Seeking security skills

Across the country, IT shops that want to beef up network security are having a hard time finding network engineers with security expertise.

EBay has been looking to add a security engineer to its 10-person information security team since May. Despite receiving more than 100 inquiries about the job, the leading Web auction site has yet to find a person who has the right combination of experience with firewalls, authentication, operating system security and network security.

“The hiring manager has high standards,” says Connie Bustillo, a recruiter for eBay. “Overall, we’re not finding enough people that have the security experience we need.”

EBay is not alone. Across the country, IT shops that want to beef up network security are having a hard time finding network engineers with security expertise.

The demand for network security specialists is strong despite the sluggish economy and widespread cutbacks in corporate IT spending.

CIOs anticipate a slowdown in the hiring of IT professionals during the fourth quarter of 2002, according to a recent poll of 1,400 CIOs conducted by staffing firm Robert Half Technology. However, these CIOs are moving ahead with network security projects and related hiring.

“I’ve had the opportunity to meet with many, many CIOs and ask them what’s on their to-do lists regardless of the economy,” says Katherine Spencer Lee, executive director of Robert Half Technology. “Eight out of 10 say security. Network security, data security, viruses – it’s everything to do with security.”

Lee says network engineers who have experience with security products from Cisco, WatchGuard Technologies, CheckPoint Software and Internet Security Systems are in the most demand.

Dice.com, which provides online recruiting services for technology professionals, says security skills are being requested in more of the network jobs posted on its Web site. Dice.com listed 6,800 network-oriented job openings at the end of August.

“Some knowledge of security is almost becoming a requirement for all the network jobs,” says Jason Medic, director of marketing at Dice. “We do see some jobs coming in as security specialists, but the lion’s share of what we see are for core network designers and architects with hands-on security experience.”

Having a security certification or two makes candidates for these jobs more attractive, experts say. But IT managers prefer experience to certifications.

“Certifications alone will not work,” Lee says. “You have to have real-world experience and the right attitude.”

Lee advises network professionals interested in security jobs to brush up on their business savvy along with their firewall and VPN skills.

“Individuals who are going to be successful in a security center are not just those with strong technical backgrounds but those that truly take the time to get to know the business,” she says.

Network security specialists also must understand the role that physical security and human resources play in keeping IT systems safe, says Dave Leighton, CEO of Risk Analysis Group, a security consulting firm.

“Companies in the past segmented their security. They had IT security separate from physical security, and they counted on HR for watching people,” Leighton says. “Now we’re seeing companies looking at security strategically.”

Leighton says most security breakdowns occur in operations rather than in network security.

“Companies will spend hundreds of thousands of dollars on IT security to protect themselves against hackers, but they have no operational plan for what to do if an employee leaves,” he says.

The industries that are most active in hiring network security specialists are chemicals, energy, healthcare, financial services, business services and government, observers say.

“Security budgets are one of the few areas of the economy where companies are still spending,” says David Foote, president and chief research officer at Foote Partners, an IT workforce research firm. “The really smart IT people are going into healthcare, insurance and investment banking to get experience with privacy and security.”

One plus for network professionals with security experience is higher salaries. Total compensation for corporate security positions is up 3.9% from the first quarter of 2001 to the second quarter of 2002, according to a recent Foote Partners survey on IT security compensation. This compares with a decline of 9.4% in compensation for 100 IT positions tracked in the survey.

“Security pay is outperforming IT pay for the second year in a row,” Foote says, adding that this holds true for salaries and bonuses.

Four out of six security positions now pay $100,000 or more in average total compensation, the Foote survey found.

“To get a really good person for a director-level job, you have to pay $124,600 salary and a bonus of $29,300,” Foote says. “The director-level job is clearly where companies have to put the biggest carrot.”

Foote says director-level IT security jobs are taking as long as 12 months to fill because it’s hard to find a network executive with a strategic view of security, an understanding of regulatory requirements, and strong management and communications skills.

“Security has never been managed well,” Foote says. “Security people are considered hard to work with because they slow down progress. . . .They’re very tenacious problem solvers and have extraordinary attention to detail, but they question everything.”