Would you trust a carrier with your security services? Surprisingly, the answer may well be “yes.” More than half of the companies I work with say they’re using managed or carrier-based security services. Typically, these are basic services such as firewall management or IDS/IPS. And pretty much nobody has fully outsourced security management; typically these “commodity-management” services operate in conjunction with in-house security.

But most folks say they’d consider expanding their use of managed and carrier-provided security services. Why? The top driver is a lack of skills internally. “The thought was that we could do it just as well ourselves, but it's been made abundantly clear that's not the case,” says one IT executive.

Why are folks having trouble rounding up the skills? A key reason is the high — and increasing — cost of security specialists. Senior-level security staffers command as much as $250,000 per year, due to a chronic shortage of such individuals. The typical senior-level security staffer makes $100,000, and the typical junior-level staffer makes $62,500. By “senior-level” security person, we’re talking a certified information systems security professional (CISSP) or above, someone whose responsibilities focus primarily on policy development and architecture. (A junior-level person is more likely to concentrate on things like log auditing or task management.)

There’s a wide degree of variation, though — both regionally (workers on both coasts command slightly higher salaries than in the heartland) and in terms of ranges (only about 20% of the companies I work with are paying more than $140,000 for a senior security specialist).

But the bottom line is that there are more senior-level security jobs than people, and as a result, companies are willing to pay a premium for the right skills. “They had to break the bank to get me,” says a senior executive of his company — and he’s paying his team of top-tier security people $240,000 per year.

If reading this inspires you to consider shifting fields, you may first want to ponder a few other issues. First is that skills shortages generally respond well to market forces; a few years ago, when routing was a rare discipline, Cisco Certified Internet Engineers commanded top-dollar salaries, but as the number of CCIEs increased, the average salary declined. So shifting your technical focus probably won’t pay off in the long term — if that’s all you do.