As a traveling computer security consultant for over 20 years, I’ve had the chance to visit a lot of different operations and see what works and doesn’t work. I’m always looking for common denominators for successes and failures, and I share these lessons as I learn them.
But I realize I’ve unconsciously absorbed one home truth without realizing it — and it’s about contractors. The outsourcing of jobs to third-party companies has continued unabated for years. It’s not unusual for me to learn that almost nobody in the team running the place is an employee. One contractor manages the network, another deploys and manages PCs, another handles directory services, and another handles security.
[ Make threat intelligence meaningful: A 4-point plan. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]
Here’s what I’ve learned: Too many contractors can be detrimental.
I say that despite the fact that, in many cases, contractors are smarter and more skilled than the employees they replace. When they come with specialized skill sets for a special project, they’ll get a project done quicker than regular employees can. Contractors are absolutely necessary, but there’s a limit.
After all these years of observing environments, the strongest and best protected companies tend to be those with the highest percentage of full-time employees versus contractors. Why?
Easily one of the biggest reasons to use employees is to keep the history and experience of a team within a company over the long haul. Contractors come and go; often an entire team is replaced with one new contract. Whatever contractors learn is gone when they walk out the door.
A full-time, long-term employee collects experience that benefits the team. I can’t tell you how many times someone has suggested what sounded like an awesome solution to a problem, only to have a longtime employee rebut the solution with something no one else had thought about. Sometimes it’s an employee who simply tells the team how to navigate a political situation no one else understood. Every team has an employee who knows where the bodies are buried.
When something needs to get done ASAP, give me a long-term employee who knows who we need to call. Want to know why that weird script is kicking off every night on every server, or what that computer covered in dust in the back of computer room is doing? Talk to an employee who’s been there. Documentation is better — but you have to find it first!
When you’re sitting in a darkened computer closet wondering what that piercing beeping sound is, ask an employee. Want to know why that DNS server’s operating system hasn’t been updated in a year …? (You get the idea.)
New employees and contractors always start with the same quantity of institutional knowledge: zero. It takes time to educate them about the systems they’ll be handling, to show them where the documentation is hiding, and to cover what they need to do and why. The more contractors you use, the more you need to do that again and again as they rotate in and out.
For one client, I spend a few weeks each year educating the most recent new contractor on how to operate the company’s PKI. It takes one to two weeks to provide a complete education. So far, I’ve repeated this process consistently for 10 years. My employer, a contractor, certainly doesn’t mind me charging those hours for education, but so far the only PKI consistency at this client is me — another contractor.
Most contractors have specific obligations and don’t like to deviate very much. In fact, they can get in trouble for deviating. But narrowly specific duties, without the ability to work freely, can have unforeseen consequences.
For example, I was once hired to assess a very large organization’s Active Directory security and patch management processes. During that assessment, I came across very harmful malware spread across most of the company’s servers. The patch management contractor admitted noticing the malware for the last year.
I asked why nothing had been said about it. The reply: Their job was patch management and they’d gotten their hand slapped for talking about something beyond their contractual duties. Turned out the company was completely and utterly owned by an outside foreign entity and had been for years.
No matter how much a contractor likes working for a particular customer, that individual’s loyalty will be to the organization that signed the paycheck. If there’s a conflict between the customer and the contractor’s employer, you can be sure which side the contractor will choose.
Incentive to hide weak co-workers
I’ve also seen teams of contractors who end up “hiding” the weakest among them. They know this person is ill-suited for the role he or she is supposed to perform, but that person has been been touted as a “subject matter expert” with a bill rate to match. Typically, a weak player can be covered for pretty easily, particularly if the job is relatively short term.
Right now, I know many contractors reading this are shaking their heads in sad agreement.
It’s different with full-time employees. We’ve all tolerated weak co-workers, but we have no incentive to hide them. Peers will eventually bring a weak employee’s poor performance to management’s attention.
The insider threat
I’ve only worked on a dozen or so insider threat cases in my career, but several involved subcontractors. Typically, those subcontractors learned logon credentials and how to remotely access systems, which they abused either during or after their employment.