This news story, getting front-(virtual)-page coverage on ComputerWorld, is extremely interesting and, at the same time, boring old news. For years now, we've been debating how the H1-B visa is taking away jobs from US-based workers. Whether you agree with it or not, let's address the issue from a different angle. I would like to turn your attention to how this affects security, and the viability of a company.
Let's assume for one minute that Company A (some big-pharma company) is hiring H1-B "contractors" from off-shore. Let's further assume that they're effectively vetting their employees because they understand the value of knowing everything about the people you hire to help stem insider security threats. Now, maybe I'm reaching a bit here, but here is how I see a company effectively vetting their employees:
- Employment history check (calling previous employees)
- Criminal background check
- Drug testing
- Credit check
- Extensive background check (military-grade) for those who work in security or super-secret labs making the next wonder-drug
What does that mean to you, the hiring manager at Company A? It means you're hiring a threat. Period. It doesn't matter how you try to wordsmith your contracts, the fact is you're hiring an unknown, and in security, unknown equals threat. If you don't know what's in the box, odds are you're not stupid enough to allow it into your perimeter. But the fact is, we allow contractors we haven't fully vetted into our environment all the time. We then give them access as system administrators, customer service representatives, database administrators, researchers, lab assistants and many, many other sensitive positions.
So let me summarize. The article is interesting in that it brings back up an old debate which has raged on for years and will likely not be settled by you or me, but rather by greedy politicians who cede positions and votes to lobby groups headed up by Oracle, Microsoft, and other greed-based organizations whose goal is to hire the absolute cheapest labor, period. But that's not the point. The point is that we're allowing threats into our environment; nay, we're asking for threats to come into our environments. That's a security issue. That we need to raise.