6 mins to read
“Cloud keeps growing, and it is capturing an ever-larger share of information technology spending,” remarked Lee Sustar, from Forrester Inc. “Big banks and other companies aren’t simply migrating existing data and software from private data centers to the cloud. Increasingly, they are looking to cloud companies for unique tools and capabilities, especially when it comes to managing and extracting value from data.”
Cloud computing is proving to be a fast-growing and resilient sector among the larger technology industry, especially in light of hurt performance and revenue of many tech companies during the COVID-19 pandemic.
The cloud is becoming increasingly common and even commoditized, and more large-scale enterprises want to build it into their way of working. Cloud-related job posting increased more than 90% from 2017 to 2020 – a statistic consistent with many anecdotal reports of ubiquitous job descriptions online.
The demand is greater than ever before.
Businesses want to scale and they want to do it quickly, but the problem is there isn’t enough talent to meet cloud initiatives and business aspirations. Right now there is a cloud talent and skills gap. What? Why? How? And what can organizations do about it?
Where is the skills gap?
Engineering & Building
The skill shortage can be broken down into two main buckets: the first being software development and cloud engineering. There are not enough cloud-trained engineers to build or expand upon products at the pace wanted by enterprise leadership.
“Any company is always constrained by something, and our constraint is engineering talent,” remarked CEO of the Cloud database company, Neo4j Inc., Emil Eifrem.
The shortage of talent is forcing the hand of Enterprise leadership to turn down more business than they’d like because they cannot reliably and confidently take on projects.
Taylor Osmun, a software developer at Sonrai Security commented on the shortage, specifically on more senior cloud engineering skills:
“There is a large knowledge gap between developing software using a service, and mastery of multiple services such that it can be optimally interconnected as part of a product. This would be a point of difficulty in finding a senior software engineer or architect. Not only does it take years of experience, but it also requires having been given opportunities to exercise these skills by leading projects.”
Because there is simply a lack of supply to satiate demands, the market is in favor of cloud engineers. Enterprises are offering extremely competitive contracts to acquire talent and speeding up interview processes to ward off competitor offers.One concern fuelling the fire is a lot of confusion over job titles and descriptions in the cloud market.
A Cloud Engineering job description relates to development and maintenance of cloud solutions. The responsibilities include: migrating applications from on-prem into the cloud, debugging software, identifying and remediating vulnerabilities, software efficiency optimization, and of course developing, deploying and improving software. Needed skills are often BAs in Computer Science or IT, proficiency in programming languages like Javascript, Python, C++, and more, and further certifications specific to Cloud Providers.
The ‘Cloud Architect’ refers to the role of actually designing and implementing larger business plans and projects into the technical architecture or cloud solutions. Necessary skills include: Knowledge of operating systems (Linux, Windows, etc.); Knowledge around networking (HTTPS, DNS, IP addresses, etc.); Programming knowledge, Security knowledge; Platform specific certifications like Microsoft Azure Solutions Architect and AWS Certified Solutions Architect.
Both are in high demand.
Security Strategy
The second bucket of talent shortage is centered around more strategic cloud-specific security professionals.
The expansion and dependence on the cloud has left even multi-decade trained security individuals struggling to keep up with the constantly changing tides of the cloud and best practices for securing it.
The procedures, practices, and tools that were once sufficient for securing networks, scanning environments, detecting vulnerabilities, managing identities and protecting data, are no longer holding up in the ephemeral and expansive cloud landscape.
“A lot of CISOs feel confident in updating leadership on strong security based on the number of tickets closed and patched vulnerabilities, but vulnerabilities are just the tip of the spear — how do you know out of the thousands of spears, which is the one to cause the deadly blow? You neeed risk in context. That context is how vulnerabilities tie back to identities and create paths to your data,” remarked Eric Kedrosky, Sonrai Security CISO.
The comment gets at the learning curve, or perhaps hyper-focus, on security concerns more reminiscent of on-prem days. The Cloud brings new problems and therefore calls for new approaches.
There are even new factors to consider for CISOs entering the cloud. Most Cloud Provider’s operate under a Shared Responsibility Model, meaning there is a line in the sand on where their responsibility for security ends and yours begins. Many blindly trust that their organization is secure simply existing in the cloud, the reality is that’s far from the case. There are also new compliance considerations specific to the cloud your organization needs to maintain and attest to, separate from the Provider.
Tips to Land Cloud Security Talent
Invest in current employees.
A report conducted by Osterman Research and sponsored by Sonrai Security surveyed cloud leaders at large enterprises and found almost 50% of respondents stated that their organization is not appropriately funding education and training for the teams, supporting and/or responsible for securing the cloud.
Before you look elsewhere for what you don’t have, consider the advantages of further investing in what you already do have. Upskilling current employees in tangent job roles saves the company resources and encourages the confidence and satisfaction of current employees. In fact, training employees is found to increase retention rates.
Internal training programs are an excellent choice, but are often a burden on time and resources. If you’re a larger enterprise with internal resources, consider a curriculum for certain career paths, alternatively, consider looking at external training programs. This could be sponsoring your employees to gain certifications from AWS, Azure, GCP or schools like Cloud Guru.
Diversify prospects
There is a larger diversity issue in the cybersecurity industry as a whole, as the majority workforce presents as male and white. While diversifying employees brings many cultural benefits, it also brings new experience, backgrounds, thought processes, and problem solving skills to the table.
“If your input continues to be monoculture, you can expect the same outcomes.” – MK Palmore, a director in Google Cloud’s Office of the Chief Information Security Officer.
Hire based off potential and competency
Consider reframing expectations and adjusting job descriptions to meet this skill shortage. Many anecdotal experiences report unrealistic job requirements and skills for technical cloud and security positions. Maybe it is time to hire based on strong potential and competency. Look for candidates with the motivation and desire to grow and be trained. An encouraged, confident, and supported employee can succeed at exponential rates.
“To push back on the ‘cloud skills gap’ rhetoric a bit, a lot of companies put unrealistic requirements on job listings asking architects to have 10 years experience and certifications in devops, security, and cloud simultaneously. If orgs are migrating to the cloud, its important to invest in training for their existing personnel and new cloud talent,” commented Sonrai Security Sr. Product Marketer, James Casagrande.
Connect to academia
Colleges, universities, and programs can be pipelines into the technical workforce. Building relationships with schools near your organization or with specialized cloud and security tracks is a win-win: you gain potential employees, and they can benefit from your organization’s feedback on real world business use cases. This insight helps universities teach coursework that is more experiential and prepares the students for what they actually would be doing in the working world.
