Security - 2017 Salary Guide and Market Report

Welcome to Barclay Simpson’s 2017 Security Market Report - Barclay Simpson has been producing corporate governance market reports since 1990. They produce two reports each year. This one, summarizing and analysing recruitment trends in the risk recruitment market, is supplemented by an employer survey.
 

Living with Brexit

Our report in July focused on remuneration and was released immediately after the vote to leave the EU. At the time, possibly rashly, we predicted that by the time our 2017 report became available, the consequences of that decision would be better known. Unfortunately, six months later, what might practically be achieved in exit negotiations is no clearer.

This report focuses on employment. Whilst the anticipated Brexit inspired recession has not occurred, the UK is about to start negotiations to leave the EU, an action that even those who support Brexit recognise will do short term damage to the economy. Given this, from our perspective as recruitment consultants, the key to a successful Brexit will be to avoid any serious self-inflicted economic damage.
 

Economy continues to turn

Brexit has raised the level of uncertainty, which is no friend of the recruitment market. Companies invest and recruit when they feel confident and sit on their hands when they do not. However, outside of a serious economic reverse, as we predicted last year, the security recruitment market, together with the wider economy, will likely learn to live with Brexit. Our experience during the last six months has shown this. Whilst it is not entirely business as usual, the economy is still turning and recruitment decisions continue to be taken.
 

Recruitment sensitive to the economy

There are very few surveys that do not report how concerned, right up to CEO level, the corporate sector is about security. This is not surprising given the ongoing list of companies that fall foul of security breaches. In terms of cross-border data exchange, third party vendor use, evolving technologies and increased mobile use, there is plenty for CEOs to be concerned about. This leads to the notion that the security recruitment market must be in a constant state of elevated demand with companies throwing money at their security recruitment budgets. Unfortunately, the reality is rather more prosaic. Whilst rising threat levels and well-publicized breaches certainly assist the security recruitment market, the market is in fact more sensitive to trends in the wider economy than the latest security breach. In the immediate aftermath, Brexit temporarily stalled the security recruitment market, but with economic Armageddon seemingly averted, a period of catch up ensued.
 

Recruitment market remains positive

Our survey results, which broadly reflect our own experience, is that whilst the security recruitment market has slowed, recruitment activity and sentiment remain positive. For example: security managers believe they are better resourced to meet the challenges they face with 38% (32% a year ago) reporting their departments are sufficiently resourced; 38% (33% a year ago) have also benefited from an increase in their recruitment budget; and 67% (69% a year ago) report they have recruited or attempted to recruit in the last six months. These are encouragingly resilient findings.

We will avoid predicting that in a further six months all will have become clear. Whilst economic growth and particularly employment have been far stronger post Brexit than all but a few predicted, it is likely that in 2017 the security recruitment market will be facing some steady headwinds. Rising inflation could also have some interesting consequences for security salaries.

 

Vacancy generation quickly recovers from Brexit shock

Prior to the Brexit vote, the rate at which vacancies were being created in information security was broadly consistent with 2015. Demand was notably strong across all sectors for mid-level practitioners, that is "doers" who could quickly deliver. Operational security skills were also in demand as companies looked to bring these skills in-house.

The Brexit vote had an immediate impact on demand. In a knee jerk reaction, vacancies were put on hold, but this hiatus did not last. Within a matter of weeks, the flow of vacancies resumed, together with the added fillip that a number of companies were also looking to recruit against their temporarily delayed recruitment processes. However, by the end of 2016, vacancy generation had eased, perhaps reflecting the headwinds forecast for 2017.

Recruitment drivers in the second half of 2016 included regulation, as sectors outside of banking were subject to increased levels of regulatory attention. Vacancies became more evenly spread across commerce, with smaller companies accounting for a greater proportion of vacancies. Cyber intelligence continues to be a growth area, as do other IT security operational disciplines, such as incident management and monitoring. A number of senior CISO roles emerged with 2nd line security or cyber risk responsibility. Driving improvements from the 2nd line, as opposed to purely providing oversight, is a continuing theme.

Within corporate security, the slowdown we reported in the financial services sector last year has reversed with the adoption of the 3 lines of defence model. Heightened threat levels, particularly across Europe, are helping support demand. Resilience recruitment is steady but down on the recent past. Senior roles are scarce and specific areas of demand include technical areas such as disaster recovery and IT service continuity. Crisis management is a developing area of demand, falling somewhere between corporate security and resilience.

 

Rate of placements slows

To provide a better insight into the dynamics of the recruitment market, this graph plots the rate at which placements have been made across the last four years. It reflects the rate at which candidates are accepting offers of employment.

At the beginning of 2016, a sense of urgency was necessary to recruit sought after security practitioners. In response, companies became more flexible, recognising that if they wished to drive recruitment processes forward they needed to be more pragmatic. At the start of 2017, demand had eased. If companies come to the recruitment market with realistic expectations and sensible budgets, they can expect to fill a vacancy. However, recruiting security practitioners with highly specific, in-demand skill sets remains just as challenging.

In-demand skills include roles that require a combination of business facing softer skills and technical understanding, technical risk assessment and application security roles. Operational IT Security roles in SOCs and architect roles are also remaining vacant for longer and are dragging down the overall rate of placements. There is, however, an active supply of contractors in these areas. Given this, employers have tended to move more slowly and be more selective over permanent hires.

Smaller financial services groups have continued to generate vacancies, as they have come under greater regulatory scrutiny. Whilst they are often uncertain about what they can achieve in the recruitment market, they are generally more nimble, completing recruitment processes efficiently and effectively.

Demand for information security expertise is growing in commerce as more companies receive board buy-in. Unfortunately, their expectations can be unrealistic, with hard to achieve requirements and unrealistic recruitment budgets. Many of these vacancies remain open for long periods.

As there is usually a stronger pool of candidates to select from within corporate security, companies usually take longer to make offers. Despite this, the rate of placements has increased across corporate security, with companies in many sectors demonstrating a greater sense of urgency.

 

Conclusions from employer survey

The demands on security departments and other areas of corporate governance are without doubt becoming greater. 62% of security departments reported they were not sufficiently resourced to meet the demands made upon them. Encouragingly this was an improvement on the 68% who reported they were insufficiently resourced in 2015. However, more departments report their recruitment budget has fallen at a time when the cost of recruiting security practitioners with the skills and experience required is increasing. The consequences of Brexit are yet to come.
 

Departments remain under-resourced

• Only 38% of managers believe their security department is "sufficiently resourced for the demands made upon it" (32% in 2015)
   

Pressure on recruitment budgets remains

• Increase from 33% to 38% in 2016 of security departments reporting an increase in their recruitment budget. 10% now reporting a fall
• Increase in information security budgets (58%) more common than in corporate security (27%)
• Increases now more likely in commerce than in banking and financial services
   

Modest slowdown in recruitment activity

• 67% of security departments have recruited or attempted to recruit in the last 6 months, down from 69% in 2015 and 78% in 2014
• Split between information security at 85% and corporate security at 60%

Fall in departments reporting recruitment difficulties

• 61% of managers report they are finding it difficult to recruit (68% in 2015)
• Split between information security at 74% and corporate security at 48%
   

Salary expectations remain high

• 80% of managers (86% in 2015) report candidate salary expectations to be either excessive, beyond their budget or more than expected
• 20% consider salary expectations to be reasonable (14% in 2015)

External resources widely utilised

• Only 23% of departments report they never or only on a very limited basis use external resources
• 37% report they routinely use external resources and 40% do so to cover specialist skills
• Contractors still most likely to be used for project specific purposes although becoming more widely used as subject matter experts
   

Internal recruitment a significant source of candidates

• 24% (23% in 2015) of managers using internal recruitment as principal source of candidates
• At 39%, external preferred suppliers remain the principal source of recruitment

Replacement recruitment to be main recruitment driver in 2017

• 42% of security departments report replacement recruitment to be their key driver
• At 19% regulation is the second most important
   

Demand set to continue in 2017

• Only 11% (9% in 2015) of managers report they are unlikely to recruit in 2017
• 61% (59% in 2015) report they are likely to recruit
   

Brexit yet to have a meaningful impact

• Only 16% of information security managers report that Brexit is influencing the work they undertake (only 7% in corporate security)
• Just 12% of departments are likely to require additional resource as a result of Brexit
   

Our survey suggests that, despite Brexit and the prospect of a weaker economy, the demand for security practitioners is holding up. Companies seem to recognise the importance of security and recruitment budgets are marginally up. Heads of Security report their departments are better resourced and able to meet the demands made on them. However, it remains a tough market to recruit in with 61% of departments still finding it difficult to recruit. This may explain why security departments are coming to rely on internal recruits and the use of contractors.

More security practitioners appointed internally

The percentage of security practitioners recruited internally has increased in each of the last four years.

Where skills are in short supply, internal recruits can be the solution. There is a breadth of areas covered in information and IT security departments including: change, operations, review, policy, strategy, risk assessment and compliance. As such, there is a wide range of disciplines and people employed outside of security, but within companies, that can potentially bring relevant skills to a role in security. It also helps that an increasing number of people are getting involved as stakeholders and subsequently becoming interested in information security; increasing the potential pool of applicants.

Audit and risk departments have always been a source of recruits and many have valuable transferable skills. Given the importance of cyber risk, it is not unusual for an operational risk practitioners to gain knowledge and even qualifications in cyber or information security. Likewise, computer auditors often routinely take an

interest in cyber security and their responsibilities are not that far removed from review focused information security roles. They too often see the benefit of gaining an information security qualification. Larger banks have regularly recruited information security practitioners into their internal audit departments to ensure their third line of defence has suitable expertise. Some of these auditors are now returning to security and, having focused on cyber threats, already have a relationship with the CISO.

Internal recruitment can also be reactive to a specific need. Security Operations Centres regularly recruit from Network Operations Centres. As one would expect, security functions going through major transformations recruit internally from programme management or business change functions.

It is also not uncommon for a CISO or senior cyber leader to be recruited internally for their leadership rather than their subject matter expertise. They are usually recruited from corporate security, audit, risk and programme management.
 

Market Commentary

Brexit’s modest impact

Although early in the process, our survey asked if Brexit was influencing the work that security departments were undertaking or was likely to impact on the resources their departments required. We were not surprised by the modest impact reported, particularly from security departments within industry and commerce. However, the implications that Brexit could have on freedom of movement may bring into focus the reliance UK based security departments place on European recruits.
 

What’s currently driving the recruitment market?

There are two main drivers.

1. Regulatory developments

General Data Protection Regulation (GDPR) is looming and companies are reacting by pushing privacy changes towards information security departments. They are encompassed as part of wider information security policies and to drive change in the business. This increased workload is creating vacancies and is likely to continue to do so.

Regulators are also increasing the demands made on the financial services industry. Whilst their focus was previously on banking, the wider financial services sector is now having to respond and demonstrate the necessary enhancements and improvement programmes. Recruitment is often focused on creating the capacity for companies to produce the required management information.
 

Regulatory influence is not confined to financial

services. For example, telecom groups have actively recruited from the financial services sector as they adjust to becoming more heavily regulated. Recruits must have the skills and experience to put the processes in place to ensure regulatory requests are handled effectively.
 

2. Rapidly changing threat landscape

Companies are conducting more business digitally. Previously off-line businesses are facing major risks and have had to invest to understand and mitigate these risks. These changes in the way businesses operate present multiple threats. The Internet of Things (IoT) and cloud computing are the most obvious ways in which businesses are changing and need to invest to counter the new level of threats they face.
 

Some further observations

Information security practitioners least likely to be in demand are those who do not have a good technical understanding. Whilst information security is not necessarily a technical discipline, it interacts with technical experts. Purely policy focussed practitioners are struggling in the recruitment market. Many consider their best option is to move into data privacy or data protection.

We have already written that security staff are more likely to be recruited internally and commented on the effort companies will make to retain their staff. One effect of this is that security practitioners are more likely to be promoted earlier. This is resulting in more junior security practitioners being sought at the expense of managers.

Many security practitioners looking for new positions are sensitive about their potential job title and, perhaps not unreasonably, look for titles that reflect greater responsibility. Given the plethora of more junior positions, it is not unusual for companies to inflate a job title with a reference to management where such responsibilities do not exist. Many security practitioners are now sensitive to this and will only settle for a role and a job title that meets their expectations.
 

Sector observations

Financial Services

The mainstay of a significant proportion of demand in information security - the top tier investment and retail banks – recruited at much lower volumes in 2016. Notwithstanding a tougher operating environment, these banks are under siege from a myriad of smaller competitors and the explosion of Fintech groups operating in niche and sometimes completely novel service lines. As already discussed, many of these banks are under pressure to recruit internally. In their absence, their smaller rivals are creating or enhancing their information security and cyber security capability. These greenfield opportunities often require different skills to longer term BAU roles. For those seeking a new challenge this is generally positive as demand is displaced to these smaller groups offering more interesting and broadly based roles.

During 2016, the insurance sector was buoyant with almost unprecedented demand. Clients commented that they: "were playing catch-up with the banking sector" and "recruitment was necessary just to be able to provide the management information required by the regulator". Others in the sector highlighted a need to be as secure as possible, given the risk to their reputations as providers of cyber insurance. Whilst we are expecting demand to wane from larger groups in 2017, smaller, niche groups should remain active.

Security operations continues to be an area of investment as groups look to enhance their outsourced SOCs with internal points of contact. We have seen a range of roles including security operations management, incident response and monitoring analysts. Whilst financial services groups would have seen an external SOC as a satisfactory solution there is now more in-house resource to complement their external SOC.

The broader physical security requirements within the industry have remained steady as financial services groups have traditionally invested in them. However, a focus on intelligence led security is leading to enhanced demand for intelligence focused security professionals.

Resilience is currently on the regulatory agenda, providing a steady flow of what are usually replacement rather than newly established positions.
 

Commerce

Within commerce, information and cyber security now has a significant level of ‘buy in’ at board level. This is being reflected in a higher volume and diversity of roles.

Many more companies are now open to attack. With the development of the Internet of Things and heavy reliance on applications, commercial groups across many sectors are experiencing a massive change in their risk profile.

Whilst the telecoms, pharmaceutical and utilities sectors are, in information security terms, relatively mature sectors, even in these regulated sectors, new CISOs are being appointed with enhanced reporting lines and budgets.

Sectors where information security has historically seen little investment, such as manufacturing and a number of service industries, are now expanding or creating new functions. This is providing security practitioners with greater opportunities to shape their own careers as they develop security roadmaps from embryonic stages.

Salaries remain an issue for many companies. They often have no experience of recruiting security practitioners and come to the recruitment market with unrealistic expectations. This can result in extended recruitment exercises as they exhaust the recruitment market seeking a candidate within their budget.

Many smaller companies establishing information security functions for the first time look for a virtual CISO service or a freelancer to take the lead on a part time basis. Given they will often report to an executive with limited security expertise, this can be sensible and allows greater clarity of what is needed before a permanent appointment is made. It also helps with the formation of realistic job descriptions given the frequent disparity between what a company expects the recruitment market to deliver and what is realistically available.

There is currently less demand for cyber type roles compared to the financial services and consultancy sectors and more broadly based IT / Information Security roles where candidates are expected to be competent across a wider range of areas.

The telecoms sector currently remains the largest recruiter of information and cyber security skills, with the travel and retail sectors expanding. Law firms, no doubt shocked by the Panama Papers, are investing heavily but embedding the changes CISOs advise in a partnership environment is challenging.

Although corporate security does not have the same profile at executive level enjoyed by information security, it is taken seriously. However, along with resilience, this does not always translate into external recruitment.
 

Consultancies and Systems Integrators

Last year we reported that there was a chronic shortage of candidates available to meet increasing demand from the consulting sector. This has not changed.

Despite this, consultancies have not relaxed their recruitment criteria. They remain committed to attracting recruits who are not only able to deliver a service, but also able to help build market share. These are security consultants with

strong commercial skills and a level of technical understanding or consultants who have expertise in areas of technical security, such as SIEM, Penetration Testing, Incident Response and Identity & Access Management.

Salaries are rising as some consultancies are beginning to offer above market rate salaries to attract candidates away from in-house lower travel roles. Some consultancies, who could previously rely on their brand and career development potential to attract candidates, in addition to higher salaries, are offering other benefits such as flexible working hours, home working and fast track progression.

For the first time, salaries in the consulting sector are consistently above those in commerce. However, consultancies are losing candidates to the contract market which is an obvious attraction to consultants already familiar with an assignment based work culture.

With GDPR coming into effect in 2018, there is already high demand for candidates with relevant experience. We expect this to continue as pressure grows on consultancies to ensure their clients are GDPR ready.

Other drivers in the sector are the number of clients looking to move to the Cloud and Digital Transformation projects. Candidates with experience of successfully delivering these types of projects are increasingly sought after.

Demand from corporate security consultancies continues to be hit by the travails in the energy and extractive sectors. There is no shortage of candidates interested in these sectors. Protective security operations are a short step from government service. It is also an obvious move into geopolitical/security analysis for those with relevant Masters Degree programmes. However, the number of potential candidates at junior levels continue to outweigh the number of opportunities.

Whilst resilience consultancies continue to grow, particularly within the Big 4, recruiting candidates with the ability to consult as well as sell remains a challenge. Although UK practitioners are viewed as market leaders, it remains to be seen if high demand from overseas markets will continue.
 

The contract market

Demand for contractors in 2016 was steady and driven by regulatory pressures, the Internet of Things (IoT) and cloud migration programmes. A trend from our survey is that contractors are becoming increasingly likely to be used as subject matter experts rather than for project specific purposes. It is also notable how the routine use of contractors is increasing.

The increase in demand for IoT experience skills is particularly evident within the manufacturing, retail and telecom sectors. With companies under pressure to manufacture and release new products, security is not the afterthought it once was. Demand is often driven by a failure to recruit on a permanent basis, together with the acknowledgement that security specialists who have worked in a number of different environments are more likely to be contractors.

Many of the new roles released at the end of 2016 were regulatory and, in particular, GDPR driven, which we expect to continue throughout 2017 as the May 2018 deadline looms. Replicating the demand for contractors with PCI DSS compliance experience, an uplift of up to 30% is potentially available for contractors with strong Data Protection experience. This is encouraging otherwise permanently employed Data Protection practitioners to become contractors, which in turn creates vacancies that are often filled by contractors!

We anticipate the demand for contractors to be buoyant in 2017 and to be led by regulatory demands.
 

Salary guide

We reported in our main Compensation and Market Trends Report six months ago that the average salary increase achieved by security practitioners changing jobs was 16%, down from 17% in 2015. The increase for those staying with their existing employer rose from 4.9% in 2015 to 5.6% in 2016.

Despite the uncertainty caused by the Brexit vote and a low inflation environment, salary pressures remained in 2016. The response to our survey suggests that salary expectations remain high although marginally down on 2015. 80% of security departments felt that candidate salary expectations were either more than expected or excessive, down from 86% in 2015. This pressure is more keenly felt in information security than corporate security.

Going forward, after a period when the UK economy flirted with deflation, inflation is likely to have a greater influence on the recruitment market than recently. We have been surprised at the number of security practitioners who reported to have received no salary increase for staying with their existing employer or only a marginal one. In 2016, 25% of security practitioners reported their salary had not increased and 23% reported that their increase was below 2.5%. In a low inflation environment, this is possibly understandable, however given that inflation is likely to exceed 2% in 2017, many of these departments will need to offer their security practitioners salary increases at least in line with inflation or their real earnings could materially fall. Whilst many of those who have received no increase will have already concluded that given their poor marketability there is little they can do in terms of changing employer, inflation is likely to have an unsettling effect on the wider security recruitment market. Clearly amongst more marketable security practitioners there is an expectation that their salary will increase, not only in nominal, but also in real terms. If it does not, entering the recruitment market is the obvious solution.

Given the competition for security expertise, particularly for those practitioners with in demand skills and experience, we anticipate the pressure on security salaries will continue. Even for those companies that are creative and efficient in their recruitment processes and are able to offer good career development opportunities and possibly flexible working, when it comes to salaries, it is difficult to successfully recruit without offering at least close to market rates. Market rates are likely to rise further during 2017.
 

This report was published by Barclay Simpson in February 2017. To read the full report and see more information on the Employer Survey results, click here.