Security as everyone's job is an admirable idea, and one that I'd love to see implemented everywhere. My experience, though, as a security analyst myself has been that if security gets in the way of a project, then there won't be any security unless someone insists.
Network Security Analyst - bad position (Score:5, Insightful)
If all you did there was security, then you were in a bad position to begin with. Security should be a part of everything that is done, not handled simply by one person somewhere.
Network engineer - The person or persons responsible for designing, managing, and maintaining the enterprise network should be the ones responsible for its security through all aspects of their work. Security has to be designed in to begin with, so that the network has the absolute minimum exposure and still provides a maximum ability for authorized staff to monitor and control it, while all other authorized staff can make full intended use of the network.
Systems administrator - The person or persons responsible for selecting, installing, configuring, operating, and administering computer systems, both servers as well as workstations and desktops, should be the ones responsible for its security through all aspects of their work. Security has to be part of all the procedures so that the systems have the absolute minimum exposure while allowing authorized staff to perform the functions the systems are intended for.
Programmer/analyst - The person or persons responsible for designing, programming, testing, and deploying new applications, or changes to existing applications, should be the ones responsible for its security through all aspects of their work. Security has to be designed into the way the application works, into its program code, properly and thoroughly tested, and then further verified once the application is up and running. And this has to be done while the application can still be fully used by all authorized staff, clients, customers, etc.
Get the picture?
Sorry to burst your bubble, but there should not be just one person who handles security. Depending on the nature of the business, one person might be the one who handles security coordination, but that isn't a techie/geek job; it should be more along the lines of an auditor who would be a paper pusher kind of person at businesses like banks and investment firms.
As to your current situation I advise the following:
Hire a lawyer. Have this lawyer contact the company pretending to be your new potential employer, and ask them for reference information about you. Actually do this twice (be sure completely different people call and pretend to be completely different companies). In one case your "new" position should basically be described as one similar to what you had at the company that outsourced you out. In the other case your "new" position should basically be central to your non-security skill set, such as a network administrator or network engineer (or whatever is appropriate for you). If they give you a good recommendation, then move on with your life and don't worry about it (just don't open your own personal accounts there, etc). However, if they give you a bad recommendation (such as "he was assessed to be a security risk") then discuss with your lawyer that situation and determine what can be done (you may have a case for a defamation lawsuit against either your employer or the outsourcing company).
Be aware that most companies do tend to try to protect themselves from lawsuits when giving references. They may very well not specify any problems. But that can also be interpreted by future employers as a problem, if they didn't give you a glowing recommendation. You'll have to determine how that will affect your career future.
You might want to start your own small "security management and monitoring services company". There are lots of smaller businesses that will need this kind of service (whether they know that or not ... but that's a salesman's job to work on), but are too small to hire someone full time, and not big enough to hire the big security contracting firms. In a few years, as the big security firms expand to the smaller businesses (to keep up equity growth as their big business market saturates), they may come along and offer to buy up your business. If you play your cards right, you could end up being more "successful" than the managers of the financial institution that fired you.
Re:Network Security Analyst - bad position (Score:3, Interesting)
Do you think that somewhat independent review is unnecessary, especially in the area of security? And who decides where required security features are implemented? Just to give an example: Sometimes, it's not cost-effective to provide the required protection level entirely on the network layer, but it can be implemented on the a
Re:Network Security Analyst - bad position (Score:1)
Re:Network Security Analyst - bad position (Score:2)
They very well could be. That's what the references probe would help find out. If the employer never reveals that information to anyone in any form, then it would not be defamation of character. The actual report, which is apparently unseen, might very well have just stated that a security risk exists when security is handled exclusively by a single person (which I might tend to agree with, too). OTOH, if they turn around and hire someone else for that position, that would change the picture of this.
Re:Network Security Analyst - bad position (Score:4, Insightful)
Good theory, but I suspect that a lot of lawyers might balk at misrepresenting themselves in this way. The other issue is that it likely won't get any information. Because of this very scenario, many companies will not offer "recommendations" for former employees; they'll verify start and end dates for employment, salary, etc. -- factual information -- but won't provide anything that might be considered subjective for fear of a lawsuit like this.
I'll also echo another poster in saying that while your situation does suck and was clearly handled badly, it may not be that you personally represented the security risk. If (and I don't know this to be the case) you were the sole person responsible for security, or your group couldn't provide 24/7/365 active monitoring (real eyes reviewing data at all times, not just responding to specific types of alerts), then the very existence of your job could be viewed as a security risk. It's the company's fault for setting things up that way in the first place, but they may well be right to change their approach to security management.
This doesn't mean that the company will provide better services, of course, simply that the decision may have reflected an attempt to correct a bigger problem...only time will tell whether the correction itself creates more problems for them.
Re:Network Security Analyst - bad position (Score:2)
Re:Network Security Analyst - bad position (Score:2)
Ever seen Erin Brockovich?
No, but I'm generally familiar with the actual story that inspired the movie [lawbuzz.com]; in rough terms, toxic waste generated by PG&E had contaminated the groundwater around Hinkley, CA, with disastrous effects on the health of the citizens. PG&E tried in a variety of ways to deny any responsibility for the effects of decades of dumping on the area's population, but eventually lost the suit in spectacular fashion.
Erin Brockovich (who worked for a law firm but was not a lawyer),
Re:Network Security Analyst - bad position (Score:2)
The lawyer might not actually do so; a private investigator can do it. Anyone "can" consider hiring the guy. Saying they are a company that they are not could be a bad thing, depending.
As for the employer not providing information, you are correct that lots of them won't provide any but the basic facts (which makes references rather useless to the extent that is true). If you contact HR, that's almost surely what will happen. If you contact the direct report manager, you may get another story. Doing t
Re:Network Security Analyst - bad position (Score:3, Insightful)
Re:Network Security Analyst - bad position (Score:2)
I've had that same experience myself. But that clearly indicates that security is not being considered properly by everyone involved. If you happen to be in a project like that, a good "risk exposure analysis" would be a good thing to have. But for manager types, it will need to be expressed in terms of dollars lost vs. saved.