In today's deep recession, accented by continuing layoffs, it might be hard to believe that good security jobs are hard to fill, but they are. Or maybe it's more accurate to say that it's hard to find good security people for those jobs.
I recently helped hire a Web security analyst for a client with a large number of IIS and Apache Web servers. After filtering out hundreds of inexperienced candidates, I settled on a half-dozen people with relevant experience, education, and credentials. (I care about qualifications in that order.)
During my interviews with all six hand-picked candidates, I was surprised to find out how much they did not know about Web security. They couldn't tell me the difference between an XSS (cross-site scripting) attack and a cross-domain attack. Most were unaware of how to harden the base Web server OSes, and most were unable to describe a SQL injection attack. Only one knew how to isolate different Web sites from others using security accounts and application pools. On a positive note, at least two of them had heard about banner ads being used for malware distribution.
When I made the candidates aware that they would be responsible for keeping up with the latest ASP/ASP.Net and PHP attacks and vulnerabilities, all to a person expressed surprise that PHP or PHP apps had any vulnerabilities. After the third candidate said this, my jaw dropped. Upon hearing this from the very last candidate, I was just depressed. Where have these people been living? Do they read beyond Facebook and Twitter?
I ended up hiring the only candidate who seemed to express genuine interest in learning more about PHP vulnerabilities. I was doubly depressed that this interview mimicked one I gave a few years ago. Times had changed, but not the quality of the candidates.