Despite the growing threat of attacks and thefts via the Internet, corporate and government Internet security managers are reluctant to confront the reality of how difficult it is to hire the most competent Internet security experts. The problem is that many of the most capable Internet security people are self-taught or the product of informal training programs. These experts rarely have college degrees and sometimes have a police record (for hacking, drugs, or other offenses). The lack of a college degree often keeps many good people out of corporate and government jobs, while any hint of past legal problems will prevent them from getting a security clearance (essential for many government Internet security jobs). It is worse when you realize that most of those people with proper credentials, like a college degree in network security, are the product of college-level courses taught by people who know little about the nuts and bolts of hacking or protecting networks from attacks. Those who do know about such things, and are willing and able to keep their skills current in a rapidly changing field, prefer to make big money working for Internet security firms or criminal organizations that pay a lot better and are not concerned about people who are self-taught and have shady backgrounds.
These self-taught, slightly dirty Internet security aces do not go without work. Some firms, mainly smaller ones, do hire the “irregulars” and then send them out to work as consultants for corporations or the government. For those few who can get a security clearance, there is regular, highly paid work as security consultants for government and military organizations. Otherwise, the uncredentialed can only get short-term government assignments (when bureaucrats are desperate enough to ignore the insufficient credentials in order to get a large mess fixed). The much higher cost of consultants, and the requirement of a security clearance for military and many government jobs, means that a lot of the best people simply cannot work on government projects. That’s one reason commercial organizations have much better security. A related reason is that commercial firms can pay for much more competent managers, who are quicker to spot Internet security problems and implement effective solutions.