Acumin’s annual Salary Index for the UK information security industry collates salary data across a breadth of job functions and professions, based on the live roles it has worked on over the last 12 months.
The Index gives information security professionals insight into where they stand against a broad benchmark for their peer group. This is especially useful as the market becomes increasingly competitive, diverse and under-supplied in terms of skills.
With organizations trying to hire in a candidate-driven market, it is imperative that salaries offered are suitably attractive. Indeed, a major obstacle to staffing an information security team is the inability to hire, as security roles often get bogged down in HR profiling and IT salary bandings.
Overview of 2014
Last year for many was the ‘year of the breach’, with a number of high-profile, costly and destructive security incidents in the headlines. In the aftermath, board-level attitudes towards cybersecurity received an overdue wake-up call.
PR disasters for eBay, Sony, Target and others resulted in growing budgets and a greater appetite for proper risk management among senior management. However, cybersecurity technology spend has remained static, demonstrating management’s desire to own and manage risk rather than seek a silver-bullet solution.
Indeed, putting in place controls is not enough on its own. It is the maturity and resilience of the frameworks, policies, and processes around these controls that offer the potential for security improvement. So it’s not just a matter of increased awareness at C-level, but rather a sense of increased responsibility that is driving the industry forwards.
The increased monetization, commoditization, and speed of development of exploits and toolkits sold on the black market, meanwhile, has meant that cybersecurity professionals’ expertise is more in demand than ever.
Vendors
One of the key challenges in the vendor space is retaining valued staff. Typically there has been a competitive environment whereby organizations have expanded sales teams in their efforts to meet growth targets, and as such headhunting of successful sales people has been rife.
To mitigate this cyclical exodus we initially saw increases in basic salaries but the sustainability of this approach is short-lived. Now we are finding package values with attractive equity and share options offered. This is something that’s particularly prevalent across the recent influx of high-growth VC-backed vendors who have entered the market.
As part of the execution of growth strategies, there has been an increased utilization and development of channel partners to bolster sales and delivery capabilities. The demand for those who develop strong partnerships with systems integrators and consultancies has seen a greater volume of openings, as well as more lucrative packages on offer for channel sales professionals (up from £120-140k to £130-160k OTE). This has filtered across into presales roles where the requirement for technical sales expertise has grown on a direct and partner basis (£5k increases across the lower and upper ranges).
The role of presales consultants and security engineers has grown in prominence and value, with these technical SMEs becoming centrally involved in scoping and developing requirements and in implementation, adding value beyond running demonstrations and webinars.
Consultancies & SIs
Challenged by the buoyancy of the contractor market, the static elements we’ve seen in SI salaries have predominantly been due to pressure on margins and charge-out rates. In organizations with more mature security and risk capabilities, there is a developing preference to use contract resource for project delivery, and on that basis rates have improved across nearly all areas.
Whilst there are some pressures around delivery capabilities, we have seen ongoing growth across the business development function with both pure play sales (up £10k at both ends to £130-170k OTE) and technical sales roles (more incremental increases to £62-83k) commanding higher salaries than they were 12 months ago.
"We have seen ongoing growth... with both pure play and technical sales roles commanding higher salaries"
As more organizations wise up to the necessity for and requirements of PCI-DSS, there has been an ongoing desire to develop effective security operations, with the most obvious and easy route being to outsource the function. Consequently we are seeing extensive demand in this space. The shortage of people experienced in working in SOCs has led to increasingly competitive packages, with a rise from £45-75k to £50-80k.
With a maturing and crowded security market, SIs and consultancies have set out to differentiate. This has seen interesting hires into lead roles, often coming from less traditional backgrounds, as organizations attempt to develop and define services.
End Users
The largest enterprises continue to require information security personnel, but where we have seen most growth has been in the SME market. Increasingly SMEs are taking responsibility for their own information security, compelled by best practice rather than compliance-focused initiatives. This has opened up a number of interesting opportunities for greenfield development, transformation and maturing of practices, and insourcing of capabilities.
The increased responsibility and demand for information security/risk managers has created a competitive landscape with upward movement of salary bandings to £60-80k. Alongside this, those who execute the strategies, frameworks, and security/risk models (namely information security analysts in the Salary Survey) have seen a similar upswing in packages to £40-55k.
On the technical side, security architects (particularly those contracting with rates increasing to £500-750 per day) have remained in high demand, although salaries in this area have plateaued at their current peak of £75-110k. Security engineers implementing controls have, however, seen some more significant rises from £55-70k to their current £55-80k.
There have been some interesting opportunities in package development around security operations and incident response, with shifts at both the lower and upper ends of the range taking the banding to £50-80k. This is likely due to a combination of factors, including an ever-developing threat landscape, increased ownership of SOCs/CIRTs, and industry-wide development of security intelligence and analytically-led approaches to threat management. Development of end user security operations capabilities has impacted roles across the environment, including security administrators and monitoring analysts.