Security Mid-Year Report 2017 Compensation & Market …and reviews the corporate governance...

Security Mid-Year Report 2017 Compensation & Market Trends 2017


Page 1: Security Mid-Year Report 2017 Compensation & Market …and reviews the corporate governance recruitment market for the previous year, whilst making predictions for the year ahead.

Security

Mid-Year Report 2017 Compensation & Market Trends

2017


Contents

BARCLAY SIMPSON Mid-Year Report 2017 SECURITY

1 Introduction

2 At a glance

3 Executive summary

4 Key issues

5 Sector analysis

6 Salary guide

7 About Barclay Simpson

Offices: London, New York, Dubai, Hong Kong, Singapore

Disciplines: Internal Audit, Risk, Compliance, Security & Resilience, Legal, Treasury


Introduction

Barclay Simpson has been producing corporate governance market reports since 1990. We currently produce two reports a year:

Annual Market Report

Our annual Market Report is published in January and reviews the corporate governance recruitment market for the previous year, whilst making predictions for the year ahead. It includes learning from our annual survey of employers.

Mid-Year Report

Our Mid-Year Report is published in July and updates the overall market picture, as well as providing a specific focus on compensation and the views of people working in security & resilience, based on our annual survey of employees.

This time round, the results are particularly interesting as we asked several questions about Brexit to gauge sentiment amongst security professionals and provide insight into the possible impact of this momentous decision.

Comparable reports exist for all other areas of corporate governance. They can be accessed in section 7 of this report (“About Barclay Simpson”) or at www.barclaysimpson.com

At a glance

Confidence high

• 80% think skills more valuable
• Career development main priority
• Few security professionals out of work
• Job security not a major concern

Security professionals getting on with the job

• Recruitment activity steady
• Desire for more flexible working
• Holidays up

Improve the spirit and culture of the organisation

Increase the managerial footprint and allow greater development

Develop security as a profession

Remuneration good

• Salaries up for those moving job
• Bonuses remain high
• Pension contributions significantly up
• General satisfaction with remuneration

Really love it here, I feel empowered and trusted

Brexit having limited impact

• 78% report no change to their work
• 84% say job security better or the same
• Just 11% think their role will or may be relocated

But no complacency

• 43% of security professionals ready to relocate to EU
• Dublin first port of call


Executive summary


Security salaries defying wider pressures on earnings

Following a steady performance by the UK economy in 2016, growth rates at the beginning of 2017 have slowed. Whilst the post Brexit recession didn’t materialise, the vast majority of economists predict that the decision to leave the EU will hit growth. Overall unemployment levels continue to fall. Productivity growth, however, remains elusive and exchange rate depreciation has led to inflation exceeding the Bank of England’s 2% target. Real wages, which had been improving since the financial crisis, are once again coming under pressure. In spite of this, security professionals appear no less satisfied with their salary, an indication that the market for these skills remains positive compared to other areas of corporate governance and the wider economy.

Uncertainty prevails

Stability and growth tend to raise demand for security professionals. Unfortunately, we are still living through a period of uncertainty and, as we write this report, the UK government has begun a set of negotiations that will have far reaching implications, not just for employees and employers in security and other areas of corporate governance, but for the country as a whole.

We had hoped that by the time of this report the consequences of Brexit would have become a little clearer. This does not appear to be the case. The situation has been further complicated by the outcome of the recent general election and it remains to be seen what impact this has on the negotiations of the UK government with EU counterparts.

Brexit poses a risk

Whilst the response to our survey about the impact of Brexit is still speculative, our survey demonstrates that Brexit is a potential risk for security departments. Whilst recruitment may only be moderately more challenging after Brexit, should an economic downturn occur, many security professionals are prepared to make significant changes to their lives, including relocating, to protect their jobs and career prospects.

Softer Brexit?

It is believed by some that the outcome of the general election could lead to what commentators describe as a “Soft Brexit”, where access to the single market, customs union and a more relaxed approach to immigration is prioritised. As this report will demonstrate, Brexit poses less of an immediate risk to the UK security recruitment market, when compared to the rest of the corporate governance market with fewer EU nationals working in the industry. Many security professionals are recruited directly from the UK Military and Security Services and the UK security industry is more advanced than in the EU, with professionals relocating from across the globe.

Market conditions improving

Some large banks have undergone major transformation programmes requiring multiple hires as they remodel their information and cyber security functions. Similar transformation programmes have taken place in FTSE 100 companies. This has had the knock-on effect of requiring additional headcount. The number of vacancies registered per month in 2017 year-to-date across commerce and industry has improved compared to last year. The same is true within Financial Services, where the consolidated number of vacancies per month is higher this year when compared to the average for last year.


Not for all

The number of security professionals reporting that they are not currently in work has risen slightly from 5% to 6%. We also found that 31% of security professionals who are not currently working reported being out of work for over 12 months, compared to none last year. Our experience as recruiters is that the number of vacancies in the market is higher than at this point last year. Given the ever-changing nature of technology and subsequent threats, any security professional who isn’t constantly developing their skills may find the market moving forward without them. Alternatively, changes in tax legislation have led to a number of contractors re-entering the permanent market. These highly skilled individuals who had previously worked on high value day rate contracts are now competing with less experienced candidates for permanent roles.

Outlook

It is very difficult to predict what is likely to happen over the longer term, due to the uncertainty surrounding Brexit. The security recruitment market does not operate in a vacuum and, whilst it remains dependent on the economic environment, we expect the market to remain buoyant for the foreseeable future. New regulation, such as the General Data Protection Regulation (GDPR), emerging technology such as Cloud Computing and the Internet of Things (IoT) will continue to drive demand. Furthermore, a fast-moving security landscape with perceived and actual threats on the increase is driving investment in both people and technology. The recent ransomware attack that affected the NHS, whilst not the largest attack of this kind, has made information and IT security a public and political issue. This is reflected in our survey, with 81% of security professionals believing their skills have become more valuable.


Key issues

CONFIDENCE HIGH

Increasing confidence among security professionals

81% of security professionals feel as though their skills have become more valuable and 60% of security professionals who changed jobs reported that they found it less difficult than they expected.

Candidates in Vulnerability Management, Red Teaming and Penetration Testing are finding multiple opportunities in the market as companies develop their own in-house functions. Internal consulting, that assesses risk, forms remediation plans and consults on remediation processes to departments, projects and sometimes to third parties, is also expanding.

Security Architects remain in high demand, largely due to the need to constantly adjust to fast changing and ever evolving threats, which in turn has led to the expansion of in-house capabilities.

Within the field of corporate security, intelligence, investigations, travel security and 2nd-line of defence based governance positions are in greatest demand.

Contractor confidence rising

Contractor confidence is rising with 64% of security professionals in work as a contractor believing that the market for their skills is improving (up from 58% in 2016). Candidates with knowledge of emerging technology, such as cloud computing and an understanding of the Internet of Things (IoT) are in very high demand.

The overall picture in security is one of relative calm, but with increasing pressures to hire due to new regulations and an ever-evolving market. Here are the key issues coming out of our survey of security professionals:

[Chart: Do you believe your skills have become more valuable? 2016: 67%; 2017: 81%]


[Chart: Do you believe your skills have become more valuable? (Contractors) 2016: 58%; 2017: 64%]

This is also reflected in the time taken to secure a new role, with 72% of contractors able to secure a new contract within one month and 58% of contracts over 12 months in duration.

Satisfaction with remuneration (69%) is also higher for contractors than for non-contractors (56%).

In spite of this, 66% of contractors who are out of work report it is harder to secure a new role than they expected. Candidates from a public-sector background are finding it harder than those from commerce or financial services. This is in part driven by technology. Large corporates, banks and financial services companies have bigger budgets and access to cutting edge technology, whereas in the public sector, security specialists are working with older technology and don’t have as much experience of emerging technology such as cloud computing. This was illustrated in the recent WannaCry ransomware attack that affected the NHS, primarily due to its reliance on technology which in many cases is no longer supported.

Career development main priority

Career development is currently the main priority for security professionals, both for those who have changed job and for those who haven’t.

[Chart: Overall do you believe you are adequately compensated? Contractors: 69%; Non-contractors: 56%]

[Chart: If you were to consider looking for another job, or to go for an interview, what would be the most likely reason for this? 2016 and 2017. Categories: Salary increase, Career development, Better work/life balance, Job security]


Career development is most important for corporate security workers, although still high for information and cyber security professionals, many of whom also seek better work/life balance. Consultancies have recently struggled to attract mid-level staff, in part because of a perceived lack of career progression and excessive travel. The growth of in-house information security functions offers opportunities for security professionals to work on interesting projects without the need to travel.

Given the competition for skills from across the sector, companies need to adopt efficient and effective recruitment strategies. Those that have already done so have had the greatest successes.

Few security professionals out of work

Although there has been a slight rise, from 5% to 6%, the number of security professionals out of work is still low.

[Chart: What was your primary motive in looking for another job? 2016 and 2017. Categories: Salary increase, Career development, Better work/life balance, Job security]

[Chart: Are you currently working? Yes: 95% in 2016; 94% in 2017]


REMUNERATION GOOD

Salaries improving

Budgets for information and cyber security have increased over the past 12 months. As a result, the average salary increase achieved by security professionals when changing jobs has also increased, from 16% in 2016 to 17% this year; roles are also being filled quicker than in previous years.

In corporate security, increased threats from terror have led to a sharp increase in the number of newly created roles. This has been reflected in a rise in the average salary increase achieved by corporate security professionals changing jobs, from 10% in 2016 to 15% this year.

Increases are fairly similar across different sectors, with the exception of the public sector, which is lower at 10%.

[Chart: What would you most like to change about your job? 2016 and 2017. Categories: Salary, Work/life balance, Job content, Career development, Job security, My manager, Recognition]

[Chart: Salary increase for job movers. 2016: 16%; 2017: 17%]

[Table: Salary increase 2017 for job movers by sub-group: Banking & Financial Services, Commerce & Industry, Consultancy, Public Sector, Managers, Non-managers]

Job security not a major concern

There has been a drop from 7% to 4% in the number of security professionals citing job security as the thing they would most like to change about their job, reflecting the current levels of confidence in security.


As our comparatives demonstrate, there has been an increase in the number of security professionals (58%) who received a salary increase of more than 10%. This compares to 54% in 2016. However, 25% of people did move without an increase in pay, which may reflect some moving for quality of life reasons and a few with an eye on job security.

[Chart: Which best describes how your current salary compares to your salary in your previous role? 2016 and 2017. Categories: >40%, 30-40%, 20-30%, 10-20%, 0-10%, Less or the same]

[Chart: Salary increase for non-movers. 2016: 6%; 2017: 5%]

[Table: Salary increase 2017 for non-movers by sub-group: Banking & Financial Services, Commerce & Industry, Consultancy, Public Sector, Managers, Non-managers]

The average salary increase achieved by security professionals remaining with their employer was down slightly, from 6% to 5%. The figure was highest in banking and financial services, where the average increase was 6%; the lowest in the public sector at 2%.


The spread of pay increases was similar to 2016, although there is an encouraging reduction (from 25% in 2016 to 18%) in the number of people who received no increase.


General satisfaction with remuneration

According to our survey, the percentage of security practitioners who believe they are adequately compensated is little changed at 56% in 2017, from 58% in 2016.

Whilst salary remains a key issue, overall salaries are becoming less of a motivator for those changing job. For security professionals who haven’t moved, salary has dropped from 39% to 34% as the most likely reason to look for another job. Job satisfaction and perceived job security are high. Given the general satisfaction with remuneration, it’s little surprise that the priority is career development, as discussed earlier.

[Chart: Which option best describes your salary increase in the last year? 2016 and 2017. Categories: >15%, 10-15%, 5-10%, 2.5-5%, 0-2.5%, The same or less]

[Chart: Overall do you believe you are adequately compensated? 2016: 58%; 2017: 56%]


Bonuses remain high

The number of security professionals receiving bonuses is up from 74% in 2016 to 81%, although the average bonus level has fallen from 20% in 2016 to 15% this year.


The average of 15% is significantly below the average paid to risk managers at 28% and marginally below the average bonus paid to compliance professionals at 18%. The average bonus is not, however, the typical bonus a security professional might expect. 40% of security professionals reported receiving a bonus of less than 10% and 3% reported receiving no bonus at all. Only 10% of security professionals reported a bonus of over 30%. The most common bonus level reported by 22% of security professionals was between 5-10%.

[Chart: Does your employer pay a bonus? Yes: 74% in 2016; 81% in 2017]

[Chart: Level of bonus - percentage of salary. 2016: 20%; 2017: 15%]

Sub-groups: Does your employer pay a bonus? / Average bonus 2017

Banking & Financial Services: 95% / 17%
Commerce & Industry: 77% / 18%
Consultancy: 86% / 11%
Public Sector: 29% / 12%
Managers: 82% / 17%
Non-managers: 79% / 11%


Bonus levels are more common in Banking & Financial Services, where 95% of security professionals reported receiving a bonus, with an average of 17%. Whilst bonuses in the Public Sector are becoming more common, only 29% of security professionals in this sector reported receiving a bonus, which averaged at 12%. Commerce and Industry bonuses were received by 77% of security professionals and averaged 18%; for those working for a consultancy, 86% reported receiving a bonus with the average being 11%.

There is also a big discrepancy between bonuses for managers and non-managers. Managers achieved an average of 17% in their bonus, whereas non-managers averaged 11%.

Whilst bonuses are a good way for employers to retain staff, they are not an efficient way of attracting them. This is shown in our survey where the average bonus for those who changed jobs was 10%, compared to 16% for those who did not. Employers have been reluctant to compensate for loss of bonus when hiring, except for the most senior members of staff. If a security professional decides to change job, it is likely that any accrued bonus with their current employer will be forgone and that they will, at best, receive a pro-rated bonus from their new employer. Bonuses are non-contractual, discretionary and subject to all the usual caveats around performance. In some cases, bonuses may begin accruing from the time employment starts; in others there is a qualifying period. Some employers have a cut-off point in the year after which new joiners will not qualify for a bonus in that year’s cycle.

Pension contributions up

Pensions make a significant contribution to total income. In 2017, 86% of security professionals received additional pension contributions, a big increase on 2016 (71%) and the average contribution also increased significantly from 10% to 16%.

[Chart: Does your employer provide you with any pension benefits above the statutory minimum? Yes: 71% in 2016; 86% in 2017]

[Chart: Level of pension contributions - percentage of salary. 2016: 10%; 2017: 16%]


Other benefits (which include private health, travel or car allowances, memberships, etc.) remain at an average of £4,600.

Breakdown of total remuneration

The typical relative value of the different elements of remuneration in security is as follows:


BREXIT HAVING LIMITED IMPACT

Brexit having minimal impact on the work of security professionals

The effect of Brexit on security & resilience appears to be less than in other areas of corporate governance, with 78% of security professionals reporting no change to the work they are currently doing.

That is not to say Brexit is having no effect, with 17% of information security professionals reporting a moderate change and 5% a significant change to their work. Had the UK withdrawn from GDPR, the effect could have been more dramatic and impacted the work of Data Protection Officers, as the UK would no longer have to comply with the regulation.

[Chart: Breakdown of total remuneration, 2017. Elements: Base salary, Bonus, Pension, Other benefits]

[Chart: Is Brexit affecting the work you do? 2017. No change: 78%; Moderate change: 17%; Significant change: 5%]


There are areas of security where Brexit is having more impact, including corporate security, where 27% of corporate security managers have reported a moderate change in their duties due to Brexit. The same is true in banking, where 20% of security professionals report a moderate change and a further 5% a significant change. The figure for moderate change is comparable to other areas of corporate governance, such as risk management and compliance (23% and 24% respectively). It is, however, considerably lower than in legal, where 41% of lawyers have reported moderate change to their work and a further 8% a significant change to the work they are performing.

Brexit having little effect on job security

The effect of Brexit on job security for security professionals is also less than in other areas of corporate governance, with 84% believing their roles are either more secure or the same post Brexit.

The 16% who believe their role to be less secure is similar to Audit (14%), but lower than other areas of corporate governance, including Compliance (24%), Legal (27%) and Risk (25%).

Threat of relocation low

89% of security professionals believe their roles are unlikely to be relocated to another part of the EU post Brexit.

The UK is likely to retain equivalence with the EU in rules and regulations for the foreseeable future. The UK also has a good track record of ‘Gold Plating’ regulatory standards, meaning there shouldn’t be any great divergence of rules and regulations between the UK and the EU. This is evidenced by the decision to retain the GDPR regulation, so it is unlikely that roles will be relocated due to regulatory pressure in the short to medium term.

[Chart: Has Brexit affected your job security? 2017. Same: 78%; Less secure: 16%; More secure: 6%]

[Chart: Do you think your role could be relocated to another part of the EU post Brexit? 2017. No: 89%; Possibly or Yes: 11%]


Furthermore, security tends to be a head office function, so, subject to companies retaining headquarters in the UK, there should be little overall impact on security.

Impact potentially less than in other areas of corporate governance

Only 15% of information security professionals are EU Citizens, considerably less than in other areas of corporate governance. For example, risk is 39%, audit 29% and compliance 22%. In Corporate Security, where many candidates come from the UK military or security services, the number of EU Citizens is just 10%.

Brexit compressing earnings for junior candidates

One clear impact of both Brexit and the recent election result has been a fall in the value of Sterling. This has led to an increase in inflation which currently stands above the Bank of England’s target of 2% and has impacted real earnings. Security professionals are fortunate that their salary increases have held up well and, when compared to national averages, the figures for security professionals exceed those in the wider economy. However, wage compression as a result of inflation has led to an increase in the number of junior security professionals who reported feeling under-compensated. 48% of security professionals with less than 5 years’ experience feel adequately compensated against 59% of those with more than 5 years’ experience.


SECURITY PROFESSIONALS GETTING ON WITH THE JOB

Recruitment activity down

The number of security professionals who changed job in the past 12 months fell slightly, from 31% in 2016 to 30% this year.

The level is steady but not high and reflects general satisfaction with roles and remuneration.

Desire for more flexible working

Flexible working (i.e. the opportunity to vary your hours of work or to work from home on either an ad hoc or regular basis) is an increasing motivation for security professionals. For those with a long commute, an opportunity to work from home on a weekly basis or even for a couple of days a month represents a better work/life balance even if the same total number of hours are worked.

[Chart: Have you changed employer in the last 12 months? Yes: 31% in 2016; 30% in 2017]


However, perhaps as a result of the desire to have people on hand in the face of cyber-attacks and other IT emergencies, the number of security professionals benefiting from flexible working has dropped for the second year in a row.


This trend conflicts with the desire of security professionals to work more flexibly (up to 72% from 70% in 2016) and may be a source of frustration for some. Flexible working does vary by sector, with 88% of security professionals in consulting benefiting from flexible working, dropping to 74% in commerce & industry, 73% in banking and 63% in the public sector.

Holidays up

Holidays are another key factor in quality of life and, although they tend not to be used as a means of securing or retaining staff as much as other incentives, in 2017 our survey reveals an increase in the average number of days holiday from 26 to 27 days.

[Chart: Does your employer provide you with the opportunity to work flexibly to any significant level? Yes: 83% in 2015; 79% in 2016; 77% in 2017]

[Chart: Would you like the opportunity to work more flexibly? Yes: 70% in 2016; 72% in 2017]

[Chart: Average number of days holiday. 2015: 26; 2016: 26; 2017: 27]


Our survey suggests that 71% of security professionals are based in London and the South East with 29% in the rest of the UK. The London factor is still important and attracts people from around the world. With employers driven by the need to attract the highest quality staff, they will often resist the temptation to hire in cheaper locations and retain roles in London.

Proportion of women low in security

According to our survey, women make up only 10% of information and cyber security professionals, significantly lower than in other areas of corporate governance and a drop from 11% in 2016. In corporate security, only 6% are women. Corporate security professionals tend to have a military service background, and despite an increase in the number of companies asking for balanced shortlists, women continue to be under-represented in security. The problem is not unique to security, with similar issues in other areas of corporate governance. Quantitative roles in credit and market risk suffer from similar shortages. The challenge is how to encourage more girls to study Science, Technology, Engineering and Mathematics (STEM) subjects at secondary school, enabling them to go on and study the relevant degree courses and eventually build a career in the security industry.

Training a good motivator

Training is another good motivator for security professionals, either those moving job or those staying put. In particular, the Big 4 and smaller consultancies have adopted a policy of recruiting and training technically skilled candidates with little or no hands-on security experience. This has helped the market as they subsequently become targets for in-house departments.

Financial services companies are also increasingly offering training and development for internal applicants as well as being more flexible on hiring candidates with potential rather than necessarily holding out for the finished article.

In addition to training, consultancies are offering prospective employees greater flexibility in order to facilitate better work/life balance, in addition to the usual benefits of work diversity and exposure to different sectors.

Growth in opportunities outside London

The cost of information and cyber security is increasing in response to more sophisticated and determined attacks. Whilst much is made of the London-centric nature of the UK economy, pressure on desk space in London and lower costs in the regions make it practical to employ security practitioners outside of London. Moves by banks, other financial services companies, utilities and telecom groups are resulting in buoyant regional markets. Some regions, such as the North West and Mid-Lothian, have in some instances seen salaries starting to approach those in London and the South East.

[Chart: Which location best described where you work? (2017): London/South East 71%, Rest of UK 29%.]

BUT NO COMPLACENCY

Security professionals ready to relocate if need be

Our survey has revealed a potential brain drain, based on the outcome of the Brexit negotiations, as 43% of security professionals have indicated they are ready to relocate if their current role or job prospects are significantly affected by Brexit.

100% of non-UK EU Citizens ready to relocate

This figure rises to 100% of EU Citizens that responded to our survey. However, given the relatively low numbers of EU Citizens working in security (15% according to our survey), this presents much less of a risk than in other areas of corporate governance, where the number of Non-UK EU Citizens is considerably higher.

That said, non-UK EU Citizens are important to security departments’ day to day functioning and future resourcing plans. Post Brexit, if we fail to adopt some form of free movement or an efficient visa application system, corporate security specialists in particular will be heavily affected as travel throughout Europe will become more complicated.

Language skills make Dublin preferred location

Although the international business language is English in many multinational businesses, outside the UK language skills are important.

As 67% of security professionals do not speak another European language and 78% of security professionals who are also British Citizens do not speak another European language, this makes Dublin the most popular destination for security professionals looking to remain in the EU. Frankfurt, Paris and Amsterdam are other popular choices, with 12% of security professionals speaking German and 10% French.

Any exodus is dependent on the outcome of the UK Government’s negotiations with the EU and, for the time being at least, London remains the main ecosystem and European centre for financial services. For the better candidates, the perception remains that career opportunities and salaries are better here than in other EU cities.

[Chart: If Brexit had a significant negative impact on your career or job prospects, would you consider moving to a country within the EU? (2017): Yes 43%, No 57%.]

5 Sector analysis

CONTEXT

Following several years of sustained earnings growth, the recent rise in inflation has led to a fall in real earnings for many in the UK. However, a combination of cyber threats, data leakage events, terrorist attacks and incoming regulation have benefited security professionals. Salary increases for both corporate security and information and cyber security professionals who have changed employers are up. Higher than average increases for those who have stayed, however, are often linked to promotion or to a counter offer. Promotions are a good way of motivating and retaining staff, whereas counter offers are much less successful, with many security professionals who have been persuaded to stay purely by a salary increase, with no material change to their conditions or the nature of their job, choosing to re-enter the recruitment market within 12 months. Less experienced candidates, particularly those who have remained with their employers, have reported the least satisfaction with their compensation.

Asked what they would most like to change about their jobs, security professionals cited salary (32%) and career development (25%) well ahead of other criteria. Overall, job security has improved over the past 12 months, dropping from 7% to 4% in terms of being something to change.

[Chart: What would you most like to change about your job? 2016 and 2017, by category: Salary, Work/life balance, Job content, Career development, Job security, My manager, Recognition.]

QUALITATIVE FEEDBACK

In our survey, we also gave security professionals the opportunity to respond qualitatively to the question “If there were something you could say to your employer, what would it be?” Interestingly, unlike other areas of corporate governance, the strongest theme coming through was not to do with salaries or working conditions, but was about the role of security within organisations and the organisational culture overall:

“They are a great employer, but the organisational culture is skewed to finance (understandably), but at the expense of thinking about security.”

“Don’t devalue the role security plays in the company.”

“Lack of focus and commitment creates challenging environment.”

“Improve the spirit and culture of the organisation. Move away from the money fuelled corporate approach - attract the best by having the best working atmosphere.”

“Develop security as a profession.”

This bigger picture focus also extended to the approach within security:

“Focus on vision and strategy.”

“Invest in broad based security measures, don’t focus solely on cyber.”

And to managing Brexit proactively:

“Start communicating to the EU employees about Brexit, how the company will approach it for its EU employees esp. if they will support relocation initiated by the employee to another site.”

There was demand for help with professional development:

“Ensure continuous external professional development for personnel.”

“Increase the managerial footprint and allow greater development.”

And encouragement to go further with the work/life balance:

“Provide suitable work / life balance and review individuals situation uniquely not in clusters.”

“I would like the flexibility to work from home on a regular basis.”

There were some comments relating to remuneration:

“Pay your employees what you know they are worth, not what you think you can get away with.”

But there were more positive comments than negative:

“Really love it here, I feel empowered and trusted.”

“Pretty happy.”


BANKING & FINANCIAL SERVICES

The financial services sector saw a high degree of activity at the start of 2017 and, despite slowing towards the middle of the year, remains buoyant. Following a number of senior moves, the larger banks continue to invest in a range of transformation projects, and smaller organisations that have historically relied on external providers have begun to develop in-house expertise. Geopolitical factors, such as the cyber threat from so-called ‘rogue nations’, have been the greatest area of investment and focus in financial services, increasing demand for candidates with threat intelligence and incident response experience. The three lines of defence model, implemented some time ago, has become much more fluid as banks begin to consolidate Technology Risk and Security.

Other areas of focus within financial services include Identity and Access Management (IAM), with a number of organisations currently building bespoke IAM products and solutions. GDPR is of course a priority, with responsibility resting with the Chief Data Officer.

Candidate availability continues to be the greatest challenge across the sector with demand outstripping supply in every skillset, which has created an extremely candidate-driven market. Most cyber and information security candidates will have multiple opportunities available, creating upwards pressure on salaries. This is reflected in our survey, where security professionals who changed role in the past 12 months achieved an average increase of 18%, slightly above the sector average of 17%. This compares favourably to Risk (16%) and Audit (13%). Average bonuses were 17%, with 44% reporting an increase on 2016 and a further 42% reporting their bonus was about the same. This is further reflected by the 68% of security professionals in banking and financial services who believe they are adequately compensated.

Career development (39%) was the main reason cited by security professionals who changed jobs in the past 12 months, with salary and work / life balance equal at 26% and job security at 8%.

For those who remained with their employer, the average salary increase achieved was 5.9%. This figure does not take into consideration counter-offers and promotions. Once adjusted to reflect this, the figure drops to 2.6%. It is no surprise, therefore, that 35% of security professionals who have not changed job cited salary as the main driver to consider entering the recruitment market.

[Chart: What was your primary motive in looking for another job? 2016 and 2017, by category: Job security, Salary increase, Better work/life balance, Career development.]

Companies considered part of Critical National Infrastructure, such as pharmaceutical, telecoms and utilities businesses, invested heavily several years ago and continue to have large functions.

The GDPR implementation deadline of May 25th 2018 is now less than a year away and more and more organisations are beginning to make inroads into their GDPR projects. Companies have hired security professionals to conduct risk assessments and gap analysis for the security of the data, answering the question of who has access to data and whether they need it. Additionally, privacy professionals or technology and information risk professionals are needed to develop and implement policies to ensure compliance. GDPR is a very new regulation and a mature market for these skills does not currently exist. Whilst some candidates are very familiar with the regulation, few people are experts in the field. In the absence of this, candidates are advised to emphasise skills such as PCI-DSS and more general governance and risk experience.

The Internet of Things (IoT) has led to a number of additional demands. For example, smart metering has driven demand in the energy sector. Manufacturing is another area where knowledge of IoT is required. Fridges, televisions, vacuum cleaners, home security and even toasters can now be connected to the internet. These technological advances also expose home networks to infiltration by hackers who can steal data or spy on inhabitants. Ensuring IoT connected devices are secure is essential.

Macro factors also contribute to the recruitment market. For example, the oil and gas sector is one sector where the cost-cutting and rationalisation of security departments over the past few years have reversed along with the recovery in the price of oil.

COMMERCE & INDUSTRY

Average salary increases for those changing jobs in commerce & industry, at 19%, were higher than in Banking & Financial Services and matched only by consulting. As cyber and information security continues to create headlines, legal firms, manufacturers and FMCG companies have begun adopting an in-house capability. Having previously not been considered to be at risk, companies in these sectors have developed an understanding that high quality security and leadership is critical in all industries.

Average salary increases for those who remained with their employer were 5%, in line with the sector average. However, bonuses, generally lower than in financial services for other areas of corporate governance, were the highest in security at 18%. The financial services premium paid to lawyers, risk managers, auditors and compliance professionals does not appear to apply to security.

[Chart: Average bonuses in security, 2017, by sector: Banking & Financial Services, Commerce & Industry, Consulting, Public Sector, Overall.]

CONSULTANCIES & SYSTEMS INTEGRATORS

The increasing number of cyber-attacks and threats has resulted in significantly more business for consultancies and systems integrators, leading to increased recruitment across the industry. Candidate supply remains challenging and competition is high. Businesses that are most agile and responsive in their recruitment processes are enjoying the most success in securing the best talent. This is reflected in our survey, with security professionals who changed jobs in consultancy achieving above sector average increases of 19%, up from 12% in 2016.


The main skills that are in demand remain the same as last year, namely a broad range of technical security skills with the ability to speak at C Level and, in particular, candidates with expertise in Penetration Testing, Incident Response, Security Engineering and Architecture.

In addition to this, there has been a surge in demand for candidates with cloud security and digital transformation project experience, which isn’t surprising given the shift organisations are making from legacy systems to the Cloud.

With the GDPR deadline approaching, there is also high demand for security consultants with relevant skills and experience to guide clients to become GDPR ready.

[Chart: Salary increase for job movers, 2016 and 2017: 12% and 19%.]

Bonuses in consulting are lower than in both Financial Services and Commerce & Industry at 11%, although the average pension contribution is 16%. Career progression was cited by 52% of security professionals who changed employers in the past 12 months, followed by salary increase (24%) and work/life balance (14%).

[Chart: What was your primary motive in looking for another job? (2017): Career development 52%, Salary increase 24%, Better work/life balance 14%, Job security 10%.]

THE CONTRACT MARKET

IR35 tax legislation has had a significant impact across the contract market, affecting public sector companies, including government-owned regulators, in all sectors including financial services. A significant number of contractors and, in some organisations, whole teams have resigned from their roles for fear of falling inside of IR35. This has led to an increase of available contractors on the market and we have seen in previous years how an over-availability of contractors can bring down the average market contract daily rate. However, although there are more contractors available, this has not yet affected the market daily rate and rates remain stable. This is unusual and calls into question the idea of a security skill shortage, at least in the private contracting sector.

There has been a demand for technical skills and experience related to Security Operations/SIEM and Security Architecture. Governance, Risk and Compliance contract roles have been less in demand, with the exception of GDPR/Data Protection related roles. We are finding that there is an appetite for permanent hiring in the GRC field, whilst the contract budget is kept for specific technical change or business as usual roles.

6 Salary guide

Barclay Simpson analyses the salary data that accumulates from the placements we make in the UK. This provides a guide to salaries for security professionals. The salary ranges quoted are for good rather than exceptional individuals and take no account of other benefits in addition to salary that usually accrue to security professionals, such as bonuses, profit sharing arrangements and pension benefits. For more information on salaries in security and resilience, please contact Mark Ampleford on 020 7936 2601.


Selected profiles - permanent

[Chart: salary (£000) for each profile below, London and Regional.]

Senior Data Protection Analyst: Team member in a small DP department for a large mobile telecommunications group. Proven experience in a similar role and ISEB qualified.

Security Analyst: Generic information and IT security consulting and project delivery in a large retail financial services company.

Senior Security Consultant: Working for an SI, undertaking security consultancy and delivering on security projects for a large-scale client. Senior person also involved in bid/proposal work and mentoring.

Senior Business Continuity Consultant: Working for a large consultancy firm, delivering and managing consulting engagements and in some cases managing junior staff. Some sales and business development responsibility.

PCI QSA/PCIP: Practising QSA working with external clients and managing their entire PCI compliance programme.

SIEM Consultant: Technical specialist with strong skills with a leading SIEM solution such as ArcSight or RSA envision. Design, implementation and integration experience. Client facing consultative role.

Identity & Access Management Consultant: Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.

Security & Compliance Manager: Security Manager responsible for the business meeting compliance standards such as ISO27001 and PCI.

Security Manager: Security background in a small financial services company. Demonstrable management experience. No permanent reports. Will utilise consulting firms and contractors on an ad-hoc basis.

EMEA Manager of Data Protection: Medium to large insurance group. No direct reports. EU Data Privacy legislation experience.

Network Security Team Leader: Working in a FTSE 100 group leading a team of 6-8 network security specialists, reporting directly to the Head of Security. 10 years’ experience.

Head of Business Continuity: Major financial services group, a large team to manage/supervise. Established career history within BCM.

Head of Security: Managing a team of 8 security professionals in a financial services company, assisted by 2 more junior managers. Significant management experience and wide security experience.

Security Architect

Application Security Engineer

Penetration Tester

Selected profiles - contract

[Chart: daily rate (£ per day) for each profile below, London and Regional.]

Security Architect: Review and creation of technical security designs. Deployment of Security solutions and architecture, exposure to mobile/cloud/network solutions. Holds CISSP/TOGAF/SABSA/ knowledge of OWASP.

Data Privacy Officer/Lead: Experienced in the security and regulatory implications of Data Protection compliance with emphasis on EU General Data Protection Regulation. Holds ISEB/PDP/CIPP/E.

Data Privacy Analyst: Experience of DPA 98 and EU Privacy Directive 95/46/EC, required to provide specialist privacy knowledge and support.

Security Consultant: Providing security advice across the business, ranging from policy review and development, to information risk reviews. Holds CISSP or CISM.

Technology Risk Consultant: Good technical understanding with the ability to identify, assess, manage and report risk. Working with different projects within the organisation on varying technologies.

SOC Consultant: Technical specialist with strong skills in leading SIEM solutions such as design, implementation and integration. Often also involved in elements of policy oversight and review.

PCI Consultant: PCI Consultant who can work with the client to ensure compliance to PCI-DSS standards.

Penetration Tester: SME in application security, code reviews and vulnerabilities, attacks and countermeasures with a deep knowledge of hacking and penetration testing techniques, methodologies and tools across web application and infrastructure.

Business Continuity Consultant: Managing a team of 8 security professionals in a financial services company, assisted by 2 more junior.

Salary chart - end users

[Chart: salary (£000) by role for Banking, Non-banking FS, Commercial FTSE 100 equivalent and Commercial FTSE 250 or smaller. Roles: Business Continuity Analyst (2 yrs+); Info Security Analyst (3 yrs); Info Security Analyst (4 yrs+); Data Protection Manager (5 yrs+ no team); Business Continuity Manager (4 yrs+ no team); Info Security Manager (team under 5); Info Security Manager (team 5+); Head of Info Security (dept under 10); Head of Info Security (dept 10+).]

Salary chart - consultancies and SIS

[Chart: salary (£000) by role for Big 4, Systems integrator, Large consultancy and Boutique consultancy. Roles: Penetration Tester (under 4 yrs exp); Consultant; CHECK Team Member; Senior Consultant; Manager; CHECK Team Leader; Senior Manager; Director (Practice Lead).]

7 About Barclay Simpson

Barclay Simpson is an international corporate governance recruitment consultancy specialising in internal audit, risk, compliance, security & resilience, business continuity, legal and treasury appointments.

Established in 1989, Barclay Simpson works with clients in all sectors throughout the UK, Europe, Middle East, North America and Asia-Pacific from our offices in London, New York, Dubai, Hong Kong and Singapore.

We add value by using our unique focus on corporate governance, our highly-experienced specialist consultants and access to both the local and international pools of corporate governance talent.

Our strength lies in our ability to understand client and candidate needs and in utilising this insight to ensure our candidates are introduced to positions they want and our clients to the candidates they wish to recruit.

For more in-depth coverage, comprehensive reports and compensation guides exist for the Internal Audit, Risk, Security & Resilience, Compliance and Legal recruitment markets. These can be accessed from the links below.

www.barclaysimpson.com/internal-audit-mid-year-report-2017

www.barclaysimpson.com/risk-management-mid-year-report-2017

www.barclaysimpson.com/compliance-mid-year-report-2017

www.barclaysimpson.com/security-and-resilience-mid-year-report-2017

www.barclaysimpson.com/legal-mid-year-report-2017

We also produce other specialist reports, each of which can be accessed for free on our website: www.barclaysimpson.com

Barclay Simpson
Bridewell Gate, 9 Bridewell Place
London EC4V 6AW
Tel: 44 (0)20 7936 2601

Feel free to share our reports with colleagues or friends and, if you would like hard copies of any of the reports, or would like to discuss any aspect of them, please contact the following divisional heads:

Internal & IT Audit: David Jarrold

Risk: Antony Berou

Compliance: Tom Boulderstone

Security: Mark Ampleford

Legal: Jane Fry

Interim: Andrew Whyte

To discuss our international services, please contact:

Europe/Middle East: Daniel Close

Asia Pacific: Russell Bunker

North America: Gareth Carpenter
