I learned a long time ago that you should always keep your options open.  So naturally I always keep my resume updated and for the most part available on the job boards.  Over the last year or so I've gotten a number of calls/emails for various security jobs.  I would say many are contract based but there were a good number that were full time, only on the other side of the country.  So it is safe to say, there are many jobs out there for Information Security pros ("you're welcome" - Capt. Obvious).  When I made my way over to this career from the general IT Infrastructure realm, I always figured I would stay on the defensive side.  I never considered I would have the skill to be a full time pen-tester, though I do enjoy the feeling of the challenge.  I always figured I was better tooled for defense. 

Then I had a phone interview with a local security firm.  The admin who contacted me didn't mention anything about the job she was contacting me for.  I asked, she still didn't say.  The fact that this particular firm was calling me was enough to peak my interest.  So I had the interview, honestly as phone interviews go, it went pretty good.  We had a good conversation and even after telling them I wasn't interested in the commute, they still tried to pull me in.  Now the job was for pen/vuln testing, again told them I wasn't really looking for that type of position, but they persisted.  So they gave me their "technical" interview.  It consisted some questions about Nessus which apparently required me to just know how to use it.  I then proceeded to tell them a story of a recent assessment I did at work and mentioned SQLi.  They asked me about that.  So I mentioned about inputting javascript/SQL code into form fields to see if it returns data and that was apparently enough for them to consider me worth pursuing.  Mind you I only know of the process of how these things are carried out and how to protect a site against them.  So the call went on with them asking how far I was from another city and that they were thinking of opening an office roughly 30 minutes from me.  They even suggested I still come in to meet them and such.  Figured they get the hint that I wasn't interested.  Then I get a call the following week to schedule an in-house interview.  I declined and apologized if I lead them to believe I was interested (even though I said I wasn't on the original call).

Could I have done the work?  Don't know, I imagine if I made it my focus, I probably could.  Is it something I would like doing?  At this time probably more than what I am currently doing, but not for an almost 2 hour commute along with regular travel around the country.  Just thought I would share.  There is plenty of work to be had out there.  The population of skilled InfoSec pros is growing, but not as fast as the job openings.  If you have "security" anywhere in your resume, you will most likely get a call from some outsourced recruiter or a company who doesn't really know what they want but someone says they need a security guy.  Anyway sorry for the book, but figured I'd share the story.

Good luck out there!

In my area a saw a lot of security analyst jobs, if I compare tot he last year it grew a lot.

The problem with a lot of offensive positions is that you often have to be willing to relocate and/or travel. We've struggled filling the couple positions we've opened over the last year, and I know many other organizations are having the difficulty. MaXe literally moved halfway around the world for the gig he's at now. Working out the logistics may be more challenging than actually finding a position.

I think at this point the demand is so high that companies are moving away from trying to find the expert to looking for someone with the ability to become the expert.  The experts are all hired and hopefully happy.  But there are plenty of new guys out there just aching for a chance to get into the field.  I think the biggest thing teachers like Grendel can do is emphasize the learning doesn't stop and the employer may not always be willing to send you off to the $4K SANS course.  Like any career if you want to succeed you need to work at it on and off hours.  A friend of mine tells me I need to unplug but I don't think he quite gets the fact that when I come home and fire up the lab, that is me unplugging.  I can't do somethings I want to do at work, so I do them in the home lab.  It also is me educating myself on what is new out there in the world of InfoSec.  I will say that the actual unplugging is me grabbing the camera and the hiking boots to head off into the hills for some fresh air.  I tend to appreciate that more when I've spent the week working and learning, the brain needs to switch gears every so often.

Also for those of you with students, one more thing to recommend...  If they want to find opportunities, they need to get out there and network.  Go to the local security groups (ISSA, Hackerspaces, etc...).  Get to events like B-Sides and even venture into local user groups for like Linux or OWASP.  Not only will they have the opportunity to learn something or even teach something, they will get to know some people in their area.  Another suggestion is to work your way to doing a talk.  It gets your name out there and hopefully shows people you know a thing or two about something.  The same friend of mine that tells me to unplug also tells me I should do a talk.  Though I still have no idea what it would be about.

Anyway glad I sparked some discussion.  Oh and on the topic of Telecommuting, I have a total of 2 hours of driving a day for my job.  So luckily my current position allows for me to either work from home or work from our SOC which is much closer than my office.  I think the idea of telecommuting is great but I also thing face time in the office is also important.  There are somethings that are best collaborated on in person.