
Compensation and Market Trends Interim Report 2014: Security

BARCLAY SIMPSON

Welcome to Barclay Simpson's 2014 Security Compensation and Market Trends Interim Report
Barclay Simpson has been producing corporate governance market reports since 1990.
This year, as we did last year, we are using our Mid-Year 2014 report as an opportunity
to focus primarily on compensation. This report seeks to provide insight and guidance
into compensation within security. It is supported by a comprehensive survey of security
practitioners registered with Barclay Simpson in June 2014. Comparable reports exist for
all other areas of corporate governance. They can be accessed in section 6 of this report
(About Barclay Simpson) or at www.barclaysimpson.com
We place great value on the professional reaction to our reports and would appreciate
your comments and any requests for further clarification or information.

CONTENTS
01/ Executive Summary
02/ Market Analysis
03/ Market Commentary
04/ Sector Analysis
05/ Salary Guide & Compensation Report
06/ About Barclay Simpson

Offices
London
Edinburgh
New York
Dubai
Hong Kong
Singapore

Disciplines
Internal Audit
Risk
Compliance
Information Security
Business Continuity
Legal
Treasury

01/ Executive Summary

Security recruitment market strengthening
This time last year, we reported
that companies were coming to the
recruitment market in increasing numbers
and following through recruitment
processes with realistic offers. Since
then, an additional 800,000 people
have been employed in the UK and the
economy is forecast to grow by 3% in
2014. In this context, high profile cyber-attacks are provoking both corporate and
public fear just as business investment is
expanding at its fastest rate in six years.
The security recruitment market is
unlikely to ever have a more favourable
backdrop than it currently enjoys.

Availability of
workers falling
Real earnings, having fallen by 10%
over the last six years, are finally turning
around. Regardless of developments
in the security recruitment market,
across the economy the availability of
workers to fill vacancies is falling at its
fastest rate in fifteen years. Recruiting
security professionals with the right skills
is a significant challenge, particularly
experienced practitioners who can make
an immediate impact. This is leading
CIOs to reshape roles and working
arrangements, as well as having to adjust
their recruitment expectations.

Salary increases
currently under control
Whilst average wages in the UK economy
have fallen, we are confident that security
practitioners have done better. Although
there are still a significant number of
security practitioners who report no
increase in their salaries, the average
increase reported for the last two years
has been 4%. Given the rebound in the
economy stretching back to last year,
we are surprised that the results of this
year's Survey did not report a higher
average. However, this average, like
others we have analysed in detail, hides a
wide range of experiences. For example,
after a number of years when real
earnings grew faster in the public sector, it
now seems to be the private sector's turn
to play catch up.
Other benefits, that are not included in an
assessment of average salaries, such as
bonuses and pension contributions, are
also used to reward security practitioners.
At approximately 30% of total earnings,
these other benefits have seemingly
increased more readily than base salaries.
They potentially represent a less public
way of rewarding high value staff.

Salary is far from everything
Whilst the focus of this report is on
compensation, we should not forget
that it remains only one factor, albeit
an important one, in the employment
equation. Less than 30% of security
practitioners cite salary as the primary
reason they have sought another job.
Any company employing, and wishing
to retain, security practitioners
should reflect how important career
development prospects and work/life
balance are to security practitioners.
It is something we believe many
employers increasingly appreciate.

Strong demand
anticipated to continue
Given a strengthening economy, rising
investment and the constantly evolving
threat from cyber-attacks, we currently
anticipate strong demand for security
practitioners for the remainder of 2014.

02/ Market Analysis

VACANCIES
Vacancies still increasing
At the start of 2014, our employer survey identified pent up pressure to expand
security teams and recruit. In that survey, 77% of security managers reported they
had insufficient resources to carry out their responsibilities. As a consequence, the
number of vacancies generated in the security recruitment market (having seemingly
peaked in 2013) has further increased in 2014.
The increasing frequency and high profile nature of cyber-attacks in 2014 is helping
provide security departments with higher budgets and many vacancies are for new
positions. Sectors where recruitment is currently high include telecoms, manufacturing,
retail and retail banking. Whilst in the past the manufacturing sector has not contributed
greatly to the aggregate demand for security practitioners, intellectual property theft has
become a concern and is driving recruitment. Companies are particularly seeking
candidates who can quickly deliver improvements and make an immediate impact.
As a result, vacancies are more likely to be at the mid to senior level and there is less
interest in training and developing more junior practitioners. It begs the question, where
will more experienced practitioners come from? Rising demand and a finite number of
experienced practitioners will require solutions to be found.

[Graph: new vacancies and outstanding vacancies]

Rate of placements
Slowed by the availability of candidates
The graph demonstrates the willingness of companies to recruit during the period
rather than simply registering vacancies and arranging interviews. It reflects the
rate at which candidates are being offered and are accepting jobs.
The rate of placements marginally declined in the second half of 2013 and in 2014
has yet to recover. Given the improved economic backdrop and current level of
demand, this might be surprising. The explanation is the lack of availability of, and
competition for, the type of security practitioners companies wish to recruit. Companies
have become more sensitive about retaining staff and are more likely to address their
concerns. Many security practitioners are benefiting from enhanced career prospects
and a better work/life balance with their existing employer, which are two of the key
reasons many enter the recruitment market. In spite of the very real prospect of
increasing their salary through a job move, many security practitioners are choosing to
stay with their existing employer.
Where companies are prepared to move aggressively to fill vacancies, for example
by offering a benchmark beating salary, they are more likely to be successful. In
recognition, the salary budgets that companies are coming to the recruitment market
with are regularly being upwardly adjusted. However, the results from our Survey
are yet to indicate any across the board increases in salaries. Salary increases
achieved in the recruitment market so far in 2014 remain consistent with 2013.

[Graph: placement rate]

03/ Market Commentary

Experienced practitioners in demand
Whilst the security recruitment
market has clearly swung in favour
of candidates and away from
employers, our Survey found that 5%
of respondents were redundant and 9%
of those who had changed job did so
for defensive reasons. Both these results
are low for the security recruitment market
when compared to any recent period.
However, they are high when compared to
other areas of corporate governance.
Evidently, no matter how strong the
recruitment market, employers remain
selective and security skills and
experiences that were once in demand
can become out of date. Equally,
particularly amongst consultancies and
systems integrators, corporate fortunes
can be uncertain and job security less
dependable. It is also a reminder that
security has changed to the extent that
what was once characterised as simply
a technical discipline has developed
into a mainstream corporate function.
As a matter of course, practitioners are
required to communicate and, more
importantly, influence. In the face of
resurgent demand, this need for strong
communication skills is restricting
the number of candidates who can
realistically expect to navigate corporate
recruitment processes.

Demand no longer led by financial services
Demand is currently broadly based and
is no longer being led by the financial
services sector. It encompasses industry
and commerce and the consultancy
sector, where utilisation rates are high
and most consultancies and systems
integrators are recruiting. This year, unlike
last year when the financial services
sector dominated demand, each vacancy
is more likely to have its own specific
requirements. This is providing a much
wider range of potential opportunities.
However, demand remains focused
on experienced practitioners. This
again questions where the necessary
expertise will be nurtured to support
the expanding number of security
practitioners that are required now and
almost certainly in the future. Clearly
companies (and this is an area for which
the government is showing support)
will have to increase their commitment
to training. Links between universities,
training institutions and commerce are
strengthening. As the cost of successful
cyber-attacks becomes easier to quantify,
investing in defense for the longer term
becomes easier to justify.

Growth in second line functions
Within financial services, demand
from group or second line functions
has grown in 2014 and has been a
feature of the recruitment market.
Their historic purpose, usually on tiny
budgets, has been to keep divisional
information security functions talking to
each other. Maybe they offered a few
group-wide initiatives or possibly a
unified approach to awareness and
training. Regulation is changing this.
Banks are putting group functions in
place to complete a wide range of risk
assessments. The three lines of defense
structure is being put in place. This
expansion, at the 2nd line, is having an
impact on the recruitment market. Despite
responding to the same regulation,
second line functions vary. Some have a
generalist non-technical focus providing
a governance focused risk assessment
service. Others have groups of subject
matter experts delving deep into the
work of the first line and supporting it with
consultancy services.
What is uniform throughout the
financial services sector is that the
division between 1st and 2nd line
information security functions is much
more defined and 2nd line functions
are growing. Some are achieving this
through external recruitment and others
by restructuring existing departments.

The joined up
security model?
We have yet to see evidence in the
recruitment market of the emergence of a
converged security model where physical
and IT/cyber security practitioners are
integrated. This model is rare, even
where there is a shared functional lead.
Challenges ranging from cyber-attacks to
the basic physical threat of unauthorised
personnel fitting keyloggers to IT systems
would be more efficiently addressed with
a joined up approach.
Why do so few companies operate
a joined up security model when
executive management is becoming
increasingly aware and concerned
about security? There would seem to
be a lack of practitioners at all levels with
a good understanding and appreciation
of both areas. Whilst there is an increase
in the take up of industry standard
qualifications, such as the CISSP
amongst physical security practitioners,
it remains rare for IT/cyber security
practitioners to take physical security
qualifications, such as the globally
recognised CPP. As threats continue to
evolve, security functions will develop
and practitioners at more senior levels
who take a holistic view of security are
likely to emerge. We await developments.

04/ Sector Analysis

Financial Services
Given the potentially catastrophic nature
of security failures in financial services
earlier this year, the Bank of England,
the Treasury and the Financial Conduct
Authority were keen to assess the results
of Waking Shark 2, an exercise designed
to assess the ability of the UK's core
financial services providers to withstand
cyber-attacks. Amongst the findings
was the need for better co-ordination
in response to attacks and a need to
quickly inform law enforcement agencies
and the appropriate regulator(s) with
their response. It was suggested that the
British Bankers' Association (BBA) take
a central co-ordinating role to manage
communication across the sector.
In response, there has been strong
demand. Notably, most of the major
retail banks continue to have multiple
vacancies. A common theme is the
seniority of the vacancies, which
are consistently at the £50-80,000
experienced practitioner level.
Practitioners at this level are regularly
receiving multiple offers. Demand is
particularly high from group 2nd line
functions, for IT risk and information
risk focused roles. The cross-over with
operational risk has never been so strong.
Logical access management has also
been a priority with several roles requiring
expertise either at 2nd line review or first
line implementation.

Commerce
Security within commerce has already
made the headlines this year with high
profile breaches occurring at eBay and
Target in the USA, the latter resulting
in the resignation of the CEO. These
events simply increase the pressure
on executive management to ensure
that security is adequately addressed
and has contributed to the increased
demand from the commercial sector.
Energy companies in particular, have seen
an increase in their security needs as their
lack of defence has, in some instances,
resulted in their being unable to obtain
insurance against a cyber-attack.
Whilst the relatively small size of
commercial company security
departments usually results in broad skill
sets being required, they are becoming
more technical. Vacancies remain top
heavy, with high numbers of senior
positions in an already competitive
market. As a result, companies have
frequently needed to review their original
budgets. This is likely to feed through to
higher salaries.

Consultancies and
Systems Integrators
At the start of the year, as corporate
security budgets grew and the pressure
to adopt new standards increased,
we anticipated that demand from
consultancies and systems integrators
was likely to be strong in 2014. We
envisaged competition for staff within the
sector to be a feature of the recruitment
market in 2014. This has proven to be
the case.
Many consultancies and SIs have multiple
vacancies and security practitioners with
the required skills will invariably have
more than one offer to select from. Whilst
demand is biased towards security
consultants with a mix of delivery and
business development experience,
there has been a notable increase in
demand for specialists in the areas
of SIEM, PCI DSS and Identity and
Access Management. Additionally, there
is a surge in boutique consultancies
expanding their services and aggressively
recruiting. This is most likely the result of
the drive by Government departments
and businesses in the private sector to
use more SMEs. The consulting sector is
responding to both the demand for their
services and candidate shortages by
streamlining their recruitment processes
and competing more aggressively to
attract talent.

Contract
Information and cyber security is now
high on the corporate agenda. CIOs and
CISOs are better able to demonstrate
the value of bringing in specialist
resources to put the necessary controls
in place at the start of projects. Our
Survey indicates a broadly confident
market, with contractors reporting
increasing demand for their skills and
rising contract rates.
As a result of ongoing high profile
intellectual property theft, contractors
with experience of advising against
Advanced Persistent Threats (APT) are
currently in high demand. The demand
for this skill set was further validated
by the FBI's high profile fight against
suspected Chinese military hackers.
A clear trend is the increase in
permanent security practitioners
expressing an interest in
developing their career in the
contract market. Common reasons
are a better work life balance, less
stress, better rates of pay and the
opportunity to focus on areas of
interest. The contract market will
always be an attractive proposition
for candidates in the security market.
However, it should be approached
with caution, particularly before
resigning from a permanent position.

05/ Security Salary Guide and Compensation Survey 2014

Our Mid-Year Report provides an in-depth section on
salaries and compensation, designed to provide a much
fuller picture of overall remuneration packages.
Most security practitioners are keen to know their market worth.
This is not always easy to address. Two otherwise similar
security practitioners may enter the recruitment market and
accept materially different salaries. We provide this caveat
because we are aware that the security recruitment market is
sufficiently diverse that it defies simple categorisation. However,
security practitioners and their employers want guidance and
this is what we attempt to provide.
As recruitment consultants, we are involved in the negotiations
that take place between employers and prospective employees.
We are aware that whilst salary is usually the most
important consideration, a number of other factors go
to make up total remuneration. In addition to the data we
gather from the placements we make and the recruitment work
we do, including contact with security and human resources
departments about salaries and other benefits, we have also
conducted a Compensation Survey to provide specific detail on
all different types of remuneration within security.
The Survey was of security practitioners registered with Barclay
Simpson and was conducted in June 2014. It generated several
hundred responses.

Covers both permanent and contract markets
We also conducted an Interim Compensation Survey covering
the contract market. We have incorporated the key findings into
this report to make it as easy as possible to understand the full
picture for security.
We hope that you find the results interesting. This report
provides the key highlights of the Survey. If you would like
more detail about your specific sector or role, please call Mark
Ampleford on 020 7936 2601 (ma@barclaysimpson.com).
This section is broken down into 4 parts:
1. Key conclusions: Key conclusions from Security
Compensation Survey
2. Overview: Commentary on the major trends in salaries and
other benefits paid to security practitioners
3. Compensation Survey: Results of Compensation Survey
completed by security practitioners
4. Salary Guide: Guide to salaries for specific security roles
and positions

1. Key Conclusions

The results from Barclay Simpson's
Security Compensation Survey are
encouraging and confirm an active
and confident security recruitment
market where demand is rising but
costs and salaries remain broadly
under control.

Mature recruitment market
- 90% of security practitioners surveyed have worked in
security for over 5 years
- 62% have worked in security for over 10 years
- Security practitioners are more likely to be men (95%)
than women (5%)

Value of other benefits increasing
Bonuses
- 72% of companies paid bonuses in the last year
- Average bonus equivalent to 23% of basic salary
Pensions
- 80% of security practitioners benefit from employer pension
contributions
- Average employer pension contributions remain
equivalent to 9% of basic salary
Long term incentive plans
- 17% of security practitioners benefit from long term
incentive plans
Other allowances
- 60% of security practitioners benefit from other allowances
- Average value of other benefits equivalent to £4,100

More security practitioners moving jobs
- 38% of security practitioners surveyed have changed job in
the last 12 months, against 34% in 2013
- 38% of security practitioners moved primarily for career
development reasons, 29% primarily to increase
their salary and 24% for a better
work/life balance
- 5% of security practitioners surveyed
reported they were not working
(more than any other area of
corporate governance)

Satisfaction with remuneration rises when moving job
- Overall, 57% of security practitioners satisfied
with current remuneration
- Rises to 75% for security practitioners who have moved in
the last year against 45% for those who have not moved
- 81% benefit from flexible working. Percentage rises
to 85% for those who have moved in the past year
- Average holiday entitlement remains at 26 days

Salary increases up on 2013
- Average salary increase of 17% achieved by security
practitioners who changed job in the last year, against
14% in 2013
- 4% salary increase for security practitioners who stayed with
their existing employer

Satisfaction amongst contractors who are working
- 69% of contractors content with current contract
- 61% believe they are adequately compensated

2. Overview

The UK economy is currently experiencing a robust
recovery and benefiting from increased investment.
Whilst security practitioners are in high demand, the
results of our Survey indicate that companies have
continued to control costs. Salary increases available
to security practitioners staying with their employer
remain consistent with 2013.

Motivation for entering the recruitment market
This analysis looks at what motivated security practitioners
to change employer in the last 12 months. In spite of 22% of
security practitioners reporting they did not receive a salary
increase, salary was the primary motivation for only 29% of
security practitioners entering the recruitment market, down
from 36% in 2013. Whilst career development was the most
common reason, security practitioners' answers to this
question differed from our Surveys across other areas of
corporate governance. The 9% who gave job security as
a reason was higher, possibly indicating a more endemic
uncertainty that pervades the wider technology sector.
24% of security practitioners are also seeking a better work
/ life balance, again higher than other areas of corporate
governance. This is surprising, as it is more usually a key
driver for women. However, women made up only 5% of
respondents to the Survey. The number of women employed in
security is significantly lower than in other areas of corporate
governance. For example, the comparable percentage in
internal auditing is 23%.

Motivation for entering the recruitment market

    Career development           38%
    Salary                       29%
    Better work / life balance   24%
    Job security                  9%

Whilst salary is not the primary motive for information security
practitioners seeking another job, they will almost invariably use
the opportunity to better their salary and our Survey indicated
that 75% of security practitioners who had changed
employer in the last 12 months were now content with their
salary, against only 45% who had not changed employer.

Salary increases achieved by security practitioners who
stayed with their employer
According to our Survey, the average increase for security
practitioners who stayed with their existing employer is
unchanged at 4%, the same increase as internal auditors but
lower than other areas of corporate governance such as risk
managers and compliance professionals. Whilst the headline
rate is perhaps unsurprising, averages can be misleading.
For example, a number of the people who stayed with their
employer will have benefited from promotions.

What best describes your salary increase in the last year?

            The same   0-2.5%   2.5-5%   5-10%   10-15%   Over 15%
    2014    22%        23%      33%      9%      5%       8%
    2013    36%        14%      23%      11%     9%       7%

Analysing the average increase tells a different story,
particularly when compared to 2013. Last year, 36% of
security practitioners reported that they received no
increase in their base salary against only 22% this year.
Given the rebound in the economy, it is surprising that so
many security practitioners continue to report that they
received no salary increase. We can only assume that the
question is backward rather than forward looking and will
produce a more positive result next year. Also, last year, 16%
of respondents reported a salary increase in excess of 10%
against only 13% in 2014.

Salary increases achieved by changing employer
The Survey indicates that the average salary increase achieved
by security practitioners moving job is 17%, up from 14% in
2013. Security practitioners have been in a stronger bargaining
position since 2013 when companies found it was becoming
more difficult to recruit.

    June 2011   June 2012   June 2013   June 2014
    14%         11%         14%         17%

There is a significant difference between the 17% increase in
salary achieved by changing job and the 4% average achieved
by staying with an existing employer. However, breaking
down the average, as we did last year, reveals a wide range
of outcomes. It is particularly instructive that whilst 17% may
be taken as the average, only 24% of security practitioners
accepted a salary increase between 10% and 20%.

What best describes your salary increase in the last year?

            Less or the same   0-5%   5-10%   10-15%   15-20%   20-30%   Over 30%
    2014    28%                6%     8%      13%      11%      13%      21%
    2013    25%                8%     14%     10%      13%      11%      19%

Compared to 2013, the breakdown in 2014, unlike other
areas of corporate governance, is similar. It is perhaps a
little surprising that 28% of the moves involved either a
reduction or similar salary. Equally, in spite of an economy
now growing more strongly, the percentage of candidates
achieving salary gains of over 20% was only 34% in 2014,
against 30% in 2013.
It might seem curious that even 28% of security practitioners
would move for the same or less salary. For some, however,
they accept a similar salary as the result of relocation, for
example a move away from London (and in the case of
increases a move to London) or perhaps the opportunity to
work in a new sector. Others are prepared to accept a better
work life balance which is clearly a key driver in the security
market. Further, the number of moves prompted by the threat of
redundancy is higher in security than other areas of corporate
governance. Whilst base salary is the most compelling
element of any offer, there are other benefits such as
pensions, bonuses and holiday entitlement.
The security recruitment market is a diverse place in terms
of the salary increases practitioners command by changing
employer. There is clearly a huge difference in what companies
are prepared to pay for security practitioners with in-demand
skill sets, particularly for those who combine them with
commercial savvy and effective communication skills.

Offers rejected as deemed too low
An insightful statistic is the number of offers that are rejected for
being too low. That is the percentage of security practitioners
who have rejected an offer they would have otherwise accepted
simply on the basis of salary. It represents the propensity of
prospective employers to make realistic offers rather than
simply opportunistic ones. It also provides some insight into
how security professionals view their bargaining power.

Offers rejected as deemed too low

    2011   2012   2013   2014
    31%    42%    34%    28%

In 2012, when the Eurozone crisis was badly affecting
confidence, many companies made opportunistic offers.
Since then the percentage has steadily fallen. Companies
recognise the shortage of the security practitioners they wish
to employ and candidates have become more confident and
assertive. Most candidates are going to move only if they
expect it to be financially beneficial. Companies are currently
more likely to make realistic offers in response to their need
to recruit.

Salary v Remuneration
Whilst base salaries always catch the headlines, offers of
employment invariably include other benefits. On average,
these additional benefits make up over 30% of total
remuneration. Here is an overview of the other benefits that
security practitioners might expect to receive.

Bonuses
Bonus payments marginally increased from 22% in
2013 to 23% of base salaries in 2014. However, the
percentage of security practitioners reporting that their
employer paid a bonus rose from 61% to 72%. This
percentage is still lower than in other areas of corporate
governance, but is a result of the higher percentage
of security practitioners working in the public and
consultancy sectors where traditionally bonuses are
less likely to be paid.
Of those who received a bonus, 34% reported an increase,
with only 9% reporting a reduction. Bonuses, whilst
potentially a good way of retaining and motivating staff, are
rarely an efficient way of attracting them. Bonuses are often
non contractual, often discretionary and may be paid on the
basis of corporate or personal performance or a combination
of the two. There can also be a qualifying period.
An issue with bonuses is that whilst a security
practitioner entering the recruitment market who has
benefited from a bonus may add it to their base salary,
they are more inclined to discount bonuses when
discussing expected salary. This goes some way to
explaining what can otherwise be relatively high increases
in the base salaries achieved by security practitioners
moving between employers. Bonuses can vary considerably.
However, 68% of security practitioners received a bonus less
than 20% of their base salary and only 11% benefited from
bonuses in excess of 30%.

Pensions
For new recruits, final salary pensions no longer exist in
the private sector. For those who still benefit from such
schemes there is a full appreciation of their value and that
the cost of giving it up to join a new employer would be
prohibitively expensive.
80% of security practitioners benefit from employer
pension contributions, low by the standards of other
areas of corporate governance. It is probably the result
of consultancies being less likely to make pension
contributions. The typical employer pension contribution
is in the range of 5-10% and, at 9%, the average pension
contribution remained the same as in 2013.
Pension schemes in the private sector are invariably money
purchase where the company commits to making a contribution
based on a percentage of salary. Whilst there is often a short
qualifying period before contributions commence, a period in
excess of six months would be considered unusual.
Most arrangements require the employer to make a contribution
based upon a fixed percentage of base salary. The employee
may or may not be required to match it. Frequently, employers
will be prepared to match additional contributions made by
the employee up to a fixed percentage. The percentage may
increase with the age of the employee, their years of service
and their level of seniority.

Other benefits
60% of security practitioners reported they received other
benefits in 2014. The average value of those benefits rose
from £3,700 in 2013 to £4,100 in 2014. Cars or car allowances
have become a less common benefit. They can still be
expected where a role requires significant travel and also for
senior hires. In terms of overall remuneration, a car allowance
is frequently offered in lieu of a car and is often considered as
non pensionable salary when evaluating overall remuneration. A
more common benefit for those working in London is a location
allowance. This is a supplement for those working in London
to cover the increased cost of either living in or commuting to
London. The most valuable other benefit is Critical Illness Cover
which is expensive to provide and is usually restricted to senior
roles. However, Private Health Insurance is common and is
often extended to all immediate family members.
Life Assurance, usually linked to a pension scheme,
is normal, as is payment of at least one professional

subscription. Other benefits may include season ticket


loans in London, gym membership, subsidised dental care,
personal and accident insurance and staff discounts. These
are generally low value benefits.

Flexible benefits
This refers to schemes where employees are offered limited
core benefits in addition to their base salary. This addition can
either be taken as salary or employees can choose to buy from
a menu of additional benefits. These schemes became popular
10 years ago, particularly in the accounting profession, but
have not been universally adopted.

Holiday entitlement
48% of security practitioners surveyed receive 25 days'
holiday, with 60% reporting between 25 and 28 days'
holiday. The average holiday entitlement survey-wide is
26 days. Holiday entitlement, regardless of sector, is
more likely to be enhanced by the number of years worked
than by seniority. As a strategy, it represents a good way
of rewarding loyalty and retaining staff but a poor way of
attracting new employees.
An increasingly popular benefit is to provide employees with
the opportunity to buy additional holidays. This is usually
limited to an additional 5 days that would be purchased
through salary sacrifice.

Flexible working
Flexible working is popular. 81% of security practitioners
report that they benefit from flexible working. It is most
common in consultancy and least common in banking and
financial services. Given that 24% of security practitioners cite
achieving a better work / life balance as their prime motivation
for changing jobs, flexible working appears to be something
they are prepared to negotiate on when moving jobs. Our
Survey indicates that security practitioners who have changed
job in the last 12 months are more likely to benefit from flexible
working than those who have not, with 95% of women reporting
that they benefit from flexible working, against 77% of men.
Employers are ultimately more concerned with output than
simply attendance. Flexible working is an effective means
of retaining staff, and few employees, once they have benefited
from it, would be prepared to give it up. We anticipate that this
will ultimately become a universal benefit.

3 General Results

Please note that the figures in this report cannot be extrapolated across everyone who works in security, as the sample consists
of people registered with Barclay Simpson. However, the figures do substantiate our experience of the market and the year on
year comparisons are clearly representative.

General results
Market made up of highly experienced practitioners
- 90% of security practitioners surveyed have worked in security for over 5 years (89% in 2013)
Chart: How long have you worked in security?
Chart: Do you have management responsibility?
- 62% have worked in security for over 10 years (61% in 2013)
- 57% of security practitioners report they have management responsibility

Security practitioners becoming more active
- 38% of the security practitioners surveyed reported they had changed job in the last 12 months (34% in 2013)
Chart: Have you changed job in the last 12 months?
- Security practitioners working in the public sector and consultancy were most likely to have moved whilst those working in financial services were least likely
- IT security managers were most likely to have moved, against business continuity managers who were least likely
- Security practitioners at senior consultant / AVP level most active
- Security practitioners on lower salaries more likely to have moved, although no difference between managers and non managers

Bonuses
Bonuses up on 2013
- 72% of employers paid a bonus in 2014 (61% in 2013)
- Average bonus equivalent to 23% of basic salary (22% in 2013)
- 34% reporting a higher bonus in 2014
- 68% of security practitioners received a bonus of less than 20%
Chart: Which of these as a percentage of your salary best describes your last bonus?
Chart: How does your bonus compare to last year?

Bonus payments mainly paid in cash
Chart: What percentage of your bonus was paid in cash?
- 82% of bonuses paid in cash (72% in 2013)
- 5% of bonus was deferred (9% in 2013)
Chart: Do you benefit from any long term incentive plan?
- 17% of security practitioners benefit from long term incentive plans (31% of managers against 10% of non managers)

Pensions
Pensions an important part of remuneration
Chart: Salary % contribution to pension from your employer
Chart: Does your employer provide you with any pension benefits?
- 80% of security practitioners surveyed benefit from employer pension contributions (71% in 2013)
- Average value of pension contributions remains at 9%
- Typical pension contribution in the 5-10% range

Other benefits
Value of other benefits significant and continuing to rise
- 60% of security practitioners surveyed received other benefits (57% in 2013)
Chart: What is the approximate monetary value of other benefits?
- Managers more likely to receive other benefits and for them to be of higher value than for non managers
- Value of other benefits increases with years of service
- Average value of other benefits to those who received them up to £4,100 (£3,700 in 2013)
- Other benefits more common and valuable in banking and financial services than in other sectors

Holiday entitlement
Average holiday entitlement remains at 26 days
- For 48% of respondents 25 days remains the most common entitlement
- 60% of respondents have between 25-28 days
- Only 15% of respondents have less than 25 days holiday
- Average holiday entitlement remains at 26 days
Chart: What is your holiday entitlement in days?
- Most generous holiday entitlement given to security practitioners in public sector with 36% getting at least 30 days, least generous in consultancy sector
- Number of days holiday is consistent between size of company and management, although rises with number of years of experience

Flexible working
Majority of security practitioners benefit from flexible working
Chart: Does your employer provide you with the opportunity to work flexibly?
- Overall, flexible working is up from 67% in 2013 to 81% in 2014
- Flexible work most likely in medium sized companies
- Flexible working more prevalent amongst managers and the higher paid
- 95% of women report they work flexibly against 77% of men
- 85% of security practitioners who have changed employer in the last year allowed to work flexibly, against 71% who have not
- Flexible working most common in consulting and least common in banking and financial services

Content with compensation?
Majority content with compensation
- Overall, 57% believe they are adequately compensated (55% in 2013)
Chart: Overall do you think you are adequately compensated?
- Higher levels of contentment from those working in smaller companies
- Contentment improves as salary level increases
- 75% of security practitioners who have changed job in the last 12 months are content, against only 45% who have not
- 71% of security practitioners working in the public sector are content, significantly higher than any other sectors. At 45%, lowest in banking and financial services
- Managers more content than non managers and men are more content than women

Interim Compensation Survey

Contractors in work
Clear majority believe demand for their skills improving
- 74% of contractors in work believe market for their skills is improving (58% in 2013)
- Clear difference with contractors who are in work and those who are not
Chart: Do you think the market for your skills is improving or deteriorating?
Chart: How quickly were you able to secure your current contract?
- 58% of contractors started a new contract within one month (82% in 2013)
- No contractors have taken over 12 months to find a contract (2% in 2013)

Rates firm and generally rising
- More security contractors reporting an increase than in 2013 (45%)
Chart: Which best describes how your current rate compares with your previous?
Chart: Do you believe you are adequately compensated?
- Majority believe they are adequately compensated
- 61% satisfaction for contractors is comparable to 57% for permanent
- Fewer contractors reporting a decrease than in 2013 (36%)

Rate of pay surprisingly low priority
Chart: When considering a new contract what is the most important consideration?
- Type of work remains most important factor
Chart: Are you satisfied with your current contract?
- High level of satisfaction with existing roles
- However, experienced contractors who are not will have already moved
- Length of contract more important than rates of pay

Contracts seemingly shorter than in 2013
Chart: How long have you been in your existing contract?
- Only 26% of contracts have lasted at least 12 months (56% in 2013)
Chart: What is the anticipated length of your current contract?
- Only 21% of contracts less than 3 months
- Contracts generally run for longer than anticipated
- Contracts run for longer in financial services than other sectors

Contractors looking for work
Picture less positive than for contractors currently working
- 23% of contractors looking for longer than 3 months (16% in 2013)
Chart: Do you think the market for your skills is improving or deteriorating?
Chart: Are you finding securing a contract more or less difficult than anticipated?
Chart: How long have you been seeking a contract?
- 46% finding it more difficult (50% in 2013)

4 Salary Guide

Salary Guidance
The figures below are what we believe to be the most
likely salary ranges available to a cross section of security
practitioners. We also provide a more generic end user guide.
This is split between banking, non-banking financial services
and commercial end users, the last of which have been divided
between larger FTSE 100 or equivalent groups and smaller
FTSE 250 or equivalent groups. We then go on to provide a
generic guide for those in consultancies and SIs. This is split
into Big 4, SIs, large consultancies and boutique consultancies.
The salary ranges quoted are for good rather than exceptional
individuals and take no account of other benefits in addition
to salary, such as bonuses, profit sharing arrangements and
pension benefits.

Selected profiles - permanent

Senior Data Protection Analyst
Team member in a small DP department for a large mobile telecommunications group. Proven experience in a similar role and ISEB qualified.
London: £46 - 53,000. Rest of UK: £38 - 45,000.

Security Analyst
Generic information and IT security consulting and project delivery in a large retail financial services group. 4 years experience.
London: £48 - 60,000. Rest of UK: £40 - 50,000.

Senior Business Continuity Consultant
Working for a large consultancy firm, delivering and managing consulting engagements and in some cases managing junior staff. Some sales and business development responsibility.
London: £63 - 69,000. Rest of UK: £56 - 62,000.

Security and Compliance Manager
Security Manager responsible for the business meeting compliance standards such as ISO27001 and PCI.
London: £65 - 75,000. Rest of UK: £55 - 65,000.

Security Presales Engineer
Security Presales Engineer within a security vendor. Technology focus on network security.
London: £65 - 80,000. Rest of UK: £55 - 70,000.

PCI QSA
Practicing QSA working with external clients and managing their entire PCI compliance programme.
London: £67 - 78,000. Rest of UK: £57 - 67,000.

Security Manager
Security background in a small financial services company. 3 years management experience. No permanent reports. Will utilise consulting firms and contractors on an ad-hoc basis.
London: £78 - 86,000. Rest of UK: £65 - 71,000.

Network Security Team Leader
Working in a FTSE 100 group leading a team of 6-8 network security specialists, reporting directly to the Head of Security. 10 years experience.
London: £84 - 89,000. Rest of UK: £70 - 76,000.

Head of Business Continuity
Major financial services group, a large team to manage/supervise. Established career history within BCM.
London: £112 - 125,000. Rest of UK: £96 - 105,000.

Head of Security
Managing a team of 8 security practitioners in a financial services company, assisted by 2 more junior managers. 10 years management experience and 17 years security experience.
London: £118 - 132,000. Rest of UK: £90 - 98,000.

Selected profiles - permanent

SIEM Consultant
Technical specialist with strong skills with a leading SIEM solution such as ArcSight or RSA enVision. Design, implementation and integration experience. Client facing consultative role.
London: £65 - 80,000. Rest of UK: £55 - 70,000.

Identity & Access Management Consultant
Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
London: £65 - 75,000. Rest of UK: £57 - 67,000.

Senior Security Consultant
Working for an SI, undertaking security consultancy and delivering on security projects for a large-scale client. Senior person also involved in bid / proposal work and mentoring team members.
London: £67 - 84,000. Rest of UK: £59 - 70,000.

CLAS Consultant/CCP
Senior level in a security practice of a large consultancy or SI. Skills in security architecture, security policy formulation and review, and risk assessment. Also undertakes business development activities.
London: £67 - 85,000. Rest of UK: £62 - 70,000.

CHECK Team Leader
Working in a penetration testing practice within a consultancy. Responsibility for some client management and mentoring less experienced penetration testers.
London: £71 - 82,000. Rest of UK: £67 - 73,000.

EMEA Manager of Data Protection
Medium to large insurance group. No direct reports. EU Data Privacy legislation experience.
London: £79 - 89,000. Rest of UK: £67 - 73,000.

Selected profiles - contract

Data Privacy Analyst
Experience of DPA 98 and EU Privacy Directive 95/46/EC, required to provide specialist privacy knowledge and support.
London: £400 - 500 per day. Rest of UK: £350 - 450 per day.

Security Monitoring Analyst
Analyst using various security solutions deployed within the IT environment, providing active monitoring, identification, notification and response to internal and external threats and recommendation for the mitigation of risks.
London: £450 per day. Rest of UK: £400 per day.

Security Consultant
Providing security advice across the business, ranging from policy review and development, to information risk reviews. Holds CISSP or CISM.
London: £450 - 550 per day. Rest of UK: £400 - 500 per day.

Business Continuity Consultant
Managing a team of 8 security practitioners in a financial services company, assisted by 2 more junior.
London: £500 per day. Rest of UK: £400 per day.

Penetration Tester
SME in application security, code reviews and vulnerabilities, attacks and countermeasures with a deep knowledge of hacking and penetration testing techniques, methodologies and tools across web application and infrastructure.
London: £500 - 600 per day. Rest of UK: £450 - 550 per day.

SIEM Consultant
Technical Specialist with strong skills with leading SIEM solution such as ArcSight or RSA enVision. Design, implementation and integration experience.
London: £550 per day. Rest of UK: £500 per day.

Technology Risk Consultant
Good technical understanding with the ability to identify, assess, manage and report risk. Working with different projects within the organisation on varying technologies.
London: £550 - 600 per day. Rest of UK: £500 - 550 per day.

Application Security Consultant
Consultant will need to identify appropriate security controls, as well as carry out code reviews of J2EE enterprise applications, penetration tests, tracking new requirements and recommending improvements.
London: £570 per day. Rest of UK: £525 per day.

PCI Consultant
PCI consultant who can work with the client to ensure compliance to the PCI-DSS standards.
London: £625 per day. Rest of UK: £575 per day.

Salary chart - End users

| Role | Banking | Non banking FS | Commercial FTSE 100 equivalent | Commercial FTSE 250 or smaller |
|---|---|---|---|---|
| Info Security Analyst 2 yrs | £32 - 39,000 | £31 - 36,000 | £30 - 32,000 | £27 - 30,000 |
| Data Protection Analyst 2 yrs+ | £36 - 42,000 | £36 - 42,000 | £36 - 42,000 | £35 - 40,000 |
| Business Continuity Analyst 2 yrs + | £37 - 46,000 | £37 - 46,000 | £36 - 42,000 | £31 - 40,000 |
| Info Security Analyst 3 yrs | £39 - 48,000 | £38 - 46,000 | £36 - 42,000 | £30 - 34,000 |
| Business Continuity Manager (4 yrs + no team) | £45 - 80,000 | £50 - 85,000 | £50 - 75,000 | £45 - 68,000 |
| Info Security Analyst 4 yrs + | £55 - 65,000 | £50 - 56,000 | £43 - 52,000 | £38 - 44,000 |
| Data Protection Manager (5 yrs + no team) | £65 - 90,000 | £58 - 80,000 | £55 - 85,000 | £55 - 80,000 |
| Info Security Manager (team under 5) | £80 - 105,000 | £73 - 95,000 | £70 - 90,000 | £68 - 90,000 |
| Info Security Manager (team 5+) | £90 - 125,000 | £88 - 120,000 | £85 - 110,000 | £77 - 100,000 |
| Head of Info Security (dept under 10) | £118 - 140,000 | £115 - 135,000 | £100 - 126,000 | £90 - 126,000 |
| Head of Info Security (dept 10+) | £160,000+ | £140,000+ | £150,000+ | N/A |

Salary chart - Consultancies and SIs

| Role | Big 4 | Systems Integrator | Large Consultancy | Boutique Consultancy |
|---|---|---|---|---|
| Penetration Tester (under 4 years exp) | £28 - 46,000 | £30 - 48,000 | £30 - 48,000 | £32 - 50,000 |
| Consultant | £32 - 46,000 | £35 - 49,000 | £35 - 49,000 | £37 - 52,000 |
| CHECK Team Member | £40 - 50,000 | £40 - 55,000 | £40 - 60,000 | £40 - 60,000 |
| Senior Consultant | £43 - 52,000 | £45 - 60,000 | £45 - 60,000 | £47 - 64,000 |
| Manager (Principal Consultant) | £56 - 75,000 | £62 - 78,000 | £62 - 78,000 | £62 - 80,000 |
| CHECK Team Leader | £58 - 90,000 | £60 - 85,000 | £60 - 85,000 | £65 - 90,000 |
| Senior Manager (Managing Consultant) | £72 - 105,000 | £70 - 87,000 | £70 - 87,000 | £70 - 90,000 |
| Director (Practice Lead) | £100 - 148,000 | £90 - 110,000 | £95 - 120,000 | £95 - 120,000 |

06 About Barclay Simpson

Barclay Simpson
Bridewell Gate, 9 Bridewell Place
London EC4V 6AW
Tel: 44 (0)20 7936 2601
Email: bs@barclaysimpson.com

Barclay Simpson is an international corporate governance recruitment
consultancy specialising in internal audit, risk, compliance, security,
business continuity, legal and treasury appointments. Established in 1989,
Barclay Simpson works with clients in all sectors throughout the UK, Europe,
Middle East, North America and Asia-Pacific from our offices in London,
Edinburgh, New York, Dubai, Hong Kong and Singapore.

We add value by using our unique focus on corporate governance, our highly
experienced specialist consultants and access to both the local and
international pools of corporate governance talent.
Our strength lies in our ability to understand client and candidate needs
and then to use this insight to ensure our candidates are introduced to
positions they want and our clients to the candidates they wish to recruit.

For more in-depth coverage, comprehensive reports and compensation guides
exist for the Internal Audit, Risk, Compliance, Security and Legal
recruitment markets. These can be accessed from the links below.
We also produce other specialist reports, each of which can be
accessed for free on our website: www.barclaysimpson.com

www.barclaysimpson.com/2014interimreport/audit
www.barclaysimpson.com/2014interimreport/risk
www.barclaysimpson.com/2014interimreport/compliance
www.barclaysimpson.com/2014interimreport/security
www.barclaysimpson.com/2014interimreport/legal

If you would like to discuss any aspect of the reports please
contact the following divisional heads:

Corporate Governance: Adrian Simpson, as@barclaysimpson.com
Internal & IT Audit: Daniel Flynn, df@barclaysimpson.com
Risk: Matt Brown, mb@barclaysimpson.com
Compliance: Tom Boulderstone, tgb@barclaysimpson.com
Security: Mark Ampleford, ma@barclaysimpson.com
Legal: Jane Fry, jf@barclaysimpson.com

To discuss our regional and international services
please contact:

Scotland: Liam Hughes, lh@barclaysimpson.com
Europe: Tim Sandwell, ts@barclaysimpson.com
Middle East: Matt Crocombe, mc@barclaysimpson.com
Asia Pacific: Russell Bunker, rb@barclaysimpson.com
North America: Daniel Close, dc@barclaysimpson.com
