · Score: 5, Insightful

    The real security risk is the outsourcing company. The number one cause of security breaches in the US during the 90's was from outside (foreign) contractors who had access to information of a confidential, secret, or restricted nature. Now instead of having access to the data, they have access to the methods as well. Having a cheaper Software Engineer or Security Analyst does not mean you will get better engineering or more security. As evidence look at the airport system. The wages paid to security personnel are some of the lowest in the country, and hence cannot keep more skilled individuals. Ex-convicts and high security risk individuals can be found in those occupations due to the poor fiscal incentives. We all know what that poor security led to.

    The lowest bidder does not necessarily produce a quality product. When is the last time you found real wood in a piece of furniture in our country?

    I have heard the statement that the market is moving overseas to customers in China and India, and thus it is imperative to hire from those localities. But why? If there are no skilled labor or engineering jobs left in the country, what will people do to make ends meet? Occupations at the top of the food chain will suffer as well. Already CEOs in some companies are being replaced by their foreign counterparts, and while the ousted CEO may have money in the bank, his children will end up in a shrinking service industry. Why will it shrink? Because the people they serve will no longer have any money.

    When labor went away, blue collar workers were forced to retrain in other fields, many just retired. They pushed their children to get degrees in engineering, law, and medicine. Now the engineering jobs will be gone.

    Who will pay the taxes to support those millions who will retire in the next few years? Not the engineers and laborers, they live in China and India.

    What industry would you tell a young adult to get into, if all of them are destined to either be outsourced, or priced out of existence?

    Without the brain the body dies.

    --
    Fast machines, powerful AI, impulsive invention,... All I lack is a good espresso machine!
    1. Re:Security risk? by deepvoid · · Score: 2, Interesting

      If those engineers who either changed careers, retired, or are unemployed due to outsourcing refused to vote for any candidate who encouraged the practice, they may actually stem the tide.

      And don't think a management job will be safe. As soon as the foreign company realises that they have all of the workers, what effort will it take to "fire" the parent company and hire their own managers? Not much. American companies are merely feeding their replacements and will find themselves outsourced with their employees. There is no way for American companies to avoid this outcome. It is one thing to sell an invention, and another to sell the inventor.

      He who feeds a dragon, does not love his children, for the beast will quickly tire of his master's fare, and soon turn on his master.

      --
      Fast machines, powerful AI, impulsive invention,... All I lack is a good espresso machine!
  70. Topic For Election by attobyte · · Score: 3, Insightful

    This should be the main topic for this coming election. But I think America is too wrapped up in other politics to worry about the future of their jobs. We are so wrapped up in BS we don't see that far into the future. I bet the average American doesn't know where they will be in 2 years let alone how America will be.

    --
    I didn't use the preview button, so get over it!!!!

    Mike

    1. Re:Topic For Election by bstadil · · Score: 2, Interesting
      FYI read this assessment on Alternet,

      It makes the point you are making and points to how Democrats and notably Dean could seize this winnable Issue

      --
      Help fight continental drift.
  71. We're not called a litigious society for nothing. by lythander · · Score: 2, Interesting

    Talk to a lawyer. If you can prove even remotely that they were negligent, wrong, or malicious, try suing them. What the hell, you have time, right? They'll settle. Think of it as extending your severance a bit.

  72. Re:MOD PARENT UP! by gcaseye6677 · · Score: 5, Insightful

    If you think offshore outsourcing is bad now, just wait until IT is unionized. Several posters have commented on the disappearance of American jobs in textiles, steel, electronic assembly, etc. What do these jobs have in common? They were all unionized, and now they don't exist. I'm not saying I like it this way and that unions would not have some benefits, I'm just saying they would not work and would provide much more incentive to offshore.

  73. The other side of the story. by Maradine · · Score: 5, Informative

    Coming from the standpoint of a security auditor in a firm that specializes in Managed Security Services, let me lay a couple of things down in our defense.

    1. Security firms are told to audit against a certain set of criteria when they audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.

    2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.

    3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.

    --

    trustedworlds.net - gaming, security, and the gunk that lives in between

  74. Re:Maybe it's time for the technocratic war to beg by the+uNF+cola · · Score: 2, Funny

    Yeah, the CEO can have you replaced, but you can't replace the CEO. :)

    --
    "I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo

  75. Re:First they came for the farmworkers by tobe · · Score: 2, Insightful

    > "Theoretically it will not stop until an equilibrium is reached and the U.S. standard of living is equal to the African standard of living."

    Or vice versa.. is that so bad... ??

  76. Re:Maybe it's time for the technocratic war to beg by cravey · · Score: 2, Interesting

    I knew someone who worked for a company years ago (maybe he still does) where the bosses were similarly stupid. He was THE unix guy at a company involved with transoceanic shipping. His bosses were so paranoid that he might do something maliciously (servers on the ships too) that they made him WRITE CODE that would track what he did in the event he decided to do something unauthorized. All kinds of shades of stupid.

    The flip side of this is that most of the major IT disasters I've seen have been caused by idiot1 getting hired by idiot2 to do a job that neither idiot1 nor idiot2 knew the first thing about.

  77. Just Taste the Virtues of Capitalism.... by zungu · · Score: 2, Insightful

    I am sorry to hear what happened to you. However, it is time the American workers determined what work culture they want to work in. In third world, the foreign specialists come and sing hymns about the great American "hire and fire" system that gives flexibility to the employer to drop you like a used paper-towel. Look at UAW, they have awesome power, but then they are also labelled as evil by the republicans. In Japan, they have a life-time employment kind of system. Yet, they are masters of mass-production and a developed country too. Hence, giving a worker security of job is not so dangerous a thing as the right in America would like to believe. Well, next time they tell you about the great American capitalist system on TV are you ready to spit on them? If not then enjoy being fired. TO HELL WITH AYN RAND...

  78. Unethical by njfuzzy · · Score: 2, Insightful

    That is just profoundly unethical. The phrase floating around at the back of our minds is "conflict of interests". What company would trust a "consultant" that sells a product or service directly related to their consultation? The employer hired the consultant to determine the status of their security. The consultant recommended their own service as a cure. A job was lost in the process. That's just nasty-- the consultant was in a position where it was obviously most profitable to recommend their own product.

    --
    My Photography - http://ian-x.com
    The Deathlings (comic) - http://thedeathlings.com
  79. Re:Maybe it's time for the technocratic war to beg by surprise_audit · · Score: 4, Insightful
    You were sleeping when he put the company together, on his time, with his money.

    That's not necessarily true anymore. Dick Brown, for instance, was CEO of EDS for only about 4 years. He was recently handed about $36M and told to fuck off, and the company is still playing catch-up.

    Mind you, having a Wall Street analyst downgrade their stock, only later to say "Wups, didn't mean it..." didn't help much either. What exactly is the liability there? EDS stock took a beating mainly because of that one moron, and he gets off with a wrist-slap and an apology?

  80. Network Security Analyst - bad position by Skapare · · Score: 4, Insightful

    If all you did there was security, then you were in a bad position to begin with. Security should be a part of everything that is done, not handled simply by one person somewhere.

    Network engineer - The person or persons responsible for designing, managing, and maintaining the enterprise network should be the ones responsible for its security through all aspects of their work. Security has to be designed in to begin with, so that the network has the absolute minimum exposure and still provides a maximum ability for authorized staff to monitor and control it, while all other authorized staff can make full intended use of the network.

    Systems administrator - The person or persons responsible for selecting, installing, configuring, operating, and administering computer systems, both servers as well as workstations and desktops, should be the ones responsible for its security through all aspects of their work. Security has to be part of all the procedures so that the systems have the absolute minimum exposure while allowing authorized staff to perform the functions the systems are intended for.

    Programmer/analyst - The person or persons responsible for designing, programming, testing, and deploying new applications, or changes to existing applications, should be the ones responsible for its security through all aspects of their work. Security has to be designed into the way the application works, into its program code, properly and thoroughly tested, and then further verified once the application is up and running. And this has to be done while the application can still be fully used by all authorized staff, clients, customers, etc.

    Get the picture?

    Sorry to burst your bubble, but there should not be just one person who handles security. Depending on the nature of the business, one person might be the one who handles security coordination, but that isn't a techie/geek job; it should be more along the lines of an auditor who would be a paper pusher kind of person at businesses like banks and investment firms.

    As to your current situation I advise the following:

    Hire a lawyer. Have this lawyer contact the company pretending to be your new potential employer, and ask them for reference information about you. Actually do this twice (be sure completely different people call and pretend to be completely different companies). In one case your "new" position should basically be described as one similar to what you had at the company that outsourced you out. In the other case your "new" position should basically be central to your non-security skill set, such as a network administrator or network engineer (or whatever is appropriate for you). If they give you a good recommendation, then move on with your life and don't worry about it (just don't open your own personal accounts there, etc). However, if they give you a bad recommendation (such as "he was assessed to be a security risk") then discuss with your lawyer that situation and determine what can be done (you may have a case for a defamation lawsuit against either your employer or the outsourcing company).

    Be aware that most companies do tend to try to protect themselves from lawsuits when giving references. They may very well not specify any problems. But that can also be interpreted by future employers as a problem, if they didn't give you a glowing recommendation. You'll have to determine how that will affect your career future.

    You might want to start your own small "security management and monitoring services company". There are lots of smaller businesses that will need this kind of service (whether they know that or not ... but that's a salesman's job to work on), but are too small to hire someone full time, and not big enough to hire the big security contracting firms. In a few years, as the big security firms expand to the smaller businesses (to keep up equity growth as their big business market saturates), they may come along and offer to buy up your business. If you play your cards right, you could end up being more "successful" than the managers of the financial institution that fired you.

    --
    now we need to go OSS in diesel cars
    1. Re:Network Security Analyst - bad position by Florian+Weimer · · Score: 2, Interesting

      If all you did there was security, then you were in a bad position to begin with. Security should be a part of everything that is done, not handled simply by one person somewhere.

      Do you think that somewhat independent review is unnecessary, especially in the area of security? And who decides where required security features are implemented? Just to give an example: Sometimes, it's not cost-effective to provide the required protection level entirely on the network layer, but it can be implemented on the application layer (or by using operating system features) in a straightforward way.

    2. Re:Network Security Analyst - bad position by jonesvery · · Score: 3, Insightful
      Hire a lawyer. Have this lawyer contact the company pretending to be your new potential employer, and ask them for reference information about you. Actually do this twice (be sure completely different people call and pretend to be completely different companies). In one case your "new" position should basically be described as one similar to what you had at the company that outsourced you out. In the other case your "new" position should basically be central to your non-security skill set, such as a network administrator or network engineer (or whatever is appropriate for you). If they give you a good recommendation, then move on with your life and don't worry about it (just don't open your own personal accounts there, etc). However, if they give you a bad recommendation (such as "he was assessed to be a security risk") then discuss with your lawyer that situation and determine what can be done (you may have a case for a defamation lawsuit against either your employer or the outsourcing company).

      Good theory, but I suspect that a lot of lawyers might balk at misrepresenting themselves in this way. The other issue is that it likely won't get any information. Because of this very scenario, many companies will not offer "recommendations" for former employees; they'll verify start and end dates for employment, salary, etc. -- factual information -- but won't provide anything that might be considered subjective for fear of a lawsuit like this.

      I'll also echo another poster in saying that while your situation does suck and was clearly handled badly, it may not be that you personally represented the security risk. If (and I don't know this to be the case) you were the sole person responsible for security, or your group couldn't provide 24/7/365 active monitoring (real eyes reviewing data at all times, not just responding to specific types of alerts), then the very existence of your job could be viewed as a security risk. It's the company's fault for setting things up that way in the first place, but they may well be right to change their approach to security management.

      This doesn't mean that the company will provide better services, of course, simply that the decision may have reflected an attempt to correct a bigger problem...only time will tell whether the correction itself creates more problems for them.

      --

      * * *
      It is a dada story -- it has no moral.

    3. Re:Network Security Analyst - bad position by TheBitterRaven · · Score: 3, Insightful

      Security as everyone's job is an admirable idea, and one that I'd love to see implemented everywhere. My experience, though, as a security analyst myself has been that if security gets in the way of a project, then there won't be any security unless someone insists.

  81. Not just in IT by The Tyro · · Score: 5, Interesting

    medicine has become the same way.

    Many hospitals are contracting with large national companies to provide physician services that were traditionally provided "in house." This is most easily done for things like Radiology, where films can be digitized and shipped anywhere in the world to be read by a room full of radiologists. It's also being done (and has been for years) with Pathology services... send your slides and tissue specimens to a big lab to be examined rather than employing a bunch of local pathologists. Admittedly, there are some economies of scale that enter into the picture... "sending out" can be more efficient.

    This is also a big deal in my own specialty (emergency medicine); competition is brutal. There are large national "contract management" ER groups that are constantly approaching hospital administrators with sales people, brochures, and a pitch about their high-quality, lower-cost emergency medicine care. Contracts change hands in ER all the time, which is why a lot of ER docs live like gypsies... if your hospital outsources their ER services, you get fired, and have to find another job (if you live in a smaller area with only one or two hospitals, you can be SOL... time to uproot the family and move.)

    How do I/we fight it? Relationships and service. We make ourselves available to the administration to address concerns and problems. We build relationships with the community physicians, so that they KNOW who's taking care of their patients in the ER, and KNOW they can trust us to take care of the critically-ill. We integrate ourselves into hospital committees, and get involved in the community. We implement Quality Assurance and Peer Review to ensure that we're practicing up to the standard of care. It can be a lot of work trying to keep your job (never thought you'd hear a doctor say that, did you?).

    In ER, losing your contract/job or not usually has nothing to do with bad medicine... it's failure to "play the game" that sinks you. There may be a parallel here for the infosec geek that was fired... If there's one area where the prototypical "geek" personality probably hurts the most, it's in the eschewing of those critical relationships. It's great to have m4d 5ki11z in the server room... but a little face time with the powers that be could make the difference between paycheck and pink slip...

    There's no guarantees, however... even with all my efforts, I can still get sold out if my hospital administrator gets a wild hair, or just plain doesn't like me.

    It's business reality for lots of folks, not just IT.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  82. If you were the only Network Security Engineer... by Wolfstar · · Score: 3, Insightful

    Then actually, you ARE a pretty big security risk.

    You are the ONLY one who knows what's going on with the network security-wise. You could have them penetrated 10 ways to Sunday and they'd have to take your word for it that they're secure.

    That's the first point. The second point is that you didn't get screwed over by a network security geek, you got screwed over by a salesman who makes money for some hot-shot CEO who pays a few network security geeks to do far more work than they should be handling. I just got myself fired from a job for "not fitting in". This meant that I had personal and professional objections to monitoring network connectivity, security, e-mail, webhosting, and VPN for some 150 customers and 4-500 sites at 50 hours a week as one of 6 people doing the job. Meanwhile, the 10 sales guys have a "Vice President" title hanging off their names, don't have a clue how to use a computer, and are promising the moon while the CEO rakes it in.

    This situation is a real issue. Most of these companies are taking advantage of federal legislation requiring a certain level of security for a bank. And while it's not fair to you, you DO constitute a security risk as a sole security person. On the other hand, you also can't go back to your employer in a month and say, "Your security is full of holes now with this new provider, here let me show you." The bank's been swindled, you're unemployed, and an overworked staff just got more overworked. It's a lousy situation all around. The only thing you can do is move on.

    Though I don't envy you trying to explain away getting fired as a security risk on your resume. That's probably the second-most unfair thing about the whole deal.

    --
    You thought that this sig was what you think that I thought you wanted me to think. I think.
  83. Re:Company names by leerpm · · Score: 3, Insightful

    They won't sue you. At the very least tell us who the company doing the audit was. If they actually came after you, they would get an incredibly bad reputation for acting in very unethical ways. And you need trust to operate as a security company.

  84. Re:MOD PARENT UP! by Afrosheen · · Score: 3, Insightful

    Unionization isn't what's making those jobs disappear, it's overall labor/skill costs. Sure, unions make demands, but in Mexico there are no environmental controls. Union Carbide or Ford or whoever can set up shop down there and dump toxins into the environment all day long and nobody cares. That saves money. Also when Pablo is getting paid $20 US every day, that's a big savings too. The NAFTA is just one wonderful plan that made this possible. Textiles, well again, slave labor in another country takes care of that. Thailand, Bali, Turkey, you name it, wherever cost of living is super low, wages will be low as well.

    Globalization helps YOU by bringing down the cost of goods. Globalization helps THEM by lowering costs. The only people it hurts (ultimately) is the third world country that the actual manufacturing takes place in. Some companies have been known to buy land in these countries, destroy the local economy by buying up farms and razing them, then dropping in a factory. The people work in the factory right away just to survive.

  85. Well... Sorta! by Chordonblue · · Score: 3, Informative

    But the flipside of this is that you could end up with total incompetence in the workforce. That's fine if it's a janitorial position, but would you really want a dumbass to keep his/her job handling various functions in a nuclear reactor? What about in a financial institution you belong to?

    Recourse IS available for those who qualify. I was fired unjustly from a company 15 years ago, believe me I know. I went to the employment board and filed a grievance. In 30 days I had the choice of getting my job back or taking a settlement - I took the settlement.

    YOU don't know the full story in this situation either. Maybe a major security breach was found that the author of this article didn't know about. Maybe his company was looking to 'pare down' their IT staff anyway. My point is that in the U.S. shit can and will happen, but I believe the system works itself out. Not perfect, but then neither is a 75% tax rate under socialism.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
    1. Re:Well... Sorta! by loraksus · · Score: 2, Insightful

      But the flipside of this is that you could end up with total incompetence in the workforce.

      And this is different from the USA how exactly?
      No, seriously, I'm posing a valid question. If you've worked in IT or virtually any other job, you've seen a plethora of incompetents in virtually all areas. There isn't any push to remove these people because companies generally don't push their workers 100% and management is clueless about the actual workings of the company. "Time estimates by Scotty" also seem to work well.

      I dunno where you're getting the 75% tax rate either.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  86. Re:Maybe it's time for the technocratic war to beg by An Onerous Coward · · Score: 5, Insightful

    No.

    Try and hunt down an old sci-fi story called "The Roads Must Roll," by Robert Heinlein.

    Quick plot summary: In the future, American cities are interconnected by vast conveyor belts--called roads--which transport people and goods. A few political demagogues start convincing people that certain segments of society should be rewarded for doing "critical work." For example, the road mechanics realize that without them, society as a whole would be hosed.

    So a faction within this group of mechanics decides to go on strike, shutting off the roads and committing vandalism. Sure enough, everything stops working as the factions battle it out for control over the roads.

    The basic problem with their underlying thinking is this: There is no one ultimate locus of control. Our entire society is completely interdependent. If the network people quit doing what they do, things are hosed. The same goes for doctors, police, firefighters, manufacturers, and farmers.

    Take another example: Miners. There's an old mining slogan that says, "If it isn't grown, it has to be mined." There's a great deal of truth to that. Without mining and miners, we're screwed. But does that mean that the mining industry deserves ultimate control over our society? It's like having your kidneys demand veto power over your brain because the brain cannot operate without them.

    Management types think of themselves the same way you're asking computing types to think. According to their thinking, without a running business, you wouldn't have a job where you could ply your trade.

    Every society strikes a balance between individualism and collectivism. We're all individuals, but we're also functional units within a larger system that keeps everyone alive. I think you've definitely drawn the line in a bad place. Whether computer gurus are under or overvalued is irrelevant; I strongly object to your basic premise: if we have the power to wreck everything, we have the right to do so if the system doesn't give us what we want. It's merely blackmail writ large.

    --

    You want the truthiness? You can't handle the truthiness!

  87. Re:DUH by larkost · · Score: 2, Informative

    Ummm.... ever hear of Green Cards? H-11B visas? The US is just as protective about foreigners working here as other countries. You can argue about the number of foreigners working in the US vs. others, or what the specific requirements are, but everyone does it.

    I was looking into trying to work in Europe, but there was no chance that I could.

    Also remember there are a lot of countries that have unemployment rates > 10%, and India is defiantly on this list. Why should they give jobs to foreigners when there are already not enough jobs to go around.

  88. Just cause? by cperciva · · Score: 2, Informative

    IANAL, laws vary from jurisdiction to jurisdiction, etc.

    That said, it might be illegal to fire you without "just cause". A conslutant's report labelling you as a security risk might or might not qualify as such, especially if said conslutant proceeded to win a contract to replace you.

    Read your contract, and consult a qualified lawyer, about what conditions your (former) employer must satisfy in order to fire you.

  89. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  90. Workers Rights by Aron S-T · · Score: 5, Interesting

    Whenever an issue like this comes up the inevitable /. knee-jerk libertarians come out of the wood-work: "capitalism good protection bad" Well maybe some of these libertarians should find out what Adam Smith was really about. His model of capitalism is based in an agrarian society with independent artisans and traders. His idea of a free market is exactly that - where everyone has equal access to market and equal information.

    Corporate America has as much to do with the Adam Smith model as the Bolshevist U.S.S.R. It's not even related to Marx' model of capitalism, for in Corporate America, capital is as alienated from controlling the means of production as labor is. Instead, what you have is a management class which calls the shots and enriches itself at the expense of both workers and owners - can you say Enron, Adelphi, Worldcom etc etc.

    Sure a worker has the "freedom" to say "fuck you" to his boss and look for another job. In theory. In practice, as the job market shrinks despite the "improving" economy (i.e. the management class being further enriched) those jobs are very hard to come by. So the worker has to bite his tongue as his workload is doubled, as her boss whittles away more and more of her "perks," as the threat of outsourcing is used to bludgeon him into obedience.

    Saying to someone "go out and upgrade your skills" is also BS. A friend of mine is in his mid-40s, extremely talented, engineer/MBA out of work for a year and a half. Who's going to hire people in their 40s and 50s, no matter how much talent and experience they have, no matter how upgraded their skills are? And you young 'uns are going to get there faster than you think.

    Corporate America demands obedience, makes people work like slaves, uses them, chews them up and throws them out when they no longer are useful. Maybe we should just kill off laid off workers so we don't have to worry about unemployment insurance and welfare?

    And no I am not speaking out of personal bitterness. I have a successful consultancy business and work for myself. But even if you believe in ultra-selfishness, a society with many poor, disaffected people is a very scary and dangerous place to live in. This is an issue that affects all of us, not just the laid off.

  91. If I understand correctly.. by geekoid · · Score: 2

    .. This vendor wrote a report about your performance/risk, and you were not allowed to see the document?

    Get a lawyer.

    Hell, I'd start handing out fliers advocating unionizing. Really piss them off. And there is nothing they can do about it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  92. Re:Two Words for unemployed techies: Pharmacy Scho by gsperling · · Score: 2, Funny

    Yeah, there's a great idea. I can just see it now:

    All techies go to Pharmacy school. That way, when we're up late at night coding for a client, we know how to mix our own Phenylbarbital to keep us awake.

    Better yet -- All techies get their RPh, and that way the entire Pharmacy market is flooded. Hey, I'll work for the same $50k/yr as a Pharmacist as I did when I was a Manager of IT. Lower the bar in that industry. Before you know it, your local Walgreens will be outsourcing the Pharmacy to a bunch of $9/hr 'pretty proficient in English' individuals.

    Let's take it a step further... All techies become MDs. Heck, after six years of school and internships and rotations, I hear MDs make over $100K/yr! Flood that industry with h4x0r5 so the next time you have a nail stuck in your ass it can be removed by the techieMD who was up all last night working on developing the next DDoS against the RIAA's website. Hrmpf!

    Do YOU really want YOUR techie to be a RPh?

    I think not.

  93. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  94. Re:Bigot by cOdEgUru · · Score: 3, Informative

    Dude,

    I am as Indian as they get :). I have nothing against any race or any color. And yes, my ex-offshore partner was Indian as well, but that doesn't change the fact that they were incompetent.

    I wasn't issuing a blanket statement about all Indian outsourcing firms. I am merely referring to the fact that most of the firms who indulge in outsourcing are plainly jumping on the bandwagon with nary a thought about its implications in the long run. And hence outsourcing isn't here to stay, it will blow over very soon when firms and managers realize that it makes more sense to have the team onsite rather than having someone do most of the work at night when you aren't around to manage.

    And if your offshore partner is a plain schmuck, like mine was, they will shaft you at every step possible, by overbilling you, by working on other projects in the hour they bill you. Believe me, I have been a witness to this and much more.

  95. Re:What's good for the goose is good for the gande by t0qer · · Score: 4, Interesting

    He should sue the outsourcing company for slander and libel (since they probably handed his employer a report stating he was a security risk)

    Of course it all depends on what context he was fired for. Are we getting the whole story here? Did you do any activities that could be considered a security risk?

  96. Unions by Alan Cox · · Score: 3, Interesting

    If the IT world had better organisation it wouldn't consist of people being trodden underfoot because they think they are "elite" "indispensable" and "able to stand alone". As a rule of thumb your CEO is smarter than your average 21 year old programmer, and believe me *his* interests don't match yours, however much he swears they do.

    India has much much stronger labour laws than the USA on most issues (although enforcement has problems sometimes). Indian IT workers sometimes do belong to unions or labour groups. Interestingly some of them chose not to use the word "union" because they wanted a labour group but didn't want the conflict the word union implies in some parts of the world, but to imply constructive working together.

    The jobs that went from the USA and EU have something much more important in common. They are low skilled, highly manpower intensive and not subsidized. It has a lot to do with wage costs and very little to do with unions.
    Software is manpower intensive, not subsidized and the skills are being developed rapidly to a high level in other countries. The rest follows logically enough.

    Welcome to globalization of production. Unfortunately globalisation of buying is a different matter (eg DVD prices in Europe, US text book costs, US v Canadian medicine prices).

  97. Had this happen to me! by Anonymous Coward · · Score: 2, Interesting

    The scum at Data Networks out of Maryland did the same thing. I had worked for this company for 21 years, and they gave a report to our board that was about 300 pages long of all the security things I was doing "wrong." Most of the pages were wild claims about Linux's and Solaris's lack of security and about the risks of *not* using a Cisco PIX firewall. There were pages of silly stuff like the demarc point being too far from equipment room. Well, the board were the ones that decided on which room to install a raised floor and extra cooling. Of course, I got called to the carpet on that one. It wasn't even a problem in the first place since you can extend T1's for 100's of feet without problems, but they claimed the 50' we had was too much. I was accused of "malfeasance" for buying Sun servers rather than buying cheaper Dells. Most of our Suns are 5+ years-old and a few are even 10 years-old and chugging along without problem. An old IPC running Debian makes a perfect backup name server. So, Data Networks has convinced them to get involved with the Windows/Dell upgrade from hell cycle and to pay them to rewrite all of the software we use. They also sold them a $40k Cisco router they don't need and a $30k (or so) Cisco PIX firewalls. Data Networks has also convinced them to sue me over the price difference between the Suns and an "equivalent" (not that you can buy a Dell that's equivalent to a Sun) Dell server. They're supposed to serve papers sometime early next year. Oh well. It was a great job working with great people for 21 years. It was also the only job I've had since I graduated from Ga Tech.

  98. Re:DUH by Mantorp · · Score: 2, Funny
    India is defiantly on this list

    Are other countries daring them to create jobs?

  99. Re:What's good for the goose is good for the gande by ToasterTester · · Score: 4, Interesting

    Pointed Haired Bosses don't think that way. At my last job (one of the big 3 ISP's) one of the NT admins screwed up and opened our one internal systems to the whole world. One of our techs studying security discovered the hole and reported it to our PHB. Who came to our SA team to check and confirm. They were more concerned about the tech finding the hole, than the idiot NT admin who screwed up an NT security setting. They were insisting on firing the tech. They said opening up our system to world was less of an issue than an employee sniffing our network, even if he reported it.

    I've worked for too many large corporations; don't ever think management is going to think logically.

  100. Re:What's good for the goose is good for the gande by rutledjw · · Score: 5, Insightful
    Revenge? you want revenge? Just sit back and watch as the security for that company gets pummeled.

    I've rarely seen outsourcing go well. Now we're talking about info-sec? You're going to outsource the "guardians at the gate" job to a company whose tactics should be seen as seedy by the dumbest of Pointy-Haired-Bosses??? They'll get what they deserve. Maybe not sooner, but certainly later. Considering they are a financial company, the PR cost alone could be disastrous.

    Pardon my language, but f**k 'em. I'd leave cordially but expressing reservation about their tactics and ability to execute. IMHO there's no reason to burn bridges, IT is too close knit to do that. Plus there's no benefit for the guy who got canned. They could come back and beg him to return if there's a bridge left standing.

    Finally, companies who act like greedy sheep are inevitably led to slaughter. I know, I work for one and we're getting killed for bone-headed accountant-driven decisions very similar to those described here...

    --

    Computer Science is Applied Philosophy
  101. Re:What's good for the goose is good for the gande by Anonymous Coward · · Score: 5, Insightful

    Yes. Good reply. In fact, this is exactly what I was going to suggest.

    But, it wouldn't suggest that a disgruntled IT guy is a threat, insomuch as the "new-an-improved" security is inadequate. After all, he wasn't disgruntled until he was fired.

    His work should indicate that this ex-employee isn't a threat, because he knows too much about the network... It should indicate that the new security company doesn't know shit. Otherwise, you're going to set up a mutual distrust between the company and the IT people. In other words: The IT people won't trust that their jobs are safe, and the company won't trust that the IT people won't fuck them over because they are mad.

    Personally, I wouldn't want to work in a place that's being kept in check by the threat of mutual assured destruction. It's too much tension. Bad for the blood pressure.

    The employees should be working on the same team as the management--with the same goals (higher productivity and profits, and all that garbage) If the managers see this quality in an IT person, they become quite invaluable as a bridge between the tech (which they don't understand), and the money (which they want more of).

    This sort of activity used to be upheld by the promise of profit-sharing (the more the company makes, the more you make, so if you save the company money, you get it back as a NICE bonus in the end). It's all but gone now, but you can use the same ideas to make yourself a truly invaluable person to the company (with a check to prove it).

  102. Re:Maybe it's time for the technocratic war to beg by HangingChad · · Score: 2
    EDS stock took a beating mainly because of that one moron...

    I was under the impression their stock was taking a beating because they're the worst IT outsourcing company in the history of IT consulting. They had a bad rep before Brown. Based on my personal experience with EDS, I wouldn't hire them to run a network connection to my dog house. Ask anyone in the Navy how well they like NMCI. The US Navy and 250 million taxpayers taking it up the poop deck on that one.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  103. Re:Maybe it's time for the technocratic war to beg by stwrtpj · · Score: 2, Interesting
    If you're on call 24/7 while they're home sleeping, it sounds to me like they've got a lot better handle on where power resides than you do...

    Until the people that provide that support decide they don't want to do it anymore and go off to another career, leaving a shortage of people to do the job. Not saying that this will happen anytime soon, it's mostly to make the point that people in power must derive their power from somewhere. Things don't happen in a vacuum.

    --
    Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
  104. Re:Maybe it's time for the technocratic war to beg by proj_2501 · · Score: 3, Insightful

    you mean like a STRIKE organized by a UNION?

    I probably just started a flamewar.

  105. Re:Maybe it's time for the technocratic war to beg by GoofyBoy · · Score: 2, Funny

    >I'm just waiting for my moment.

    And I'm sure that cheerleader from high school is suddenly going to realize that, after all these years, she wants you.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  106. Re:Maybe it's time for the technocratic war to beg by GoofyBoy · · Score: 3, Funny

    The brain would have thought about this and have already prepared to outsource the kidney functions to the liver.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  107. Re:What's good for the goose is good for the gande by rupert2000 · · Score: 2, Funny

    Puff.. Either kick someone's ass the first day or be someone's bitch and the jail time will fly by.

  108. Re:What's good for the goose is good for the gande by fastidious edward · · Score: 2, Insightful

    Yes, choose a legal option... do not endanger your future.

    But something I'm confused about is you say this was a major financial institution (well, the story seems to have been edited to remove major, but it was major on first read :) ). Does this company have only one 'Network Security Analyst'? Even a small company should have at least 2, from a contingency perspective. My financial company employer has a team of 20 on network security, though headcount of the company is under 2000. So what are the rest of your team doing? If they really only had you then they ran a poor show, and if completely outsourced (bad practice IMHO, in-house monitoring must exist at a minimum) a case can be made to monitor.

    Well, you have my sympathies, if this 3rd party consultant really does urge firing all staff (well, replacing staff as the security risk with a 3rd party as the security risk) and not keeping anything in-house as you suggest, then I urge you to name them, sir.

    --

    karma karma karma karma karma chameleon, you come and go, you come and go.
  109. Re:What's good for the goose is good for the gande by Smallpond · · Score: 2, Interesting


    A company I used to work for had 2 IT guys: the manager and the worker, and laid off the worker. Before leaving, he fired off an abusive companywide email, messed up the servers, and changed the root passwords. When management found out that the manager couldn't fix the problems, they fired him and rehired the worker, who made less money anyway. No charges, no retaliation, just business.

    I always thought it was a good decision.

  110. Re:Red Herring had a different perspective. by geoswan · · Score: 4, Informative

    Yes, the A.C. points to a good article. Now here is a link that works.

  111. The flip-side's opinion. by gerald626 · · Score: 2, Insightful

    I work for a company who provides 'Outsourced Network Monitoring and Intrusion Detection' services. Whenever I'm doing a 'vulnerability assessment', or VA, I almost always work with the security professionals at the client site. My job is to help them do their job. The company I work for does a lot of things wrong, but (so far) they haven't pulled that one. If we've provided outsourcing to a client, it's been for something that they don't do already. Take intrusion detection (IDS) for example - most of my clients don't or can't do it effectively. So we come in and do it for them. They look good, we look good, everyone's happy. But your situation royally sucks.

    I would brush off the resume and start lookin'. Just don't say that you got fired for being the security risk ;)

  112. Get a lawyer! by MadKook · · Score: 3, Interesting

    Not being a lawyer, but knowing a few, plus having a few who swear by having employment lawyers, I would say that you should definitely talk to one!!

    A company who chooses to terminate your employment because of research or inquiries, the results of which are not told to you, sounds quite... well illegal. Were you a regular fulltime employee? Did you sign some sort of disclaimer because you were in "security" that they could at any time terminate you because you could be terminated as a "security risk" ???

    Get a lawyer now!

  113. The Cycles of Outsourcing by TempusMagus · · Score: 3, Insightful
    I thought I'd share something I've observed about outsourcing and its cyclic nature. I base my comments on having seen this from the design/marketing side as well as the technology side.

    On one hand you have frightened entrenched management reacting to what they think is the best fiscal course of action. They are making decisions out of fear. They will outsource like crazy and force domestic rates for similar services to drop as a result.

    What will then happen is that the supplying companies will start raising their rates as their clients become more dependent. Additionally, companies will become frightened about increased project management burdens, tying important business-critical development to minimally invested 3rd parties and decreased savings.

    Even when the economy is good, we all used to laugh about Coke and IBM who both did the following: One manager gets hired, wanted to pee on every post in sight and exclaim "Oh my god! We need to get rid of these people and outsource it all. It's not our core business. We can save tons in HR costs. We'll save BIG!". Then the next person who sits in his chair comes in, wants to pee on every post in sight and exclaim "Oh my god! Do you realize how much our vendors are ripping us for? We need to bring this work in-house. We can hire the best people for a fraction of the rate their consultants/programmers/etc charge! We'll save BIG!". Rinse. Wash. Repeat.

    I think there will be a great balancing out soon. As soon as people get over the knee-jerk reaction of outsourcing, esp. to India, you'll see things settle down a bit. It's so not the cure-all that desperate managers think it is, but it does have its place.

    NE QUID NIMIS

    --
    -_-
  114. I do this by OriginalArlen · · Score: 2, Informative
    I work for a company that is a managed security services provider as a pentester. The majority of the customers I do pentests / VAs for are already customers of ours. Personally I've never come under any pressure to slant my reports one way or another. (Of course that doesn't mean it doesn't happen in other companies but the idea that my employer is especially ethical and moral in this respect is... unlikely ;)

    Now having said all that, I do often find client sites with horrible glaring problems. Indeed I recently heard that an overseas office of (A.N. multinational megacorp that you'd have heard of) actually had their entire network shut down as a direct result of a thoroughly stinking report I gave them. They got this stinking report because they had a single W2K machine on a DSL broadband connection running (unpatched) IIS, SQL server, PC Anywhere, VNC, FTP, Exchange (yes all on one box!) and a bunch of other stuff, oh yes including all the 137, 139, 445 Windows RPC ports wide open. No firewall at all. My report basically said "this machine is so insecure that the prudent thing to do is pull it off the network and give it a thorough audit - or save some time and just reformat and rebuild from scratch, because this is absolutely the easiest low-hanging fruit that any common-or-garden kiddie could trivially own."

    The funny thing (?) is that I got 90% of that data just from a careful use of Nessus and Nmap. You do need to read the docs and experiment and be sure you know what they're telling you, but running those against your own network from the outside is well within the capabilities of any Unix-head out there and probably the majority of Slashdot readers.

    Normally I'd add a disclaimer about making sure you get authorised before you do this, but to be honest if you do "-TPolite" quiet scans from your home connection it shouldn't even get noticed amongst the normal background noise that any arbitrary IP gets. (Of course it may be a bit embarrassing if your own testing turns up lots of holes when you go to your boss to show them the results and you DIDN'T get authorisation first...)

    I'd suggest something like this (using a current Nmap or post 3.45 - -V rocks!)

    $ nohup nmap -sSVR -O -P0 -v -TPolite (your-netblock-here) -o sSVR-scan.log &

    And then set up Nessus, remembering to turn off DoS and other non-safe plugins, and configure the portscanners carefully, and away you go. If you can provide the same data that my employers would charge your employer several thousand pounds for, perhaps you'll get a raise instead of the sack.

    Don't run these internally unless you're 100% certain that there's no IDS anywhere. Otherwise you WILL be sacked (and may have problems getting another job - you can certainly forget a reference!)

    Hey, wait a sec! Whose side am I on?!

    --

    Everything I needed to know about life, I learnt from Blake's Seven
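
Added example, not part of the comment above: a triage script for a scan of your own netblock that flags the kind of exposure the comment describes (remote-access, file-sharing and database services open on one internet-facing box). It assumes the scan was also saved in Nmap's grepable format (`-oG`); the port list, threshold, function names and sample lines are constructed for this example.

```python
import re
from collections import Counter

# Default ports of services named in the comment that normally should not be
# reachable from the internet. This mapping is an assumption of the example;
# trust -sV version output over the port number where the two disagree.
RISKY_PORTS = {
    (21, "tcp"): "FTP",
    (137, "udp"): "NetBIOS name service",
    (139, "tcp"): "NetBIOS session service",
    (445, "tcp"): "SMB over TCP",
    (1433, "tcp"): "Microsoft SQL Server",
    (5631, "tcp"): "pcAnywhere",
    (5900, "tcp"): "VNC",
}

# One grepable host line: "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")

# Constructed sample in grepable layout, using documentation addresses.
SAMPLE_OG = (
    "# constructed sample, Nmap grepable (-oG) layout\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd 5.0/, "
    "80/open/tcp//http//Microsoft IIS httpd 5.0/, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, "
    "5631/open/tcp//pcanywheredata///, 5900/open/tcp//vnc//VNC (protocol 3.3)/"
    "\tIgnored State: closed (1650)\n"
    "Host: 192.0.2.20 (www.example.test)\tPorts: 80/open/tcp//http//Apache httpd/, "
    "443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///\n"
)


def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines, "Status:" lines, etc.
        ip, _name, ports_field = match.groups()
        entries = hosts.setdefault(ip, [])
        # Entries end in "/" and are joined by ", "; slashes inside version
        # strings are written as "|", so "/," only occurs between entries.
        for item in re.split(r"/,\s*", ports_field):
            parts = (item.strip().split("/") + [""] * 7)[:7]
            port, state, proto, _owner, service, _rpc, version = parts
            if port.isdigit():
                entries.append((int(port), proto, state, service, version))
    return hosts


def exposed_findings(hosts):
    """List open ports that match RISKY_PORTS, sorted by host then port."""
    findings = []
    for ip in sorted(hosts):
        for port, proto, state, service, version in sorted(hosts[ip]):
            label = RISKY_PORTS.get((port, proto))
            if state == "open" and label:
                findings.append({"host": ip, "port": port, "proto": proto,
                                 "label": label, "service": service,
                                 "version": version})
    return findings


def hosts_needing_audit(findings, threshold=3):
    """Hosts exposing at least `threshold` risky services on one box."""
    counts = Counter(f["host"] for f in findings)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = exposed_findings(parse_grepable(SAMPLE_OG))
    for f in found:
        detail = f["version"] or f["service"]
        print(f'{f["host"]}  {f["port"]}/{f["proto"]}  {f["label"]}  [{detail}]')
    print("audit first:", ", ".join(hosts_needing_audit(found)))
```
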
  115. Re:Maybe it's time for the technocratic war to beg by rnd() · · Score: 2, Insightful

    Every society strikes a balance between individualism and collectivism. We're all individuals, but we're also functional units within a larger system that keeps everyone alive.

    Interesting way of phrasing that. I would phrase it as follows:

    In a society, individuals must choose to specialize in order to obtain the economic benefits of specialization. This requires a degree of trust and cooperation, all of which is motivated by self-interest. Price signals efficiently allocate labor to its most productive role.

    Saying that this is due to collectivism implies that people do not participate solely for selfish reasons. I don't think that is the case. Cooperation can be 100% selfish. This is a good thing.

    --

    Amazing magic tricks

  116. Were you a security risk? by winkydink · · Score: 2, Insightful
    While it seems everybody wants to give you the benefit of the doubt, is it possible the 3rd party company was right?

    I'd suggest taking a good hard look at your skills versus your peers and make sure you measure up. Human nature being what it is, we are inclined to having a higher opinion of ourselves than that which others may hold.

    Companies don't pay for 3rd party assessments unless there is some compelling, underlying reason. Most likely, the reason for your replacement is not black and white.

    Make it a learning experience for you. Improve any deficiencies you may have. You'll be a better employee and person for it.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  117. Re:What's good for the goose is good for the gande by Curunir_wolf · · Score: 5, Insightful
    Duh! *ANY* network administrator is a security risk, because (by necessity), they have access to:
    • Look at and modify every file on the servers (changing ownership first, if necessary)
    • Change anybody's password
    • Shut down services at will
    • Open up services and ports to the Internet, or elsewhere
    • Modify firewall rules
    The list could have been very long. Can you imagine the reaction of the executives when they saw that list?

    "Oh my god!!! That's a gaping vulnerability! Get rid of him, right now!"

    Idiots

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  118. Re:What's good for the goose is good for the gande by geoswan · · Score: 3, Insightful
    SafariShane needs to turn around and hack back in to the system in a week and show that the new company's security measures weren't that great. ;-) This will ingratiate himself with the CEO and get the new company kicked out.

    Shane, this sounds like a truly rotten experience. And some of the advice you have gotten here is pretty crappy too.

    Before you consider taking revenge, do you think there is anyone in management or H.R. with whom you could have a conversation? The idea that management had had a sudden, abrupt reversal in their confidence in your ability and trustworthiness must be a disturbing one. Perhaps there is someone to whom you can turn for some reassurance.

    "I thought I was doing a good job. I did get a 12.5% merit increase in pay. But the secrecy around how my employment was terminated is disturbing. Is there something in the security report that will cause the firm to give future employers a less than enthusiastic endorsement of my skills? I'd like to know this."

    You don't absolutely know the outside consultants slagged your performance or trustworthiness. And, if I read your account correctly, you don't know that your former employers turned around and hired the consulting firm to replace you.

    Good luck.

  119. Re:Can't beat 'em? Join 'em! by muddy_mudskipper · · Score: 2, Funny

    i went out and got blade-corrected eyes and a 50 inch tv!

    after such a botched surgery, it was all i could comfortably watch!

    and i'm STILL a network admin! YAY!

  120. Re:Can't beat 'em? Join 'em! by trg83 · · Score: 4, Funny

    >he went out and got a 32" TV and laser-corrected his eyes.

    Wow, amazing!! I've been wanting a 32" TV all my life! Are you Amish or something?

  121. I worked for a company that did similar work... by kpost · · Score: 2, Interesting

    I used to work with PriceWaterhouseCoopers where I performed network security auditing. While I worked there, we NEVER did anything like what's reported in the article. We reported things like unpatched systems, firewall holes and often showed how our clients' networks were vulnerable to various threats, but never did we label our clients' network operators as primary risks. -Kevin

  122. Re:Maybe it's time for the technocratic war to beg by GoofyBoy · · Score: 2, Funny

    >That hot cheerleader from high-school is now 32, has pushed out two kids and packed on 50 lbs -- oh and probably has spend the last 15 years living in a trailer park because the former captain of the football team was too stupid to make anything of himself.
    >Time to find another fantasy.

    Dude, that IS my fantasy. All I need is to deliver pizza to her and cue the pr0n music!

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  123. Re:DUH by crushinghellhammer · · Score: 2, Informative

    It's always great when people talk so freely about things they know nothing about. I personally know people from the US, France and Germany that work in India. They apply and get work permits, just like in the US. The process may take a little longer in certain cases, but the legal provisions exist.

    Next, they are not interested in lowballing jobs out of the rest of the world, and it's not as if the entire nation works in call-centers. If jobs are being sent there, then it is due to the decisions of managers from the US and other countries. So it is AMERICANS or EUROPEANS taking those decisions - blame them! If you stop sending jobs there, all those employed in this business will take up something else. Why don't people understand this?

    Next, talking about what you would earn in India. What you earn will definitely see you living comfortably. If you are going to rate standard of life by the exact same parameters you would use to do so in the US, then the difference will definitely be drastic. However, part of moving to another country should be a willingness to adapt to a change in life. It's not so different out there - they have a lot of the same brands we do - but some things will definitely need getting accustomed to. People there will almost always treat you extremely well and you will never feel unwelcome.

  124. Better Lawyers than thugs by adamy · · Score: 3, Insightful

    People used to brawl out their differences.
    So people banded together. They called them gangs. Go watch Gangs of New York. Tell me if that is how you want to live. Or in the days before the U.S.A. split off from the U.K. look at how every major (present day) democracy in the world treated its own citizens. There was a reason the French started axing their own Aristocrats.

    Yes, it is still about money and power. But lawyers and insurance firms are a vast improvement over roving gangs with knives and clubs.

    It ain't perfect, but it is an improvement.

    --
    Open Source Identity Management: FreeIPA.org
  125. Re:What's good for the goose is good for the gande by Greedo · · Score: 4, Interesting

    Exactly what I was thinking.

    Here in Canada, you also can't get fired on the spot (well, not for this). You have to receive at least a verbal warning and/or a written warning first, outlining what it is you are doing wrong.

    I don't know what the laws in the US are (or even if you are in the US), but you might want to check with a lawyer. A quick consult shouldn't cost you much, if anything.

    --
    Tuus crepidae innexilis sunt.
  126. HOWEVER he may have civil court case by voss · · Score: 3, Interesting

    This assumes he's being on the level

    While geeks are smart they don't know the law. If this new company wrongly accused him of incompetence or negligence he has every right to sue them. The sooner the better..... He doesn't sue his employer, that's bad for future employment. He sues this third party and then subpoenas exactly what they told his employer about him.

    In addition to libel and defamation there is also tortious interference with business relation (i.e. your employment with this company)

    I'd say he needs to consult with a lawyer

  127. Re:What's good for the goose is good for the gande by saden1 · · Score: 4, Insightful

    Don't get bitter, it is not good for the health. Always keep your bridges open because you never know. If I were you I would go to the executive/manager and simply say "even though you might think outsource your network security, I respectfully disagree and here is why." Point out what the potential problems they will face with this new company and simply tell them that your services will be available to them as a contractor. Walk away with your dignity and their respect and you'll probably get a call from them if they ever need you. Of course next time they call, you'll be pulling the strings. In the meantime collect your unemployment check and look for a new job. Maybe it is time to start a new hobby or learn something new and expand your horizons.

    --

    -----
    One is born into aristocracy, but mediocrity can only be achieved through hard work.
  128. I've been on both sides of this one. by FSK · · Score: 2, Informative

    I've been downsized and also worked as part of a team of consultants brought in to help a company outsource most of their IT needs so I think I can tell you a bit of what goes on when you see "the consultants" show up.

    What a consulting firm is supposed to do (discover problem, suggest solutions) and what the consultants really do (stay for a long time, find ways to hire friends) are two different things.

    Even if the consultants are honest and full of good intentions you will most likely find yourself either having to justify your job or released from employment. Think about this from the consultant's point of view. "Who has the best solution to any problem? The guys I work and partner with! Who is a wildcard? The guys I don't know! Why that guy sitting next to the server room could destroy the whole company!"

    Of course if the consultants aren't honest the situation is even worse.

    When you see the consultants show up, don't panic. However don't ignore them either. This is the time when you get your resume updated and call friends with similar jobs "just to see if they heard of anything". Ask people you trust (who don't work with you) about recruiters they like. Compile a list of people who can help you if you find a new job fast.

    The consultants might not affect you, but just in case view the situation as if your boss just told you that you have a 6 week warning before you're let go. Trust your gut (for lack of a better term); if you feel up against a wall then you probably are.

    Now wait, do everything as you normally would. If the consultants leave and nothing happens you now have an updated resume (which you should have anyway). If you are let go, be pleasant, thank everyone for the experience, and if you think you can get away with it ask for some kind of severance package (or if they could do better if you were offered one). Clean out your desk and never look back.

    --
    When punk rock is outlawed, only outlaws will have punk rock.
  129. The American Way - Sue! by tonyray · · Score: 2, Interesting

    I'm an employer, not a lawyer, so check with a lawyer to see if what I say is correct, but I believe it is.

    If your employer told you (or better yet, put it in writing) that you were fired because you were a security risk, then you may be able to sue. Here is why:

    You can be fired for making false statements on an employment application. No matter why you were fired, if you lie on your application your case is lost. So, when filling out future employment applications for the position of security admin you must say you were fired from your last job because they thought you were a security risk. Of course no one will hire you. Get any of them (but preferably four or more) to put in writing you were not hired because your application says you were fired for being a security risk.

    Now sue your previous employer and the security company for $10,000,000. Even if your employment was "at will" you can still sue in this instance because they have affected your future employability by claiming you were a security risk. If you are lucky, the security company put in writing (very stupid) that you were a security risk but it isn't necessary that they did so. People frequently win this type of case. Lesson to employers - "NEVER TELL SOMEONE WHY THEY ARE BEING FIRED".

    There is only one catch. If you have bad credit then that is proof you are a security risk. You could still win (think jury trial), but it would be harder.

    Have fun, be American ;)

  130. Regarding the resume... by c_dog · · Score: 2, Insightful

    "Just don't say that you got fired for being the security risk" brings to mind another problem, which is one of the dreaded "bad" reference.

    In this particular scenario (I'm no lawyer), wouldn't it be true to say he was "fired for cause"? When asked the question why he left his last place of employment, he'd almost certainly have to answer honestly because when his former employer is called (and most certainly will be...especially if not listed on references), and asked the question, "Could this person work there again", their answer would have to be, "No".

    Of course (I remind you, I'm no lawyer), I also believe that if you are fired for cause, you have a right to see the documentation associated with the decision. Failure to produce that information (granted that it will be used against you for the remainder of your career), if not illegal, is just plain mean.

  131. Re:Maybe it's time for the technocratic war to beg by j3110 · · Score: 2, Insightful

    Actually, that statement is a little untrue from two angles.

    1) Shareholders and shareholder agreements do have clauses for removing CEOs.

    2) If a significant amount of unemployment in IT crops up, it's quite likely they will work on some project just for something to do. So, this security guy that lost his job, might find a band of other people that have lost their jobs, and join to form their own security company to discredit the first, and take their business.

    What if 10% of the people whose job was shipped to India by MS actually work on other projects. The end result is MS's move to India actually had a hidden cost in competition. The question is, how much business do the people take away from MS with their competing projects vs how much MS cuts by moving to India. Immediate gains will be much greater than the long term. Linux doesn't need many more man hours of skilled labor to cause MS harm. This isn't true for just MS, but any company that ships overseas, they leave people unemployed that know how to do a portion of the work that company does.

    Also, consider it's not terribly hard for IT people to make a living just by running a computer shop. Hell, even if IT people work at Wal-Mart, they'll be taking some of their frustration out in code.

    I've never seen it a wise decision for any company to ship jobs overseas. Forming new companies and divisions overseas is great, but cutting workforce that already knows what they need to be doing is the stupidest idea I've ever heard. As soon as you train these Indian workers, they become more valuable, and thus you have to pay them more (maybe not significantly, but you do). Also, you are driving up labor costs in India via supply and demand. There are WAY too many variables to make that a justified risk. I'm all for expansion, new contracts, etc. taking the cheapest route at the time, but this is just madness so someone can line their wallets with probable kick-backs from Indian CEO's/government. 4-5 people losing their job from the same company is enough to cause competition. There are successful businesses today that are spinoffs of companies where the employees quit to form their own company, then the parent company had to compete with them. That's why they try to put non-compete clauses that outlast work duration in employment contracts.

    --
    Karma Clown
  132. Re:What's good for the goose is good for the gande by h4rm0ny · · Score: 4, Interesting


    If that's possible then yes, he should sue. It might be extremely difficult however.

    I have some experience in this as I was fired as a security risk. The cause? I installed a firewall on my PC. The formal letter stated that this could interfere with their network firewall (a Cisco box that was very over-the-top for a small development company of twenty people).

    Of course that wasn't the real reason. It was the refusal to work unpaid overtime and perhaps a tendency to correct my boss that got me out. However, how do I go about getting this fixed in court? No matter how expert I am in IT (and I am quite expert), they can throw an 'expert' back at me in court, and how will a judge know the difference?

    And aside from that, what would be the charge? I'd already resigned and was working out my notice. The sole result is that any reference from my former employer now states that I was fired for 'Gross Misconduct.' The burden is on me to convince people that it wasn't fair.

    A very nasty situation all round.

    I wish the poster good luck if he finds a way to sue, but beware of getting into a credentials battle with various "experts," because most courts won't be able to assess your case on the basis of technical details.

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  133. Re:What's good for the goose is good for the gande by Sanksa Wott · · Score: 2, Insightful

    Absolutely True! It's the hardest thing to do at the time not to strike back, but I've been asked to return to mis-managed projects that I started on several occasions. Geeks tend to be one of society's less-aggressive (at least on the surface) types.

  134. Americans! Accentuate your strengths! by AtariDatacenter · · Score: 2, Insightful

    Here's a question I always wish I could ask managers, whenever the topic of 'outsourcing' comes up: if dealing with programmers overseas is more appealing to the bottom line, why not let your programmers work from home for 50-80% of their current in-office pay?

    My entire team of systems administrators work at home for 100% pay. In fact, we're a bit of pioneers in this regard, but we've been on this track for a year now. Maybe 1% work from office. If we get just as much work done, and we're highly available, why not? And the company does acknowledge the money saved in office space. And that we're more able to work during sick time. Mind you, this isn't company policy, but a pocket within a very large company.

    Part of what we do, as a team, is to emphasise the benefits of having American employees. Good relationships with our customers. We question things that are given to us and not just blindly follow orders. We collaborate to build best of breed policies and designs.

    I personally think that Americans in fear of outsourcing are missing the boat. They shouldn't become more like their foreign cousins. They should embrace and accentuate their own cultural strengths (which they themselves may not even understand).

    Stay American, and become Ultra-American. A cultural change is an important part of that, but I enjoy being part of an environment where there isn't danger in speaking out... in fact, the danger is in NOT speaking out!

    There's a policy that doesn't make sense? Talk about it. A subject which is difficult to talk about? Acknowledge it is a difficult subject, and give it a try. Someone posts a document to the group? Read it, critique it, and add to it.

    I think that an ultra-American can beat outsourcing because you're no longer comparing apples to oranges. Foreigners have a much tougher time questioning 'authority', even after assertiveness training. We can produce a different intellectual product which exceeds the value of what they produce.

  135. Re:What's good for the goose is good for the gande by Anne Thwacks · · Score: 3, Interesting
    I had the same experience - recommended a fix for a major problem, and got fired for pointing out there WAS a problem. With hindsight, I'd say it was the company with the lowest employee morale I ever worked for.

    and the lesson is ... If employee morale is rock bottom, there's generally a damn good reason at the top. Look for a job elsewhere before it's too late.

    As for offering to work from home in place of outsourcing? Are you nutz? You would just be proving that someone could do the job remotely ... ie in some place that is beyond even the third world. Let's face it, India and China are now complaining about jobs being outsourced. Obviously the work is being done by krrgs from the planet Zog.

    --
    Sent from my ASR33 using ASCII
  136. Re:What's good for the goose is good for the gande by hoegg · · Score: 2, Insightful

    That was a risky play. Don't try this at home kids, you could end up with legal problems. Criminal and civil.

  137. Free != equal by Dr. Bent · · Score: 2, Insightful

    Well maybe some of these libertarians should find out what Adam Smith was really about. His model of capitalism is based in an agrarian society with independent artisans and traders. His idea of a free market is exactly that - where everyone has equal access to market and equal information.

    Equal and Free are not the same thing. A free market is one in which individuals are not prohibited from taking action based on their own personal information, opinion and resources. "Equal access to market and equal information" flies in the face of a Free market because in order to make everything equal, you have to take from some in order to give to others.

    Without inequalities in the market, there would be no opportunity for profit, and no motivation for anyone to do anything. Adam Smith was most certainly not talking about an "equal" market. That is much closer to Marx's notion of "From each according to his abilities, To each according to his needs". And if you want to know why that is bad, follow the link in my signature...

  138. Assess, communicate, learn, then move on by slouie · · Score: 2, Insightful

    First off, sorry to hear you lost your job. The economy is biting a lot of folks in the ass.

    Second, see if you can get an assessment of the nature of the security risk. They are probably showing you as a "single point of failure" (ie. exploitable either financially or otherwise).

    Third, write a counter proposal to the security consultant's assessment. Be sure to include any achievements, successes, etc. from your time there. It may be too late for this one.

    I think that being a "security risk" is only part of the reason you got. Office politics and the economy being what they are, you need to constantly sell yourself to your manager and show the benefits of having someone like you around. Lots of geeks are really terrible about the interpersonal skills and with a title of "Network Security Analyst," you're ripe for being downsized. You're only visible and important to them when they get attacked. They don't always know or understand what you're doing in the background. It's up to you to sell yourself and keep your supervisors and managers up to date on what tasks you are performing and how that benefits the company. Without it, you're just a guy taking up a high salary for doing nothing.

    Forget revenge. Forget the other company. Leave your number with your manager and ask if you can use him as a reference. See if you can improve your skills between jobs.

    Remember this experience and build on it.

    Best of luck.

    --

    "I may be Love's bitch, but at least I'm man enough to admit it."
  139. See a lawyer by HermanZA · · Score: 2

    and file for unfair dismissal. That should increase your settlement significantly...

  140. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  141. Re:What's good for the goose is good for the gande by DA-MAN · · Score: 4, Insightful

    > Before leaving, he fired off an abusive companywide email, messed up the servers, and changed the root passwords.

    That cocksucker is a major liability, and not someone I'd want working on my network. What if I had a legit reason for firing him, say he installs WinXP on my Linux cluster, then I gotta worry about passwords and e-mails, etc.

    --
    Can I get an eye poke?
    Dog House Forum
  142. Before suing... by JawFunk · · Score: 3, Informative

    ...I would subpoena the report to see what criteria "surfaced" that convinced his employer to replace him with the new guys. This could win the case for SafariShane, if there were no other "problems" with his history at the company.

    --
    [Please sign here]
  143. Re:What's good for the goose is good for the gande by Nitewing98 · · Score: 3, Insightful
    Did you do any activities that could be considered a security risk?


    Good question. I mean, if the outsourced company found his unsecured FTP address that he used to up/download his MMORPG character stats and his biology homework, he probably *was* a risk.

    However, I tend to think that the sort of scam he got burned by is real. And management is usually stupid enough to buy into crap like this. But I doubt it's actionable, since the outside company would have a valid argument that because he knows the network and all the passwords (or other entry methods/points) he IS a risk, even if he isn't INCLINED to use the information in a negative way.

    However, by the same argument, THEY are now the biggest security risk to the network and because they are not employed, they have little interest in protecting the network (at least, less than HE did, since his only paycheck was derived from protecting that network). If his former company were to suffer an intrusion and as a consequence go belly-up, the outsourced company merely loses a single client, not their entire livelihood.
    --

    Nitewing '98

    Everything works...in theory.

  144. Report the SOBs to the certifying agencies by djunia · · Score: 2, Interesting

    This is a very bad business model. In order to sell themselves to the clients, they generally need to have GIAC or CISSP certifications. Those certifying bodies have codes of ethics. What you have described does not fit into those general codes of ethics. If anyone representing the outsource firm is a CPA, CISA, or CIA (the accounting world certifications for this sort of work), they have broken a really basic ethical requirement. This is followed more in the breach, but accounting firms that audit for security are not supposed to advise clients on how to fix the problems. The idea is that you cannot honestly audit a company for which you have provided or will provide other services. If they represented the work they did as a SAS70 or other public assurance audit and then took over the jobs of people they assessed, they can be censured by any number of regulatory bodies. The biggest problem today is that there are flocks of us security folks out of work. I have 10 yrs experience, but no CISSP or CISA, and am considered "too senior" for the jobs that don't require certs. Charitably, I assume that they are referring to me having opinions about process and procedures. Privately, I am less naive.

  145. Probably redundant but will go ahead anyways.... by CliffH · · Score: 3, Informative

    Personally, as a small home based computer consultant, I have been asked to do assessments for companies. I think it's just my general lack of common sense or morals that play into it, but, when I've found holes I can drive a Mack truck through, the first person I have gone to is the current admin, showed them what I've found, and helped them fix it. Yeah, stupid business decision on my part, but it kept the following intact:

    1) Person kept their job

    2) I consequently got more business in doing further checks and consulting

    3) Everyone was happy and the admin was upskilled

    This was a win/win in my opinion. Everyone was kept happy and safe and the admin got some more skill to put under his belt. I just don't believe in fear mongering. If there is a problem, the current admin (if there is one) should be the first to know and given the tools to help fix the problem on the spot. Now, it's a whole different ballgame if it's outsource company against outsource company where there is no true full-time admin involved but we won't go there. :)

    --
    sigs are like a box of chocolates, they all suck remove the underscores to email me
  146. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  147. Why businesses exist by corinath · · Score: 3, Interesting

    Contrary to the belief by many people, businesses do not exist to provide a job to any particular person, excepting perhaps, the owner. A business exists for the sole purpose of making money for the people who own it. The fact that they provide jobs to other people is merely incidental. As such, the owners or management can choose who they want working for them.

    Anybody who doesn't see it this way should try to put themselves into the position of the owners. Try to imagine owning a company. If you are the boss and you don't want a particular person working there any longer, you would fire them, right?

    If you don't like people having that sort of power over you, start your own business.

    Now, don't get me wrong, I do feel that what the company did was most likely a bad move, and certainly was not a good way to repay a person who seems to have been a good employee.

    Any way you look at it, the management is responsible to the owners, be it private parties or stockholders. Their job is to make money for them. It is not to provide the employees with work.

    Sorry for the rant, but I get irritated when people think that their employer OWES them a job, they don't.

    --
    Hockey - Canada's gift to the world
  148. Re:What's good for the goose is good for the gande by ScottSpeaks! · · Score: 4, Interesting
    Revenge? you want revenge? Just sit back and watch as the security for that company gets pummeled.

    That's what I did. My former employer of five years spent several times my salary-to-date on consultants from Gartner, who convinced management that everything I'd built was wrong and they should spend my salary for the next five years on Microsoft products. I helped them roll it all out, they showed me the door... and now (from what I hear from a few friends there) they are hurting. {shrug}

  149. Not a security geek, however... by Lodragandraoidh · · Score: 3, Interesting

    I am not a security geek - so can not comment on the issue of having a security audit cost me my job.

    On the other hand, I do have some thoughts on increasing your likelihood of finding or keeping a job in this tough IT marketplace, that can be found here...

    The executive summary: diversify your skill base, and become a jack of all trades; coupled with that, look at other means to increase your ability to satisfy your user community better and faster than the competition.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  150. Only one who knows... by evilpenguin · · Score: 2, Informative

    This isn't about outsourcing software development overseas, this is about security at a company and outsourcing security and network administration. If a company has one person who holds all the keys to the security kingdom, even if he or she is doing a great job so far, you have an insecure system. Any system that depends on the knowledge or integrity of one person is an insecure system.

    That said, firing that person is not the first best answer. The first best answer is to properly distribute the responsibility and oversight. It isn't right to put all your trust in an outside vendor either.

    I don't know any specifics about this particular situation, but if I encountered a person who had all such controls in his or her hands and who regarded any distribution or surrender of authority or oversight as wrong or something to be resisted, I would consider replacing that person.

    No system designed around a single point of failure is a reliable system.

  151. A "Diplomatic" Geek. by Anonymous Coward · · Score: 3, Insightful

    "At my last job (one of the big 3 ISP's) one of the NT admins screwed up and opened our one internal systems to the whole world. One of our techs studying security discovered the hole and reported it to our PHB. Who came to our SA team to check and confirm. They were more concerned about the tech finding the hole, than the idiot NT admin who screwed up an NT security setting. "

    Then one of two things.
    He could have gone to the "idiot"(a hint here. It's not good to go to a person with your prejudices. It could have been an honest error), and told him about the problem and let him correct it, with the boss being none the wiser, and his "image" intact.

    He could have fixed the mistake, with no one the wiser. If everyone is as clueless as you state? Then this should have been an easy task.

    The main thing that stories like the above demonstrate is that geeks make lousy diplomats. There's a right way and a wrong way to present "difficult" news. Learn how (among other things) and you'll do well in life, and work. Forget how, and you're the subject of a story on Slashdot.

  152. Maybe your employer didn't have a choice by Anonymous Coward · · Score: 2, Interesting

    While my real job title is QA Manager, I also manage the security plan at my company (located in Canada), who makes export control restricted products (products restricted by either or both the Canadian govt and/or the US Govt). When doing security assessments on this side of the border, the citizenship requirements of the Controlled Goods Program (CGP) are far more lenient than those of the US International Traffic in Arms Regulations (ITAR). Still, because we export our products to the US, I have to take citizenship into account (i.e.: I have to in some specific cases meet the US requirements). That means in the case of specific individuals, they must be removed from projects and found alternate work. If alternate work cannot be found, then they must be let go. There's nothing the company can do about it - it's a federal requirement of employment to work for a company that designs these specific kinds of products. I will assume you are in the US, in which case a third party, such as the government or someone waving wads of cash around, has set some specific requirements for personnel working on their products. For some reason you didn't meet them. You do have a reasonable "right" to find out what specifically was the issue - was it citizenship? was it political affiliation? was it all those nights you've been downloading pr0n? Your employer should have made an effort to find you alternate work within the organization. If they didn't even try, then you might be able to make a case for wrongful dismissal. However, if they did try, or such an option simply is not feasible (and this is what it sounds like, how can you be an effective SysAdm when you can't access huge chunks of the network?), then they are within their legal bounds to let you go.

  153. Re:What kind of lawyer handles this? by xeno · · Score: 3, Interesting

    IANAL (but I've paid for their kids' dental work and sailboat), but there are two issues here: I think you have excellent grounds for proving damages to your reputation in the industry (from both the consultancy and your employer), in addition to wrongful termination if you were let go with prejudice (fired for false or misrepresented cause and denied unemployment). However, the real money is in the first part, so go for a libel/slander lawyer with knowledge of labor, not a labor lawyer who's heard of slander and will sue to get your job back. What you really should want from this is to (a) clear your name, (b) collect monetary damages, and (c) walk away. Dunno about FL law, but you should get all your lawyer fees back as well if you file the suit properly...

    I have (unfortunately) some experience in picking a lawyer for similarly hostile and unpleasant situations. In a recent situation that involved an insurance company, I turned to my own insurance carrier (home, personal liability, auto etc) and asked to be put in touch with a couple of senior examiner/adjusters. When I reached them (no easy task), I asked them the following question:

    "Who is the meanest son-of-a-bitch you never want to be across a table from?"

    Both people gave me the same name, and I hired that person as my lawyer. Yeah, the hourly rate was kinda frightening, but when your lawyer scares the piss out of the other party simply by name, the proceedings tend to be much shorter, and more to your advantage.

    How does that apply to your case? Call a libel/slander *defense* lawyer, and ask him/her the question above. Two votes for one name, and voila, you have your counsel.

    My personal advice is not to be shy about this. There's a time to shrug and walk away from an employer who lays you off for stupid reasons (I did a few months ago), and there's a time to fight like hell against something that could drown your career. This seems to me like the latter. What will you say in a few years, when a potential employer asks "If you weren't a security risk, why didn't you fight it?"

    Jon Espenschied

    --
    I think not...(*poof*)
  154. Re:Maybe it's time for the technocratic war to beg by gilgongo · · Score: 2, Funny

    > Every society strikes a balance between individualism and collectivism.

    He he. What a wonderfully pompous post! But I take your point about the social cohesion thing.

    If we bring it down to a different level though, I've sometimes wondered whether our CEO has ever woken up in the middle of the night and thought "Shit! I own this company, but the Ops Manager knows the root passwords to ALL our systems... and I don't!"

    Maybe I'll show him your post one day if I see him hanging around the server room looking nervous. It might calm him down.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  155. Impaired Independence by lizardb0y · · Score: 2, Informative

    As an InfoSec auditor it appears that this company has seriously impaired independence in this case. An auditor must (to quote the ISACA Code of Professional Ethics):

    Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
    -- ISACA Code of Professional Ethics (Links to a Word Document)

    If the same company is both providing audit or assessment services and offering outsource services to the same client then there is a serious breach of professional objectivity.

  156. Win wars before they start. by gobbo · · Score: 2, Interesting

    My spouse once had a job with a small political newsmagazine. She was the typesetter on an old obscure setup. Every word went through that machine. Since it was such a rare system, they needed her pretty badly to meet publication deadlines, and that meant that she had an editorial veto. She exercised it directly once: simply over the capitalization of an artist's name--who generally insisted that it be lowercase--and she demanded they respect his wishes. There was a standoff--editors backed down when they realized the stakes--they approached her to sound out controversial decisions after that. It helped that she was good at her job. The whole deal was a revelation for me.

    This is gonna sound syndicalist (though it isn't, really, just basic strategy): the wielders of tools can exercise final power over those tools, even if they don't officially own them--because possession is more powerful than abstract ownership. Of course, being a social species, working in concert makes us far more powerful.

  157. I did assessments by nakeddeath · · Score: 3, Interesting

    I used to do assessments for a company that wanted to do them to discredit the existing IT and replace them. After awhile it really bothered me because we went after some good, hard working, dedicated people.

    I decided to get some certs and marketability and find a job less 'stressful'. In studying the Code of Ethics for the CISSP, I realized that it should be my job to help dedicated people hang on to their job with instruction, training, learning, awareness.

    I now work at companies with the idea that I will locate 'vulnerabilities' and correct them with the resources they currently have. I know it's a stretch for some to adopt that line of thinking but in the long run, this attitude is paying off.

  158. The outsourcing backlash is beginning by Presence1 · · Score: 2, Informative
    A number of posters here have mentioned issues of low quality, conflict of interest, time zone and cultural differences, etc. That is the view from the trenches.

    Now, it is starting to be seen at the fringes of management, as seen in the current article below from Red Herring. Yes, this is for the advance guard investor audience, but it is still the beginning of the pendulum swinging the other way.

    Top 10 trends: Outsourcing backlash

  159. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  160. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  161. Redundant not sacked by oo_waratah · · Score: 2, Interesting

    I have read that there is a security issue with having a single person as the administrator. This would imply redundancy, not sacking. In Australia there are extra payments for redundancy, like 1 week per year of service. It also is better than "sacked" (but still not great).

    From the point of view of the sacking the company is legally obliged to tell you in detail what you did wrong so that you can study and correct those faults and not be doomed to repeat them. Ask for an "exit interview", this interview should discuss in detail the technical reasons why you failed to provide the service. You could ask for a copy of the security report under a non-disclosure agreement to supplement your knowledge of what went wrong. The company may (rightly) refuse to provide a copy of the report but you should ask.

    Discuss with management that you were "outsourced" not fired and discuss with them that they should correctly reflect this to potential employers. Advise them that if you can you are willing to assist them with problems or provide independent audits of their security at a reasonable consultant rate. It is better to leave them in a friendly frame of mind:

    a) It will be reflected in your reference.

    b) It gives you a slim chance of picking some extra consulting work.

    c) Asking for details of security problems is a positive and should be reflected by you to your potential employers.

    Don't underestimate the fact that you may have been a problem. You have given us no indication whether you followed security alerts, whether you configured your boundaries properly, etc. This may not be the case but we cannot judge your performance.

  162. Losing faith in the corporate structure by L0J46K · · Score: 2, Informative

    Sorry to hear you are jobless. In my opinion, some companies are moving the wrong way. I have been the CIO/CFO for almost a year. I don't know if my opinion is right since I am relatively a newbie to the position, but I would NEVER outsource security or any other confidential type work. How does a company justify paying a third party rather than an employee? I can understand adding dollars to the bottom line, but building a team of employees / co-workers is much more important. The problem with tech jobs is the people signing your paycheck and doing the HR work don't know sh*t about your job. In my area, central NJ, tech jobs are steadily on the rise. I am about to start looking myself ;) Look at it this way. It's an opportunity to move onto bigger and better things. A company that does not value its employees is doomed to failure. Good luck.

  163. Re:What's good for the goose ... not necessarily by Thu+Anon+Coward · · Score: 2, Informative

    I don't know that you'd want to fuck them. keep in mind, he said he worked for a financial institution. assuming that means a bank/credit union/savings&loan, etc, that is putting people's money at risk. maybe even your fellow slashdotters. so you want to fuck your fellow slashdotters' life savings huh?

    I audit financial institutions for IT security. But I do it from the state government regulatory side. I'm not passing judgment on SafariShane, but I would certainly have questions for the financial institution of why they fired their IT Security guy. My job allows me to demand answers like that and then write them up if they haven't done their due diligence or refuse to answer me.

    --



    I'm good with numbers - .45, 7.62, 9.....
  164. Business Week article on NAFTA's failures by rilee · · Score: 2, Informative

    The current issue has two articles of interest: the NAFTA shortcomings and the IRS targeting executive compensation accounting. There's a third article on a gent who buys distressed industries and was able to re-open a steel mill because the workers agreed to work for just-below-union wages. I bet he buys an IT something or other and re-employs US IT workers at a percentage below what they formerly earned. It's an iPods tune waiting to be activated.

  165. Re:What's good for the goose is good for the gande by busysteve · · Score: 2, Interesting

    This seems to be a wise thread. I was laid off a few years ago for "cost cutting" reasons. I was very nice to my managers afterwards (days later). I told them where recent code was that they didn't know they needed and how to (and why to) make use of it. In the meantime I got a cool contract working on a StrongARM embedded Linux job (for less money). As luck would have it, when the contract was almost complete they asked me to come back for the same pay. I asked why they wanted me back and they mentioned my kindness (and their sorrow).

    A(nother) suggestion for your problem would be to watch for upcoming security matters that might affect them such as an exploit or virus and warn them of it right away. Just be careful how you warn them, some warnings can be taken as threats. You might even add how to combat the threat.

    Just a thought... it worked for me.

  166. How secure are they really? by TheCoffeeRich · · Score: 2, Funny

    1. Just Wardrive em, create a report and outsource your security skills to them. :)

    2. Make it your lifelong mission to make sure the company doesn't succeed in any way.

    3. Send them LOTS OF PORN!

    4. Find a new job.

    I got bumped out of a job a few months ago and decided that if I couldn't beat them, to join them. I started my own tech firm and consult to small businesses and individuals. I'm making more money now than I ever did working for someone. It's surprising how equip, software and hourly rates add up to a lot of money coming in. Good luck, I feel your pain. Rich

  167. Is Slashdot a network security good or bad? by jordandeamattson · · Score: 2, Funny

    I would agree with the parent post that reviewing slashdot (though not for five hours as the grandparent post "suggested") on a daily basis is a good thing. That it shows that you are tracking the risks and threats in the environment at large.