After Bruce Lobree, an information security engineer and a 20-year IT veteran, lost his job in October, he decided to work for contracting firms such as RHI Consulting in Menlo Park, Calif., while waiting out the recession. Since then, Lobree has met client after client who wants a jack-of-all-trades: someone who can administer any brand and version of firewall and intrusion detection, is network-savvy, can code and is versed in new technologies like XML, .Net and wireless.
Clients also want someone who can speak in terms of return on investment to sell projects to executives and who knows everything about the client's business, including its regulatory issues.
"I have peers going back for their MBAs," says Lobree, who has spent six months charting cross-industry regulations and standards affecting security and privacy to meet his clients' needs.
Everyone predicted that IT security jobs would be hot after the Sept. 11 terrorist attacks, but the reality is quite the opposite. Would-be employers say that their security budgets are flat, that risk and threats are rising, and that they're being asked to do more with less because of staffing shortfalls elsewhere within their IT organizations.
For example, in addition to network monitoring and intrusion detection, a security analyst might also have the security responsibilities of laid-off Windows NT and Unix administrators, explains David Foote, president and chief research officer at Foote Partners LLC, an IT workforce research firm in New Canaan, Conn.
So rather than focusing on hiring people for their specific security skills, corporate IT managers are looking inside their IT organizations for the right combination of technology and business acumen and then training workers in the ways of computer forensics, intrusion detection and incident response.
"Certifications and technical security expertise aren't my first criteria in placing a security specialist," says Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "I'm looking for other important factors: Do you understand how the business works? Can you put this in perspective of easier, better, faster and then sell it to the company? Are you a team player? Do you understand the technology basics so I can teach you the rest?"
Monitoring and Response
As at other firms, hiring at OppenheimerFunds is flat overall. But that doesn't stop Hager from dedicating existing resources to new security problems. For example, he has sent two of his team members to the University of Denver to study database security.
Hager has been assigning more training in intrusion detection and incident handling, a move that's consistent with what other firms are doing, says Bill Kasko, division director at RHI Consulting's staffing office in Dallas. Although security jobs are scarce, Kasko says he's seeing more client requests for administrators with knowledge of how to handle cyberattacks, network monitoring and intrusion-detection programs.
"Companies are looking at vulnerabilities across every bit of their organizations, even in their wireless systems," he says. "That takes a basic understanding of network topology in addition to an understanding of legal and compliance issues, which must trickle all the way down to the security analyst level."
Despite the specialized technical nature of IT security work, employers are more concerned with soft skills. For John Hartmann, vice president of security and corporate services at Cardinal Health Inc. in Dublin, Ohio, key skills include the ability to learn, build relationships and understand business requirements.
Hartmann has provided his staff with training in security policy development and implementation, compliance (particularly with the Health Insurance Portability and Accountability Act) and best practices that are the foundation of the company's vulnerability assessment program. Because he possessed the core skills Hartmann considers prerequisites, Ed Daniels was propelled from telecommunications networking manager to information protection director two years ago at Cardinal, a $49 billion medical supplies and services conglomerate. His networking management work put him in daily contact with other business units, so critical relationships already existed. On top of that, Daniels has a passion for learning, says Hartmann.
Daniels builds his own staff using a similar approach. The company's intrusion-detection analyst, who transferred from Cardinal's pharmaceutical automation group, was picked for his diverse systems and customer service background. The vulnerability assessor came from another Cardinal division, where she provided Unix and database support. She was hired for her writing and relationship-building skills. Even the two analysts hired from outside the firm had little security background.
"All my analysts have diverse backgrounds that would add something to the team," says Daniels.
Cardinal and OppenheimerFunds aren't alone in their approaches to skills building. Because of layoffs and budget cuts, IT managers are being forced to retrain existing staff on security issues, says Alan Paller, director of research at the SANS Institute in Bethesda, Md. More than 12,000 students went through the SANS Global Information Assurance Certification program last year, and Paller said he expects that number to be about 16,000 this year.
Meanwhile, the roles of senior-level security managers are also expanding, according to Tracy Lenzner, founder and CEO of security executive search firm Lenzner and Associates in Las Vegas. As is the case with other IT positions, there's very little hiring of security managers going on, she says, and those who still hold security jobs are picking up global responsibilities, particularly where government liaison and international legal issues are concerned. Security professionals with these types of responsibilities are earning salaries of $150,000 to $300,000 per year, says Lenzner, who adds that a handful of executive-level jobs even command seven-figure salaries.
"Security executives must be expert in government regulations, cyberterrorism protection, private-/public-sector partnerships like the critical infrastructure and homeland security, even physical security," she says. "So a lot of these candidates come from government backgrounds."
One such person is Charles Neal, vice president of managed security services for business hosting provider Exodus, a unit of Cable & Wireless PLC. Neal, who was promoted to the position six months ago, having joined Santa Clara, Calif.-based Exodus as director of its cyberattack "tiger team," had been a special agent in the FBI's computer crime squad in Los Angeles.
"There's great expectations within the FBI to work with embassies around the world, a necessity in the borderless Internet world," says Neal. "There's a lot of carry-over from the FBI to the private sector that people wouldn't expect."
Like his peers at Cardinal and OppenheimerFunds, Neal also looks for business and soft skills from his technical team. When he finds articulate security professionals who are good at relationship-building and have a strong work ethic, he mentors them to take over some of his own workload.
Team-building through mentoring and training are critical first moves in preparing a staff and building loyalty for what Foote predicts will be a "hiring bubble" in the first half of next year. That's when he expects CEOs, under pressure from shareholders, to fund more information security, he says. But with a short supply of IT security professionals who are savvy in both business and technology, IT security leaders should be planning their hiring strategies now, he adds.
Says Foote, "If you're not putting your rebranding plan together in security right now, that small pool of talent of hybrid security workers will be long gone when your CEO is ready to sign that check."