Market Report
INFORMATION SECURITY
Barclay Simpson Market Report 2009
CONTENTS
01. Executive summary
04. Appendices
I. Sample structure
In recent years, many ‘crises’ have blown up, often seemingly from nowhere, which have gripped the corporate governance recruitment market almost overnight and brought about head count and recruitment freezes. Governments have invariably responded with lower interest rates and in a matter of months the market has regained its composure and moved on.

The difference now is that whilst the current economic crisis dwarfs all others, it has built up slowly. Sub-prime and credit crunch entered the vernacular two years ago. Market participants seemingly became immune to bad news. Whilst the market has slowed and the pockets of weakness that we described in our interim report are spreading, it is clear from our various surveys that the corporate governance recruitment market has not ground to a halt. However, the economy is continuing to contract, the rate at which the economy is losing jobs is accelerating and further declines in corporate governance recruitment activity will occur.

Here is a brief summary of the individual corporate governance markets:

Internal & Computer Audit

Demand for internal auditors only started to decline steeply during the last quarter of 2008. However, as we reported last year, a slowdown in recruitment seemingly started in 2007.

To date, there have been few redundancies in internal auditing and a lower number than in other areas of governance. The redundancies that have occurred have primarily been in sectors such as house building, retail and financial services where corporate failure has resulted in the closure of resident internal audit departments. There is little doubt that more failures and closures will occur. The vast majority of internal auditors are employed in three sectors - the public sector, the Big 4 and the financial services industry:

• Recruitment in the public sector has slowed and those employed in it will probably stay put. Significant redundancies are unlikely in the short term.

• The Big 4, who in past slowdowns have invariably shed staff, have so far shown no indication of doing so. They have perhaps learnt from past mistakes. During the past two years, outside of their annual graduate intake, they have recruited very few internal auditors. However, given the numbers they employ, should they undertake any significant redundancies, the number of internal auditors in the recruitment market could significantly increase.

• The financial services industry is now contracting. To date there have been limited redundancies and, given the travails of the sector, almost a surprising propensity to recruit. What is clear, however, is that vacancy creation has slowed significantly and there is little immediate prospect of it picking up.

For those departments who are recruiting, it remains a frustrating process. The number of suitably experienced candidates can often be limited. Not surprisingly, given the economic backdrop, many internal auditors, unless they are obliged to do so, are not entering the recruitment market. Unfortunately for those who are, the shrinking number of vacancies is clearly apparent.

There is little doubt that demand for internal auditors will be subdued in the short to medium term and that the number of redundant internal auditors will rise. To what extent is dependent on developments in the wider economy.
Risk Management
Risk management continues to come under
more pressure than other areas of corporate
governance. This is as a result of the large
numbers of risk managers employed in
investment banking and the extent of the
losses and rationalisation in the sector.
Well known names such as Lehman Brothers
and Bear Stearns no longer exist, whilst others
have lost their independence.
Outlook
Last year we anticipated a painful period of deleveraging. It is clear that we assumed that the accompanying falls in asset prices would be contained and that any damage would be substantially limited to the financial services sector. However, the ferocity of the process and the damage to the wider economy has been far greater than perhaps even the most pessimistic commentators forecast. Unemployment is already starting to climb menacingly. Whilst you can take your pick as to where unemployment will be in one month, six months or a year from now, perhaps the only thing you can say with certainty is that it will be significantly higher than it is now.

Whatever the rise, we believe it will be proportionately lower in corporate governance. Corporate governance is integral to business and most departments are leanly staffed. Redundancies are expensive, destroy the morale of those who remain and then leave open the problem of sometime in the future having to find replacements.

Unfortunately, the problem is not simply the dispensability of corporate governance, but the ability of the host business to survive either independently or otherwise. It is clear, as is already the case, that as businesses retreat from markets, fail or undertake defensive mergers, redundancies will follow. However, for most people, if you are working in a relatively secure business, or even the public sector, you are unlikely to lose your job. The problem with recessions is that for those people who do lose their jobs, the pain is disproportionately distributed. As vacancy creation collapses, the pool of redundant people grows and securing employment becomes increasingly problematic. Unfortunately, during 2009, the number of unemployed corporate governance practitioners will rise.
Information Security       Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    56        63        65        58        50
Closing vacancies                24        31        29        33        20
During the first six months of 2008, the number of vacancies generated in the information security and business continuity recruitment market, although marginally down, was broadly consistent with the previous two years. This was perhaps surprising given the enormity of the economic developments. However, most commentators then believed that the UK and developed world at worst might expect a short shallow recession. It is clear that nothing so benign has transpired and only the depth and length of the recession is in question. The recession has now started to show up in our market data.

• Q4 sees sharp reduction in vacancies

During the final quarter of 2008, there was a significant slowdown in the rate at which new information security vacancies were generated.

Whilst some comfort might initially be taken from the number of vacancies generated in the second half of 2008, 50 versus 58 in the previous six months, a rather more telling statistic is the closing number of vacancies, which has fallen from 33 in July 2008 to just 20 in December 2008. In fact, the rate of vacancy generation was broadly maintained into the third quarter of 2008, but then fell away in the final quarter. The trend is now set for a significantly lower number of vacancies.

• Drop in registrations as candidates reluctant to move

The number of candidate registrations fell in the second half of 2008. Against that, the number of defensive registrations rose. The fall in registrations is not surprising, as changing employer involves risk. Whilst much of this risk is more perceived than real, some feel that entering the recruitment market for purely discretionary purposes is not something they currently wish to do. Defensive registrations are up as the number of those who are made redundant, or who feel their position is potentially under threat, is rising.

• Dramatic fall in salary increases

The average salary increase achieved by changing jobs in the second half of 2008 fell dramatically to 4%. This was caused by those who are out of work accepting salaries below their pre-redundancy earnings.
MARKET COMMENTARY
Unemployment now evident
There is now unemployment in information security. Within many companies, IT projects have been put on hold, budgets for new technologies have been frozen and recruitment suspended. The number of information security specialists being forced into the recruitment market is rising and the number of vacancies is falling. The last time this happened was in 2002. Then, post the dotcom bust, many start up internet companies lost their funding and budgets were cut in anticipation of a downturn and the uncertainty of the run up to the Iraq War.

The reasons for the current downturn are different. However, for anyone who loses their job, the impact is likely to be very similar. If you find yourself in this situation or simply fear the threat of redundancy, the more proactive you are, the better. Focusing on how you can improve your marketability - perhaps doing things such as completing a professional qualification and developing relationships within the industry - can make a real difference to your appeal to potential employers.

Against this rather downbeat backdrop, there are areas of the recruitment market where demand remains strong.

For example, in the public sector there are a number of long-term projects which are already funded and recruiting. We expect this to continue during 2009.

Managed Security Services (MSS) and Security as a Service (SaaS) are still recruiting at all levels from VP / managerial positions through to pre-sales and technical operational roles. Outsourcing is proving to be a cost effective way of securing information and avoids the need to purchase the technology and recruit staff to implement, integrate, configure and maintain it.

Although demand is now declining, previously there had been strong demand for penetration testers to assist in determining a company’s security status. The reason for the decline is twofold. Firstly, the consultancies that employ the bulk of penetration testers are becoming more cautious and secondly, as people become more wary about changing jobs, there is less backfilling required.

Another niche area which has experienced strong demand has been Identity Management (IdM). However, demand has recently slowed due to the fact that most Sarbanes Oxley compliance, which was driving IdM recruitment, has been concluded. This said, it is possible that Public Key Infrastructure (PKI) may replace this demand in the Identity and Access Management (IAM) market. A great deal of work has been undertaken using PKI as well as IdM on the Transglobal Secure Collaboration Program (TSCP). This is essential for companies dealing with the US government. In the UK, the number of encrypted hard drives will increase, particularly following the high profile data losses of 2007 and 2008. This is now a government requirement, involving various levels of PKI to access information on hard drives. It is likely that the private sector will follow and some consultancies are already progressing this. New roles in PKI should emerge in 2009.
Data leakage was a topic for many industry conferences and security publications throughout 2008. This was the result of fines imposed on the private sector and media humiliation of the public sector.

There is now increased awareness of information security and its role in ensuring that an organisation is not commercially damaged or its reputation and trust publicly compromised by data leakage.

Within the public sector, the Hannigan report was commissioned, which highlighted where improvements could be made to reduce data leakage within the public sector. These included more encryption, penetration testing and a raised awareness of information security across government departments. The private sector has responded by investing in privacy personnel and aligning with ISO 27001.

The Information Commissioner is to be granted new powers to conduct “spot checks” and sanctions will be introduced under the Data Protection Act for the most serious breaches of its principles. This will affect both the private and public sectors and will no doubt lead to increased demand for privacy staff during 2009.

Contracting to Government

Demand for security staff in the public sector is generally considered to be more immune to the recession than the private sector. As a consequence, there is currently enhanced interest in gaining work in the public sector.

The Middle East is becoming a popular alternative for UK based information security professionals. Whilst the region is not immune to the global slowdown, many new information security positions are still being generated, not only in Dubai and the UAE, but in Qatar, Bahrain, Kuwait and Saudi Arabia. Local national banks and commercial groups are expanding, together with multinational groups who are migrating into the region.

These developments require robust corporate governance and the demand for globally recognised compliance. Demand for effective information security management is growing. Large, complex organisations are ensuring they have information security standards and policies that are in line with global best practice and are building information security teams and in some cases working with consultancies to improve their Information Security Management Systems (ISMS). Accreditation to ISO 27001 is still not common, but there is an increase in demand for accreditation as more companies in the region announce their certification.

The Middle East offers numerous opportunities within information security. However, relocating is a big decision which should only be made after careful research and consideration.
Analysis by sector
Consultancies & Systems Integrators

The consultancies and systems integrators reflected developments in the wider economy during 2008.

The number of vacancies registered declined during the course of the year, even though there were some cases of very urgent recruitment. The number of candidates competing for each vacancy is increasing, although many better qualified individuals are preferring to stay out of the recruitment market and remain with their existing employers. Really good candidates who chose to enter the market can still receive multiple offers and are often counter-offered to stay with their existing employer.

A number of consultancies, SIs and the telcos with security professional services practices now have recruitment freezes. Security practitioners have been moved on to other projects and some security practices and businesses have been restructured and reorganised.

Any recruitment that has been taking place is primarily at mid level, with demand for security architects, identity management specialists, government security consultants and penetration testers. These were the same skills that were required in 2007 and reflect the nature of projects, particularly in the government sector.

It is hard to discuss this market sector without mentioning the significant data losses that have occurred during 2008, particularly in government and by certain major outsourcers. This has had mixed effects. Firms involved in the data-leakages themselves have, at times, lost major contracts and therefore required less staff. At the same time, such data losses have been used as a sales tool to increase the number of security specialist staff used on contracts.

We anticipate that demand will continue to be subdued in 2009. The exception is likely to be from those consultancies benefiting from contract wins. Recruitment freezes will continue and many of the best practitioners are likely to stay with their existing employers.
End users
Information security departments started the year buoyed by the need to fix potential data leakages. At that time the credit crunch and its effects on the wider economy had yet to be felt in information security recruitment.

Demand held up until the end of quarter 3 when, in a similar fashion to other areas of corporate governance, there was a significant decline in the number of new vacancies. After Lehman Brothers failed, demand for information security staff in the financial services sector dropped sharply. Some positions were put on hold, budgets were reviewed and any recruitment needed to be sanctioned at a higher executive level. Information security staff that left the organisation were not automatically replaced.

During economic slowdowns, IT investment is often badly hit. New technologies have less take up, projects are scaled down and development slows. Information security within end users is inevitably affected as fewer technology related risk assessments are required. Those who are full-time risk assessors should consider broadening their skill base. No vacancies were registered in this area during the second half of 2008.

Demand in commerce has held up better with many smaller companies still appointing their first information security specialist. This is a continuation of an established trend and this impetus is largely caused by the growing scope and recognition of ISO 27001, PCI and vendor assessments. PCI has had an impact in a number of sectors and is being used by information security managers to justify their budgets. However, by the end of 2008, many commercial companies, most notably in the retail, property and media sectors, curtailed their recruitment plans.

Candidate availability has been mixed. It is clear that many candidates, either through redundancy or the perceived threat of this, feel they have little choice but to search for another job. Others, who are under no threat, but who might otherwise have looked for discretionary purposes, prefer the security of their existing employer.

Currently, unemployment is still low but compared with recent years it is steadily rising. Candidates with blemished CVs are finding it more difficult to secure interviews. A number of contractors are starting to compete for permanent roles even though they will often not be considered by the hiring or HR managers.

The combination of fewer jobs and more candidates is resulting in lower salaries. Employers are more likely to match, rather than improve, existing packages and, in the case of unemployed candidates, may offer below previous earnings.

This trend in the market looks set for 2009. In spite of the positive benefits of PCI and Hannigan, demand from end users will be closely tied to developments in the wider UK and world economy.
Contract market
At the start of 2008, contractors were in demand across all sectors, especially those individuals with identity management skills, cryptographic experts and CLAS consultants. High profile data leakages, coupled with a number of ambitious projects that required an increase in the collection of sensitive data, resulted in enhanced security concerns. The Hannigan report highlighted a number of areas that required attention within the public sector and resulted in increased security awareness amongst its senior management.

Strong demand for CLAS consultants continued throughout 2008 with long term high profile central government projects remaining a big user. A large intake of new CLAS consultants eased demand, although long-term highly skilled CLAS consultants are being tied in to longer, more lucrative, contracts. Many CLAS consultants are working with more than one public sector client and this demand will at least remain if not increase in 2009.

Financial services, as a result of some large fines, used more contractors during 2008 for data privacy and third party security assessments. The FSA released its Data Security report in the first half of 2008 and many companies needed to act on the findings and recommendations.

The Data Protection Act gained weight during 2008 and more spot checks may be carried out throughout 2009. Companies will most likely want to review their privacy policies. Much of this work is being carried out as part of compliance with ISO27001, which could see an increase in related contract roles.

2008 was characterised by less work in the private sector but growth in the public sector. The increased number of contractors looking for work resulted in more competition for positions, with rates falling approximately 10% for generalist information security positions. Some contractors were requested to move into permanent positions to cut costs. However, specialists such as identity management experts and penetration testers were able to maintain their rates.

In 2009, we expect demand from the public sector to be broadly consistent with 2008. The private sector will be more dependent on developments in the economy. There will almost certainly be more competition amongst contractors as those who have been made redundant from permanent roles will also be looking for contract work.
Role (London / Rest of UK)

Security Operations Engineer: London £27-35,000 / Rest of UK £22-30,000
A junior member of a network security ops team in a 24/7 managed service environment. Reports into the Security Operations Team Leader. Monitors security devices such as firewalls, IDS / IPS etc.

Security Analyst: London £36-40,000 / Rest of UK £30-37,000
Experience including monitoring and awareness for information security. Likely to be working for a retail bank or other financial institution.

Penetration Tester: London £52-60,000 / Rest of UK £49-56,000
Working for a boutique security consultancy, this skilled penetration tester will have good client-facing skills and be able to undertake application penetration testing, code level reviews and reverse engineering.

CLAS Consultant: London £58-67,000 / Rest of UK £52-61,000
At a senior level within the security practice of a large consultancy or SI. Skills in technical and non-technical security areas such as security architecture, as well as security policy formulation and review, and risk assessment. Also undertakes business development activities.

Security Architect: London £64-73,000 / Rest of UK £57-66,000
Working for a consultancy, undertaking security design and architecture for large-scale client projects. Senior person also involved in bid / proposal work and mentoring team members.
04. Appendices
I. Sample structure
• 30 risk management departments
• 30 compliance departments
• 35 information security departments

This monitors the flow of candidates into the recruitment market and, combined with the number of vacancies generated, gives an insight into the balance of supply and demand.
[Chart: New vacancies; Closing vacancies]
[Chart: Candidate registrations; Defensive registrations]
Defensive registrations: percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy.
• Salary increases relatively stable in Internal & Computer Audit and Risk Management
• Salary increases have dropped significantly in Compliance and Information Security
* Percentages based on introductions made by Barclay Simpson during the quarter. Allowance has been made for the value
of company cars but for no other benefits. Corporate governance personnel working in the private sector are often awarded
annual bonuses based on either their personal or overall corporate performance. These bonuses become part of their salary
package. When joining a new employer there is generally a qualifying period, often up to a year, before bonuses become
due. Not unreasonably, corporate governance professionals, when weighing their existing salary package against an offer of
alternative employment, tend to include their existing bonus but exclude potential bonuses from a new employer. We would
estimate that this accounts for approximately 5% of the increase that people receive as a result of changing position.
Internal Audit             Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    80        89        84        79        58
Closing vacancies                36        52        39        37        23
Candidates registering          297       322       312       356       242
Defensive registrations         12%       16%       17%       19%       28%
Overall salary increase         14%       13%       12%       12%       11%

Risk Management            Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    85       198       127        77        53
Closing vacancies                95       117        77        72        37
Candidates registering          124       195       249       241       257
Defensive registrations          5%        4%        8%       17%       25%
Overall salary increase         21%       24%       21%       16%       15%

Compliance                 Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    85       119       107        99        67
Closing vacancies                59        67        76        62        33
Candidates registering          198       172       146       165       186
Defensive registrations         10%       13%       26%       32%       41%
Overall salary increase         18%       19%       22%       21%       11%

Information Security       Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    56        63        65        58        50
Closing vacancies                24        31        29        33        20
Candidates registering          214       179       195       240       230
Defensive registrations         14%       15%       15%       17%       20%
Overall salary increase         15%       16%       14%       13%        4%