Compensation and Market trends Interim reports 2015 - Security
Salaries not quite booming
When the President of the United States makes reference to cyber threats as a national emergency, there may well be a feeling of precedence for those working in security – that they have the good fortune to be working in the right profession, at the right time.
There is little doubt that most companies recognise it is not a question of if they will be attacked but a question of when and how they will respond most effectively. No surprise then that at the start of 2015 our Employer survey reported that companies remained short staffed and anticipated an overwhelming need to recruit in 2015.
The UK, at the mid year point, has navigated a general election, which has delivered a stable government and has a growing and seemingly successful economy. Intuitively most readers might expect us to report a rising demand for security practitioners and compensation packages to match. The reality is more mundane.
Vacancies have plateaued
Whilst both demand for security professionals is robust and the overall number of security practitioners employed in the economy is rising, in fact, the number of vacancies being generated has plateaued. Vacancies come from two principal sources: new positions and, more importantly, those that are generated as security practitioners either move internally or between employers. In our last compensation report in 2014, 38% of respondents to our survey reported they had changed job in the last 12 months.
The comparable number in 2015 is 25%, representing a clear slowdown and possibly not what would have been expected. In 2015, the most important source of vacancies has slowed.
Security profession well supported
Overall the security profession is well supported and it is accepted that the risks and threats it looks to respond to will only continue to grow. However, does this make for a boom in the salaries and compensation packages paid to security professionals? Although there are areas where salary pressures are acute and salary awards have been substantial, these are by no means universal. The average salary increase for security practitioners staying with their existing employer rose from 3.8% in 2014 to 4.9% in 2015; and for those changing job to 17.1% from 16.8%. This is comparatively low by the standards set by other areas of corporate governance. A further quick reality check is that 20% of security practitioners staying with their employer received no increase at all. Bonuses and other benefits that go to make up compensation are broadly flat.
Vacancy levels set to rise?
Given this, it is perhaps not surprising that salary satisfaction levels have fallen amongst security practitioners who have stayed with their existing employer. However, for those who have changed job in the last 12 months satisfaction levels have increased to 74%. Given this, we might expect more security practitioners to look to change jobs and therefore the number of vacancies to increase during the second half of 2015.
Rate of vacancy generation high and stable
The number of vacancies generated in security has plateaued, albeit at a high level. The reason is that the rate at which security practitioners are changing jobs has slowed. After the Euro crisis in 2011, many security practitioners who would have otherwise changed employer and created vacancies stayed with their existing employer. The recruitment market effectively stalled. Once confidence returned in the second half of 2013, a period of catch up took place which boosted the number of vacancies. In 2015 the security recruitment market is now experiencing more natural levels of turnover and therefore vacancies.
Demand is currently strong from the financial services sector where restructuring exercises amongst the big banks are creating multiple vacancies in security and resilience. Second line information security risk and technology risk departments are continuing to react to regulatory pressures. Demand is also increasing in commercial sectors such as energy, telecoms and manufacturing. Security operations and cyber
intelligence is active, whilst a new wave of demand is being driven by new PCI-DSS requirements. The number of CISO and Head of Information Security vacancies is more subdued. After an extended period when new departments were regularly established, those companies who wish to do so already have established departments. The number of security departments is broadly stable.
Rate of placements
Rate of placements stalled
To provide a better insight into the dynamics of the security market, this graph plots the rate at which placements have been made across the last four years. The graph demonstrates the rate at which vacancies are being filled.
Having noticeably quickened in the second half of 2014 as companies urgently recruited, the rate of placements appears to have stalled in recent months. In many respects it is not because companies do not have vacancies or do not wish to recruit, there are often simply not the available candidates. Extended recruitment processes are not helping and for many prospective recruits, opportunities with their existing employers are sufficiently interesting and challenging to keep them engaged. For most, salary is not the key driver, but other factors such as career progression, job interest and lifestyle. The companies most likely to be successful in their recruitment are those that are prepared to be flexible in their requirements; who adopt line management led recruitment processes; who are able to move quickly with minimal ‘touch points’ and are then able to swiftly make realistic offers. Often smaller, more entrepreneurial companies have greater success with these steps, avoiding the sometimes slow, unresponsive recruitment processes of some larger companies.
Security a cost of doing business
We made the point in our last market report that there was a change of emphasis underway in the security recruitment market. It may go some way to explaining why salaries have lagged in security compared to other areas of corporate governance and why this may ultimately change. Historically companies have set their security budgets and recruitment strategies based on their perceived assessment of the risks and their risk appetite.
However, with increased government and regulatory oversight, decisions regarding the investment in security are becoming less company centric and more likely to be subject to external influences. A regulator that is capable of imposing swingeing fines and even closing a business, as the banks and wider financial services industry have discovered, ensures the necessary recruitment budgets are available. As security threats increase exponentially, levels of security, as is happening in critical infrastructure, will not be simply left to the discretion of management. In future, whilst companies may not be directly regulated, customers and service users will require them to be compliant. As in financial services there will still be significant costs involved.
Regulation driving recruitment
Regulation and changes in best practice are already driving demand in a range of security and resilience areas. A notable example is PCI DSS version 3.1, which is currently driving demand in penetration testing, reporting and also roles focusing on training and awareness. Originally updated to address vulnerabilities within the Secure Sockets Layer, companies are responding to this regulatory requirement by recruiting specialists, often on a contract basis, to liaise with QSAs and generally represent the best interests of the company. This is with the aim of achieving 3.1 compliance with minimal disruption to productivity levels. A lack of understanding and training around PCI DSS is still prevalent across many industry sectors and security practitioners with proven experience of raising awareness within both the business and IT are highly valued in the contract market.
Changes to the EU Data Protection Act contain several new data protection requirements. There are severe penalties for non-compliance, as well as a requirement that organisations notify users and authorities about data breaches within 24 hours of them happening.
Businesses are taking action to assess the extent to which they may need to make adjustments to meet the new legislation. Roles with titles such as Data Governance Manager are appearing as companies strengthen their in-house expertise. Banks and financial services companies continue to react to the threat of possible regulatory penalties for not having robust and effective 2nd line Information Risk functions in place.
As a consequence, many functions have been split and re-organised, reporting lines changed and external recruitment undertaken.
Moves away from London
Much is currently made of how Londoncentric the UK economy has become and how the government desires to influence and boost economic development in the regions. Within corporate governance and security specifically, the pressure on desk space in London and lower costs in the regions is making it practical to employ security practitioners outside of London. The major banks have historically located their processing centres in the regions and, whilst IT security staff have often been employed there, information security risk practitioners generally have not. However, the banks, other financial services companies, utilities and telecom groups are increasingly looking to employ security expertise elsewhere in the UK. The results are mixed and it may take time. Local talent pools are often underdeveloped and the concentration of expertise required simply does not always exist. For the moment, when such positions go unfilled for an extended time, it is not unusual for a London recruitment option to be considered. In the meantime, the direction of travel is clear.
Given candidate shortages and the expanding number of positions available, we would expect an influx of new recruits into security. Whilst we would not pretend that our survey is entirely representative, it is surprising that only 11% of respondents had less than five years experience and almost 70% claimed to have over 10 years experience. Compared to other areas of corporate governance, such as compliance, that have experienced similar levels of growth, the low percentage of less experienced practitioners is unusual. In regulatory compliance, having put in place compliance focused training schemes, some banks have specifically targeted new graduates. Given there is no shortage of graduates with relevant MScs in security, perhaps similar initiatives are required to provide the work experience and training that many graduates need.
Demand for security expertise remains strong across the sector. The larger retail banks continue to be embarrassed by system failures and the subsequent regulatory consequences. In security terms, they are still restructuring and strengthening their second line of defence functions. Many have also needed to deal with the consequences of spinning off parts of their retail operations to create new ‘challenger banks’, which then require security expertise of their own. The challenges and consequences of ring fencing retail and trading operations are ongoing.
Demand in financial services has noticeably broadened. Investment management groups, the insurance sector and particularly smaller companies and private banks who might previously have employed only stand-alone ‘one person’ departments, have been investing heavily and expanding their security departments. As a consequence, many mid-level varied roles are being generated. Security practitioners whoare technically credible and have risk management awareness and policy development skills are in-demand. For some candidates this is leading to a choice between the more specialist roles offered by larger groups (notably the banks) and the more varied roles offered by smaller security functions. For some, salary is the decisive factor and for others it is more likely to be the intrinsic interest and challenge an opportunity offers. An advantage that security practitioners have, often denied to their colleagues in other areas of corporate governance, is the relative ease with which they can move between different sectors.
The banking sector is currently a growth area for corporate security, particularly at mid-senior levels. Resilience roles within financial services are also becoming more common. As a result of regulatory pressures, companies are now focusing more broadly on Resilience rather than pure Business Continuity or Disaster Recovery. There is an increased demand for candidates who have experience of working with regulators.
Commerce and Industry
Unlike the financial services sector where recent change has been driven by regulatory demands, companies operating in commerce are still more likely to be driven by their response to their own threat assessments and by developments in the wider economy. Where this is the case, and where confidence in the economy is key, companies from a number of sectors are responding positively and are increasing headcounts in both corporate security and resilience.
Within corporate security there is a strong bias towards ‘intelligence-led’ functions. This is resulting in demand for more junior candidates with analytical skills together with those with military intelligence or intelligence services backgrounds. There is slightly less focus on technology resilience outside of the financial services sector, while broader business continuity and crisis management skillsets are in greater demand.
In technical security there has been a focus on IT operational security, with telecoms, utilities and other areas continuing to invest in their in-house capabilities. IT and information security vacancies are remaining open for longer than in the financial services sector. Security vacancies in commerce are proportionally more likely to be located outside of London. Some can be difficult to fill on a permanent basis and, given the sector mobility that many security practitioners enjoy, and the growth in contracting more generally, many commercial IT and Information Security departments are currently dependent on contractors.
Consultancies and Systems Integrators
Demand for security practitioners within the Consultancies and SIs continues to be strong. At the start of 2015 we reported that a number of consultancies were not only looking to increase headcount but some had plans to significantly expand and even double headcount. This is currently happening, resulting in a buoyant and competitive market. A number of consultancies are sensitive that their salaries remain competitive but, at the same time, they do not wish to offer salaries above the perceived market rate. Many are therefore looking to be more creative in their employment packages to attract and retain consultants. Flexible working hours and meaningful performance related bonuses are now common.
Given the level of demand and staff retention in this area, there is generally a limited pool of candidates with the sought after skills. Whereas both candidates from the EU and non-EU overseas candidates have helped other areas of corporate governance meet demand, the necessity of being security cleared makes this less of an option than in other disciplines. The skills sought are a mix of technical security and business consulting skills. Demand is primarily at mid to senior levels, although roles can often be created for exceptional candidates at Senior Management/Director level. There is significant demand for candidates who are CCP (CESG Certified Professional) certified, especially given it is a prerequisite for the new CLAS scheme introduced in June 2015.
The demand for Penetration Testers continues to be strong at all levels and we have noticed a significant increase in demand for Incident Response specialists. This is not surprising when considering companies appear to accept that they cannot comprehensively protect their networks from attack and therefore need to consider effective response measures.
Within corporate/physical security, government services and the military provide the main source of candidates, together with those from competitor consultancies. Although the skills sets are similar, moving from an in-house corporate security function to a consultancy is unusual. The multimillion dollar contracts in traditional high-risk markets of Iraq and Afghanistan are winding down and consultancies servicing these markets are focusing on new markets and the challenge of identifying candidates with relevant skills. Intelligence/Geopolitical consultancies continue to grow and there is a well trodden entry path for well-qualified graduates or those with government intelligence experience.
THE CONTRACT MARKET
Contracting is an integral part of the security recruitment market. It is gaining further popularity, as more security practitioners withdraw from permanent roles to become contractors. This rather perversely is reducing the number of permanent candidates in the recruitment market and, as vacancies go unfilled, is increasing the number of contract roles. The ability to work flexibly and have greater control over when to work is important to contractors. For many, there is a feeling that as they get more senior and better compensated, security professionals become more satisfied with their compensation but less satisfied with the broader demands their positions make upon them.
There is currently a decrease in the number of CISO level contract roles, where permanent recruitment is materially more cost effective. As a result, some CISO level contractors are currently prepared to accept less senior roles at lower rates. The majority of the contract roles continue to be created out of change / transformation programmes, many focusing on regulatory best practices. The focus on PCI DSS v3.1 is an example of this, as well as ISO 27001/2013 where applicable.
The number of security practitioners contracting within the corporate security market continues to be limited. Regardless of cost, corporate security functions prefer to use established security consultancies for interim assignments. Contractors responding to our survey have reported higher levels of satisfaction in 2015.
Although contract rates have come under pressure recently, almost 80% of respondents to our survey believe they are adequately compensated (a significantly higher level of satisfaction than amongst permanent practitioners); and 87% are satisfied with their existing contract. Nearly 60% achieved an increase when they secured their existing contract. Over 85% of respondents reported they are currently in work and none have been without work for longer than 3 months. Only 30% report that it is more difficult to find work than they anticipated and overall 70% of contractors believe the market for their skills is improving.
Our Mid-Year Report provides an in-depth section on salaries and compensation, designed to provide a much fuller picture of overall remuneration packages.
Most security practitioners are keen to know their market worth. This is not always easy to address. Two otherwise similar security practitioners may enter the recruitment market and accept materially different salaries. We provide this caveat because we are aware that the security recruitment market is sufficiently diverse that it defies simple categorisation. However, security practitioners and their employers want guidance and this is what we attempt to provide.
As recruitment consultants we are involved in the negotiations that take place between employers and prospective employees. We are aware that whilst salary is usually the most important consideration, a number of other factors combine to make up total remuneration. In addition to the data we gather from the placements we make and the recruitment work we do, including contact with security and human resources departments about salaries and other benefits, we have also conducted a Compensation Survey to provide specific detail on all different types of remuneration within security.
The Survey was of security practitioners registered with Barclay Simpson and was conducted in June 2015. It generated several hundred responses.
To read the full report, follow the link here.