The other approach to dealing with the security skills shortage is to retrain people from other information technology disciplines. Almost no-one goes straight into security.
Bailey says the best source of new recruits tends to be people with a software development background.
"They will have been developers," he says. "Then they became interested in the security side of the industry and how that works. Normally they will train themselves. There's not much formal training for security specialists. Instead, they get help from the security community which can be supportive.
"They'll find out about the tools they can use and they'll pick up techniques. They'll play around with the ideas and go to conferences. There are lots of forums and blogs where people discuss vulnerabilities. Once they've picked up enough knowledge, they'll try to work for companies like ours."
Working in security turns the usual software developer's work practice on its head. While developers focus on building software, security professionals take it apart.
Bailey says such people think in terms of how many vulnerabilities they can find and how far that gets them into a piece of software.
He says the other big difference is that security professionals need to be multidisciplinary. They need to have a good knowledge across various programming languages and platforms. They need to know mobile as well as web, and must be able to look at networks. Developers, on the other hand, tend to focus their attention. With security professionals, it's about a broader knowledge.
New Zealand's security skills shortage has triggered something of a boom for companies like Aura, which was acquired by Kordia in late 2015.
Bailey says Aura's customers "tend to be larger New Zealand-owned corporations who can't afford for their security to go wrong. They're looking for partners who just do security."
Recent years have seen a big change in cybersecurity, which has moved from being seen as an information technology problem to being viewed as a business risk. Bailey says today's executives and boards have a better understanding of risk in general and view online threats the same way.