2009 MR Security


    Barclay Simpson Market Report 2009
    INFORMATION SECURITY

    CONTENTS

    01. Executive summary
    02. Information Security market analysis
    03. Information Security salaries
    04. Appendices
        I. Sample structure
        II. Graphs of key indicators
        III. Data tables by specialism

    01. EXECUTIVE SUMMARY

    Welcome to Barclay Simpson's 2009 Information Security Market Report.

    This is the 19th year we have produced a market report summarising and analysing recruitment trends in corporate governance and the fifth year we have published a specialist report on information security.

    We place great value on professional reaction to the Report and would appreciate your comments.

    TOP LINE CONCLUSION

    At the start of 2008, with the effects of the credit crunch already a number of months old, few people, certainly if market commentators and investor behaviour are to be trusted, anticipated that the banking sector and wider world economy would be facing their current difficulties.

    In the space of a year, three out of the five leading US investment banks no longer exist as independent entities and two of those do not exist at all. A significant portion of the UK banking industry has been partially nationalised, as it has in other countries. The UK economy and the economically developed countries of the world are now in recession and the only questions are how deep and how long?

    If it was not clear before, it certainly is now, that the UK economy did not undergo some politically inspired economic miracle. After a protracted period of low inflationary growth, risk was mispriced. The cost of money was too low, the willingness to take risks increased and leverage became unsustainably high. Bubbles inflated, most notably in equity, raw material, property and housing. A stressful period of de-leveraging is now underway.

    Unfortunately, the problem was not contained to the financial services industry. The re-pricing of risk and withdrawal of credit is now taking its toll on the wider world economy, as both wealth and demand fall. What is the extent of the problem in the UK? Whilst the government wants bank lending to return to 2007 levels, which may well sound reasonable, it would still be twice the average of the previous ten years. It is likely that the de-leveraging process is set to continue and asset prices will decline further. Ultimately, the financial systems in North America, Europe and other parts of the world will need to be recapitalised as all losses are eventually recognised. A short sharp recession does not appear to be the most likely outcome.


    However, the pertinent question for this report is how the economic environment will affect the employment prospects of those working in corporate governance. Employment is a lagging indicator. Usually, unemployment only starts to rise significantly once an economy is in recession and is often slow to respond positively once growth re-commences. In the final months of 2008, it became abundantly clear that the rate at which jobs were being lost in the UK economy was accelerating, with most days bringing announcements of redundancies.

    Whilst employment in corporate governance will broadly follow trends in the wider economy, as a discipline it will do better than many others. Provided a company remains viable, its corporate governance resources are likely to remain intact. That does not mean that people who leave will be replaced or that redundancies will not occur. The problem for those who are made redundant (and if your employer no longer exists then you will be made redundant), will be to secure another position. For many, that is likely to become increasingly problematic.

    ECONOMIC HIGHLIGHTS

    The UK economy, together with the developed economic world, is already in recession. This is forecast to continue into 2009. The median estimate is for the UK economy to contract by a further 1.5% in 2009. A worse outcome is possible. World economic growth is likely to be less than 2%.

    At almost 6%, unemployment has already reached an 11 year high and is climbing rapidly. It will shortly exceed 2 million and, with plenty more bad news on employment to come, is forecast to be significantly higher by 2010. There are some predictions that it will approach 3 million. Total employment in the UK economy, which peaked during 2008 at 29.5 million, is now declining.

    Inflation, which only six months ago was perceived to be an economic threat, has fallen from a 16 year high and is likely to fall significantly further. Commodity prices have fallen steeply and with the economy shrinking, inflation is set to undershoot its 2% target during 2009. The prospect of deflation cannot be ruled out.

    The UK budget deficit is currently forecast to be £78 billion in 2009 and £128 billion or 8% of GDP in 2010. This will represent the highest level of government borrowing since modern records began and will take government borrowing to 60% of GDP. The potential for a significantly worse outcome is substantial and ultimately Government spending will be forced to decline.


    CORPORATE GOVERNANCE - OVERVIEW

    The vast sums that have been spent on corporate governance in the financial services sector have seemingly done little to stop the credit debacle.

    Whilst it is perhaps convenient to suggest that the fault lies entirely in sub-prime lending in the United States, it seems rather disingenuous when our own Northern Rock was offering 125% mortgages. Since 1997, and the bail out of Long-Term Capital Management, and in response to every economic threat since, low interest rates and a huge increase in the supply of money allowed the conditions to exist for credit to be expanded. Globally, governments created the monetary conditions that provided the banks with the opportunity to dramatically expand the credit they made available. They then seemingly compounded the error by allowing hedge funds, structured investment vehicles and other activities to go unregulated. Credit simply moved from regulated to unregulated areas. No doubt there were few votes to be gathered from a more restrictive monetary policy that would have saved the economy from asset price bubbles and its present predicament. In hindsight, a more restrictive monetary policy would have provided much better value in regulating the financial services industry.

    Fortunately, and for the benefit of all of those of us who make a living either directly or indirectly out of corporate governance, more regulation is no doubt on its way. The proverbial cherry on the cake being the $50 billion alleged loss at Madoff. Unfortunately, the financial services industry in the UK is in the process of shrinking. Ultimately, a smaller more regulated financial services industry will emerge.

    As part of this process, the role of corporate governance will be re-evaluated. Whilst governments certainly created the monetary conditions that allowed the banks to expand credit, it was the executive management of many financial institutions, even including some of the apparently more conservative building societies, who failed to take account of the risks they were taking. The premise that management would be prudent in their action because of their responsibility to protect shareholders, has proven misplaced. A rather more convincing explanation is that incentivised remuneration packages based on short rather than long term performance caused the interests of shareholders to be relegated and otherwise unacceptable risks to be taken.

    In this context, corporate governance has appeared to have a pro management bias that has not adequately protected shareholders or the wider economy. The deeper the recession, the greater the political response will be. At the very least better risk identification, evaluation and reporting will be demanded. Governance will become more transparent and form a much greater part of the reporting process. Corporate governance is set to become high profile.

    This lies in the future. Now it remains a question of managing the banking and consequent economic crisis.

    So how is it looking in the corporate governance recruitment market?

    For those expecting a knee jerk reaction and a drive to immediately strengthen governance functions, it is yet to happen and is most likely many months away. However, for those expecting widespread redundancies, there is as yet little evidence. What does appear to be underway and started over a year ago, is a protracted slow down in corporate governance recruitment, a slow down unlike any that we have witnessed in twenty years.


    In recent years, many crises have blown up, often seemingly from nowhere, which have gripped the corporate governance recruitment market almost overnight and brought about head count and recruitment freezes. Governments have invariably responded with lower interest rates and in a matter of months the market has regained its composure and moved on.

    The difference now is that whilst the current economic crisis dwarfs all others, it has built up slowly. Sub-prime and credit crunch entered the vernacular two years ago. Market participants seemingly became immune to bad news. Whilst the market has slowed and the pockets of weakness that we described in our interim report are spreading, it is clear from our various surveys that the corporate governance recruitment market has not ground to a halt. However, the economy is continuing to contract, the rate at which the economy is losing jobs is accelerating and further declines in corporate governance recruitment activity will occur.

    Here is a brief summary of the individual corporate governance markets:

    INTERNAL & COMPUTER AUDIT

    Demand for internal auditors only started to decline steeply during the last quarter of 2008. However, as we reported last year, a slowdown in recruitment seemingly started in 2007.

    To date, there have been few redundancies in internal auditing and a lower number than in other areas of governance. The redundancies that have occurred have primarily been in sectors such as house building, retail and financial services where corporate failure has resulted in the closure of resident internal audit departments. There is little doubt that more failures and closures will occur. The vast majority of internal auditors are employed in three sectors - the public sector, the Big 4 and the financial services industry:

    Recruitment in the public sector has slowed and those employed in it will probably stay put. Significant redundancies are unlikely in the short term.

    The Big 4, who in past slowdowns have invariably shed staff, have so far shown no indication of doing so. They have perhaps learnt from past mistakes. During the past two years, outside of their annual graduate intake, they have recruited very few internal auditors. However, given the numbers they employ, should they undertake any significant redundancies, the number of internal auditors in the recruitment market could significantly increase.

    The financial services industry is now contracting. To date there have been limited redundancies and given the travails of the sector, almost a surprising propensity to recruit. What is clear, however, is that vacancy creation has slowed significantly and there is little immediate prospect of it picking up.

    For those departments who are recruiting, it remains a frustrating process. The number of suitably experienced candidates can often be limited. Not surprisingly, given the economic backdrop, many internal auditors, unless they are obliged to do so, are not entering the recruitment market. Unfortunately for those who are, the shrinking number of vacancies is clearly apparent.

    There is little doubt that demand for internal auditors will be subdued in the short to medium term and that the number of redundant internal auditors will rise. To what extent, is dependent on developments in the wider economy.


    RISK MANAGEMENT

    Risk management continues to come under more pressure than other areas of corporate governance. This is as a result of the large numbers of risk managers employed in investment banking and the extent of the losses and rationalisation in the sector. Well known names such as Lehman Brothers and Bear Stearns no longer exist, whilst others have lost their independence.

    Not surprisingly, the shortage of candidates that has characterised the market in recent years has dissipated. For many vacancies, and it seemed improbable only a few months ago, there are now significant numbers of well qualified candidates readily available. The number of redundant risk managers is growing. Whilst risk management remains a critical function and one that is likely to be recast in the light of developments, the mandate to recruit externally is now more frequently missing. In these instances the responsibilities of the role are being absorbed and distributed internally.

    However, there are pockets of relatively strong demand. Solvency II, the insurance sector's capital management programme, is driving recruitment in the wholesale and retail insurance markets. In response to the increase in the number of risk transformation projects there is steady demand from the risk advisory divisions of the consultancy sector. There is also notable demand for risk managers with restructuring, turnaround and workout experience as banks are looking to respond to their deteriorating credit portfolios. A further noticeable development is that credit and market risk are becoming more closely aligned. This is resulting in what is becoming known as convergence risk.

    One may debate whether risk management is the cause or the symptom of the current crisis. There is no doubt, however, that risk management will remain centre stage. Once the current economic crisis abates, more commonly understood and transparent risk management processes are likely to emerge. In the meantime, overall demand is likely to be subdued as the financial services industry is recapitalised and reorganised.

    COMPLIANCE

    Not surprisingly, recruitment activity declined significantly during the second half of 2008. Redundancies were up and recruitment freezes became common place. The sectors bearing the brunt were investment banking, where many banks either collapsed or merged, and mortgage lenders, intermediaries and packagers. Sectors that fared relatively better include asset and wealth management and the insurance sector.

    As predicted, the FSA continued its risk and principles based approach to regulation during 2008 and its 2008/9 Business Plan reaffirmed that principles become more significant in times of market turbulence.

    The FSA does not plan to deviate from its work on MiFID or CRD nor let up in the focus to mitigate the risks presented by market abuse or financial crime. It is continuing to take action and enforce severe penalties on companies and approved persons who breach regulations. The Treating Customers Fairly deadline for 2008 impacted recruitment, particularly in the retail financial services markets where many of the vacancies required taking some responsibility for implementing TCF.

    Internationally, the SEC will be investigating the effectiveness of its regulatory regime as a result of the Madoff debacle. Tighter controls on private investment pools and hedge funds will be on the agenda for 2009 and this is likely to impact on the UK's view of regulation in the sector.

    Despite regulatory pressures to maintain high levels of risk management and robust compliance controls, it clearly emerged towards the end of the year that only business critical recruitment was being undertaken. Only candidates requiring little or no training and who could immediately add value were being considered. Further, junior compliance positions and Senior/Head of Compliance type roles were becoming rare.


    Whilst the number of redundant compliance staff is now growing, some vacancies remain difficult to fill. Not surprisingly, if companies are going to recruit externally they will have high expectations of finding a very close fit to their requirements. On a positive note, redundant investment banking compliance candidates are generally highly regarded in other sectors such as asset management and asset servicing.

    Demand for compliance staff is likely to remain subdued in the medium term and limited to business critical recruitment. Fortunately, many positions in compliance are essentially guaranteed as a requirement to conduct business. Unfortunately, there is less certainty that businesses will continue to exist as an industry wide process of retrenchment and rationalisation continues.

    INFORMATION SECURITY

    Demand for information security staff noticeably declined in the second half of 2008. Recruitment freezes and elongated recruitment sign off procedures are becoming more common and unemployment amongst security practitioners is increasing. However, information security extends into all areas of the economy, both in the private and public sectors, and is not substantially dependent on financial services. Demand is therefore potentially broadly based.

    Recruitment in banking and financial services is now particularly subdued and it is clear that after a strong period of demand, the Big 4 are no longer recruiting. Investment in IT is declining and directly affecting IT security vendors, consultancies and those working in-house in risk assessment or project roles. However, whilst redundancies are back, information security is clearly better integrated into businesses than in previous downturns. Areas of relative strength are FTSE 250 companies who are still pressing ahead with the appointment of their first information security specialist. Further, the Hannigan Report, which followed government data leakages, is resulting in improvements in the security of government projects and demand for security practitioners with government and military experience.

    However, for the first time in some years, there is now a pool of redundant security practitioners. Not surprisingly, for those companies looking to recruit there is a much wider range of candidates available who are far more likely to be flexible in terms of the geographic locations, sectors and salaries they will actively consider.

    Looking ahead, there is unlikely to be any upturn in the market in the near term and redundancies and unemployment are likely to track developments in the wider economy. In consolation, the redundancies and widespread unemployment that characterised the recruitment market for security practitioners in 2001 and 2002 are unlikely to return. Security departments are now more independent of IT, more regulator led and have a better defined role than previously. Information security is not the target for cost savings that it once was.


    OUTLOOK

    Last year we anticipated a painful period of deleveraging. It is clear that we assumed that the accompanying falls in asset prices would be contained and that any damage would be substantially limited to the financial services sector. However, the ferocity of the process and the damage to the wider economy has been far greater than perhaps even the most pessimistic commentators forecast. Unemployment is already starting to climb menacingly. Whilst you can take your pick as to where unemployment will be in one month, six months or a year from now, perhaps the only thing you can say with certainty is that it will be significantly higher than it is now.

    Whatever the rise, we believe it will be proportionately lower in corporate governance. Corporate governance is integral to business and most departments are leanly staffed. Redundancies are expensive, destroy the morale of those who remain and then leave open the problem of sometime in the future having to find replacements.

    Unfortunately, the problem is not simply the dispensability of corporate governance, but the ability of the host business to survive either independently or otherwise. It is clear, as is already the case, that as businesses retreat from markets, fail or undertake defensive mergers, redundancies will follow. However, for most people, if you are working in a relatively secure business, or even the public sector, you are unlikely to lose your job. The problem with recessions is that for those people who do lose their jobs, the pain is disproportionately distributed. As vacancy creation collapses, the pool of redundant people grows and securing employment becomes increasingly problematic. Unfortunately, during 2009, the number of unemployed corporate governance practitioners will rise.


    02. INFORMATION SECURITY MARKET ANALYSIS

    SIGNIFICANT SLOWDOWN EVIDENT IN FINAL QUARTER OF 2008

    During the first six months of 2008, the number of vacancies generated in the information security and business continuity recruitment market, although marginally down, was broadly consistent with the previous two years. This was perhaps surprising given the enormity of the economic developments. However, most commentators then believed that the UK and developed world at worst might expect a short shallow recession. It is clear that nothing so benign has transpired and only the depth and length of the recession is in question. The recession has now started to show up in our market data.

    Q4 sees sharp reduction in vacancies

    During the final quarter of 2008, there was a significant slowdown in the rate at which new information security vacancies were generated.

    Whilst some comfort might initially be taken from the number of vacancies generated in the second half of 2008, 50 versus 58 in the previous six months, a rather more telling statistic is the closing number of vacancies, which has fallen from 33 in July 2008 to just 20 in December 2008. In fact, the rate of vacancy generation was broadly maintained into the third quarter of 2008, but then fell away in the final quarter. The trend is now set for a significantly lower number of vacancies.

    Drop in registrations as candidates reluctant to move

    The number of candidate registrations fell in the second half of 2008. Against that, the number of defensive registrations rose. The fall in registrations is not surprising, as changing employer involves risk. Whilst much of this risk is more perceived than real, some feel that entering the recruitment market for purely discretionary purposes is not something they currently wish to do. Defensive registrations are up as the number of those who are made redundant or feel their position is potentially under threat is rising.

    Dramatic fall in salary increases

    The average salary increase achieved by changing jobs in the second half of 2008 fell dramatically to 4%. This was caused by those who are out of work accepting salaries below their pre-redundancy earnings.

    Information Security       Dec 2006   Jun 2007   Dec 2007   Jun 2008   Dec 2008
    New vacancies                    56         63         65         58         50
    Closing vacancies                24         31         29         33         20
    Candidates registering          214        179        195        240        230
    Defensive registrations         14%        15%        15%        17%        20%
    Overall salary increase         15%        16%        14%        13%         4%


    MARKET COMMENTARY

    UNEMPLOYMENT NOW EVIDENT

    There is now unemployment in information security. Within many companies, IT projects have been put on hold, budgets for new technologies have been frozen and recruitment suspended. The number of information security specialists being forced into the recruitment market is rising and the number of vacancies is falling. The last time this happened was in 2002. Then, post the dotcom bust, many start up internet companies lost their funding and budgets were cut in anticipation of a downturn and the uncertainty of the run up to the Iraq War.

    The reasons for the current downturn are different. However, for anyone who loses their job, the impact is likely to be very similar. If you find yourself in this situation or simply fear the threat of redundancy, the more proactive you are, the better. Focusing on how you can improve your marketability - perhaps doing things such as completing a professional qualification and developing relationships within the industry - can make a real difference to your appeal to potential employers.

    Against this rather downbeat backdrop, there are areas of the recruitment market where demand remains strong.

    For example, in the public sector there are a number of long-term projects which are already funded and recruiting. We expect this to continue during 2009.

    Managed Security Services (MSS) and Security as a Service (SaaS) are still recruiting at all levels from VP / managerial positions through to pre-sales and technical operational roles. Outsourcing is proving to be a cost effective way of securing information and avoids the need to purchase the technology and recruit staff to implement, integrate, configure and maintain it.

    There is still demand from companies wishing to appoint their first Information Security Officer. These are usually stand alone roles reporting to the COO, Head of Risk or CIO and result from various pressures, including PCI, the growing scope of FSA regulation and countering reputational risk following highly publicised data leakages.

    Although demand is now declining, previously there had been strong demand for penetration testers to assist in determining a company's security status. The reason for the decline is twofold. Firstly, the consultancies that employ the bulk of penetration testers are becoming more cautious and secondly, as people become more wary about changing jobs, there is less back filling required.

    Another niche area which has experienced strong demand has been Identity Management (IdM). However, demand has recently slowed due to the fact that most Sarbanes Oxley compliance, which was driving IdM recruitment, has been concluded. This said, it is possible that Public Key Infrastructure (PKI) may replace this demand in the Identity and Access Management (IAM) market. A great deal of work has been undertaken using PKI as well as IdM on the Transglobal Secure Collaboration Program (TSCP). This is essential for companies dealing with the US government. In the UK, the number of encrypted hard drives will increase, particularly following the high profile data losses of 2007 and 2008. This is now a government requirement, involving various levels of PKI to access information on hard drives. It is likely that the private sector will follow and some consultancies are already progressing this. New roles in PKI should emerge in 2009.


    DATA LEAKAGE

    Data leakage was a topic for many industry conferences and security publications throughout 2008. This was the result of fines imposed on the private sector and media humiliation of the public sector.

    There is now increased awareness of information security and its role in ensuring that an organisation is not commercially damaged or its reputation and trust publicly compromised by data leakage.

    Within the public sector, the Hannigan report was commissioned, which highlighted where improvements could be made to reduce data leakage within the public sector. These included more encryption, penetration testing and a raised awareness of information security across government departments. The private sector has responded by investing in privacy personnel and aligning with ISO 27001.

    The Information Commissioner is to be granted new powers to conduct spot checks and sanctions will be introduced under the Data Protection Act for the most serious breaches of its principles. This will affect both the private and public sectors and will no doubt lead to increased demand for privacy staff during 2009.

    CONTRACTING TO GOVERNMENT

    Demand for security staff in the public sector is generally considered to be more immune to the recession than the private sector. As a consequence, there is currently enhanced interest in gaining work in the public sector.

    It can be a problem gaining the necessary security clearance in the required time frame. This process can take up to two months, which for many contracts, is too late. A way round this is to work through a consultancy, which can hold clearances on a contract basis and can sponsor an SC or DV clearance to work on government projects. However, there are costs involved and if clearance is not used within a year the process has to be completed again.

    MIDDLE EAST MARKET GROWTH

    The Middle East is becoming a popular alternative for UK based information security professionals. Whilst the region is not immune to the global slowdown, many new information security positions are still being generated, not only in Dubai and the UAE, but in Qatar, Bahrain, Kuwait and Saudi Arabia. Local national banks and commercial groups are expanding, together with multinational groups who are migrating into the region.

    These developments require robust corporate governance and the demand for globally recognised compliance. Demand for effective information security management is growing. Large, complex organisations are ensuring they have information security standards and policies that are in line with global best practice and are building information security teams and in some cases working with consultancies to improve their Information Security Management Systems (ISMS). Accreditation to ISO 27001 is still not common, but there is an increase in demand for accreditation as more companies in the region announce their certification.

    The Middle East offers numerous opportunities within information security. However, relocating is a big decision which should only be made after careful research and consideration.


    Data leakage was a topic for many industry conferences and security publications throughout 2008. This was the result of fines imposed on the private sector and media humiliation of the public sector.


    ANALYSIS BY SECTOR

    CONSULTANCIES & SYSTEMS INTEGRATORS

    The consultancies and systems integrators reflected developments in the wider economy during 2008.

    The number of vacancies registered declined during the course of the year, even though there were some cases of very urgent recruitment. The number of candidates competing for each vacancy is increasing, although many better qualified individuals are preferring to stay out of the recruitment market and remain with their existing employers. Really good candidates who chose to enter the market can still receive multiple offers and are often counter-offered to stay with their existing employer.

    A number of consultancies, SIs and the telcos with security professional services practices, now have recruitment freezes. Security practitioners have been moved on to other projects and some security practices and businesses have been restructured and reorganised.

    Any recruitment that has been taking place is primarily at mid level, with demand for security architects, identity management specialists, government security consultants and penetration testers. These were the same skills that were required in 2007 and reflect the nature of projects, particularly in the government sector. There have been a select number of consultancies, SIs and telcos with security practices that recruited significantly in these areas in 2008. These were mostly new positions in projects and contracts where they were able to immediately place additional security consultants.

    The boutique security consultancies were even more cautious in their recruitment during 2008. They only recruited security consultants on the back of winning new business or replacing essential leavers.

    It is hard to discuss this market sector without mentioning the significant data losses that have occurred during 2008, particularly in government and by certain major outsourcers. This has had mixed effects. Firms involved in the data-leakages themselves have, at times, lost major contracts and therefore required less staff. At the same time, such data losses have been used as a sales tool to increase the number of security specialist staff used on contracts.

    We anticipate that demand will continue to be subdued in 2009. The exception is likely to be from those consultancies benefiting from contract wins. Recruitment freezes will continue and many of the best practitioners are likely to stay with their existing employers.


    END USERS

    Information security departments started the year buoyed by the need to fix potential data leakages. At that time the credit crunch and its effects on the wider economy had yet to be felt in information security recruitment.

    Demand held up until the end of quarter 3 when, in a similar fashion to other areas of corporate governance, there was a significant decline in the number of new vacancies. After Lehman Brothers failed, demand for information security staff in the financial services sector dropped sharply. Some positions were put on hold, budgets were reviewed and any recruitment needed to be sanctioned at a higher executive level. Information security staff that left the organisation were not automatically replaced.

    During economic slowdowns, IT investment is often badly hit. New technologies have less take up, projects are scaled down and development slows. Information security within end users is inevitably affected as less technology related risk assessments are required. Those who are full-time risk assessors should consider broadening their skill base. No vacancies were registered in this area during the second half of 2008.

    Demand in commerce has held up better with many smaller companies still appointing their first information security specialist. This is a continuation of an established trend and this impetus is largely caused by the growing scope and recognition of ISO 27001, PCI and vendor assessments. PCI has had an impact in a number of sectors and is being used by information security managers to justify their budgets. However, by the end of 2008, many commercial companies, most notably in the retail, property and media sectors curtailed their recruitment plans.

    Candidate availability has been mixed. It is clear that many candidates, either through redundancy or the perceived threat of this, feel they have little choice but to search for another job. Others, who are under no threat, but who might otherwise have looked for discretionary purposes, prefer the security of their existing employer.

    Currently, unemployment is still low but compared with recent years it is steadily rising. Candidates with blemished CVs are finding it more difficult to secure interviews. A number of contractors are starting to compete for permanent roles even though they will often not be considered by the hiring or HR managers.

    The combination of fewer jobs and more candidates is resulting in lower salaries. Employers are more likely to match, rather than improve existing packages and, in the case of unemployed candidates, may offer below previous earnings.

    This trend in the market looks set for 2009. In spite of the positive benefits of PCI and Hannigan, demand from end users will be closely tied to developments in the wider UK and world economy.


    CONTRACT MARKET

    At the start of 2008, contractors were in demand across all sectors, especially those individuals with identity management skills, cryptographic experts and CLAS consultants. High profile data leakages, coupled with a number of ambitious projects that required an increase in the collection of sensitive data, resulted in enhanced security concerns. The Hannigan report highlighted a number of areas that required attention within the public sector and resulted in increased security awareness amongst its senior management.

    Strong demand for CLAS consultants continued throughout 2008 with long term high profile central government projects remaining a big user. A large intake of new CLAS consultants eased demand, although long-term highly skilled CLAS consultants are being tied in to longer, more lucrative, contracts. Many CLAS consultants are working with more than one public sector client and this demand will at least remain if not increase in 2009.

    Financial services, as a result of some large fines, used more contractors during 2008 for data privacy and third party security assessments. The FSA released its Data Security report in the first half of 2008 and many companies needed to act on the findings and recommendations.

    The Data Protection Act gained weight during 2008 and more spot checks may be carried out throughout 2009. Companies will most likely want to review their privacy policies. Much of this work is being carried out as part of compliance with ISO 27001, which could see an increase in related contract roles.

    In 2009, we anticipate that the mergers in the financial services industry will result in an increased demand for consultants with network security and architect skills to assist with systems integration.

    New frameworks have been awarded in the public sector and are due to begin during the second quarter of 2009. This will see an increase in roles for information assurance, much of which will be CLAS defence work.

    In 2009, more companies will be expected to be ISO 27001 compliant and this could increase the number of roles for ISO 27001 implementers and lead auditors. This increase will be the result of third party suppliers using security as a selling point and the expectations laid out by various governing bodies on information security management systems.

    2008 was characterised by less work in the private sector but growth in the public sector. The increased number of contractors looking for work resulted in more competition for positions, with rates falling approximately 10% for generalist information security positions. Some contractors were requested to move into permanent positions to cut costs. However, specialists such as identity management experts and penetration testers were able to maintain their rates.

    In 2009, we expect demand from the public sector to be broadly consistent with 2008. The private sector will be more dependent on developments in the economy. There will almost certainly be more competition amongst contractors as those who have been made redundant from permanent roles will also be looking for contract work.


    BUSINESS CONTINUITY

    Historically, business continuity has suffered in economic downturns, as companies have sought areas in which to cut costs. Thankfully, business continuity has benefited from increased media coverage and the new British Standard (BS25999) was released in 2008. Business continuity now has a higher profile and executive management is more conscious of its benefits. However, the recession is having an effect. Budgets have tightened and expansion plans have been curtailed. In some cases whole teams of business continuity professionals have been disbanded.

    Within business continuity consultancy, after a confident start to 2008, recruitment slowed significantly in the second half of the year. There is now more caution and some have looked to downsize. The market is becoming more competitive as consultancy fees are being squeezed. Consolidation is likely as some smaller consultancies struggle to ensure that they will be well placed to benefit from the eventual upturn.

    Banking and the wider financial services industry is by some distance the largest employer of business continuity staff. The industry has driven standards. Teams can grow quickly and specialist positions are common. When, as now, the financial services industry contracts, it has a disproportionate effect on the market. Despite this, other sectors have gone some way to compensating for business continuity job losses in the financial services industry. If this growth in other sectors continues, it will create new opportunities for business continuity specialists to expand their experience.

    As a result of redundancies, there have been more people in the job market out of necessity rather than purely for career development reasons. As a consequence, job applications have become more competitive. This is depressing salaries and, as more experienced candidates are prepared to accept less senior roles, is making it more difficult for inexperienced candidates. It is also making the contract market more competitive as otherwise unemployed business continuity specialists make themselves available for contract work.

    Looking ahead into next year, a recent Continuity Central report found that the majority of companies expect business continuity spending to be maintained in 2009. Almost half said that it would be the same in 2009 as it was in 2008 and about a quarter believed it could increase. It will be interesting to see if the reality matches the expectation.

    SUMMARY / PREDICTIONS

    In last year's report we predicted that the outcome for 2008 would be finely balanced. Would the damage to the financial system be contained? If it was not, then we predicted that the prospects for the employment of information security specialists would be more closely tied to developments in the wider economy than many might otherwise like to believe. Unfortunately, the damage has crossed into the wider economy and is bigger than even the most pessimistic predictions. It is clearly not simply a local UK problem, but is affecting the global economy, making any solutions more difficult.

    As a result, there will be fewer information security specialists employed in the UK economy at the end of 2009 than there are now. Many companies will be too focussed on fighting for their survival to be worried about the nicety of whether their information security departments are up to standard.

    Against this backdrop, we expect some areas of strength in the security market. Data Protection Act spot checks are scheduled to start in 2009. More companies will be looking to become ISO 27001 compliant and the contract market should benefit from major integration projects that will take place as a result of banking mergers.

    If the current trends continue, particularly with the move towards ISO 27001, more information security specialists will directly or indirectly be working for the UK government by the end of 2009 than ever before.


    03. INFORMATION SECURITY CURRENT SALARIES

    OVERVIEW

    Salary increases are significantly down for 2008

    The average salary increase accepted by information security specialists fell to 4% in the second half of 2008. This is the lowest ever recorded. Corporate costs were closely controlled during 2008 and some companies were able to have offers accepted that were less than redundant candidates had previously been earning.

    Many candidates in these difficult times are becoming less interested in salary and more concerned about qualitative factors, such as potential security of employment and career progression.

    OUTLOOK FOR 2009

    If the normal patterns of supply and demand are followed, as the supply of information security specialists increases and the demand for their services falls, salaries, as a factor of supply and demand, should fall.

    In reality it is not that simple. The bargaining position of information security specialists has weakened. This will be combined with severe budgetary pressure as companies seek to reduce costs. Further falls are likely to be mitigated by two factors:

    1. Those people who are employed and their job security is not under threat, will have no need to accept a lower salary than they might do otherwise. In fact, given the economic circumstances, these candidates are likely to require an even bigger premium on their salary to compensate for the perceived increase in risk they are taking by moving jobs.

    2. Many companies, even though a candidate is unemployed, do not necessarily wish to offer them the lowest salary that they might accept. They will be recruiting against established salary grades and will rightly want someone to join who is motivated and has not just accepted because they have no other realistic alternatives.

    Outside of base salary, it is likely that discretionary bonuses, particularly those based on corporate performance, will fall. However, given the economic backdrop, many information security specialists will be pleased to get through 2009 with a secure job. The economy has entered territory that it has not been in for over 15 years.

    SALARY SURVEY

    Barclay Simpson analyses the salary data that accumulates from the placements we make in the UK. This provides a useful guide to salaries and salary trends in information security.

    This survey consists of 20 profiles of typical security specialists, for whom we have provided an approximate salary range they could realistically expect to achieve. The profiles are for good rather than exceptional individuals and take no account of other benefits that can accrue to information security specialists such as company cars, nor do they take account of non-contractual bonus and profit sharing arrangements.


    Security Operations Engineer
    A junior member of a network security ops team in a 24/7 managed service environment. Reports into the Security Operations Team Leader. Monitors security devices such as firewalls, IDS / IPS etc.
    London: 27-35,000. Rest of UK: 22-30,000.

    Security Analyst
    Experience including monitoring and awareness for information security. Likely to be working for a retail bank or other financial institution.
    London: 36-40,000. Rest of UK: 30-37,000.

    Senior Security Sales Consultant
    An experienced sales professional who consistently overachieves. Working for a security vendor and reporting to the Sales Director or Manager.
    London: 50-60,000 basic, OTE 100-110,000. Rest of UK: 45-55,000 basic, OTE 90-100,000.

    Penetration Tester
    Working for a boutique security consultancy, this skilled penetration tester will have good client-facing skills and be able to undertake application penetration testing, code level reviews and reverse engineering.
    London: 52-60,000. Rest of UK: 49-56,000.

    Senior Business Continuity Consultant
    Broad business continuity experience with strong external consulting experience in a multi sector project environment. Proven client relationship building and presenting experience.
    London: 54-63,000. Rest of UK: 45-54,000.

    Disaster Recovery Test Manager
    Working in the investment banking field with excellent disaster recovery knowledge and experience. A career history working for large complex organisations in lead positions for DR testing.
    London: 57-68,000. Rest of UK: 47-56,000.

    Identity Management Consultant
    Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
    London: 57-65,000. Rest of UK: 53-62,000.

    Business Continuity Manager
    Business continuity management experience gained in medium to large scale financial services groups. Small scale team leading responsibilities.
    London: 57-68,000. Rest of UK: 46-55,000.

    Information Security Officer
    Sole information security person (no reports) appointed to a FTSE 250 or small FTSE 100. Background in either consulting or from a policy role in a larger department.
    London: 58-64,000. Rest of UK: 49-54,000.

    CLAS Consultant
    At a senior level within the security practice of a large consultancy or SI. Skills in technical and non-technical security areas such as security architecture, as well as security policy formulation and review, and risk assessment. Also undertakes business development activities.
    London: 58-67,000. Rest of UK: 52-61,000.

    Operational Security Manager
    Managing 2-3 personnel within a mid-sized department and answering directly to the head of department.
    London: 60-66,000. Rest of UK: 55-60,000.

    Data Protection Manager
    Extensive data protection management experience gained in large corporate enterprises which would often include large financial services. Executive level consultancy and team leading experience.
    London: 62-71,000. Rest of UK: 50-55,000.

    Security Architect
    Working for a consultancy, undertaking security design and architecture for large-scale client projects. Senior person also involved in bid / proposal work and mentoring team members.
    London: 64-73,000. Rest of UK: 57-66,000.

    Big 4 Senior Manager
    Individual with business development experience and a policy focus to their information security experience.
    London: 80-95,000. Rest of UK: 68-74,000.

    Head of Information Security
    Managing a team of 20 security professionals in a financial services company, assisted by 2 more junior managers.
    London: 110-125,000. Rest of UK: 80-88,000.

    Business Continuity Analyst (Contract)
    Working in the financial services industry with a good grounding in business continuity, articulate, focused with good team working skills.
    London: 225-320 per day. Rest of UK: 200-300 per day.

    Data Privacy Consultant (Contract)
    Working with financial and commercial organisations, providing advice on data privacy in line with the data protection act and industry guidelines.
    London: 450-550 per day. Rest of UK: 350-450 per day.

    ISO 27001 Consultant (Contract)
    An ISO 27001 Lead Auditor working for a consultancy. Role would include advice on ISO 27001 implementation, gap analysis, risk assessment, security policy review and selection of controls to align with the standard.
    London: 550-600 per day. Rest of UK: 500-550 per day.

    Identity Management Consultant (Contract)
    A skilled IdM consultant with experience of various identity management suites from the leading providers. Will have had exposure to the identity management process from beginning to end. Working in a commercial environment they will have good client-facing skills.
    London: 650-700 per day. Rest of UK: 550-600 per day.

    CLAS Consultant (Contract)
    Experienced CLAS Consultant responsible for security policy development during government programmes such as Risk Management Accreditation Document Sets (RMADS) and associated documentation.
    London: 700-800 per day. Rest of UK: 500-600 per day.


    04. APPENDICES

    I. Sample structure

    II. Graphs of key indicators

    III. Data tables by specialism


    APPENDIX I - SAMPLE STRUCTURE

    This report is based on quantitative data gathered from a sample structured as follows:

    50 internal audit departments

    30 risk management departments

    30 compliance departments

    35 information security departments

    In addition to the numbers, we speak directly with a number of heads of department to discuss their current and future recruitment requirements as well as the broader picture to gain a qualitative perspective which is invaluable for the market commentary.

    The core statistics provide the following key information:

    VACANCIES

    Number of vacancies at the start of the period

    Number of vacancies generated during the period

    This, over time, provides guidance on the rate at which vacancies are being generated and an indication of the ease with which companies are filling these vacancies.

    REGISTRATIONS

    Number of candidates registering in each market segment

    This monitors the flow of candidates into the recruitment market and, combined with the number of vacancies generated, gives an insight into the balance of supply and demand.

    DEFENSIVE REGISTRATIONS

    The proportion of candidates registering for defensive reasons

    The percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy (i.e. who register for defensive reasons), can provide a useful insight into the behaviour of the recruitment market.

    SALARIES

    Salary survey

    Salary increases

    In addition to an updated salary survey, we report on the average percentage salary increase achieved by people moving between employers, which is often a good indication of the relative bargaining power that exists between employers and potential recruits.


    APPENDIX II - GRAPHS OF KEY INDICATORS

    NEW VACANCIES

    New vacancies down across the board

    Drop in new vacancies lower in information security than the other 3 areas

    CLOSING VACANCIES

    Closing vacancies even more sharply down

    In Risk Management and Compliance, they have almost halved


    CANDIDATE REGISTRATIONS

    High numbers of candidate registrations continue

    Significant increase in registrations in Compliance

    Significant decrease in Internal & Computer Audit

    DEFENSIVE REGISTRATIONS

    Percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy.

    Significant increase in redundancies or the threat of redundancy in all areas of corporate

    Defensive registrations now account for over 40% of new Compliance candidates


    OVERALL SALARY INCREASE*

    Salary increases relatively stable in Internal & Computer Audit and Risk Management

    Salary increases have dropped significantly in Compliance and Information Security

    * Percentages based on introductions made by Barclay Simpson during the quarter. Allowance has been made for the value of company cars but for no other benefits. Corporate governance personnel working in the private sector are often awarded annual bonuses based on either their personal or overall corporate performance. These bonuses become part of their salary package. When joining a new employer there is generally a qualifying period, often up to a year, before bonuses become due. Not unreasonably, corporate governance professionals, when weighing their existing salary package against an offer of alternative employment, tend to include their existing bonus but exclude potential bonuses from a new employer. We would estimate that this accounts for approximately 5% of the increase that people receive as a result of changing position.


    APPENDIX III - DATA TABLES BY SPECIALISM

                              Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008

    Corporate Governance
    New vacancies                  419       398       333       321       228
    Closing vacancies              236       227       216       227       113
    Candidates registering         904       922       894       885       915
    Defensive registrations        10%       13%       19%       18%       29%
    Overall salary increase        18%       17%       16%       17%       10%

    Internal Audit
    New vacancies                   80        89        84        79        58
    Closing vacancies               36        52        39        37        23
    Candidates registering         297       322       312       356       242
    Defensive registrations        12%       16%       17%       19%       28%
    Overall salary increase        14%       13%       12%       12%       11%

    Risk Management
    New vacancies                   85       198       127        77        53
    Closing vacancies               95       117        77        72        37
    Candidates registering         124       195       249       241       257
    Defensive registrations         5%        4%        8%       17%       25%
    Overall salary increase        21%       24%       21%       16%       15%

    Compliance
    New vacancies                   85       119       107        99        67
    Closing vacancies               59        67        76        62        33
    Candidates registering         198       172       146       165       186
    Defensive registrations        10%       13%       26%       32%       41%
    Overall salary increase        18%       19%       22%       21%       11%

    Information Security
    New vacancies                   56        63        65        58        50
    Closing vacancies               24        31        29        33        20
    Candidates registering         214       179       195       240       230
    Defensive registrations        14%       15%       15%       17%       20%
    Overall salary increase        15%       16%       14%       13%        4%