• United States




How to build a thriving information security function despite the talent shortage

Jun 09, 20165 mins
CareersIT LeadershipSecurity

business people
Credit: Thinkstock

It seems that the industry has reached a nearly unanimous conclusion about a key essential for tight information security — people.

You don’t have to look at online job postings for long to recognize that most of the posted IT jobs relate to information security, with employers attempting to fill many such positions to shore up their cybersecurity posture. As an example, following a  major security breach at the U.S. Office of Personnel Management, the agency announced that it would fill 1,000 information security positions.

Much of the business world now recognizes the challenge in hiring enough qualified information security professionals. As evidence of this, it was reported as part of the 2015 Global Cybersecurity Status Report that 92% of companies surveyed that planned to hire information security professionals, expected to have trouble doing so.

As I mentioned in “Good information security is fun-damental,” many organizations have sought to solve the staffing shortage by spending large amounts of capital on products designed to shore up security. Unfortunately, virtually all of these expensive new products require significant care and feeding. It would be a wonderful world if we could buy automation products that would provide great protection, and with only an on/off switch, but alas, the industry is not there yet. As such, companies are discovering that once they buy that $250,000 security product, they need to immediately hire three people to manage it.

This somewhat defeats the purpose.

There is some hope on the horizon for resolving the talent shortage, with many colleges and technical schools expanding their programs to include security-specific curriculum. Many college students, recognizing the career potential, are taking advantage of those programs. Sadly, this won’t really help for at least a few years.

If you manage information security in an organization faced with this talent shortage, you have likely already discovered that there is no easy button. Fortunately, there are some things you can do to help in the immediate future, including the following: 

Don’t throw money at tools

As I said above, the expensive tools generally require a good bit of care and feeding. While they may be useful in augmenting your security effort, they will in most cases make your staffing issues more acute. Buy tools when they are really needed, but take into account the related staffing requirements. Consider paying the vendor to perform installation and maintenance. 

Do automate and set up procedures

There are many tools and approaches available for automating routine monitoring. My favorite class of tools in this area is log monitoring (Splunk, Greylog, Sumo Logic, etc). These tools require some setup, but once done, you have one place to look for log entries from all of your systems, with some analytics functions that shortcut the monitoring effort.

When dealing with a staff shortage and high turnover rates, it is also critical to have good, tested, written procedures in place for all common functions. Such procedures facilitate cross training, and allow a relatively new employee to come up to speed faster. 

Consider using managers with no security background

I began my career as a systems programmer with IBM working on a complex product. My first manager had come up through the sales ranks. He could talk technology, since he had to sell it. He had never written a line of code and could not have booted the system we maintained. He was, however, a great manager that helped make the product and team successful.

This same technique can be used today when staffing for information security management positions. You can hire proven managers with technical backgrounds, but without strong knowledge of information security, since they will likely be managing analysts and architects that are security subject matter experts. Paraphrasing one of my favorite security podcasts this week, the right question is infinitely more valuable than the right answer. A good manager, regardless of specific background, generally knows how to ask the right questions. 

Use interns

There are many interns looking for some experience in information security as part of their college education. Hiring them can be an invaluable approach to augmenting your security function.

Years ago, I worked with an intern from Georgia Tech, and hired him for a full time position. I proceeded to hire him again at two subsequent companies. He is now one of the top healthcare information security professionals in the country. Do not underestimate the abilities and loyalty of a well chosen intern. 


Many information security functions can be outsourced, thus transferring your talent shortage problem to a vendor. Examples of good outsourcing candidates include security operations and monitoring, firewall management, and patch management.

Outsourcers must be chosen with care, however, because you are turning over a critical part of your operation to them. Make sure you understand the limits of the services the provide, so you don’t end up paying for extras after the sale.  A good outsourcer can significantly reduce your stress level. A bad one can push that stress level off the chart.

Bottom line: Staff shortages in information technology are not a new problem. The specific discipline in short supply may change, but the problem will likely always be with us. By being innovative and using sound management practices, you can thrive despite the lack of talent.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author