Indeed, many companies are looking to expand their security operations because cybercriminals, disgruntled ex-employees and careless current employees with USB drives and laptops continue to increase the risks they pose to corporate data.
There is one other thing almost everyone agrees on: technology alone is not going to fix all security problems.
It's going to take people: engineers to implement technology, consultants to test its effectiveness and managers to devise processes, organise budgets and set priorities.
But while technology is easy to replicate, IT security professionals are a precious resource that can be hard to find, hard to recruit and hard to keep.
"The demand for good people is outstripping supply," says John Colley, former head of information security at the Royal Bank of Scotland and managing director EMEA for non-profit industry education and training body, (ISC)2.
"It has changed only slightly with the recession, with mergers putting a few more people in the job market."
"It is very difficult to find the right people," agrees Neil O'Connor, principal consultant at UK-based security testing company, Activity. "When the right person does come up, you recruit them."
Indeed, Vernon Poole, head of business consultancy for UK-based Sapphire and a member of Isaca's information security management committee, says that many larger companies in Europe are looking overseas, in particular to "younger" countries such as South Africa and Australia, where they "aren't burned by regulations and get on with the job".
Poole says emerging markets, such as South America, Mexico, Japan, Taiwan and India, have similarly talented people, although companies looking to hire staff from these countries might have to "bed them in" because of different language and perspectives.
It is not difficult to find people claiming to be security professionals, despite an increasing number of security qualifications that make it easier to determine who has at least some formal knowledge.
The problem is to weed out those without the right skills or attitude - or indeed to find someone with the right skills, since there is a good chance that anyone sufficiently competent for the job will already be employed elsewhere.
O'Connor says that advertising a job is usually not the best way to get the right sort of candidate. "I have advertised, but I have had a very variable standard of reply," with a large number of poor CVs.
Instead, he uses a variety of methods. He says that clients are a good source of word-of-mouth recommendations, as are his competitors. "There's a friendly rivalry. When you meet someone, you ask if they know anyone looking for a job."
But principally he uses networking and recruitment consultants. "Most people, if they're any good, have got a job already," he says. Industry events such as Infosec are useful networking venues, as are Black Hat conferences, principally because security experts often attend to learn the latest techniques.
But with between 10,000 and 20,000 security professionals in the industry, meeting them all or relying on word of mouth can be problematic.
So recruitment consultants and agencies are the chief port of call for managers. The main international agencies are Acumen, Barclay Simpson and Greythorn, supplemented by other, smaller firms.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
