Would you trust a carrier with your security services? Surprisingly, the answer may well be “yes.” More than half of the companies I work with say they’re using managed or carrier-based security services. Typically, these are basic services such as firewall management or IDS/IPS.

But most folks say they’d consider expanding their use of managed and carrier-provided security services. Why? The top driver is a lack of skills internally. “The thought was that we could do it just as well ourselves, but it’s been made abundantly clear that’s not the case,” says one IT executive.

Senior-level security staffers command as much as US$250,000 per year, due to a chronic shortage of such individuals. The typical senior-level security staffer makes $100,000, and the typical junior-level staffer makes $62,500.

If reading this inspires you to consider shifting fields, you may first want to ponder a few other issues. First is that skills shortages generally respond well to market forces; a few years ago, when routing was a rare discipline, Cisco Certified Internet Engineers commanded top-dollar salaries, but as the number of CCIEs increased, the average salary declined. So shifting your technical focus probably won’t pay off in the long term — if that’s all you do.

What does pay is a willingness to assume both risk and responsibility. Increasingly, the top-level security specialist in many organizations is a member of the board, which means he or she is personally liable for attacks.

Moreover, security is gradually morphing into an overall “risk-mitigation” specialty, which means security teams are doing more, and wielding more authority, than ever before.

And the assumption of risk and responsibility doesn’t get commoditized as rapidly as technical skills, so taking on both is a good long-term bet.