Ask HN: Does My Company Think I'm a Cybersecurity Risk?
A quality engineer faces restrictions on code access, hindering essential tasks and increasing communication inefficiencies. They question the decision's rationale and seek colleague input to understand potential implications.
A quality engineer at a mid-sized firm has been instructed to remove the code repository from their machine and refrain from accessing the codebase. This decision significantly impacts their ability to perform essential quality engineering tasks such as debugging, troubleshooting, and testing pull requests. The engineer notes that the new restrictions require additional communication with developers, leading to inefficiencies and potential delays. They also highlight the financial implications of needing dedicated testing environments due to limited resources in the continuous integration pipeline. The engineer questions the rationale behind this decision, especially as the company aims to reduce expenses, and considers various possibilities for the motivation behind it, including a lack of technical understanding by decision-makers or concerns about cybersecurity risks. They seek input from colleagues to better understand the situation and prepare for potential outcomes.
- The removal of access to the codebase hampers essential quality engineering tasks.
- Increased communication with developers leads to inefficiencies and wasted time.
- The decision may result in higher operational costs for testing environments.
- The engineer is uncertain about the motivations behind the decision.
- They are seeking feedback to clarify the situation and prepare for possible outcomes.
From the details you do provide, I can see how a non-tech person would interpret many of your actions as "concerning".
But the key issue remains: Do you have a technically competent CTO you directly report to? If so, that person should be responsible for resolving your issue. On the other hand, if you have a tech team without a competent technical manager overseeing operations, then things are likely to get screwy from time to time. Misguided attempts at cost saving being just one of many.
I view it vastly more likely that this isn't anything personal, it's just a new corporate decision to limit who has access to the code. If someone's job is a bit more complicated, but they can still do their work, while the company is far more protected, that is a good trade-off for lots of folks.
Also, your company "looking to reduce expenses" doesn't mean anything. Every company is. You will hear that, in some form or another, in almost any organization. If they have to increase spend for cybersecurity, they will.
1. I’ve been asked to keep my camera on in most meetings.
2. Like many in the tech world, I generally prefer to keep it off.
3. I was pulled aside over concerns that my LinkedIn profile "looked suspicious."
4. Admittedly, my LinkedIn does look suspicious to anyone who doesn’t communicate with me regularly or hasn't met me recently.
5. As with many developers, I place a premium on privacy, and some of my actions to safeguard it might appear suspect.
6. I’m involved in the cybersecurity community, participating in conferences and learning platforms.
7. The individual who asked me to remove the repository is non-technical.
8. The company I work for is not a tech company.
9. My direct supervisors and decision-makers are also non-technical.
10. I maintain strong relationships with technical team members.
11. I’ve had difficulties navigating remote work dynamics with non-technical colleagues.
12. I speak up less than I used to—this could be interpreted as disengagement.
13. In the past, I struggled to make measurable progress or explain setbacks, which hasn’t reflected well on me.
14. I’ve made no secret of the fact that Quality Engineering is not my passion, preferring development work instead—a comment that’s occasionally thrown back at me: "I know you’d rather be doing X, but..."
15. I have fewer than 10 years of experience in the industry and appear quite young.
16. I’ve been with the company for several years.
17. I work remotely.
18. I attempted to explain our CI/CD pipelines, the importance of QE, and why I believe I need access to the repo.
They think you're a poor performer in your assigned role and it's because you're too interested in the code. They assume you can do the job if they remove the distraction.
Or:
Your manager knows you want to go over to software engineering and if you appear to know and understand the codebase you could be poached to the other team.
Either way it looks like your manager wants you to fit the role you have been given and to stay there. The anxiety about LinkedIn points to this. You expressed preferences to be doing something else. You're a flight risk and they are trying to limit your options.
Edit in some unsolicited advice:
You don't need to quit over this but you should quit your job if it's not leading you to where you want your career to be, which it obviously isn't. The first 10 years of experience set you up for your career beyond that and if it's going in a direction you don't enjoy you're going to be miserable in your job. Find a development job if that's where you want your career to go; there is no time to waste.
If you can trace it to a particular unusual customer, be vocal about the consequences. If it is due to regulations, sorry, there is nothing you can do. Otherwise, if there is no external reason for the "security" tightening, complain to the person who made this wrong decision and to his manager.
In any case, giving you the tools that are necessary for your work (and by "work", I mean not just being a glorified messenger), like a separate test environment, must be a priority for your manager, even if those tools cost 100000 USD.
Not as a complaint but to genuinely ask why these things may have happened and how it is making your job challenging, furthermore how it is also making you feel that you are being siloed.
You aren't going to get a solid answer here, but only from the people you work for.