Security under the gun: The security skills mirage

Computerworld - After Bruce Lobree, an information security engineer and a 20-year IT veteran, lost his job in October, he decided to work for contracting firms such as RHI Consulting in Menlo Park, Calif., while waiting out the recession. Since then, Lobree has met client after client who wants a jack-of-all-trades—someone who can administer any brand and version of firewall and intrusion detection, is network-savvy, can code and is versed in new technologies like XML, .Net and wireless.

Clients also want someone who can speak in terms of return on investment to sell projects to executives and who knows everything about the client's business, including its regulatory issues.

"I have peers going back for their MBAs," says Lobree, who has spent six months charting cross-industry regulations and standards affecting security and privacy to meet his clients' needs.

Everyone predicted that IT security jobs would be hot after the Sept. 11 terrorist attacks, but the reality is quite the opposite. Would-be employers say that their security budgets are flat, that risk and threats are rising, and that they're being asked to do more with less because of staffing shortfalls elsewhere within their IT organizations.

For example, in addition to network monitoring and intrusion detection, a security analyst might also have the security responsibilities of laid-off Windows NT and Unix administrators, explains David Foote, president and chief research officer at Foote Partners LLC, an IT workforce research firm in New Canaan, Conn.

So rather than focusing on hiring people for their specific security skills, corporate IT managers are looking inside their IT organizations for the right combination of technology and business acumen and then training workers in the ways of computer forensics, intrusion detection and incident response.

"Certifications and technical security expertise aren't my first criteria in placing a security specialist," says Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "I'm looking for other important factors: Do you understand how the business works? Can you put this in perspective of easier, better, faster and then sell it to the company? Are you a team player? Do you understand the technology basics so I can teach you the rest?"

Monitoring and Response

As at other firms, hiring at OppenheimerFunds is flat overall. But that doesn't stop Hager from dedicating existing resources to new security problems. For example, he has sent two of his team members to the University of Denver to study database security.

Hager has been assigning more training in intrusion detection and incident handling, a move that's consistent with what other firms are doing, says Bill Kasko, division director at RHI Consulting's staffing office in Dallas. Although security jobs are scarce, Kasko says he's seeing more client requests for administrators with knowledge of how to handle cyberattacks, network monitoring and intrusion-detection programs.