Strategies


Three Ways to Solve Security Issues

What You Can Do If Your Security Vendor Fails

01.08.2001
By Scott Berinato

So when his Pilot rep told Hennessy he was going to get fired that afternoon, Hennessy was able to set the plan in motion, and the transition to in-house 24/7 security was done in five hours. He credits the quick shift to his engineering team, whom he ranks somewhere between "real strong" and "the best in the world."

The cost of doing it all in-house was and will continue to be massive, of course. Hennessy won't deign to put a number on it, but he readily accepts the fact that he's paying a premium for in-house security. "It's definitely far more expensive doing it in-house," he says. "On the other hand, there's far less risk. I'm paying to sleep well."

Why is it more expensive? To begin with, recruiting talent is hard. There's little out there, and there are plenty of posers. Some experts put the ratio at about one real expert for every 10 claiming expertise. Certifications are partly to blame. A résumé with a dozen security certifications might look impressive, but it's misleading. Some certifications are simply for specific products and teach nothing about best practices or security policy. A firewall "expert" might know how to configure the box but have no knowledge of what policies should be enforced or even where the firewall ought to be placed in the context of a specific network.

Paying talent sufficiently is even harder than finding it. Stephen Northcutt, founder of the Global Incident Analysis Center and security consultant, says security contractors demand up to $500 per hour. Salaries are 5 percent to 10 percent higher than what standard IT staff earn.

Keeping talent is the hardest task of all. Northcutt says many true security experts are hopping jobs six times a year, upping their salaries $5,000 at each post. Len Cibelli, a former sales executive at Pilot, expects to get a 20 percent raise from his next employer.
