SBN

4 Tips If You’re Struggling To Find (Good) Cloud Talent

Reading Time: 6 minutes

“Cloud keeps growing, and it is capturing an ever-larger share of information technology spending,” remarked Lee Sustar from Forrester Inc. “Big banks and other companies aren’t simply migrating existing data and software from private data centers to the cloud. Increasingly, they are looking to cloud companies for unique tools and capabilities, especially when it comes to managing and extracting value from data.”

Cloud computing is proving to be a fast-growing and resilient sector among the larger technology industry, especially in light of hurt performance and revenue of many tech companies during the COVID-19 pandemic. 

The cloud is becoming increasingly common and even commoditized, and more large-scale enterprises want to build it into their way of working. Cloud-related job posting increased more than 90% from 2017 to 2020 – a statistic consistent with many anecdotal reports of ubiquitous job descriptions online.

The demand is greater than ever before.

Businesses want to scale and they want to do it quickly, but the problem is there isn’t enough talent to meet cloud initiatives and business aspirations. Right now there is a cloud talent and skills gap. What? Why? How? And what can organizations do about it?

Where is the skills gap?

Engineering & Building
cloud talent gap

The skill shortage can be broken down into two main buckets: the first being software development and cloud engineering. There are not enough cloud-trained engineers to build or expand upon products at the pace wanted by enterprise leadership.

“Any company is always constrained by something, and our constraint is engineering talent,” remarked CEO of the Cloud database company, Neo4j Inc., Emil Eifrem.

The shortage of talent is forcing the hand of Enterprise leadership to turn down more business than they’d like because they cannot reliably and confidently take on projects.

Taylor Osmun, a software developer at Sonrai Security commented on the shortage, specifically on more senior cloud engineering skills:

“There is a large knowledge gap between developing software using a service, and mastery of multiple services such that it can be optimally interconnected as part of a product. This would be a point of difficulty in finding a senior software engineer or architect. Not only does it take years of experience, but it also requires having been given opportunities to exercise these skills by leading projects.”

Because there is simply a lack of supply to satiate demands, the market is in favor of cloud engineers. Enterprises are offering extremely competitive contracts to acquire talent and speeding up interview processes to ward off competitor offers.

One concern fueling the fire is a lot of confusion over job titles and descriptions in the cloud market. 

A Cloud Engineering job description relates to development and maintenance of cloud solutions. The responsibilities include: migrating applications from on-prem into the cloud, debugging software, identifying and remediating vulnerabilities, software efficiency optimization, and of course developing, deploying and improving software. Needed skills are often BAs in Computer Science or IT, proficiency in programming languages like Javascript, Python, C++, and more, and further certifications specific to Cloud Providers.

The ‘Cloud Architect’ refers to the role of actually designing and implementing larger business plans and projects into the technical architecture or cloud solutions. Necessary skills include: Knowledge of operating systems (Linux, Windows, etc.); Knowledge around networking (HTTPS, DNS, IP addresses, etc.); Programming knowledge, Security knowledge; Platform specific certifications like Microsoft Azure Solutions Architect and AWS Certified Solutions Architect.

Security Strategy
cloud talent gap

The second bucket of talent shortage is centered around more strategic cloud-specific security professionals.

The expansion and dependence on the cloud has left even multi-decade trained security individuals struggling to keep up with the constantly changing tides of the cloud and best practices for securing it.

The procedures, practices, and tools that were once sufficient for securing networks, scanning environments, detecting vulnerabilities, managing identities and protecting data, are no longer holding up in the ephemeral and expansive cloud landscape.

“A lot of CISOs feel confident in updating leadership on strong security based on the number of tickets closed and patched vulnerabilities, but vulnerabilities are just the tip of the spear — how do you know out of the thousands of spears, which is the one to cause the deadly blow? You neeed risk in context. That context is how vulnerabilities tie back to identities and create paths to your data,” remarked Eric Kedrosky, Sonrai Security CISO.

The comment gets at the learning curve, or perhaps hyper-focus, on security concerns more reminiscent of on-prem days. The Cloud brings new problems and therefore calls for new approaches.

There are even new factors to consider for CISOs entering the cloud. Most Cloud Provider’s operate under a Shared Responsibility Model, meaning there is a line in the sand on where their responsibility for security ends and yours begins. Many blindly trust that their organization is secure simply existing in the cloud, the reality is that’s far from the case. There are also new compliance considerations specific to the cloud your organization needs to maintain and attest to, separate from the Provider.

Tips to Land Cloud Security Talent

Invest in current employees.

A report conducted by Osterman Research and sponsored by Sonrai Security surveyed cloud leaders at large enterprises and found almost 50% of respondents stated that their organization is not appropriately funding education and training for the teams, supporting and/or responsible for securing the cloud.

Before you look elsewhere for what you don’t have, consider the advantages of further investing in what you already do have. Upskilling current employees in tangent job roles saves the company resources and encourages the confidence and satisfaction of current employees. In fact, training employees is found to increase retention rates.

Internal training programs are an excellent choice, but are often a burden on time and resources. If you’re a larger enterprise with internal resources, consider a curriculum for certain career paths, alternatively, consider looking at external training programs. This could be sponsoring your employees to gain certifications from AWS, Azure, GCP or schools like Cloud Guru. 

Diversify prospects

There is a larger diversity issue in the cybersecurity industry as a whole, as the majority workforce presents as male and white. While diversifying employees brings many cultural benefits, it also brings new experience, backgrounds, thought processes, and problem solving skills to the table. 

“If your input continues to be monoculture, you can expect the same outcomes.” – MK Palmore, a director in Google Cloud’s Office of the Chief Information Security Officer.

Hire based off potential and competency

Consider reframing expectations and adjusting job descriptions to meet this skill shortage. Many anecdotal experiences report unrealistic job requirements and skills for technical cloud and security positions. Maybe it is time to hire based on strong potential and competency. Look for candidates with the motivation and desire to grow and be trained. An encouraged, confident, and supported employee can succeed at exponential rates.

One outlook summarizing this concept came from the Lightspin CISO, Jonathan Rau:

“Companies are far too selective. When I was hiring I knew I wanted junior talent and put 0-2 years. It’d be great if you knew about at least one of the 3 major public clouds, and could use the CLI or Python but if not I can teach you. That said, I had a solid corps of “lieutenants” who could handle admin & day-to-day while I was ramping up the teams. I think a lot of places shy away from that since their security teams are too small as it is and they just want to bring in 1 or 2 folks to work all sorts of miracles.”

Connect to academia

Colleges, universities, and programs can be pipelines into the technical workforce. Building relationships with schools near your organization or with specialized cloud and security tracks is a win-win: you gain potential employees, and they can benefit from your organization’s feedback on real world business use cases. This insight helps universities teach coursework that is more experiential and prepares the students for what they actually would be doing in the working world.

*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Tally Shea. Read the original post at: https://sonraisecurity.com/blog/strong4-tips-if-youre-struggling-to-find-good-cloud-talentstrong/