On that note, Etrade laid off their entire net sec team a few months back.
I don't trade there anymore.
Fewer and fewer companies are paying attention to network security with
the right mindset. They all want people who have been in the field for
7-10+ years, with 10+ years of general systems admin skills.
I'm 21. I have 5 years of combined network security and sysadmin
experience. No-one is interested.
I spent 5 months looking for a job, applied at at least a few hundred
locations, only to be told each time that I didn't have enough experience.
I know around 100 other security admins, and I think 2 have that much
experience.
It's semi-understandable when an MNC wants that kind of experience, but
when your run-of-the-mill start-up wants to too, it gets rather sick.
These people aren't going to get what they're looking for.
They'll realise it too late I guess.
I dropped out of security and went back to sysadmining.
I prefer the job I have now to any I've had in the past, and I wouldn't
trade it for a security job with some of these firms in 10 lifetimes.
I attended my first IETF meeting in 1991. There were 384 attendees.
There are very few people who really have 10+ years experience in this
industry.
If I was looking for top security talent, what would I ask for whether
I was hiring directly or outsourcing? Do I want a bunch of ex-military,
ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
of which have existed for 10 years, published papers, can answer tricky
questions about checkpoint firewalls (why is a confusing firewall
configuration a good thing?), a college degree in crypto, big 5
accounting firm (or is that now big 4 accounting firm)?
The problem right now is if you advertise for a job, you will get
blasted with literally tens of thousands of resumes. What should I
be telling the HR department to look for?
Likewise, if I was going to outsource, what should I be looking for
in a security management provider?
The best information security person I've ever met/worked with/etc was
at Disney Imagineering. I've yet to find anyone at a security consulting
firm or other company that came close to matching him.
Surely you're looking for someone who can tell you what they are trying to
protect from, i.e. hacking, DoS, DDoS, and how and why that is a security
problem.
Then I guess you want them to have had sufficient experience to know how
the different security products address these issues.
No other major points really.
Product specialisations must be a distraction - if their knowledge and
training comes from Checkpoint training then they may not know the details
of the attack method and are more familiar with configuring a Checkpoint
than with what it is doing and in what areas it lacks.
And qualifications should never outnumber instances of hands-on
experience; what good is an academic with little knowledge in the field!
Steve
Let me guess, eBay is moving into securities trading next... Your "facts"
about eTrade are wrong, very wrong.
-Jim P.
:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing? Do I want a bunch of ex-military,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?
I would ask for personal referrals. They are generally the only thing
worth counting.
The accounting firms have brand recognition, but the way the business
works, you are rolling dice the same way you would using a boutique.
Certifications are handy from a diligence perspective, but shouldn't
be a deal breaker. Product knowledge is handy, but doesn't demonstrate
expertise. Published papers will show expertise, but not indicate
reliability or business focus. Industry specific experience will
demonstrate business focus, but not necessarily show clue. Academic
credentials will show persistence and some clue, but probably won't
ultimately help you sell more widgets.
:Likewise, if I was going to outsource, what should I be looking for
:in a security management provider?
Track record over the last 3 years, and personal referrals. This on
top of whatever criteria you have for requiring one in the first
place.
Brands mean very little in the face of a referral from someone
you trust, or have paid enough to trust. Services companies only real
asset is their staff, and many will debase their brand by diluting
their talent pool to deliver a more reliable recurring revenue stream
to investors.
This means fewer high clue people delivering complex but high return
services, and more middle to low end consultants delivering simple
managed services to a much broader customer base. Think of it as a
race to the bottom.
So, it depends on the solution you need. If you need enterprise network
architecture, customised IDS and incident response solutions, and
bleeding edge technology to defend your network against theoretical threats
and imagined hostile governments, find a geek-boutique of people
who speak at blackhat briefings, tell spook stories, and can show significant
contributions in OpenBSD change logs. I hear some will even throw in a tinfoil
hat, gratis.
If you need reasonably reliable, cost effective anti-virus, managed
IDS, and a checkmark or smiley face on your next audit, but aren't
terribly concerned about specific threats, read some Gartner Group
reports and pick one that seems reasonable.
I suppose this could just have been summed up by saying, get a personal
referral, as the industry hasn't been around long enough to really judge
from track records, who can provide the best service.
Finally, people who agree with me.
How many management personnel are out there who don't have degrees? Very
few I imagine.
How many techies are out there without degrees? Quite a high number.
This industry is such that (IMHO) experience is *FAR* more valuable than
any piece of paper.
A piece of paper won't tell you what to do when you have someone in your
system, how to watch them, what to do, who to call.