Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company’s firewalls. They did a good job limiting the damage, but it took two days, two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. "We want to be in a safety zone that doesn’t require that kind of immediate mobilization," he says.

That’s why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganizing and reassigning IT people to security. "Good security equals prevention, detection and reaction," says Saul, who is based in Schaumburg, Ill. "If you’re not going to staff to make the process work, then your exposure to security breaches is higher."

That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 percent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 percent of those respondents acknowledged suffering financial losses.

In fact, there’s no limit to the damage evildoers can inflict. Sept. 11 proved that. In this environment, many people believe that it’s sheer madness to have an IT staff handling information security on an ad hoc basis. "It’s a hard-and-fast rule, in my opinion," says John Hartmann, vice president of security and corporate services of Cardinal Health, a $47 billion health-services provider in Dublin, Ohio. "If the two roles are shared, business priorities will drive security to a lower priority."

Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company in Princeton, N.J., disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organized into a team, as his are, carrying out a coherent security program that sets out specific responsibilities and requires regular meetings. A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.

Finding skilled security professionals to carry out this mission can be tough, and the alternative, training in-house IT staffers who are security novices, can be costly and time-consuming. (Outsourcing security is another option. To read a cautionary tale about the pitfalls of outsourcing security, check out "Exposed," at www.cio.com/printlinks.) But whichever route you choose, here are some ways to enhance your chances of success.

A Shopper’s Guide

CIOs looking to hire skilled, experienced security people could be in for a rude awakening: There aren’t many out there. The gap between supply and demand is the largest among all IT skills, says David Foote, president and chief research officer of Foote Partners, an IT-workforce research consultancy in New Canaan, Conn. "Employers can fill only one out of 13 jobs," he says. Nonetheless, the market has improved during the economic downturn; it’s much easier to hire skilled security people than it was a year ago. "[In early 2001], we were paying a lot of headhunter fees for recruiting," says Bruce L. Murphy, CEO of Vigilinx, a security services company in Parsippany, N.J. "Now we don’t need to." But even in a buyer’s market, CIOs need to know how to compete for the best candidates. Here’s what you can do.

Analyze your needs. No self-respecting security professional wants anything to do with a company that’s clueless about why it’s hiring him, says Lee Kushner, CEO of L.J. Kushner and Associates, a Freehold, N.J., recruiting company that focuses on security personnel. So figure out what your company needs, either through an in-house assessment or with the help of a consultancy. But be warned: Help doesn’t come cheap. Outside evaluation can run up to $500,000 for a full-blown examination of a global organization.

Look smart. The security industry is very insular, says Kushner, and potential employers need to know the secret handshakes. Specialized recruiters are the best way in. Unlike large general recruiting companies, specialized recruiters have deep and wide contacts in the security community. "I’ve tried all kinds of firms," says Denis Verdon, first vice president and global head of information risk management for Instinet, a $1.5 billion New York City operator of an electronic trading network for institutional investors and brokers. "And usually it’s the specialists who provide higher rates of good-quality résumés."

CIOs who strike out on their own have to find their own leads. Bill Boni, chief information security officer for Motorola, the $30 billion communications equipment manufacturer in Schaumburg, Ill., says the military is a particularly good source for security people. Find them through newspaper ads in cities with large military populations, such as San Antonio and San Diego. Eddie Schwartz, former senior vice president of Guardent, a security-services company in Waltham, Mass., suggests contacting outplacement personnel at military bases. Universities are a good source of entry-level people. Schwartz points to Bowling Green State University in Ohio, Purdue University, James Madison University and Virginia Tech as having good IT programs with information security offerings. Contact their career placement offices for help. Alan Paller, director of research for the SANS Institute, an information-security training and professional organization in Bethesda, Md., suggests that CIOs raid the security-services companies they’re using. "There are so many consulting firms, and so few that are doing well," he says. "Many of their consultants are desperately looking for jobs in the real world." Boni agrees, adding that, of course, the CIO should inform vendors that they’re in the market for personnel. Once the vendors know that, he says, those looking to downsize will be only too happy to help. And placing their consultants with the companies they do business with has an upside. "Now they’ve got an ongoing relationship with alumni inside your organization, who are well-positioned to identify other opportunities," Boni says.

You’ve Got ’Em. Now What?

Once you’ve found the workers you want, you need to keep them. Tools, recognition and salary are the glue that will make them stick with you.

Tools talk. Tools are crucial. Security professionals strive to be what they call masters, people at the top of the security pyramid. Making cutting-edge technology available to them will help them feel that they’re achieving that status. "If you make them work with old tools, mainframe applications and Novell, for example, you’ll really frustrate them," says Paller. So if you’ve got a sophisticated IT environment, flaunt it. Some of the most desirable toys for security folk, according to H. Michael Boyd, a Walpole, Mass., HR consultant, include Nessus (a cutting-edge network vulnerability scanner), Snort (a leading intrusion-detection tool) and RAT (the Router Audit Tool, which checks router configurations against a security benchmark).

Make ’em feel loved. CIOs looking to woo candidates can offer to pay for training, certification and conference attendance. Recruiter Kushner says he’s negotiated conference attendance into employment agreements. Promising to send security people to at least one good conference or training program a year should keep them happy, says Paller.

Security people also thrive on recognition, says Paller. This recognition should be more than a pat on the back or a "thank you" e-mail. It has to be public. A good tactic is allowing security people to present their work at a conference so that they get external validation too. Security professionals can lose motivation if they don’t feel they have management’s support. That is true for any employee, but the stakes are a lot higher when you’re dealing with people who have top-level access to your systems. Within reason, CIOs need to back security people in conflicts between security and business needs.

Money talks too. Don’t forget to keep salaries competitive. Line security engineers command anywhere from $60,000 at the lowest levels to the high-five figures at the top, and heads of security can command between $130,000 and $180,000, says Maria Schafer, program director for human capital management at Meta Group in Stamford, Conn. The best way to benchmark salaries is by talking to specialized recruiters and networking among peers who’ve hired security people, says Murphy, pointing out that in an evolving field like security, salary surveys are usually out-of-date by the time they are published.

Inside Moves

If you don’t want to go out on the open market, Paller suggests looking to your systems and network administrators. They’ve got great technical skills and probably good (albeit uneven) knowledge of security concepts and issues. And they’ve likely tinkered with the security of their environment and responded to incidents as part of their IT duties. "They’re just waiting for you to say, ’We care enough about security to let you do it full-time, and we’ll keep your skills honed too,’" says Paller. Consider giving them the training to become dedicated security staffers. But how do you get started?

First, ask for volunteers. Boni, who’s built nearly his entire security staff by repositioning IT people, says that has worked best for him. "I’ve found that they just come out of the woodwork," he says.

When deciding whom to take, don’t just look for technical skills. Check for honesty and ethics (consider making a background check if they didn’t have one when they were hired) and look for interpersonal skills. You want someone who will work out differences with internal customers over security needs versus business requirements. "An individual with a collaborative touch will listen to what the business needs are and find a solution without falling back on a right/wrong, black/white approach that will anger the user," says Cardinal Health’s Hartmann.

Once you’ve identified the best candidates, get them trained. At the very least, they need training in general Security 101 issues, such as network security and security forensics, says Steve Katz, former chief information security and privacy officer of Citigroup and Merrill Lynch, and now an independent consultant in Melville, N.Y. Then they can learn more discrete specialties, such as firewall administration and intrusion detection. There are several ways to train them, including the following.

Have consultants train your staff. Training your new security people could take months. In the interim, someone has to handle your security needs, and most likely that will be a consultancy. That same company can be a great training resource, says Hartmann, who’s had security companies and Big Five companies train some of his security people. This training can be largely hands-on, and most companies will be happy to negotiate it into the contract, says Verdon.

Offer certification courses. Experts say certification isn’t necessary for security professionals; it’s really experience and skills that count. Nonetheless, putting your staff through certification courses can be valuable, and it doesn’t have to be expensive. Organizations such as the Computer Security Institute, the Information Systems Audit and Control Association, the International Information Systems Security Certification Consortium and SANS offer broad-based training that can ultimately lead to certification.

Have vendors provide training. Security products vendors such as Check Point Software Technologies, Cisco Systems and Symantec all provide extensive training on their tools, some of which leads to their own certifications. Paller says this kind of training is as important as conceptual training. But he warns that vendor training is expensive. Check Point certifications, for example, can cost up to $4,300.

Organize internships. Boni recommends sending security people to other companies to have them intern with more experienced professionals. It’s easier if your company is affiliated with a larger organization, he says, but other companies might also offer this opportunity, known as a secondment. "Basically they’ll take your staff person’s effort in exchange for free training and call it even," he says.

Keep up with the times. Because security is a rapidly changing field, ensure that your staff takes advantage of online threat-tracking resources such as SANS’s Incidents.org and the Bugtraq mailing list at SecurityFocus.com. Staffers should also attend the most important conferences, such as the RSA Conference and the SANS Conference, where they’ll network with peers. Finally, says Schwartz, security staff should update you about new threats on a weekly basis. "If the CIO gets an e-mail alert and sees something he’s never heard about from his security team, it’s an indicator that things aren’t going as they should," he says.

Of course, none of the steps outlined in this article will help you if you don’t establish security consciousness throughout your entire IT organization, says Schwartz. "You can hire a million security people and not solve your problems if security isn’t embedded deep within everything you do in IT."