Part of the challenge is not only finding candidates that are book smart but have street smarts. Understanding the risk management framework from NIST and how it applies in the real world is the difference between a compliance analyst and an IA Risk Manager. Sad thing is that I don't see to many other IA Risk Managers out there. The kids coming out of school don't seem to have a clue as to how information assurance/security functions in the federal space. It's very frustrating trying to find even entry level folks who can apply theory in a functioning enterprise.