I’d planned on starting the year without a lot of controversy. Then an old controversy became a current-events controversy.

So let’s take the New Year’s Polar Bear plunge, and get straight to it. The subject: The H-1B program.

Many of the same talking points have been chasing around the pundit class since at least 2002 (see “IT rust belt,” which first appeared in InfoWorld, at IS Survivor Publishing).

Welcome to 2025. And instead of starting with my own opinions, we’ll start with where I think we have common ground. Such as:

As Tech Leaders, one of the debates we face is the sourcing and composition of staff, and especially dealing with work visas, such as the H-1B (or OPT, NAFTA, etc).

There are a lot of non-controversial points that frame this discussion. (This site offers a great summary.)

  • H-1Bs cover a lot of industries, including Healthcare workers, Fashion Models, Accountants, and Information Technology. However, the controversy regarding the H-1B seems to focus exclusively on IT, not on these other professions.
  • It seems that the reason the IT industry is controversial is that the majority of H-1B visas go to IT; the other categories are quite small in comparison.
  • The national origin of visa holders is concentrated in just a few countries.
  • IT jobs in the US generally pay well, and H-1B visas require some sort of evaluation of “Prevailing Wage”. Potential immigrant staff aren’t stupid, and do their own homework about markets, salaries and benefits as well.
  • There is a general demand for skilled IT workers, and that demand, while it has ups and downs, is generally not going away.

 

So, where is the controversy?

In general, the main concern is a belief that a company is optimizing for cost rather than for other goals, and that in this optimization somebody from abroad is coming to the US and taking a job that should, or used to, belong to a native-born American. Adding to this are concerns about salary pressure on jobs (based on H-1B wages being potentially lower), age or other discrimination against Americans, and a general sense that the rules are somehow different and unfair.

I think there are at least three different types of companies that use H-1B IT staff, and these concerns play out differently in each.

 

  • Software publishers or tech manufacturers. While these companies hire H-1B staff in large numbers, they also may have offshore R&D offices in other countries. These companies tend to be highly meritocratic and, in their minds at least, are trying to hire the best person they can, regardless of where they live. Cost may be a factor, but it isn’t the only consideration for them. (This situation already leads to an uncomfortable question: if we are going to be “economically patriotic”, we need to ask ourselves if we want a software job in the US, albeit with an H-1B developer. Or do we want the job to be abroad, with the same person, not paying US taxes or moving here?)

 

  • Existing companies that are looking for small numbers of IT experts or specialists that they can’t find locally. To come up with an example, let’s imagine a local manufacturing company that is looking for an expert in system management and development for a functional and fully depreciated AS/400 system, and then think of the local labor pool that can fulfil those needs. It might be that through some social media investigation, an IT manager can find skilled, talented staff abroad, and come to a suitable arrangement that results in an H-1B and a move to the US.

 

The scale and potential for abuse are different for these three categories, and the macro outcomes are clearly different as well. The argument in the press is badly framed, and doesn’t bring clarity to the alternatives or possible solutions. We will tackle those in the upcoming weeks, focusing on what you, Tech Leader, can manage towards.

Is your contractor who you think they are?

I will admit that this is a question that is pretty new to me. While we have all seen a scam or two over the years, I am pretty surprised to discover that there are domestic “Companies” that will facilitate completely fraudulent contractor relationships.

There appear to be two significant goals for the malicious actor:

The first is to get paid market rates as a contractor.  I am guessing that the work performed can be performed remotely, without a lot of supervision, and is specialized or difficult enough to warrant a company looking for a contract employee.  We live in a time where staffing companies are everywhere, doing effective and legitimate work, meaning it is easy to blend in.

The second motive is more dangerous: scanning networks, installing malware, manipulating files, and ultimately exploiting an organization’s systems. Even great corporate security teams are going to have a hard time managing users who have some sort of internal elevated privileges. Users, legitimate or not, expect to have access to the systems that companies are paying them a lot of money to use. Sorting out bad internal actors is the kind of responsibility that gives the Security team in a company (or outsourced MSPs) ulcers.

What was particularly surprising was that these domestic companies knew exactly what they were doing.  It seems like the riskiest way to make a buck that I have ever heard of, and I am pretty sure that the DOJ isn’t going to go lightly on the offenders.

But who knows? Some companies might not want the embarrassment of having fallen for a scheme like this.

So, what is to be done?

  1. We might actually have to start reading resumes again, looking for inconsistencies.
  2. We probably want real phone numbers, Zoom meetings with the cameras on, and availability for check-ins. Are we FedExing any gear to the address on the resume? It wouldn’t make sense to send it someplace else, would it?
  3. Consider implementing a Zero Trust IT security model. Adding this layer of security has been shown to prevent data breaches. Aspects of this model include multi-factor authentication, device access control, least-privileged access, continuous monitoring, and more.
  4. Ensure organizational firewalls, security patches, malware prevention devices and software are up to date.
  5. Reconsider reliance on unknown staffing firms, and vet any firms you may work with. A good, simple check is to ask about business insurance and to get added as a certificate holder.
  6. Finally, a good data backup is your last line of defense. Modern backup systems can store data on an immutable medium, preventing things like ransomware or nefarious actors from altering the data.
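
An added example, not part of the original post: one way to apply the “least-privileged access” and “continuous monitoring” parts of item 3 to contractor accounts, by flagging connections outside what the engagement needs and bursts that touch many hosts in a short time. The account names, host names, log format and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: contractor account -> hosts the engagement needs.
ALLOWED = {"c-jdoe": {"git01", "build01"}, "c-asmith": {"erp-db01"}}

# Constructed connection log: timestamp, account, destination host, port.
SAMPLE_LOG = """\
2025-01-06T09:00:01 c-jdoe git01 443
2025-01-06T09:02:10 c-jdoe build01 22
2025-01-06T09:05:00 c-asmith erp-db01 5432
2025-01-06T23:41:00 c-asmith hr-fs01 445
2025-01-06T23:41:05 c-asmith fin-fs01 445
2025-01-06T23:41:09 c-asmith dc01 445
2025-01-06T23:41:14 c-asmith dc02 445
2025-01-06T23:41:20 c-asmith backup01 445
2025-01-06T23:58:00 c-jdoe git01 443
"""

def parse(log):
    """Yield (timestamp, account, host, port) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, account, host, port = line.split()
            yield datetime.fromisoformat(ts), account, host, int(port)

def review(log, allowed=ALLOWED, window=timedelta(minutes=5), fanout=5):
    """Return {account: sorted findings} for the contractor accounts in `allowed`."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # account -> [(timestamp, host)] inside the window
    for ts, account, host, _port in sorted(parse(log)):
        if account not in allowed:
            continue  # only contractor accounts are reviewed here
        if host not in allowed[account]:
            findings[account].add(f"outside-allowlist:{host}")
        # Keep only this account's connections from the last `window`.
        recent[account] = [(t, h) for t, h in recent[account] if ts - t <= window]
        recent[account].append((ts, host))
        # Many distinct hosts in a short window looks like scanning.
        if len({h for _, h in recent[account]}) >= fanout:
            findings[account].add("scan-like-fanout")
    return {acct: sorted(found) for acct, found in findings.items()}

if __name__ == "__main__":
    for acct, found in review(SAMPLE_LOG).items():
        print(acct, found)
```
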

Good grief, this is nuts.