2009 MR Security


2009 Market Report
INFORMATION SECURITY
Barclay Simpson Market Report 2009

CONTENTS
01. Executive summary

02. Information Security – market analysis

03. Information Security – salaries

04. Appendices

I. Sample structure

II. Graphs of key indicators

III. Data tables by specialism


01. EXECUTIVE SUMMARY


Welcome to Barclay Simpson’s 2009 Information Security Market Report.
This is the 19th year we have produced a market report summarising and
analysing recruitment trends in corporate governance and the fifth year we
have published a specialist report on information security.
We place great value on professional reaction to the Report and would
appreciate your comments.

TOP LINE CONCLUSION


At the start of 2008, with the effects of the credit crunch already a number of months old, few people, certainly if market commentators and investor behaviour are to be trusted, anticipated that the banking sector and wider world economy would be facing their current difficulties.

In the space of a year, three out of the five leading US investment banks no longer exist as independent entities and two of those do not exist at all. A significant portion of the UK banking industry has been partially nationalised, as it has in other countries. The UK economy and the economically developed countries of the world are now in recession and the only questions are how deep and how long?

If it was not clear before, it certainly is now, that the UK economy did not undergo some politically inspired economic miracle. After a protracted period of low inflationary growth, risk was mispriced. The cost of money was too low, the willingness to take risks increased and leverage became unsustainably high. Bubbles inflated, most notably in equity, raw material, property and housing. A stressful period of de-leveraging is now underway.

Unfortunately, the problem was not contained to the financial services industry. The re-pricing of risk and withdrawal of credit is now taking its toll on the wider world economy, as both wealth and demand fall. What is the extent of the problem in the UK? Whilst the government wants bank lending to return to 2007 levels, which may well sound reasonable, it would still be twice the average of the previous ten years. It is likely that the de-leveraging process is set to continue and asset prices will decline further. Ultimately, the financial systems in North America, Europe and other parts of the world will need to be recapitalised as all losses are eventually recognised. A short sharp recession does not appear to be the most likely outcome.


TOP LINE CONCLUSION continued


However, the pertinent question for this report is how the economic environment will affect the employment prospects of those working in corporate governance. Employment is a lagging indicator. Usually, unemployment only starts to rise significantly once an economy is in recession and is often slow to respond positively once growth re-commences. In the final months of 2008, it became abundantly clear that the rate at which jobs were being lost in the UK economy was accelerating, with most days bringing announcements of redundancies.

Whilst employment in corporate governance will broadly follow trends in the wider economy, as a discipline it will do better than many others. Provided a company remains viable, its corporate governance resources are likely to remain intact. That does not mean that people who leave will be replaced or that redundancies will not occur. The problem for those who are made redundant (and if your employer no longer exists then you will be made redundant), will be to secure another position. For many, that is likely to become increasingly problematic.

ECONOMIC HIGHLIGHTS

• The UK economy, together with the developed economic world, is already in recession. This is forecast to continue into 2009. The median estimate is for the UK economy to contract by a further 1.5% in 2009. A worse outcome is possible. World economic growth is likely to be less than 2%.
• At almost 6%, unemployment has already reached an 11 year high and is climbing rapidly. It will shortly exceed 2 million and, with plenty more bad news on employment to come, is forecast to be significantly higher by 2010. There are some predictions that it will approach 3 million. Total employment in the UK economy, which peaked during 2008 at 29.5 million, is now declining.
• Inflation, which only six months ago was perceived to be an economic threat, has fallen from a 16 year high and is likely to fall significantly further. Commodity prices have fallen steeply and with the economy shrinking, inflation is set to undershoot its 2% target during 2009. The prospect of deflation cannot be ruled out.
• The UK budget deficit is currently forecast to be £78 billion in 2009 and £128 billion or 8% of GDP in 2010. This will represent the highest level of government borrowing since modern records began and will take government borrowing to 60% of GDP. The potential for a significantly worse outcome is substantial and ultimately Government spending will be forced to decline.


CORPORATE GOVERNANCE - OVERVIEW

The vast sums that have been spent on corporate governance in the financial services sector have seemingly done little to stop the credit debacle.

Whilst it is perhaps convenient to suggest that the fault lies entirely in sub-prime lending in the United States, it seems rather disingenuous when our own Northern Rock was offering 125% mortgages. Since 1997, and the bail out of Long-Term Capital Management, and in response to every economic threat since, low interest rates and a huge increase in the supply of money allowed the conditions to exist for credit to be expanded. Globally, governments created the monetary conditions that provided the banks with the opportunity to dramatically expand the credit they made available. They then seemingly compounded the error by allowing hedge funds, structured investment vehicles and other activities to go unregulated. Credit simply moved from regulated to unregulated areas. No doubt there were few votes to be gathered from a more restrictive monetary policy that would have saved the economy from asset price bubbles and its present predicament. In hindsight, a more restrictive monetary policy would have provided much better value in regulating the financial services industry.

Fortunately, and for the benefit of all of those of us who make a living either directly or indirectly out of corporate governance, more regulation is no doubt on its way. The proverbial cherry on the cake is the $50 billion alleged loss at Madoff. Unfortunately, the financial services industry in the UK is in the process of shrinking. Ultimately, a smaller more regulated financial services industry will emerge.

As part of this process, the role of corporate governance will be re-evaluated. Whilst governments certainly created the monetary conditions that allowed the banks to expand credit, it was the executive management of many financial institutions, even including some of the apparently more conservative building societies, who failed to take account of the risks they were taking. The premise that management would be prudent in their action because of their responsibility to protect shareholders, has proven misplaced. A rather more convincing explanation is that incentivised remuneration packages based on short rather than long term performance caused the interests of shareholders to be relegated and otherwise unacceptable risks to be taken.

In this context, corporate governance has appeared to have a pro management bias that has not adequately protected shareholders or the wider economy. The deeper the recession, the greater the political response will be. At the very least better risk identification, evaluation and reporting will be demanded. Governance will become more transparent and form a much greater part of the reporting process. Corporate governance is set to become high profile.

This lies in the future. Now it remains a question of managing the banking and consequent economic crisis. So how is it looking in the corporate governance recruitment market?

For those expecting a knee jerk reaction and a drive to immediately strengthen governance functions, it is yet to happen and is most likely many months away. However, for those expecting widespread redundancies, there is as yet little evidence. What does appear to be underway and started over a year ago, is a protracted slow down in corporate governance recruitment, a slow down unlike any that we have witnessed in twenty years…


In recent years, many ‘crises’ have blown up, often seemingly from nowhere, which have gripped the corporate governance recruitment market almost overnight and brought about head count and recruitment freezes. Governments have invariably responded with lower interest rates and in a matter of months the market has regained its composure and moved on.

The difference now is that whilst the current economic crisis dwarfs all others, it has built up slowly. Sub-prime and credit crunch entered the vernacular two years ago. Market participants seemingly became immune to bad news. Whilst the market has slowed and the pockets of weakness that we described in our interim report are spreading, it is clear from our various surveys that the corporate governance recruitment market has not ground to a halt. However, the economy is continuing to contract, the rate at which the economy is losing jobs is accelerating and further declines in corporate governance recruitment activity will occur.

Here is a brief summary of the individual corporate governance markets:

Internal & Computer Audit

Demand for internal auditors only started to decline steeply during the last quarter of 2008. However, as we reported last year, a slowdown in recruitment seemingly started in 2007.

To date, there have been few redundancies in internal auditing and a lower number than in other areas of governance. The redundancies that have occurred have primarily been in sectors such as house building, retail and financial services where corporate failure has resulted in the closure of resident internal audit departments. There is little doubt that more failures and closures will occur. The vast majority of internal auditors are employed in three sectors - the public sector, the Big 4 and the financial services industry:

• Recruitment in the public sector has slowed and those employed in it will probably stay put. Significant redundancies are unlikely in the short term.
• The Big 4, who in past slowdowns have invariably shed staff, have so far shown no indication of doing so. They have perhaps learnt from past mistakes. During the past two years, outside of their annual graduate intake, they have recruited very few internal auditors. However, given the numbers they employ, should they undertake any significant redundancies, the number of internal auditors in the recruitment market could significantly increase.
• The financial services industry is now contracting. To date there have been limited redundancies and given the travails of the sector, almost a surprising propensity to recruit. What is clear, however, is that vacancy creation has slowed significantly and there is little immediate prospect of it picking up.

For those departments who are recruiting, it remains a frustrating process. The number of suitably experienced candidates can often be limited. Not surprisingly, given the economic backdrop, many internal auditors, unless they are obliged to do so, are not entering the recruitment market. Unfortunately for those who are, the shrinking number of vacancies is clearly apparent.

There is little doubt that demand for internal auditors will be subdued in the short to medium term and that the number of redundant internal auditors will rise. To what extent, is dependent on developments in the wider economy.


Risk Management

Risk management continues to come under more pressure than other areas of corporate governance. This is as a result of the large numbers of risk managers employed in investment banking and the extent of the losses and rationalisation in the sector. Well known names such as Lehman Brothers and Bear Stearns no longer exist, whilst others have lost their independence.

Not surprisingly, the shortage of candidates that has characterised the market in recent years has dissipated. For many vacancies, and it seemed improbable only a few months ago, there are now significant numbers of well qualified candidates readily available. The number of redundant risk managers is growing.

Whilst risk management remains a critical function and one that is likely to be recast in the light of developments, the mandate to recruit externally is now more frequently missing. In these instances the responsibilities of the role are being absorbed and distributed internally.

However, there are pockets of relatively strong demand. Solvency II, the insurance sector’s capital management programme, is driving recruitment in the wholesale and retail insurance markets. In response to the increase in the number of risk transformation projects there is steady demand from the risk advisory divisions of the consultancy sector. There is also notable demand for risk managers with restructuring, turnaround and workout experience as banks are looking to respond to their deteriorating credit portfolios. A further noticeable development is that credit and market risk are becoming more closely aligned. This is resulting in what is becoming known as ‘convergence risk’.

One may debate whether risk management is the cause or the symptom of the current crisis. There is no doubt, however, that risk management will remain centre stage. Once the current economic crisis abates, more commonly understood and transparent risk management processes are likely to emerge. In the meantime, overall demand is likely to be subdued as the financial services industry is recapitalised and reorganised.

Compliance

Not surprisingly, recruitment activity declined significantly during the second half of 2008. Redundancies were up and recruitment freezes became common place. The sectors bearing the brunt were investment banking, where many banks either collapsed or merged, and mortgage lenders, intermediaries and packagers. Sectors that fared relatively better include asset and wealth management and the insurance sector.

As predicted, the FSA continued its risk and principles based approach to regulation during 2008 and its 2008/9 Business Plan reaffirmed that principles become more significant in times of market turbulence. The FSA does not plan to deviate from its work on MiFID or CRD nor let up in the focus to mitigate the risks presented by market abuse or financial crime. It is continuing to take action and enforce severe penalties on companies and approved persons who breach regulations. The Treating Customers Fairly deadline for 2008 impacted recruitment, particularly in the retail financial services markets where many of the vacancies required taking some responsibility for implementing TCF.

Internationally, the SEC will be investigating the effectiveness of its regulatory regime as a result of the Madoff debacle. Tighter controls on private investment pools and hedge funds will be on the agenda for 2009 and this is likely to impact on the UK’s view of regulation in the sector.

Despite regulatory pressures to maintain high levels of risk management and robust compliance controls, it clearly emerged towards the end of the year that only business critical recruitment was being undertaken. Only candidates requiring little or no training and who could immediately add value were being considered. Further, junior compliance positions and Senior/Head of Compliance type roles were becoming rare.


Whilst the number of redundant compliance staff is now growing, some vacancies remain difficult to fill. Not surprisingly, if companies are going to recruit externally they will have high expectations of finding a very close fit to their requirements. On a positive note, redundant investment banking compliance candidates are generally highly regarded in other sectors such as asset management and asset servicing.

Demand for compliance staff is likely to remain subdued in the medium term and limited to business critical recruitment. Fortunately, many positions in compliance are essentially guaranteed as a requirement to conduct business. Unfortunately, there is less certainty that businesses will continue to exist as an industry wide process of retrenchment and rationalisation continues.

Information Security

Demand for information security staff noticeably declined in the second half of 2008. Recruitment freezes and elongated recruitment sign off procedures are becoming more common and unemployment amongst security practitioners is increasing. However, information security extends into all areas of the economy, both in the private and public sectors, and is not substantially dependent on financial services. Demand is therefore potentially broadly based.

Recruitment in banking and financial services is now particularly subdued and it is clear that after a strong period of demand, the Big 4 are no longer recruiting. Investment in IT is declining and directly affecting IT security vendors, consultancies and those working in-house in risk assessment or project roles. However, whilst redundancies are back, information security is clearly better integrated into businesses than in previous downturns. Areas of relative strength are FTSE 250 companies who are still pressing ahead with the appointment of their first information security specialist. Further, the Hannigan Report, which followed government data leakages, is resulting in improvements in the security of government projects and demand for security practitioners with government and military experience.

However, for the first time in some years, there is now a pool of redundant security practitioners. Not surprisingly, for those companies looking to recruit there is a much wider range of candidates available who are far more likely to be flexible in terms of the geographic locations, sectors and salaries they will actively consider.

Looking ahead, there is unlikely to be any upturn in the market in the near term and redundancies and unemployment are likely to track developments in the wider economy. In consolation, the redundancies and widespread unemployment that characterised the recruitment market for security practitioners in 2001 and 2002 are unlikely to return. Security departments are now more independent of IT, more regulator led and have a better defined role than previously. Information security is not the target for cost savings that it once was.


Outlook

Last year we anticipated a painful period of deleveraging. It is clear that we assumed that the accompanying falls in asset prices would be contained and that any damage would be substantially limited to the financial services sector. However, the ferocity of the process and the damage to the wider economy has been far greater than perhaps even the most pessimistic commentators’ forecast. Unemployment is already starting to climb menacingly. Whilst you can take your pick as to where unemployment will be in one month, six months or a year from now, perhaps the only thing you can say with certainty is that it will be significantly higher than it is now.

Whatever the rise, we believe it will be proportionately lower in corporate governance. Corporate governance is integral to business and most departments are leanly staffed. Redundancies are expensive, destroy the morale of those who remain and then leave open the problem of sometime in the future having to find replacements.

Unfortunately, the problem is not simply the dispensability of corporate governance, but the ability of the host business to survive either independently or otherwise. It is clear, as is already the case, that as businesses retreat from markets, fail or undertake defensive mergers, redundancies will follow. However, for most people, if you are working in a relatively secure business, or even the public sector, you are unlikely to lose your job. The problem with recessions is that for those people who do lose their jobs, the pain is disproportionately distributed. As vacancy creation collapses, the pool of redundant people grows and securing employment becomes increasingly problematic. Unfortunately, during 2009, the number of unemployed corporate governance practitioners will rise.


02. INFORMATION SECURITY – MARKET ANALYSIS


SIGNIFICANT SLOWDOWN EVIDENT IN FINAL QUARTER OF 2008

Information Security       Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                 56        63        65        58        50
Closing vacancies             24        31        29        33        20
Candidates registering       214       179       195       240       230
Defensive registrations      14%       15%       15%       17%       20%
Overall salary increase      15%       16%       14%       13%        4%

During the first six months of 2008, the number of vacancies generated in the information security and business continuity recruitment market, although marginally down, was broadly consistent with the previous two years. This was perhaps surprising given the enormity of the economic developments. However, most commentators then believed that the UK and developed world at worst might expect a short shallow recession. It is clear that nothing so benign has transpired and only the depth and length of the recession is in question. The recession has now started to show up in our market data.

• Q4 sees sharp reduction in vacancies

During the final quarter of 2008, there was a significant slowdown in the rate at which new information security vacancies were generated.

Whilst some comfort might initially be taken from the number of vacancies generated in the second half of 2008, 50 versus 58 in the previous six months, a rather more telling statistic is the closing number of vacancies, which has fallen from 33 in July 2008 to just 20 in December 2008. In fact, the rate of vacancy generation was broadly maintained into the third quarter of 2008, but then fell away in the final quarter. The trend is now set for a significantly lower number of vacancies.

• Drop in registrations as candidates reluctant to move

The number of candidate registrations fell in the second half of 2008. Against that, the number of defensive registrations rose. The fall in registrations is not surprising, as changing employer involves risk. Whilst much of this risk is more perceived than real, some feel that entering the recruitment market for purely discretionary purposes is not something they currently wish to do. Defensive registrations are up as the number of those who are made redundant or feel their position is potentially under threat is rising.

• Dramatic fall in salary increases

The average salary increase achieved by changing jobs in the second half of 2008 fell dramatically to 4%. This was caused by those who are out of work accepting salaries below their pre-redundancy earnings.


MARKET COMMENTARY

Unemployment now evident

There is now unemployment in information security. Within many companies, IT projects have been put on hold, budgets for new technologies have been frozen and recruitment suspended. The number of information security specialists being forced into the recruitment market is rising and the number of vacancies is falling. The last time this happened was in 2002. Then, post the dotcom bust, many start up internet companies lost their funding and budgets were cut in anticipation of a downturn and the uncertainty of the run up to the Iraq War.

The reasons for the current downturn are different. However, for anyone who loses their job, the impact is likely to be very similar. If you find yourself in this situation or simply fear the threat of redundancy, the more proactive you are, the better. Focusing on how you can improve your marketability - perhaps doing things such as completing a professional qualification and developing relationships within the industry - can make a real difference to your appeal to potential employers.

Against this rather downbeat backdrop, there are areas of the recruitment market where demand remains strong.

For example, in the public sector there are a number of long-term projects which are already funded and recruiting. We expect this to continue during 2009.

Managed Security Services (MSS) and Security as a Service (SaaS) are still recruiting at all levels from VP / managerial positions through to pre-sales and technical operational roles. Outsourcing is proving to be a cost effective way of securing information and avoids the need to purchase the technology and recruit staff to implement, integrate, configure and maintain it.

There is still demand from companies wishing to appoint their first Information Security Officer. These are usually stand alone roles reporting to the COO, Head of Risk or CIO and result from various pressures, including PCI, the growing scope of FSA regulation and countering reputational risk following highly publicised data leakages.

Although demand is now declining, previously there had been strong demand for penetration testers to assist in determining a company’s security status. The reason for the decline is twofold. Firstly, the consultancies that employ the bulk of penetration testers are becoming more cautious and secondly, as people become more wary about changing jobs, there is less backfilling required.

Another niche area which has experienced strong demand has been Identity Management (IdM). However, demand has recently slowed due to the fact that most Sarbanes Oxley compliance, which was driving IdM recruitment, has been concluded. This said, it is possible that Public Key Infrastructure (PKI) may replace this demand in the Identity and Access Management (IAM) market. A great deal of work has been undertaken using PKI as well as IdM on the Transglobal Secure Collaboration Program (TSCP). This is essential for companies dealing with the US government. In the UK, the number of encrypted hard drives will increase, particularly following the high profile data losses of 2007 and 2008. This is now a government requirement, involving various levels of PKI to access information on hard drives. It is likely that the private sector will follow and some consultancies are already progressing this. New roles in PKI should emerge in 2009.


Data leakage

Data leakage was a topic for many industry conferences and security publications throughout 2008. This was the result of fines imposed on the private sector and media humiliation of the public sector.

There is now increased awareness of information security and its role in ensuring that an organisation is not commercially damaged or its reputation and trust publicly compromised by data leakage. Within the public sector, the Hannigan report was commissioned, which highlighted where improvements could be made to reduce data leakage within the public sector. These included more encryption, penetration testing and a raised awareness of information security across government departments. The private sector has responded by investing in privacy personnel and aligning with ISO 27001.

The Information Commissioner is to be granted new powers to conduct “spot checks” and sanctions will be introduced under the Data Protection Act for the most serious breaches of its principles. This will affect both the private and public sectors and will no doubt lead to increased demand for privacy staff during 2009.

Contracting to Government

Demand for security staff in the public sector is generally considered to be more immune to the recession than the private sector. As a consequence, there is currently enhanced interest in gaining work in the public sector.

It can be a problem gaining the necessary security clearance in the required time frame. This process can take up to two months, which for many contracts, is too late. A way round this is to work through a consultancy, which can hold clearances on a contract basis and can sponsor an SC or DV clearance to work on government projects. However, there are costs involved and if clearance is not used within a year the process has to be completed again.

Middle East market growth

The Middle East is becoming a popular alternative for UK based information security professionals. Whilst the region is not immune to the global slowdown, many new information security positions are still being generated, not only in Dubai and the UAE, but in Qatar, Bahrain, Kuwait and Saudi Arabia. Local national banks and commercial groups are expanding, together with multinational groups who are migrating into the region.

These developments require robust corporate governance and the demand for globally recognised compliance. Demand for effective information security management is growing. Large, complex organisations are ensuring they have information security standards and policies that are in line with global best practice and are building information security teams and in some cases working with consultancies to improve their Information Security Management Systems (ISMS). Accreditation to ISO 27001 is still not common, but there is an increase in demand for accreditation as more companies in the region announce their certification.

The Middle East offers numerous opportunities within information security. However, relocating is a big decision which should only be made after careful research and consideration.


Analysis by sector

Consultancies & Systems Integrators
The consultancies and systems integrators reflected developments in the wider economy during 2008.

The number of vacancies registered declined during the course of the year, even though there were some cases of very urgent recruitment. The number of candidates competing for each vacancy is increasing, although many better qualified individuals are preferring to stay out of the recruitment market and remain with their existing employers. Really good candidates who choose to enter the market can still receive multiple offers and are often counter-offered to stay with their existing employer.

A number of consultancies, SIs and telcos with security professional services practices now have recruitment freezes. Security practitioners have been moved on to other projects and some security practices and businesses have been restructured and reorganised.

Any recruitment that has been taking place is primarily at mid level, with demand for security architects, identity management specialists, government security consultants and penetration testers. These were the same skills that were required in 2007 and reflect the nature of projects, particularly in the government sector. There have been a select number of consultancies, SIs and telcos with security practices that recruited significantly in these areas in 2008. These were mostly new positions in projects and contracts where they were able to immediately place additional security consultants.

The boutique security consultancies were even more cautious in their recruitment during 2008. They only recruited security consultants on the back of winning new business or replacing essential leavers.

It is hard to discuss this market sector without mentioning the significant data losses that have occurred during 2008, particularly in government and by certain major outsourcers. This has had mixed effects. Firms involved in the data leakages themselves have, at times, lost major contracts and therefore required fewer staff. At the same time, such data losses have been used as a sales tool to increase the number of security specialist staff used on contracts.

We anticipate that demand will continue to be subdued in 2009. The exception is likely to be from those consultancies benefiting from contract wins. Recruitment freezes will continue and many of the best practitioners are likely to stay with their existing employers.


End users
Information security departments started the year buoyed by the need to fix potential data leakages. At that time the credit crunch and its effects on the wider economy had yet to be felt in information security recruitment.

Demand held up until the end of quarter 3 when, in a similar fashion to other areas of corporate governance, there was a significant decline in the number of new vacancies. After Lehman Brothers failed, demand for information security staff in the financial services sector dropped sharply. Some positions were put on hold, budgets were reviewed and any recruitment needed to be sanctioned at a higher executive level. Information security staff that left the organisation were not automatically replaced.

During economic slowdowns, IT investment is often badly hit. New technologies have less take-up, projects are scaled down and development slows. Information security within end users is inevitably affected as fewer technology-related risk assessments are required. Those who are full-time risk assessors should consider broadening their skill base. No vacancies were registered in this area during the second half of 2008.

Demand in commerce has held up better, with many smaller companies still appointing their first information security specialist. This is a continuation of an established trend and the impetus is largely the growing scope and recognition of ISO 27001, PCI and vendor assessments. PCI has had an impact in a number of sectors and is being used by information security managers to justify their budgets. However, by the end of 2008, many commercial companies, most notably in the retail, property and media sectors, curtailed their recruitment plans.

Candidate availability has been mixed. It is clear that many candidates, either through redundancy or the perceived threat of it, feel they have little choice but to search for another job. Others, who are under no threat but who might otherwise have looked for discretionary purposes, prefer the security of their existing employer.

Currently, unemployment is still low but compared with recent years it is steadily rising. Candidates with blemished CVs are finding it more difficult to secure interviews. A number of contractors are starting to compete for permanent roles even though they will often not be considered by the hiring or HR managers.

The combination of fewer jobs and more candidates is resulting in lower salaries. Employers are more likely to match, rather than improve, existing packages and, in the case of unemployed candidates, may offer below previous earnings.

This trend in the market looks set for 2009. In spite of the positive benefits of PCI and Hannigan, demand from end users will be closely tied to developments in the wider UK and world economy.


Contract market
At the start of 2008, contractors were in demand across all sectors, especially individuals with identity management skills, cryptographic experts and CLAS consultants. High profile data leakages, coupled with a number of ambitious projects that required an increase in the collection of sensitive data, resulted in enhanced security concerns. The Hannigan report highlighted a number of areas that required attention within the public sector and resulted in increased security awareness amongst its senior management.

Strong demand for CLAS consultants continued throughout 2008, with long term, high profile central government projects remaining a big user. A large intake of new CLAS consultants eased demand, although long-term, highly skilled CLAS consultants are being tied in to longer, more lucrative contracts. Many CLAS consultants are working with more than one public sector client and this demand will at least remain, if not increase, in 2009.

Financial services, as a result of some large fines, used more contractors during 2008 for data privacy and third party security assessments. The FSA released its Data Security report in the first half of 2008 and many companies needed to act on the findings and recommendations.

The Data Protection Act gained weight during 2008 and more spot checks may be carried out throughout 2009. Companies will most likely want to review their privacy policies. Much of this work is being carried out as part of compliance with ISO 27001, which could see an increase in related contract roles.

2008 was characterised by less work in the private sector but growth in the public sector. The increased number of contractors looking for work resulted in more competition for positions, with rates falling approximately 10% for generalist information security positions. Some contractors were requested to move into permanent positions to cut costs. However, specialists such as identity management experts and penetration testers were able to maintain their rates.

In 2009, we expect demand from the public sector to be broadly consistent with 2008. The private sector will be more dependent on developments in the economy. There will almost certainly be more competition amongst contractors as those who have been made redundant from permanent roles will also be looking for contract work.

In 2009, we anticipate that the mergers in the financial services industry will result in an increased demand for consultants with network security and architect skills to assist with systems integration.

New frameworks have been awarded in the public sector and are due to begin during the second quarter of 2009. This will see an increase in roles for information assurance, much of which will be CLAS defence work.

In 2009, more companies will be expected to be ISO 27001 compliant and this could increase the number of roles for ISO 27001 implementers and lead auditors. This increase will be the result of third party suppliers using security as a selling point and the expectations laid out by various governing bodies on information security management systems.


Business continuity
Historically, business continuity has suffered in economic downturns, as companies have sought areas in which to cut costs. Thankfully, business continuity has benefited from increased media coverage and the new British Standard (BS 25999) was released in 2008. Business continuity now has a higher profile and executive management is more conscious of its benefits. However, the recession is having an effect. Budgets have tightened and expansion plans have been curtailed. In some cases whole teams of business continuity professionals have been disbanded.

Within business continuity consultancy, after a confident start to 2008, recruitment slowed significantly in the second half of the year. There is now more caution and some have looked to downsize. The market is becoming more competitive as consultancy fees are being squeezed. Consolidation is likely as some smaller consultancies struggle to ensure that they will be well placed to benefit from the eventual upturn.

Banking and the wider financial services industry is by some distance the largest employer of business continuity staff. The industry has driven standards. Teams can grow quickly and specialist positions are common. When, as now, the financial services industry contracts, it has a disproportionate effect on the market. Despite this, other sectors have gone some way to compensating for business continuity job losses in the financial services industry. If this growth in other sectors continues, it will create new opportunities for business continuity specialists to expand their experience.

As a result of redundancies, there have been more people in the job market out of necessity rather than purely for career development reasons. As a consequence, job applications have become more competitive. This is depressing salaries and, as more experienced candidates are prepared to accept less senior roles, is making it more difficult for inexperienced candidates. It is also making the contract market more competitive as otherwise unemployed business continuity specialists make themselves available for contract work.

Looking ahead into next year, a recent Continuity Central report found that the majority of companies expect business continuity spending to be maintained in 2009. Almost half said that it would be the same in 2009 as it was in 2008 and about a quarter believed it could increase. It will be interesting to see if the reality matches the expectation.

Summary / predictions
In last year's report we predicted that the outcome for 2008 would be finely balanced. Would the damage to the financial system be contained? If it was not, then we predicted that the prospects for the employment of information security specialists would be more closely tied to developments in the wider economy than many might otherwise like to believe. Unfortunately, the damage has crossed into the wider economy and is bigger than even the most pessimistic predictions. It is clearly not simply a local UK problem, but is affecting the global economy, making any solutions more difficult.

As a result, there will be fewer information security specialists employed in the UK economy at the end of 2009 than there are now. Many companies will be too focused on fighting for their survival to be worried about the nicety of whether their information security departments are up to standard.

Against this backdrop, we expect some areas of strength in the security market. Data Protection Act spot checks are scheduled to start in 2009. More companies will be looking to become ISO 27001 compliant and the contract market should benefit from major integration projects that will take place as a result of banking mergers.

If the current trends continue, particularly with the move towards ISO 27001, more information security specialists will directly or indirectly be working for the UK government by the end of 2009 than ever before.

03. INFORMATION SECURITY – CURRENT SALARIES

OVERVIEW
Salary increases are significantly down for 2008

The average salary increase accepted by information security specialists fell to 4% in the second half of 2008. This is the lowest ever recorded. Corporate costs were closely controlled during 2008 and some companies were able to have offers accepted that were less than redundant candidates had previously been earning.

Many candidates in these difficult times are becoming less interested in salary and more concerned about qualitative factors, such as potential security of employment and career progression.

Salary survey
Barclay Simpson analyses the salary data that accumulates from the placements we make in the UK. This provides a useful guide to salaries and salary trends in information security.

This survey consists of 20 profiles of typical security specialists, for whom we have provided an approximate salary range they could realistically expect to achieve. The profiles are for good rather than exceptional individuals and take no account of other benefits that can accrue to information security specialists, such as company cars, nor do they take account of non-contractual bonus and profit sharing arrangements.

Outlook for 2009

If the normal patterns of supply and demand are followed, as the supply of information security specialists increases and the demand for their services falls, salaries, as a function of supply and demand, should fall.

In reality it is not that simple. The bargaining position of information security specialists has weakened. This will be combined with severe budgetary pressure as companies seek to reduce costs. Further falls are likely to be mitigated by two factors:

1. Those people who are employed and whose job security is not under threat will have no need to accept a lower salary than they might do otherwise. In fact, given the economic circumstances, these candidates are likely to require an even bigger premium on their salary to compensate for the perceived increase in risk they are taking by moving jobs.

2. Many companies, even though a candidate is unemployed, do not necessarily wish to offer them the lowest salary that they might accept. They will be recruiting against established salary grades and will rightly want someone to join who is motivated and has not just accepted because they have no other realistic alternatives.

Outside of base salary, it is likely that
discretionary bonuses, particularly those
based on corporate performance, will fall.
However, given the economic backdrop,
many information security specialists will be
pleased to get through 2009 with a secure
job. The economy has entered territory that
it has not been in for over 15 years.


Salary survey profiles (ranges shown for London and Rest of UK)

Security Operations Engineer
A junior member of a network security ops team in a 24/7 managed service environment. Reports into the Security Operations Team Leader. Monitors security devices such as firewalls, IDS / IPS etc.
London: £27-35,000 | Rest of UK: £22-30,000

Security Analyst
Experience including monitoring and awareness for information security. Likely to be working for a retail bank or other financial institution.
London: £36-40,000 | Rest of UK: £30-37,000

Senior Security Sales Consultant
An experienced sales professional who consistently overachieves. Working for a security vendor and reporting to the Sales Director or Manager.
London: £50-60,000 basic, OTE £100-110,000 | Rest of UK: £45-55,000 basic, OTE £90-100,000

Penetration Tester
Working for a boutique security consultancy, this skilled penetration tester will have good client-facing skills and be able to undertake application penetration testing, code level reviews and reverse engineering.
London: £52-60,000 | Rest of UK: £49-56,000

Senior Business Continuity Consultant
Broad business continuity experience with strong external consulting experience in a multi sector project environment. Proven client relationship building and presenting experience.
London: £54-63,000 | Rest of UK: £45-54,000

Disaster Recovery Test Manager
Working in the investment banking field with excellent disaster recovery knowledge and experience. A career history working for large complex organisations in lead positions for DR testing.
London: £57-68,000 | Rest of UK: £47-56,000

Identity Management Consultant
Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
London: £57-65,000 | Rest of UK: £53-62,000

Business Continuity Manager
Business continuity management experience gained in medium to large scale financial services groups. Small scale team leading responsibilities.
London: £57-68,000 | Rest of UK: £46-55,000

Information Security Officer
Sole information security person (no reports) appointed to a FTSE 250 or small FTSE 100. Background in either consulting or from a policy role in a larger department.
London: £58-64,000 | Rest of UK: £49-54,000

CLAS Consultant
At a senior level within the security practice of a large consultancy or SI. Skills in technical and non-technical security areas such as security architecture, as well as security policy formulation and review, and risk assessment. Also undertakes business development activities.
London: £58-67,000 | Rest of UK: £52-61,000

Operational Security Manager
Managing 2-3 personnel within a mid-sized department and answering directly to the head of department.
London: £60-66,000 | Rest of UK: £55-60,000

Data Protection Manager
Extensive data protection management experience gained in large corporate enterprises, which would often include large financial services. Executive level consultancy and team leading experience.
London: £62-71,000 | Rest of UK: £50-55,000

Security Architect
Working for a consultancy, undertaking security design and architecture for large-scale client projects. Senior person also involved in bid / proposal work and mentoring team members.
London: £64-73,000 | Rest of UK: £57-66,000



Big 4 Senior Manager
Individual with business development experience and a policy focus to their information security experience.
London: £80-95,000 | Rest of UK: £68-74,000

Head of Information Security
Managing a team of 20 security professionals in a financial services company, assisted by 2 more junior managers.
London: £110-125,000 | Rest of UK: £80-88,000

Business Continuity Analyst (Contract)
Working in the financial services industry with a good grounding in business continuity; articulate and focused, with good team working skills.
London: £225-320 per day | Rest of UK: £200-300 per day

Data Privacy Consultant (Contract)
Working with financial and commercial organisations, providing advice on data privacy in line with the Data Protection Act and industry guidelines.
London: £450-550 per day | Rest of UK: £350-450 per day

ISO 27001 Consultant (Contract)
An ISO 27001 Lead Auditor working for a consultancy. Role would include advice on ISO 27001 implementation, gap analysis, risk assessment, security policy review and selection of controls to align with the standard.
London: £550-600 per day | Rest of UK: £500-550 per day

Identity Management Consultant (Contract)
A skilled IdM consultant with experience of various identity management suites from the leading providers. Will have had exposure to the identity management process from beginning to end. Working in a commercial environment, they will have good client-facing skills.
London: £650-700 per day | Rest of UK: £550-600 per day

CLAS Consultant (Contract)
Experienced CLAS Consultant responsible for security policy development on government programmes, including Risk Management and Accreditation Document Sets (RMADS) and associated documentation.
London: £700-800 per day | Rest of UK: £500-600 per day


04. APPENDICES

I. Sample structure

II. Graphs of key indicators

III. Data tables by specialism


APPENDIX I - SAMPLE STRUCTURE

This report is based on quantitative data gathered from a sample structured as follows:

• 50 internal audit departments
• 30 risk management departments
• 30 compliance departments
• 35 information security departments

In addition to the numbers, we speak directly with a number of heads of department to discuss their current and future recruitment requirements as well as the broader picture, to gain a qualitative perspective which is invaluable for the market commentary.

The core statistics provide the following key information:

VACANCIES
• Number of vacancies at the start of the period
• Number of vacancies generated during the period

This, over time, provides guidance on the rate at which vacancies are being generated and an indication of the ease with which companies are filling these vacancies.

REGISTRATIONS
• Number of candidates registering in each market segment

This monitors the flow of candidates into the recruitment market and, combined with the number of vacancies generated, gives an insight into the balance of supply and demand.

DEFENSIVE REGISTRATIONS
• The proportion of candidates registering for defensive reasons

The percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy (i.e. who register for defensive reasons) can provide a useful insight into the behaviour of the recruitment market.

SALARIES
• Salary survey
• Salary increases

In addition to an updated salary survey, we report on the average percentage salary increase achieved by people moving between employers, which is often a good indication of the relative bargaining power that exists between employers and potential recruits.


APPENDIX II - GRAPHS OF KEY INDICATORS

New vacancies
• New vacancies down across the board
• Drop in new vacancies lower in information security than the other 3 areas

Closing vacancies
• Closing vacancies even more sharply down
• In Risk Management and Compliance, they have almost halved


Candidate registrations
• High numbers of candidate registrations continue
• Significant increase in registrations in Compliance
• Significant decrease in Internal & Computer Audit

Defensive registrations
Percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy.
• Significant increase in redundancies or the threat of redundancy in all areas of corporate governance
• Defensive registrations now account for over 40% of new Compliance candidates


Overall salary increase*

• Salary increases relatively stable in Internal & Computer Audit and Risk Management
• Salary increases have dropped significantly in Compliance and Information Security

* Percentages based on introductions made by Barclay Simpson during the quarter. Allowance has been made for the value
of company cars but for no other benefits. Corporate governance personnel working in the private sector are often awarded
annual bonuses based on either their personal or overall corporate performance. These bonuses become part of their salary
package. When joining a new employer there is generally a qualifying period, often up to a year, before bonuses become
due. Not unreasonably, corporate governance professionals, when weighing their existing salary package against an offer of
alternative employment, tend to include their existing bonus but exclude potential bonuses from a new employer. We would
estimate that this accounts for approximately 5% of the increase that people receive as a result of changing position.


APPENDIX III - DATA TABLES BY SPECIALISM

                           Dec 2006   Jun 2007   Dec 2007   Jun 2008   Dec 2008
Corporate Governance
New vacancies                   419        398        333        321        228
Closing vacancies               236        227        216        227        113
Candidates registering          904        922        894        885        915
Defensive registrations         10%        13%        19%        18%        29%
Overall salary increase         18%        17%        16%        17%        10%

Internal Audit
New vacancies                    80         89         84         79         58
Closing vacancies                36         52         39         37         23
Candidates registering          297        322        312        356        242
Defensive registrations         12%        16%        17%        19%        28%
Overall salary increase         14%        13%        12%        12%        11%

Risk Management
New vacancies                    85        198        127         77         53
Closing vacancies                95        117         77         72         37
Candidates registering          124        195        249        241        257
Defensive registrations          5%         4%         8%        17%        25%
Overall salary increase         21%        24%        21%        16%        15%

Compliance
New vacancies                    85        119        107         99         67
Closing vacancies                59         67         76         62         33
Candidates registering          198        172        146        165        186
Defensive registrations         10%        13%        26%        32%        41%
Overall salary increase         18%        19%        22%        21%        11%

Information Security
New vacancies                    56         63         65         58         50
Closing vacancies                24         31         29         33         20
Candidates registering          214        179        195        240        230
Defensive registrations         14%        15%        15%        17%        20%
Overall salary increase         15%        16%        14%        13%         4%
