I'm a software engineer doing a lot of security analysis (vulnerability assesments, penetration tests, security policy development, etc.) projects for my company, and it seems to be companies are taking more focus on their security. As far as what makes a good security person, well, that varies. The vulnerability assessment portion of an analysis is pretty easy, and any experienced network adminsitrator should be able to do it. However, it really takes a hacker mentality to have the foresight into potential holes. Determining existing holes is easy, as that's fairly automated, it's determining how something might get exploited that takes skill. One needs to have a profound understanding of most protocols, both high and low level, and a programming background is almost absolutely essential. If you can't build your own tools, or modify existing ones to fit your scenario, you're pretty limited.