"I lost a gentleman who doubled his salary when he went to the private sector," Maley says. "For me to get a security expert in, even if I would take them up to the highest step in their pay category, it doesn't come close to what they could get in the private sector." And Maley can't entertain the notion that a given hire will stay with him for the long haul.

What he does to get around having an inexperienced security staff is to hire those who are "a little wet behind the ears" — sometimes right out of college — but who show promise.

The lure for such hires is the chance to work in an enterprise environment where security staffers have the chance to spot cyberattacks as they hatch. In the past six months, for example, his security team has seen three variants of the Storm Trojan come in that hadn't been spotted elsewhere. That's not surprising, given Symantec's April 8 Security Threat Report (download PDF), which cites a shift in attacks aimed at sites that are likely to be trusted by end users, such as social networking or government sites.

"I've got a team that has the opportunity to fight that kind of stuff, analyze it and be on the leading edge in the fight between the bad guys and us," he says. Recruits get hands-on experience on projects that are both significant and "exciting," including a penetration-testing rollout partially automated with Core Security technology in response to repeated interruptions from virus outbreaks, Maley says.

Maley also coaches his green recruits at building their resumes. He knows that eventually they'll leave, but if they're adding to their resumes, having fun and learning in the meantime, chances are they'll stay that much longer — a trick that any revenue-challenged organization can employ to good effect.

Skirting the underskilled

When dealing with a security staffer with limited skills, you've got to limit his potential to blow everything up. This approach is called "putting a skirt on him" by the don't-quote-me crowd, but there's a more positive spin to put on it. Anthony Scalzitti, a security engineer at a major security software company, says it's all about limiting potential mistakes by assigning tasks on less critical systems — for example, investigating suspicious log activity or IDS reports.

Another useful security role that won't get a limited-skill staffer into trouble is to attend meetings of other business teams to make sure the security group is aware of upcoming projects. Having a security representative sit in on team meetings can also help to remind colleagues to build security in from the design phase instead of shoe-horning it in after design and development.