Security - Compensation and Market Trends - Mid-Year report 2016
Living with Brexit uncertainty
We wrote at the start of the year that the security recruitment market does not operate in a vacuum. It remains substantially dependent both on the economic environment within which it operates and on the perceived threats and losses that can result from a lack of investment in security. Like many others in the recruitment industry, we were anticipating that any demand suppressed by the uncertainty of Brexit would result in an uptick in demand as the vote was settled in favour of the status quo. Clearly this did not come to pass, and the result has only increased the level of uncertainty. For both clients potentially looking to recruit and candidates looking to change job, the result increases the option value, at least in the immediate aftermath, of doing nothing.
Recruitment decisions are still needed
However, our expectation, provided a serious economic reversal can be avoided, is that what is a fundamentally strong security recruitment market will live with the uncertainty caused by Brexit. Even in periods of uncertainty recruitment decisions ultimately need to be taken and for many companies those that relate to the investment in security have a more limited capacity for deferral than others. The consequences of Brexit will no doubt have become clearer by the time we produce our next Annual Report at the start of 2017. In the meantime, this report will focus on compensation and the results of our annual survey. Our survey was conducted before Brexit and it is possible that some of the sentiments expressed in it may have subsequently changed. The compensation data will not.
A buoyant recruitment market
At the start of 2016 real earnings and overall employment numbers in the economy were still growing strongly. Whilst there has been a reported slowdown in the wider economy and other areas of corporate governance in the first half of 2016, these developments were not reflected in our security survey results which were generally positive.
The survey found that the percentage of security practitioners reporting that they had changed job increased from 25% in our 2015 survey to a robust 31% in 2016. The increase in average base salary for those staying with their employer rose from 4.9% to 5.6%. In a low inflation environment this is a good result and one acknowledged in our survey, as more security practitioners reported they felt adequately compensated. It indicates the value companies place on retaining high quality security practitioners.
It’s not all good news
However, there was a rise in the number of security practitioners reporting they were unemployed, with 72% of those not working finding it more difficult to find a new job than anticipated. This is consistent with our Annual Report comments that companies are constantly looking to upskill and the need for security practitioners to grow with these increased demands. Also, whilst salary data was strong, benefits such as bonuses and pensions were marginally down.
How security practitioners feel
In this year’s survey we have included some questions about how security practitioners feel. Whilst there was a strong sentiment that their skills are becoming more valuable, which is certainly reflected in the general increase in salaries, there is not a universal belief that their employment is becoming more secure; something Brexit will have done little to enhance.
Rate of vacancy generation remains stable
The increase in the number of vacancies reported at the start of the year has followed through into 2016. Whilst the expected increase in demand from the banking sector did not materialise, the wider financial services sector encompassing insurance, asset and wealth management has been strong.
Demand across all sectors is high for mid-level practitioners such as experienced consultants and junior managers. This is a direct result of the demands being made on departments. Without necessarily having the budgets to transform the security profile of companies, CISOs are seeking ‘doers’ who can quickly and effectively deliver what is required. As many companies look to bring these skills in-house, demand for practitioners with security operations skills will continue. Whilst Brexit has the potential to undermine confidence, the scale of the cyber security threat and risks of data leakage will help limit any budgetary constraints.
Vacancy generation in corporate security has slowed in both the banking and the energy sector. However, within financial services the insurance sector is bucking the trend and vacancy generation across other sectors, including FMCG, pharmaceutical, technology and logistics at both senior and mid-levels, remains broadly stable.
Rate of placements holding
To provide a better insight into the dynamics of the security market, this graph plots the rate at which placements have been made across the last four years. The graph demonstrates the rate at which candidates are being offered and accepting jobs.
We reported at the start of 2016 that the rate of placements was mirroring the increase in the number of vacancies and that, outside of banking, companies were filling vacancies in information and cyber security quickly. This urgency has broadly continued. In a limited number of instances departments are moving quickly in fear they could potentially lose the headcount. There are two other factors. Firstly, companies are taking a more flexible approach to the salaries they are prepared to offer, and secondly in a market where the skills companies seek can be difficult to secure, employers are being more flexible in their requirements. Given the increase in the number of unemployed practitioners there is a limit to this flexibility as the standards expected from security practitioners continue to rise.
The urgency reported in information and cyber security is not necessarily replicated in corporate security. Given what is usually a pool of strong candidates to select from, companies are taking the time and opportunity to make offers only to those candidates considered entirely suitable.
Pressure on salaries continues
Prior to the Brexit vote, earnings in the wider economy were increasing at the fastest rate for some years. These rises have been reflected in the security recruitment market. Relentless headline-grabbing data leakage events such as the ‘Panama Papers’ and emerging cyber threats such as APT are ensuring information and cyber security retains its high profile and the attention of corporate leaders and governments. Chronic shortages of practitioners with the skills required put pressure on salaries, and this has been reflected in our survey.
Given these increases it is not surprising that a higher percentage of security practitioners are reporting satisfaction with their remuneration, up from 56% in 2015, to 58% in 2016. Whilst salary remains a key issue, in this year’s survey, for the first time we invited security practitioners to report on what they would most like to change about their job. 31% reported salary, another 25% career development and 19% work life balance. Clearly salary is not everything.
Women and security
Women are under-represented in information and cyber security as they are in the wider IT industry. However, there are an increasing number of companies looking to change this with some insisting that shortlists include female candidates to select from. Whilst this can cause difficulties given the under-representation of women, this more welcoming stance might potentially be contributing to the slow but steady rise in the number of female practitioners in our survey, up from 4% in 2014, to 9% in 2015 and 11% in 2016. Given 9% of women have worked in security for less than 2 years, compared to only 3% of men, it should result in the proportion of women in security continuing to rise.
Moves top and bottom
An intriguing, more recent development has been the number of almost ‘political’ appointments into senior security leadership roles. Given this, some might feel their chances of promotion are diminished without a successful civil or security service career. Time may tell if those with government sector backgrounds can deliver the required performance or if seasoned, commercially experienced CISOs are more effective in these positions. At more junior levels the movement of security practitioners between sectors remains more fluid than in other areas of corporate governance, and it is increasingly becoming the norm for security practitioners to move into related departments. For example, cyber risk offers a route into operational risk, and internal audit departments are now regularly seeking information or cyber security skills.
No simple message
In another feature of this year’s survey, we gave practitioners the opportunity to share what they might like to say to their employer. If we were hoping for a simple message, it was not forthcoming. There were, however, some clear messages, the most prevalent of which was the need to be valued. This was not just about salary, but about recognition, with many feeling under pressure to deliver in a resource-limited environment. More investment and the need for management to listen were important: training, career development and a desire for more flexible working were all there. There was not, however, a hotbed of resentment, and many were grateful to their employers and were satisfied with their employment relationship. Given many CISOs are limited on what they can spend in terms of any strategy to retain their security practitioners, career development, recognition and flexible working would be worth keeping in mind. In spite of this, there are clearly many occasions when security practitioners simply outgrow a department and, for career development reasons, need to move.
Two new questions in this year’s survey asked security practitioners if they felt more or less secure than a year ago, and secondly if they perceived their skills to have become more or less valuable. Surprisingly 30% of respondents felt they had become less secure while 67% believed their skills had become more valuable, with only 11% reporting less so. It seems a little at odds that whilst a clear majority of security practitioners believe their skills are becoming more valuable, a significant number felt less secure, something that Brexit will have done little to improve.
In our Annual Report at the start of the year we wrote about the changes in the financial services industry as companies looked to implement the three lines of defence corporate governance model promoted by the regulator. Within the larger banks many of the necessary reorganisations have either been implemented or are close to completion. The sectors that are currently moving vacancies through to completion most effectively are insurance and funds. Both sectors are under regulatory scrutiny and as such priorities are clear with smaller companies in particular having to invest in information and cyber security.
In most demand are mid-level, well rounded Information Security Officers with technical credibility. Currently effective generalists are more valuable than more narrowly focused specialists. Given this, practitioners lacking technical understanding, for example those previously focused on policy creation or best practice, will currently find it harder to secure financial sector roles. However, for those with the right skills, many companies in the sector are demonstrating flexibility in the salaries they are prepared to offer.
The trend to bring operational security in-house is continuing, with more areas being brought under the control of the internal departments. Penetration testing “Red Teams” are currently being grown in many financial services groups.
Recruitment from the usually dominant banking sector has slowed. Recruitment freezes are not uncommon amongst Tier 1 banks who are more likely to be affected by the uncertainties surrounding Brexit.
Commerce and Industry
Within commerce, the slow-down in the energy sector continues with limited vacancies and it remains the only sector where redundancies in cyber and information security have been prevalent. Whilst mergers within the telecoms sector have slowed demand, other sectors are either still growing their security functions or are establishing new functions, with demand remaining broadly robust. Another positive is that the size of companies looking to recruit their first information or cyber security specialist continues to fall.
All-round skills are valued
As in the financial services sector, a candidate’s value is often dictated by their all-round skills rather than a more narrowly defined specialism. Those with strong technical skills are often put into previously non-technical roles. If they have the corresponding appreciation of processes and risk management they can drive performance from their technical, stakeholder peers and suppliers.
Whilst the financial services sector has been responding to shortages of candidates with a greater degree of flexibility on salaries, companies operating in the commercial sector are less likely to be flexible and more likely to keep within pre-existing budgets. On many occasions where candidates have expected offers to be increased, they have been disappointed. This is supported by our salary survey where increases achieved by practitioners changing jobs have been 20% in financial services, but only 14% in commerce.
Consultancies and System Integrators
We reported at the start of the year that demand from this sector was continuing to rise with many larger groups undertaking continuous recruitment programmes. However, there was evidence of a slowdown in the sector in the run up to the Brexit vote with a number of consultancies having consultants ‘on the bench’. The vote to leave will not have improved confidence. In spite of this, consultancies are still recruiting although not in quite the same volume.
A tough market
The skills and experience they require are also becoming more focused and specific. It remains a tough market to recruit for, with competition from in-house departments and other consultancies. In our survey we ask security practitioners what they would most like to change about their job. Within the consultancy and SI sector salary was by far the most popular choice. Given this and that consultancies are working hard to retain consultants, salary increases available to those who have stayed with their employer are higher than in any other sector.
A more recent development in the sector is that consultancies focused on aerospace and defence sector cyber work are using their success to break into other areas of commerce and, more notably, the financial services sector. Their experience in the defence sector is proving marketable given the widening threat landscape.
The consultancy and SI sector has grown rapidly recently. Given the uncertainties resulting from the Brexit vote, we anticipate that growth will become more measured.
The contract market
Contracting is an integral part of the security recruitment market and, more than any other areas of corporate governance, it has continued to gain in popularity. A new development however is the change in the taxation of dividends. Higher tax does have the potential to influence security practitioners in their choice between permanent or contract work.
According to our survey, information security practitioners are feeling more secure and satisfied than in other areas of corporate governance. Contract rates also remained broadly stable in the first half of 2016. However, that does not mean there are no concerns. The percentage of contractors who believe the market for their skills is increasing fell from 70% in 2015 to 58%, with 14% believing the market for their skills is deteriorating. As ever, according to our survey, contract rates are the most important consideration when they are considering a new contract.
Cloud migration remains a key growth area and was responsible for a significant proportion of the new contracts that became available in the first six months of 2016. We expect this to continue with growing numbers of companies utilising the benefits of the Cloud. The IoT (Internet of Things) is another growth area, although it will become more prevalent in some industry sectors than others.
In roles that require fewer technical skills and are more compliance, governance and assurance focused there has been a greater emphasis on recruiting contractors with Data Protection experience. This is primarily due to the EU General Data Protection Regulation which may have an uncertain future given the Brexit vote.
Our Mid-Year Report provides an in-depth section on salaries and compensation, designed to provide a much fuller picture of overall remuneration.
The Survey was of security practitioners registered with Barclay Simpson and was conducted in June 2016. It generated several hundred responses.