Finding Pros for IT Security

E-biz demand for experts far exceeds supply

Soured economy or no, you still have to have the skills of a sleuth to find information security professionals.

How bad is the dearth? Lee Kushner, CEO and founder of L.J. Kushner & Associates LLP, an executive recruiting company specializing in information security, estimates that the number of unfilled jobs requiring skilled security professionals is between 25,000 and 50,000 in the United States alone.

Many point to this lack of trained security personnel as the cause of increasing numbers of successful hacks and intrusions, the costs of which a recent Computer Security Institute/FBI survey reported as being up nearly 50 percent over last year.

So, with the stakes so high, how do you go about finding the security experts your e-business needs?

First, experts say, if yours is a small or midsize company, consider using security service providers rather than competing with larger, richer enterprises or consultants for security pros. But, if you do require in-house expertise, youll need to tap into security-focused recruiters and develop close ties with universities so you can pluck budding security experts as they graduate. And, most important, youll have to be patient. It can take months to find even low-level security professionals, experts say.

Its not surprising, then, that many e-businesses are looking outside to security service providers for expertise. According to Boston consultancy The Yankee Group Inc., the managed security services market will swell from last years size of $1.4 million to $1.7 billion by 2005.

One company turning to managed security service providers is TangibleData Inc. The Thornton, Colo., digital publishing company employs eight full-time staffers, yet it needed to provide secure customer access to digital content 24-by-7. That, company officials said, would have required three full-time security professionals. Like many enterprises, TangibleData has no security expertise in-house nor does it want to spend time getting it. "Perhaps down the road we might hire security people, but for now, weve found it to be a very specialized field," said CEO Blair Zykan.

So the company in March went with OneSecure Inc., of Sunnyvale, Calif., for managed security. "A company thats handling multiple networks [such as OneSecure] is just a more efficient way to get it done," Zykan said.

Outsourcing security doesnt make sense for all enterprises, however. Officials at large, global financial concerns such as Barclays Capital Inc., for example, facing new security regulations such as those imposed by the Gramm-Leach Bliley Act of 1999, said they believe retaining control of security in-house is far preferable. Its even worth the time and money it takes to find the talent, said Paul Raines, global head of Information Risk Management at Barclays Capital, in New York. Raines heads an in-house security group formed at Barclays six months ago.

Of course, the amount of time it takes to find these professionals depends on the skill level needed. Senior-level security executive searches can take at least three months through a specialized agency, according to Raines, who was plucked from a post as vice president of electronic security for the Federal Reserve Bank of New York after a six-month search. Even low-level jobs take an average of a month to fill.

The problem with finding security pros goes beyond simply tight supply-and-demand conditions. When enterprises seek security skills, Raines said, they tend to look for a very specific set of skills and certifications, with the Certified Information Systems Security Professional being the most sought after. The need for such specific skills can make it tougher to fill security positions than, say, programmer jobs.

"There are so many different aspects of security," Raines said. "You might want one [position filled by a person] with a background in programming to work with people designing applications or one with a background in networking because so much comes up with connectivity."

Where should enterprises go fishing for elusive security professionals? Raines relies heavily on networking within the industry and scouting for new university graduates. For low-level skills, he went with search agencies.

In addition, a full one-fourth of his group was taken right out of school. While at the Federal Reserve, Raines relied on Rensselaer Polytechnic Institute as a source of recruits with solid skills, whereas at Barclays hes had luck looking specifically to schools with good information security programs.

That list includes Carnegie Mellon University, Stanford University, Massachusetts Institute of Technology, George Mason University and Royal Holloway University of London.

What else can you do to find these elusive pros? Scout conferences and get involved in organizations such as the System Administration, Networking and Security Institute and its Web site, Both are places where security experts congregate to rub shoulders and display their work.

And it cant hurt to get started now. IT hiring managers said the dearth of information security skills is only going to get worse as e-business grows.