South Africa's Critical Skills List acknowledges a challenge faced around the world: there simply aren't enough high-level information security skills available to meet demand.

Our current Critical Skills List, including designations such as IT security specialist, anti-virus specialist and network specialist (security), underlines the key security skills lacking in South Africa.

But designations don't tell the whole story: to effectively mitigate risk, South African organisations need IT security professionals with a broad range of skills.

To be truly effective, an IT security professional needs to have a background in networking, experience across a range of vendor products, and strong incident management skills, among others.

Security professionals must understand how hackers think and how they penetrate the network; they should have programming and scripting skills to integrate and automate solutions; and they should ideally have some analytical skills to interpret and understand attack patterns. At a higher level, these IT security professionals also need management experience and the communications skills to engage at board level.

Cyber criminals share knowledge willingly, collaborate regularly and are constantly learning.

Acquiring all of these skills can take years. Unfortunately for South African enterprises, a brain drain appears to be taking place among experienced and highly qualified professionals, who are moving abroad for more opportunities and higher salaries. We are seeing high-level skills emigrating, and even moving their entire IT security businesses offshore to countries like Australia, the UK, United States and The Netherlands. At the same time, the talent pipeline is not delivering enough new skills to fill the gap.

Adding IT security skills to our Critical Skills List is a stopgap measure at best: imported consultants come at a high price and may not be in place long enough to transfer the necessary skills to local workforces.

Meanwhile, with a critical shortage in the cyber security workforce, security operations teams are frequently overworked and understaffed, which can result in their failing to adhere to cyber security best practices, or making careless errors. Ultimately, the organisation risks significant losses as a result.

Where are all the high-end security skills?

Globally, organisations are grappling with a similar challenge. According to a workforce development survey, 59% of organisations have unfilled cyber security positions, with Frost & Sullivan forecasting a shortfall of 1.5 million by 2020. The 2018 (ISC)2 Cyber Security Workforce Study puts the cyber security workforce gap at over 2.9 million globally.

Indeed, the only sector that appears to have ample high-end skills is the cyber crime sector. Cyber criminals are thriving and getting better and better. With cyber crime estimated to be worth $1.5 trillion last year alone, this is clearly a booming sector.

And based on what we know of cyber criminals, this sector differs from legitimate business on several fronts: its IT skills share knowledge willingly, they collaborate regularly and they're constantly learning. In addition, their work is challenging and exciting, and usually very lucrative. All of which serves to produce a sector that is highly sophisticated and a force to be reckoned with.

In contrast, many legitimate organisations are loath to invest in ongoing skills development, their IT security professionals often work in isolation, and in many cases, their work is tedious and repetitive.

To address the skills gap and stem the brain drain, legitimate organisations could take a few pointers from cyber crime syndicates.

Building high-powered IT security teams

IT professionals, and specifically IT security professionals, are often a special breed. They enjoy a challenge, and find it gratifying to master new skills.

Organisations should be investing in ongoing training and skills development, enrolling their teams for courses in ethical hacking, vendor solutions and more, and they should facilitate the collaboration and peer interaction their teams need.

Considering the potential costs of not doing so, organisations should be investing heavily in ensuring job satisfaction for their IT security professionals, allowing them to explore new technologies and offering them challenging work, additional responsibilities and clear career progression plans to keep them excited in their roles.

Despite the fact that times are tough, organisations should be offering highly competitive remuneration that makes it worthwhile for high-end skills to stay within the organisation and for enthusiastic newcomers to enter the field.