The Abstract DBA

  • Jim P. (12/3/2013)


    ...But realistically if you hire people without honor, honesty, and respect -- they are going to find a hole in the system to exploit.

    We could all do a lot of mischief but where is the fun in that?[1] I could easily[2] steal money, write digital graffiti, create a virus and so on. So could we all but because we all know we all can do any of it there isn't really any kudos to be had either.

    [1] I was tempted to pull a lot of cables out when I was left alone in Europe's biggest data centre (a security breach that should not have occurred). The employee of the large IT company bragged about the different clients' websites some of the machines were hosting. I could have made the news, perhaps globally, but for me the little chuckle to myself at that thought was more than enough.

    [2] Given a bit of time/practice/research etc. It's all out there on the internet - for some things there are even downloadable frameworks and utilities e.g. rootkits.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The problem for most (if not all) bigger shops is offshore outsourcing. I had talks with my management (CTO level) concerning the risk of having non-employees, non-citizen offshore residents (meaning they come under a different legal system) having administrator rights to the database. So it really doesn't have anything to do with who **we** hire, but who the outsourcing company hires. Yes, there are legally binding contracts and there are company policies, but the risk of a rogue DBA running amok is a real possibility.

    Let me give you an example. I was on a conference call one day discussing a database problem. I could tell from the telephone connection that one of the persons was not local -- also because I detected a southern Asian accent. After we wrapped up the call, I asked where he was from. I was familiar with most of the outsourcing centers in India. He responded "Lahore". Now I am not trying to broad-brush all Pakistanis, but Pakistan is not the model of political stability. I asked my CTO if there was any vetting of the individuals. He believed there was. But I am not talking about technical screening. What I am concerned about is terrorist screening. The CTO said he would take the matter up with the Chief IT Security Officer -- but nothing changed.

    Think of all the mission-critical databases your enterprise has to maintain. Even with the best DR policies, there could be the prospect of a catastrophic event caused by a DBA that might threaten the existence of the company. What would happen if it took two weeks to recover? Most businesses would tell you they would have to shut their doors if they were honest.

    Returning to our original discussion, audit is very important as the size of the enterprise grows. Sure, I would like to be trusted (and I am). But it is foolish to ignore the separation of duties.

  • jim.drewe (12/4/2013)


    The problem for most (if not all) bigger shops is offshore outsourcing. I had talks with my management (CTO level) concerning the risk of having non-employees, non-citizen offshore residents (meaning they come under a different legal system) having administrator rights to the database. So it really doesn't have anything to do with who **we** hire, but who the outsourcing company hires. Yes, there are legally binding contracts and there are company policies, but the risk of a rogue DBA running amok is a real possibility.

    Let me give you an example. I was on a conference call one day discussing a database problem. I could tell from the telephone connection that one of the persons was not local -- also because I detected a southern Asian accent. After we wrapped up the call, I asked where he was from. I was familiar with most of the outsourcing centers in India. He responded "Lahore". Now I am not trying to broad-brush all Pakistanis, but Pakistan is not the model of political stability. I asked my CTO if there was any vetting of the individuals. He believed there was. But I am not talking about technical screening. What I am concerned about is terrorist screening. The CTO said he would take the matter up with the Chief IT Security Officer -- but nothing changed.

    Think of all the mission-critical databases your enterprise has to maintain. Even with the best DR policies, there could be the prospect of a catastrophic event caused by a DBA that might threaten the existence of the company. What would happen if it took two weeks to recover? Most businesses would tell you they would have to shut their doors if they were honest.

    Returning to our original discussion, audit is very important as the size of the enterprise grows. Sure, I would like to be trusted (and I am). But it is foolish to ignore the separation of duties.

    Any organization with an IT department large and funded enough to have a designated CTO and Chief Security Officer should also keep their database and network administrators in-house, well compensated, and on a short leash. You can out-source your web developers, your marketing team, payroll, help desk support, and even members of your executive management... but don't out-source (much less off-shore) the guys who hold the keys to your data. I'd much rather deal with the aftermath of a rogue graphic artist or accountant than I would a rogue database administrator.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric ... I would heartily agree. Unfortunately, executives in publicly held companies listen to Wall Street, not the common sense from subordinates. If Wall Street says a particular metric is too low (or too high), the CEO sets the goals and barks out orders. You might at the higher levels get to ask questions for clarification, but you generally don't get to challenge the decision (I mean, you can, but that will last as long as you stepping in front of a train).

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack). Law enforcement wouldn't let people back into their offices and some small firms went out of business as a result of having no DR plan. After that, DR became a big deal and DR validation tests were mandated in many companies. After 9-11, some firms still were hit hard with poor DR planning. This same financial services company I worked for at the time (located in lower Manhattan) went into insanity mode because all of the non-IT business departments in a location near Ground Zero had their own SQL Server database systems. They had offsite backup tapes, but no real DR plan. The insanity lasted for about a month restoring SQL Server databases (that we in IT didn't manage) in alternative locations.

    Would top management have eventually seen the light without these disasters? Yeah, eventually, but not with the same urgency or sense of need. But to go back to your comment, I would agree that there are some IT functions that are too critical to outsource.

  • jim.drewe (12/11/2013)


    Eric ... I would heartily agree. Unfortunately, executives in publicly held companies listen to Wall Street, not the common sense from subordinates. If Wall Street says a particular metric is too low (or too high), the CEO sets the goals and barks out orders. You might at the higher levels get to ask questions for clarification, but you generally don't get to challenge the decision (I mean, you can, but that will last as long as you stepping in front of a train).

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack). Law enforcement wouldn't let people back into their offices and some small firms went out of business as a result of having no DR plan. After that, DR became a big deal and DR validation tests were mandated in many companies. After 9-11, some firms still were hit hard with poor DR planning. This same financial services company I worked for at the time (located in lower Manhattan) went into insanity mode because all of the non-IT business departments in a location near Ground Zero had their own SQL Server database systems. They had offsite backup tapes, but no real DR plan. The insanity lasted for about a month restoring SQL Server databases (that we in IT didn't manage) in alternative locations.

    Would top management have eventually seen the light without these disasters? Yeah, eventually, but not with the same urgency or sense of need. But to go back to your comment, I would agree that there are some IT functions that are too critical to outsource.

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack).

    If we need a calamity to use as an example for why database administrators should not be outsourced, I'd present as evidence Edward Snowden. This guy was not even a federal employee of the NSA, he was a contractor hired to manage the SharePoint website and file share network where the NSA held classified documents.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (12/11/2013)


    jim.drewe (12/11/2013)


    Eric ... I would heartily agree. Unfortunately, executives in publicly held companies listen to Wall Street, not the common sense from subordinates. If Wall Street says a particular metric is too low (or too high), the CEO sets the goals and barks out orders. You might at the higher levels get to ask questions for clarification, but you generally don't get to challenge the decision (I mean, you can, but that will last as long as you stepping in front of a train).

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack). Law enforcement wouldn't let people back into their offices and some small firms went out of business as a result of having no DR plan. After that, DR became a big deal and DR validation tests were mandated in many companies. After 9-11, some firms still were hit hard with poor DR planning. This same financial services company I worked for at the time (located in lower Manhattan) went into insanity mode because all of the non-IT business departments in a location near Ground Zero had their own SQL Server database systems. They had offsite backup tapes, but no real DR plan. The insanity lasted for about a month restoring SQL Server databases (that we in IT didn't manage) in alternative locations.

    Would top management have eventually seen the light without these disasters? Yeah, eventually, but not with the same urgency or sense of need. But to go back to your comment, I would agree that there are some IT functions that are too critical to outsource.

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack).

    If we need a calamity to use as an example for why database administrators should not be outsourced, I'd present as evidence Edward Snowden. This guy was not even a federal employee of the NSA, he was a contractor hired to manage the SharePoint website and file share network where the NSA held classified documents.

    I take exception to your statement above. Do not cast all of us contractors to Edward Snowden. That was a failure in the vetting process and lack of ethics on the part of Edward Snowden.

  • Lynn Pettis (12/11/2013)


    Eric M Russell (12/11/2013)


    jim.drewe (12/11/2013)


    Eric ... I would heartily agree. Unfortunately, executives in publicly held companies listen to Wall Street, not the common sense from subordinates. If Wall Street says a particular metric is too low (or too high), the CEO sets the goals and barks out orders. You might at the higher levels get to ask questions for clarification, but you generally don't get to challenge the decision (I mean, you can, but that will last as long as you stepping in front of a train).

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack). Law enforcement wouldn't let people back into their offices and some small firms went out of business as a result of having no DR plan. After that, DR became a big deal and DR validation tests were mandated in many companies. After 9-11, some firms still were hit hard with poor DR planning. This same financial services company I worked for at the time (located in lower Manhattan) went into insanity mode because all of the non-IT business departments in a location near Ground Zero had their own SQL Server database systems. They had offsite backup tapes, but no real DR plan. The insanity lasted for about a month restoring SQL Server databases (that we in IT didn't manage) in alternative locations.

    Would top management have eventually seen the light without these disasters? Yeah, eventually, but not with the same urgency or sense of need. But to go back to your comment, I would agree that there are some IT functions that are too critical to outsource.

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack).

    If we need a calamity to use as an example for why database administrators should not be outsourced, I'd present as evidence Edward Snowden. This guy was not even a federal employee of the NSA, he was a contractor hired to manage the SharePoint website and file share network where the NSA held classified documents.

    I take exception to your statement above. Do not cast all of us contractors to Edward Snowden. That was a failure in the vetting process and lack of ethics on the part of Edward Snowden.

    Certainly there can be a role for consultants and contractors, when it comes to the design, development and troubleshooting of databases. Often times it makes sense to outsource all of that.

    However, I totally don't see why an organization or government agency with a large IT department would outsource a full time administrative or operational position. I also don't see why a contractor would even be interested in doing admin stuff for a client full time, not when there are so many other more creative and lucrative gigs available out there. Here again, I'm distinguishing administration and operations as something different from architecture and development.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (12/11/2013)


    Lynn Pettis (12/11/2013)


    Eric M Russell (12/11/2013)


    jim.drewe (12/11/2013)


    Eric ... I would heartily agree. Unfortunately, executives in publicly held companies listen to Wall Street, not the common sense from subordinates. If Wall Street says a particular metric is too low (or too high), the CEO sets the goals and barks out orders. You might at the higher levels get to ask questions for clarification, but you generally don't get to challenge the decision (I mean, you can, but that will last as long as you stepping in front of a train).

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack). Law enforcement wouldn't let people back into their offices and some small firms went out of business as a result of having no DR plan. After that, DR became a big deal and DR validation tests were mandated in many companies. After 9-11, some firms still were hit hard with poor DR planning. This same financial services company I worked for at the time (located in lower Manhattan) went into insanity mode because all of the non-IT business departments in a location near Ground Zero had their own SQL Server database systems. They had offsite backup tapes, but no real DR plan. The insanity lasted for about a month restoring SQL Server databases (that we in IT didn't manage) in alternative locations.

    Would top management have eventually seen the light without these disasters? Yeah, eventually, but not with the same urgency or sense of need. But to go back to your comment, I would agree that there are some IT functions that are too critical to outsource.

    What it will take is for a calamity of the highest order to hit a major corporation before the investment bankers will include it on their checklist. Just as I used DR as an example in my previous post, there are plenty of companies which did not survive the 1993 World Trade Center bombing (the prelude to the 9-11 attack).

    If we need a calamity to use as an example for why database administrators should not be outsourced, I'd present as evidence Edward Snowden. This guy was not even a federal employee of the NSA, he was a contractor hired to manage the SharePoint website and file share network where the NSA held classified documents.

    I take exception to your statement above. Do not cast all of us contractors to Edward Snowden. That was a failure in the vetting process and lack of ethics on the part of Edward Snowden.

    Certainly there can be a role for consultants and contractors, when it comes to the design, development and troubleshooting of databases. Often times it makes sense to outsource all of that.

    However, I totally don't see why an organization or government agency with a large IT department would outsource a full time administrative or operational position. I also don't see why a contractor would even be interested in doing admin stuff for a client full time, not when there are so many other more creative and lucrative gigs available out there. Here again, I'm distinguishing administration and operations as something different from architecture and development.

    Well, I and my coworkers serve in such positions here in Afghanistan. By being here the military can focus on what the military does best. I am proud to be here serving a vital service for my country, the military, and my company. I still take exception to your portrayal of all contractors based only on the actions of a very select few.

  • Perhaps I should have clarified what I said, "non-employees, non-citizen offshore residents' and used the conjunction "and" rather than a comma. This would have clearly stated a contractor working in a foreign country. My apologies on the slip-up.

    As in my example, there are many non-Western countries that are unstable. Just because they are cheap sources of labor doesn't make for a good mix with mission-critical data belonging to Western firms. The accountability just isn't there. If a person from one of the non-stable countries becomes hostile, serious harm could be done and the person could disappear from their criminal justice system. Seeking indemnity from their civil system would probably be fruitless.

    From my experience, for sensitive positions such as DBAs (as opposed to, say, web developers), onshore contracting typically involves a certain balance between the contracting firm and the enterprise. I didn't see a small contracting firm running critical systems for a large enterprise (it might happen, I just didn't see it). Again, it would be a matter of accountability. The small firm could not compensate a large firm for a catastrophe they might cause unless they posted a very large bond.

  • Lynn

    I normally don't follow up on these types of tracks, but I think what I was trying to say (and presumably what the other gentleman was also trying to say) is your ***typical*** outsourcing arrangements.

    I am an ex-Marine (Vietnam era) and my son served both as an infantryman and contractor in Iraq (Ramadi, 2007-2008). I am not going to say that every type of outsourcing is an audit risk. Military campaigns by nature invoke risk. After all, you are trading lives for real estate. You cannot compare IT in an active military theater with IT in New York or London. So, yes, what you are doing falls outside the scope of what type of outsourcing arrangements I am referring to.

  • jim.drewe (12/11/2013)


    Lynn

    I normally don't follow up on these types of tracks, but I think what I was trying to say (and presumably what the other gentleman was also trying to say) is your ***typical*** outsourcing arrangements.

    I am an ex-Marine (Vietnam era) and my son served both as an infantryman and contractor in Iraq (Ramadi, 2007-2008). I am not going to say that every type of outsourcing is an audit risk. Military campaigns by nature invoke risk. After all, you are trading lives for real estate. You cannot compare IT in an active military theater with IT in New York or London. So, yes, what you are doing falls outside the scope of what type of outsourcing arrangements I am referring to.

    I haven't taken exception to anything you have said, Jim. I have taken exception with the comments made by Eric regarding contractors and comparing them to Edward Snowden. I feel he has lumped us all in the same bucket with a few bad apples.

  • Lynn Pettis (12/11/2013)


    jim.drewe (12/11/2013)


    Lynn

    I normally don't follow up on these types of tracks, but I think what I was trying to say (and presumably what the other gentleman was also trying to say) is your ***typical*** outsourcing arrangements.

    I am an ex-Marine (Vietnam era) and my son served both as an infantryman and contractor in Iraq (Ramadi, 2007-2008). I am not going to say that every type of outsourcing is an audit risk. Military campaigns by nature invoke risk. After all, you are trading lives for real estate. You cannot compare IT in an active military theater with IT in New York or London. So, yes, what you are doing falls outside the scope of what type of outsourcing arrangements I am referring to.

    I haven't taken exception to anything you have said, Jim. I have taken exception with the comments made by Eric regarding contractors and comparing them to Edward Snowden. I feel he has lumped us all in the same bucket with a few bad apples.

    My point is that I don't understand why a government agency or corporation would out-source a database or network administrator. Why pay a contractor $100,000+ a year to shuffle your backup tapes and network logins, when they could hire a full time staff member for half that cost?

    I'm not saying they shouldn't do it; it's just that to me the risk / reward and return on investment doesn't seem to work. Having an outsider in an operational position, handling your most sensitive data, adds risk to the equation but adds no value.

    I'm not comparing all contractors to Snowden; I've been on the contracting side of IT in the past, and could potentially assume that role again in the future. But contractors and employees both have their strong and weak points. Like I said earlier, the guys who manage your most confidential data should be kept on a short leash. If a contractor gets fired, then he can just move on to the next gig. However, if an employee gets fired, then he's screwed much harder. That power which an organization has to screw an employee who does something really stupid, like intentionally or carelessly leaking sensitive data, is just another tool that the organization can leverage to ensure that their data is kept as secure as possible.

    That said, there is plenty of room for contractors in the realm of information technology.

    Hiring a contractor to architect the data warehouse or re-write the application and then hand it over to in-house IT staff - yes, definitely.

    Hiring an expert contractor to spend a couple of weeks performance tuning the SQL queries or network topology - yes, definitely.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (12/12/2013)


    ...

    Why pay a contractor $100,000+ a year to shuffle your backup tapes and network logins, when they could hire a full time staff member for half that cost?

    ...

    And the government wouldn't be able to hire me as a direct FTE for less than $100,000. They need people with the experience and knowledge like I have to do more than shuffle backup tapes and network logins. If the only way to work for the government doing what I do and get paid for my knowledge and experience is as a contractor, then that's what I will do.

  • Lynn Pettis (12/12/2013)


    Eric M Russell (12/12/2013)


    ...

    Why pay a contractor $100,000+ a year to shuffle your backup tapes and network logins, when they could hire a full time staff member for half that cost?

    ...

    And the government wouldn't be able to hire me as a direct FTE for less than $100,000. They need people with the experience and knowledge like I have to do more than shuffle backup tapes and network logins. If the only way to work for the government doing what I do and get paid for my knowledge and experience is as a contractor, then that's what I will do.

    They need someone like you or me for our architectural expertise and development skills, they don't need us to handle their backup tapes, email, and SharePoint documents. It's the routine operational aspect of database administration that I believe shouldn't be out-sourced. For example, we can design a data warehouse and ETL process for a government agency and even spend several months developing it, yet still never handle the actual production data itself. There are people within the organization that can fill that role, and if not, they can easily hire someone full time to do it.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (12/12/2013)


    Lynn Pettis (12/12/2013)


    Eric M Russell (12/12/2013)


    ...

    Why pay a contractor $100,000+ a year to shuffle your backup tapes and network logins, when they could hire a full time staff member for half that cost?

    ...

    And the government wouldn't be able to hire me as a direct FTE for less than $100,000. They need people with the experience and knowledge like I have to do more than shuffle backup tapes and network logins. If the only way to work for the government doing what I do and get paid for my knowledge and experience is as a contractor, then that's what I will do.

    They need someone like you or me for our architectural expertise and development skills, they don't need us to handle their backup tapes, email, and SharePoint documents. It's the routine operational aspect of database administration that I believe shouldn't be out-sourced. For example, we can design a data warehouse and ETL process for a government agency and even spend several months developing it, yet still never handle the actual production data itself. There are people within the organization that can fill that role, and if not, they can easily hire someone full time to do it.

    Problem is that many times hiring a baby sitter isn't what is needed. A baby sitter can't do the things necessary to performance tune a database. Happens to be one of the reasons I managed to get my position extended after the company I work for eliminated my position back home 2.5 months ago. They learned that they needed a specialist like me to help make the improvements to the database that are needed to enhance performance. They realized they needed more than a baby sitter.

Viewing 15 posts - 16 through 30 (of 30 total)
