Demand for cybersecurity services is rising fast, says Aura Information Security general manager Peter Bailey.
That's because most companies prefer not to employ their own in-house technology specialists. Apart from anything else, they don't necessarily fit well with corporate culture. They are also hard to find.
Bailey says good cybersecurity specialists spend a lot of time researching their subject area. They read blogs and information sites, attend conferences and take part in online forums. To many employers, that doesn't look like work.
At the same time, there is a limited market for skilled security specialists in New Zealand. Some of the right people are here, but they are all employed. Most of them work for security service companies such as Aura.
Many security people are brought in from overseas to fill the gaps.
The other approach to dealing with the security skills shortage is to retrain people from other information technology disciplines. Almost no-one goes straight into security.
Bailey says the best source of new recruits tends to be from people with a software development background.
"They will have been developers," he says. "Then they became interested in the security side of the industry and how that works. Normally they will train themselves. There's not much formal training for security specialists. Instead, they get help from the security community which can be supportive.
"They'll find out about the tools they can use and they'll pick up techniques. They'll play around with the ideas and go to conferences. There are lots of forums and blogs where people discuss vulnerabilities. Once they've picked up enough knowledge, they'll try to work for companies like ours."
Working in security turns the usual software developer's work practice on its head. While developers focus on building software, security professionals take it apart.
Bailey says such people think in terms of how many vulnerabilities they can find and how far that gets them into a piece of software.
He says the other big difference is that security professionals need to be multidisciplinary. They need to have a good knowledge across various programming languages and platforms. They need to know mobile as well as web, and must be able to look at networks. Developers, on the other hand, tend to focus their attention. With security professionals, it's about a broader knowledge.
New Zealand's security skills shortage has triggered something of a boom for companies like Aura, which was acquired by Kordia in late 2015.
Bailey says Aura's customers "tend to be larger New Zealand-owned corporations who can't afford for their security to go wrong. They're looking for partners who just do security."
Recent years have seen a big change in cybersecurity, which has moved from being seen as an information technology problem to where it is now viewed as a business risk. Bailey says today's executives and boards have a better understanding of risk in general and view online threats the same way.