Barclay Simpson Compensation and Market Trends Interim Report 2014: Security

Offices: London, Edinburgh, New York, Dubai, Hong Kong, Singapore
Disciplines: Internal Audit, Risk, Compliance, Information Security, Business Continuity, Legal, Treasury
01 Executive Summary

Security recruitment market strengthening

This time last year, we reported that companies were coming to the recruitment market in increasing numbers and following through recruitment processes with realistic offers. Since then, an additional 800,000 people have been employed in the UK and the economy is forecast to grow by 3% in 2014. In this context, high profile cyber-attacks are provoking both corporate and public fear just as business investment is expanding at its fastest rate in six years. The security recruitment market is unlikely to ever have a more favourable backdrop than it currently enjoys.

Availability of workers falling

Real earnings, having fallen by 10% over the last six years, are finally turning around. Regardless of developments in the security recruitment market, across the economy the availability of workers to fill vacancies is falling at its fastest rate in fifteen years. Recruiting security professionals with the right skills is a significant challenge, particularly experienced practitioners who can make an immediate impact. This is leading CIOs to reshape roles and working arrangements, as well as having to adjust their recruitment expectations.

Salary increases currently under control

Whilst average wages in the UK economy have fallen, we are confident that security practitioners have done better. Although there are still a significant number of security practitioners who report no increase in their salaries, the average

Strong demand anticipated to continue

Given a strengthening economy, rising investment and the constantly evolving threat from cyber-attacks, we currently anticipate strong demand for security practitioners for the remainder of 2014.
02 Market Analysis

[Charts: Vacancies (new vacancies, outstanding vacancies); Rate of placements (placement rate)]
03 Market Commentary

Experienced practitioners in demand

Whilst the security recruitment market has clearly swung in favour of candidates and away from employers, our Survey found that 5% of respondents were redundant and 9% of those who had changed job did so for defensive reasons. Both these results are low for the security recruitment market when compared to any recent period. However, they are high when compared to other areas of corporate governance.

Evidently, no matter how strong the recruitment market, employers remain selective, and security skills and experience that were once in demand can become out of date. Equally, particularly amongst consultancies and systems integrators, corporate fortunes can be uncertain and job security less dependable. It is also a reminder that security has changed to the extent that what was once characterised as simply a technical discipline has developed into a mainstream corporate function. As a matter of course, practitioners are required to communicate and, more importantly, influence. In the face of resurgent demand, this need for strong communication skills is restricting the number of candidates who can realistically expect to navigate corporate recruitment processes.

The joined up security model?

We have yet to see evidence in the recruitment market of the emergence of a converged security model where physical and IT/cyber security practitioners are integrated. This model is rare, even where there is a shared functional lead. Challenges ranging from cyber-attacks to the basic physical threat of unauthorised personnel fitting keyloggers to IT systems would be more efficiently addressed with a joined up approach.

Why do so few companies operate a joined up security model when executive management is becoming increasingly aware of and concerned about security? There would seem to be a lack of practitioners at all levels with a good understanding and appreciation of both areas. Whilst there is an increase in the take-up of industry standard qualifications, such as the CISSP, amongst physical security practitioners, it remains rare for IT/cyber security practitioners to take physical security qualifications, such as the globally recognised CPP. As threats continue to evolve, security functions will develop and practitioners at more senior levels who take a holistic view of security are likely to emerge. We await developments.
04 Sector Analysis

Financial Services

Given the potentially catastrophic nature of security failures in financial services, earlier this year the Bank of England, the Treasury and the Financial Conduct Authority were keen to assess the results of Waking Shark 2, an exercise designed to assess the ability of the UK's core financial services providers to withstand cyber-attacks. Amongst the findings was the need for better co-ordination in response to attacks and a need to quickly inform law enforcement agencies and the appropriate regulator(s) with their response. It was suggested that the British Bankers' Association (BBA) take a central co-ordinating role to manage communication across the sector.

In response, there has been strong demand. Notably, most of the major retail banks continue to have multiple vacancies. A common theme is the seniority of the vacancies, which are consistently at the £50-80,000 experienced practitioner level. Practitioners at this level are regularly receiving multiple offers. Demand is particularly high from group 2nd line functions, for IT risk and information risk focused roles. The cross-over with operational risk has never been so strong. Logical access management has also been a priority, with several roles requiring expertise either at 2nd line review or 1st line implementation.

Commerce

Security within commerce has already made the headlines this year with high profile breaches occurring at eBay and Target in the USA, the latter resulting in the resignation of the CEO. These events simply increase the pressure

Consultancies and Systems Integrators

At the start of the year, as corporate security budgets grew and the pressure to adopt new standards increased, we anticipated that demand from consultancies and systems integrators was likely to be strong in 2014. We envisaged competition for staff within the sector to be a feature of the recruitment market in 2014. This has proven to be the case.

Many consultancies and SIs have multiple vacancies, and security practitioners with the required skills will invariably have more than one offer to select from. Whilst demand is biased towards security consultants with a mix of delivery and business development experience, there has been a notable increase in demand for specialists in the areas of SIEM, PCI DSS and Identity and Access Management. Additionally, there

Contract

Information and cyber security is now high on the corporate agenda. CIOs and CISOs are better able to demonstrate the value of bringing in specialist resources to put the necessary controls in place at the start of projects. Our Survey indicates a broadly confident market, with contractors reporting increasing demand for their skills and rising contract rates.

As a result of ongoing high profile intellectual property theft, contractors with experience of advising against Advanced Persistent Threats (APT) are currently in high demand. The demand for this skill set was further validated by the FBI's high profile fight against suspected Chinese military hackers.

A clear trend is the increase in permanent security practitioners expressing an interest in developing their career in the contract market. Common reasons are a better work-life balance, less stress, better rates of pay and the opportunity to focus on areas of interest. The contract market will always be an attractive proposition for candidates in the security market. However, it should be approached with caution, particularly before resigning from a permanent position.
05 Security Salary Guide and Compensation Survey 2014

1 Key Conclusions

2 Overview

[Charts: salary increases in the last 12 months (the same, 0-2.5%, 2.5-5%, 5-10%, 10-15%, over 15%), 2014 against 2013; trend June 2012, June 2013, June 2014; salary increases on changing jobs (0 or the same, 5-10%, 10-15%, 15-20%, 20-30%, over 30%), 2014 against 2013; annual series 2011 to 2014. The individual chart values cannot be attributed to their categories from the extracted text.]
Salary v Remuneration

Whilst base salaries always catch the headlines, offers of employment invariably include other benefits. On average, these additional benefits make up over 30% of total remuneration. Here is an overview of the other benefits that security practitioners might expect to receive.

Bonuses

Bonus payments marginally increased from 22% of base salaries in 2013 to 23% in 2014. However, the percentage of security practitioners reporting that their employer paid a bonus rose from 61% to 72%. This percentage is still lower than in other areas of corporate governance, but that is a result of the higher percentage of security practitioners working in the public and consultancy sectors, where traditionally bonuses are less likely to be paid.

Of those who received a bonus, 34% reported an increase, with only 9% reporting a reduction. Bonuses, whilst potentially a good way of retaining and motivating staff, are rarely an efficient way of attracting them. Bonuses are often non-contractual, often discretionary and may be paid on the basis of corporate or personal performance or a combination of the two. There can also be a qualifying period.

An issue with bonuses is that whilst a security practitioner entering the recruitment market who has benefited from a bonus may add it to their base salary, they are more inclined to discount bonuses when discussing expected salary. This goes some way to explaining what can otherwise be relatively high increases in the base salaries achieved by security practitioners moving between employers. Bonuses can vary considerably. However, 68% of security practitioners received a bonus of less than 20% of their base salary and only 11% benefited from bonuses in excess of 30%.

Pensions

For new recruits, final salary pensions no longer exist in the private sector. For those who still benefit from such schemes there is a full appreciation of their value and that the cost of giving it up to join a new employer would be prohibitively expensive.

80% of security practitioners benefit from employer pension contributions, low by the standards of other areas of corporate governance. It is probably the result of consultancies being less likely to make pension contributions. The typical employer pension contribution is in the range of 5-10% and, at 9%, the average pension contribution remained the same as in 2013.

Pension schemes in the private sector are invariably money purchase, where the company commits to making a contribution based on a percentage of salary. Whilst there is often a short qualifying period before contributions commence, a period in excess of six months would be considered unusual.

Most arrangements require the employer to make a contribution based upon a fixed percentage of base salary. The employee may or may not be required to match it. Frequently, employers will be prepared to match additional contributions made by the employee up to a fixed percentage. The percentage may increase with the age of the employee, their years of service and their level of seniority.

Other benefits

60% of security practitioners reported they received other benefits in 2014. The average value of those benefits rose from £3,700 in 2013 to £4,100 in 2014. Cars or car allowances have become a less common benefit. They can still be expected where a role requires significant travel and also for senior hires. In terms of overall remuneration, a car allowance is frequently offered in lieu of a car and is often considered as non-pensionable salary when evaluating overall remuneration. A more common benefit for those working in London is a location allowance. This is a supplement for those working in London to cover the increased cost of either living in or commuting to London. The most valuable other benefit is Critical Illness Cover, which is expensive to provide and is usually restricted to senior roles. However, Private Health Insurance is common and is often extended to all immediate family members.

Life Assurance, usually linked to a pension scheme, is normal, as is payment of at least one professional

Flexible benefits

This refers to schemes where employees are offered limited core benefits in addition to their base salary. This addition can either be taken as salary or employees can choose to buy from a menu of additional benefits. These schemes became popular 10 years ago, particularly in the accounting profession, but have not been universally adopted.

Holiday entitlement

48% of security practitioners surveyed receive 25 days holiday, with 60% reporting between 25 and 28 days holiday. The average number of days holiday survey-wide is 26. Holiday entitlement, regardless of sector, is more likely to be enhanced by the number of years worked rather than seniority. As a strategy, it represents a good way of rewarding loyalty and retaining staff but a poor way of attracting new employees.

An increasingly popular benefit is to provide employees with the opportunity to buy additional holidays. This is usually limited to an additional 5 days that would be purchased through salary sacrifice.

Flexible working

Flexible working is popular. 81% of security practitioners report that they benefit from flexible working. It is most common in consultancy and least common in banking and financial services. Given that 24% of security practitioners cite achieving a better work/life balance as their prime motivation for changing jobs, flexible working appears to be something they are prepared to negotiate on when moving jobs. Our Survey indicates that security practitioners who have changed job in the last 12 months are more likely to benefit from flexible working than those who have not, with 95% of women reporting that they benefit from flexible working, against 77% of men.

Employers are ultimately more concerned with output rather than simply attendance. Flexible working is an effective means of retaining staff and few employees, once they have benefited from it, would be prepared to give it up. We anticipate that this will ultimately become a universal benefit.
3 General Results

Please note that the figures in this report cannot be extrapolated across everyone who works in security, as the sample consists of people registered with Barclay Simpson. However, the figures do substantiate our experience of the market and the year on year comparisons are clearly representative.

Market made up of highly experienced practitioners
- 90% of security practitioners surveyed have worked in security for over 5 years (89% in 2013)
- Security practitioners at senior consultant / AVP level most active

Bonuses
Bonuses up on 2013
- 72% of employers paid a bonus in 2014 (61% in 2013)
- Average bonus equivalent to 23% of basic salary (22% in 2013)
- 34% reporting a higher bonus in 2014
- 68% of security practitioners received a bonus of less than 20%
[Charts: Which of these as a percentage of your salary best describes your last bonus? Do you benefit from any long term incentive plan?]

Pensions
Pensions an important part of remuneration
[Charts: Salary % contribution to pension from your employer; Does your employer provide you with any pension benefits?]

Other benefits
Value of other benefits significant and continuing to rise
- 60% of security practitioners surveyed received other benefits (57% in 2013)

Holiday entitlement
Average holiday entitlement remains at 26 days
- For 48% of respondents, 25 days remains the most common entitlement
- 60% of respondents have between 25 and 28 days
- Only 15% of respondents have less than 25 days holiday
- Average holiday entitlement remains at 26 days
[Chart: What is your holiday entitlement in days?]

Flexible working
Majority of security practitioners benefit from flexible working
[Chart: Does your employer provide you with the opportunity to work flexibly?]

Contractors in work
Clear majority believe demand for their skills improving
- 74% of contractors in work believe the market for their skills is improving (58% in 2013)
- Clear difference between contractors who are in work and those who are not
- 58% of contractors started a new contract within one month (82% in 2013)
- No contractors have taken over 12 months to find a contract (2% in 2013)
- Majority believe they are adequately compensated
- 61% satisfaction for contractors is comparable to 57% for permanent
- Fewer contractors reporting a decrease than in 2013 (36%)
- Type of work remains most important factor
[Chart: Are you satisfied with your current contract?]
- High level of satisfaction with existing roles
- However, experienced contractors who are not will have already moved
- Length of contract more important than rates of pay
- Only 26% of contracts have lasted at least 12 months (56% in 2013)
- Only 21% of contracts less than 3 months
- Contracts generally run for longer than anticipated
- 46% finding it more difficult (50% in 2013)
4 Salary Guide

Salary Guidance

The figures below are what we believe to be the most likely salary ranges available to a cross section of security practitioners. We also provide a more generic end user guide. This is split between banking, financial services non-banking and commercial end users, which have been divided between larger FTSE 100 or equivalent groups and smaller FTSE 250 or equivalent groups. We then go on to provide a generic guide for those in consultancies and SIs. This is split into Big 4, SIs, large consultancies and boutique consultancies.

The salary ranges quoted are for good rather than exceptional individuals and take no account of other benefits in addition to salary, such as bonuses, profit sharing arrangements and pension benefits.

End user and vendor roles. Salary ranges (£), London / Rest of UK, as listed:
46-53,000 / 38-45,000
48-60,000 / 40-50,000
63-69,000 / 56-62,000
65-75,000 / 55-65,000
65-80,000 / 55-70,000
67-78,000 / 57-67,000 (PCI QSA)
78-86,000 / 65-71,000
84-89,000 / 70-76,000
112-125,000 / 96-105,000
118-132,000 / 90-98,000

Role profiles as listed:
- Team member in a small DP department for a large mobile telecommunications group. Proven experience in a similar role and ISEB qualified.
- Security Analyst: generic information and IT security consulting and project delivery in a large retail financial services group. 4 years experience.
- Working for a large consultancy firm, delivering and managing consulting engagements and in some cases managing junior staff. Some sales and business development responsibility.
- Security Manager responsible for the business meeting compliance standards such as ISO 27001 and PCI.
- Security Presales Engineer within a security vendor. Technology focus on network security.
- Practicing QSA working with external clients and managing their entire PCI compliance programme.
- Security Manager: working in a FTSE 100 group leading a team of 6-8 network security specialists, reporting directly to the Head of Security. 10 years experience.
- Major financial services group, a large team to manage/supervise. Established career history within BCM.
- Head of Security: managing a team of 8 security practitioners in a financial services company, assisted by 2 more junior managers. 10 years management experience and 17 years security experience.
Consultancy and contract roles. Role profiles as listed:
- SIEM Consultant: technical specialist with strong skills with a leading SIEM solution such as ArcSight or RSA enVision. Design, implementation and integration experience. Client facing consultative role.
- Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
- Working for an SI, undertaking security consultancy and delivering on security projects for a large-scale client. Senior person also involved in bid / proposal work and mentoring team members.
- CLAS Consultant/CCP: senior level in a security practice of a large consultancy or SI. Skills in security architecture, security policy formulation and review, and risk assessment. Also undertakes business development activities.
- Working in a penetration testing practice within a consultancy. Responsibility for some client management and mentoring less experienced penetration testers.
- Medium to large insurance group. No direct reports. EU Data Privacy legislation experience. Experience of DPA 98 and EU Privacy Directive 95/46/EC, required to provide specialist privacy knowledge and support.
- Analyst using various security solutions deployed within the IT environment, providing active monitoring, identification, notification and response to internal and external threats and recommendation for the mitigation of risks.
- Security Consultant: providing security advice across the business, ranging from policy review and development to information risk reviews. Holds CISSP or CISM.
- Penetration Tester: SME in application security, code reviews and vulnerabilities, attacks and countermeasures with a deep knowledge of hacking and penetration testing techniques, methodologies and tools across web application and infrastructure.
- SIEM Consultant: technical specialist with strong skills with a leading SIEM solution such as ArcSight or RSA enVision. Design, implementation and integration experience.
- Good technical understanding with the ability to identify, assess, manage and report risk. Working with different projects within the organisation on varying technologies.
- Consultant will need to identify appropriate security controls, as well as carry out code reviews of J2EE enterprise applications, penetration tests, tracking new requirements and recommending improvements.
- PCI Consultant: PCI consultant who can work with the client to ensure compliance to the PCI DSS standards.

Permanent salary ranges (£), London / Rest of UK, as listed:
65-80,000 / 55-70,000
65-75,000 / 57-67,000
67-84,000 / 59-70,000
67-85,000 / 62-70,000
71-82,000 / 67-73,000
79-89,000 / 67-73,000

Contract day rates (£), London / Rest of UK, as listed:
400-500 / 350-450
450 / 400
450-550 / 400-500
500 / 400
500-600 / 450-550
550 / 500
550-600 / 500-550
570 / 525
625 / 575
End user salary guide (£). Columns: Banking / Non-banking FS / Commercial FTSE 100 equivalent / Commercial FTSE 250 or smaller. Rows as listed:
32-39,000 / 31-36,000 / 30-32,000 / 27-30,000
36-42,000 / 36-42,000 / 36-42,000 / 35-40,000
37-46,000 / 37-46,000 / 36-42,000 / 31-40,000
39-48,000 / 38-46,000 / 36-42,000 / 30-34,000
45-80,000 / 50-85,000 / 50-75,000 / 45-68,000
55-65,000 / 50-56,000 / 43-52,000 / 38-44,000
65-90,000 / 58-80,000 / 55-85,000 / 55-80,000
80-105,000 / 73-95,000 / 70-90,000 / 68-90,000
90-125,000 / 88-120,000 / 85-110,000 / 77-100,000
118-140,000 / 115-135,000 / 100-126,000 / 90-126,000
160,000+ / 140,000+ / 150,000+ / N/A
Consultancy salary guide (£). Columns: Big 4 / Systems Integrator / Large Consultancy / Boutique Consultancy. Rows as listed; the grade labels shown on the page are Consultant, Senior Consultant and Manager (Principal Consultant), with experience notes 2 yrs +, (4 yrs + no team) and (5 yrs + no team):
28-46,000 / 30-48,000 / 30-48,000 / 32-50,000
32-46,000 / 35-49,000 / 35-49,000 / 37-52,000
40-50,000 / 40-55,000 / 40-60,000 / 40-60,000
43-52,000 / 45-60,000 / 45-60,000 / 47-64,000
56-75,000 / 62-78,000 / 62-78,000 / 62-80,000
58-90,000 / 60-85,000 / 60-85,000 / 65-90,000
72-105,000 / 70-87,000 / 70-87,000 / 70-90,000
100-148,000 / 90-110,000 / 95-120,000 / 95-120,000
06 About Barclay Simpson

Barclay Simpson
Bridewell Gate, 9 Bridewell Place
London EC4V 6AW
Tel: +44 (0)20 7936 2601
Email: bs@barclaysimpson.com

Interim report sections:
www.barclaysimpson.com/2014interimreport/audit
www.barclaysimpson.com/2014interimreport/risk
www.barclaysimpson.com/2014interimreport/compliance
www.barclaysimpson.com/2014interimreport/security
www.barclaysimpson.com/2014interimreport/legal

Contacts:
Corporate Governance: Adrian Simpson, as@barclaysimpson.com
Internal & IT Audit: Daniel Flynn, df@barclaysimpson.com
Risk: Matt Brown, mb@barclaysimpson.com
Compliance: Tom Boulderstone, tgb@barclaysimpson.com
Security: Mark Ampleford, ma@barclaysimpson.com
Legal: Jane Fry, jf@barclaysimpson.com
North America: Daniel Close, dc@barclaysimpson.com