Indeed, many companies are looking to expand their security operations because cybercriminals, disgruntled ex-employees and careless current employees with USB drives and laptops continue to increase the risks they pose to corporate data.
There is one other thing almost everyone agrees on: technology alone is not going to fix all security problems.
It's going to take people: engineers to implement technology, consultants to test its effectiveness and managers to devise processes, organise budgets and set priorities.
But while technology is easy to replicate, IT security professionals are a precious resource that can be hard to find, hard to recruit and hard to keep.
"The demand for good people is outstripping supply," says John Colley, former head of information security at the Royal Bank of Scotland and managing director EMEA for non-profit industry education and training body, (ISC)2.
"It has changed only slightly with the recession, with mergers putting a few more people in the job market."
"It is very difficult to find the right people," agrees Neil O'Connor, principal consultant at UK-based security testing company, Activity. "When the right person does come up, you recruit them."
Indeed, Vernon Poole, head of business consultancy for UK-based Sapphire and a member of Isaca's information security management committee, says that many larger companies in Europe are looking overseas, in particular to "younger" countries such as South Africa and Australia, where they "aren't burned by regulations and get on with the job".
Poole says emerging markets, such as South America, Mexico, Japan, Taiwan and India, have similarly talented people, although companies looking to hire staff from these countries might have to "bed them in" because of different language and perspectives.
It is not difficult to find people claiming to be security professionals, despite an increasing number of security qualifications that make it easier to determine who has at least some formal knowledge.
The problem is to weed out those without the right skills or attitude - or indeed to find someone with the right skills, since there is a good chance that anyone sufficiently competent for the job will already be employed elsewhere.
O'Connor says that advertising a job is usually not the best way to get the right sort of candidate. "I have advertised, but I have had a very variable standard of reply," with a large number of poor CVs.
Instead, he uses a variety of methods. He says that clients are a good source of word-of-mouth recommendations, as are his competitors. "There's a friendly rivalry. When you meet someone, you ask if they know anyone looking for a job."
But principally he uses networking and recruitment consultants. "Most people, if they're any good, have got a job already," he says. Industry events such as Infosec are useful networking venues, as are Black Hat conferences, principally because security experts often attend to learn the latest techniques.
But with between 10,000 and 20,000 security professionals in the industry, meeting them all or relying on word of mouth can be problematic.
So recruitment consultants and agencies are the chief port of call for managers. The main international agencies are Acumen, Barclay Simpson and Greythorn, supplemented by other, smaller firms.
Colley says the agencies vary in quality. "Some go rooting through the house for CVs, while others do a much better job of matching CVs to the position. But if people don't meet the requirements, you just say 'Please don't send any more'."
Graeme Cox, MD and co-founder of Edinburgh-based managed service provider, dns, relies on graduate recruiters for entry-level jobs and on Harvey Nash IT director for Scotland, Rhona Hutchon, for senior posts.
"I've built up a relationship with Rhona over many years and I value somebody who understands the culture of my business, so I don't get swamped with useless CVs. If I interview someone, I want there to be a significant chance of success."
Cox says Hutchon's willingness to operate as part of his team means that he has continued to use her, even as she has moved between firms.
Before contracting her five years ago, he had used other recruiters in a more ad hoc manner, and wasn't as close to them, viewing their services as a commodity.
As a result, they weren't successful. He says he receives calls from at least five recruitment companies a week, offering candidates, and that he would be "swamped" if he tried to deal with them all.
Hutchon says that the secret to her finding the right people is networking and industry knowledge. "Sometimes, the people on the market aren't the top percentile of talent. Through networking, you know who the trusted individuals are and which organisations are the ones that develop good staff." She also uses online advertising and user groups, and attends relevant security events.
Another small UK-based recruitment agency, Computer People, has a database of 400,000, mostly from CVs sent in, from which it draws its list of security professionals.
The firm then employs a vetting procedure, including aptitude tests and competency-based interviews, to identify candidates' skills.
The result, says Mohammed Lakhanpal, who heads the company's security recruitment team, is that most candidates he puts forward are hired on the strength of a phone interview.
The qualities people are looking for vary from job to job, with some roles requiring technical knowledge and others more business-oriented skills. However, Lakhanpal usually offers candidates with track records on long-term projects that have been on time and on budget.
As with most security recruiters, though, his main criteria include integrity, reliability and an "enthusiastic pride in what they do, someone who's still in love with their job. If it's someone in testing, they want to break something then make it unbreakable."
O'Connor agrees. "They have to have an interest in security and bring an enthusiasm to it. If it's just another 9-5 job, then they're not the right person."
Cox says that despite the trend towards people with business experience but little technical background, he still wants someone with IT experience. "They need to be able to connect with the IT security team. I won't hire technophobes who struggle to open their own laptops."
Getting someone and keeping them, when skilled people are at a premium, isn't easy.
Generally, says Hutchon, most security professionals are motivated by self-development and the content of the job - and to a lesser extent by money - so giving employees the chance to work on new things and developing a suitable training package can not only keep an employee but attract a new one to the job.
With flatter management structures in IT meaning promotions are rare, recognition among peers that they have sector expertise can be a rewarding alternative, as can the chance to speak at conferences.
Developing this training package in conjunction with the employee lets them expand their career the way they want and helps with morale.
Cox highlights one graduate employee who left dns after three years to get more money. However, he returned within a year, Cox says, since the new firm didn't value security in the same way as dns.
The expanding market for IS skills means that experienced, talented professionals are as hard to find as ever, despite the recession. However, with the right techniques they can be found, and with the right package and nurturing they can be hired and enticed to stay.