Corporate Governance Recruitment Mid Year Market Report 2012 Information Security

Corporate Governance Recruitment Mid Year Market Report ......ExECUTIvE 01 SUMMARY Welcome to Barclay SimpSon’S 2012 mid year information Security market report This is the 8th year


BARCLAY SIMPSON MID YEAR MARKET REPORT 2012: INFORMATION SECURITY

CONTENTS

01 Executive Summary / 1
02 Market Analysis / 2
03 Market Commentary / 4
04 Sector Analysis / 5
05 Outlook / 8
06 Salary Guide / 9
07 Methodology / 17
08 About Barclay Simpson / 18

Offices: London, Edinburgh, New York, Dubai, Hong Kong, Singapore

Disciplines: Internal Audit, Risk, Compliance, Information Security, Business Continuity, Legal, Treasury

01 EXECUTIVE SUMMARY

Welcome to Barclay Simpson's 2012 Mid Year Information Security Market Report

This is the 8th year we have produced a market report summarising and analysing recruitment trends in information security. This mid year report serves to review developments in the year to date and to provide an insight into how the recruitment market for information security practitioners may develop during the remainder of 2012 and beyond. We place great value on professional reaction to our reports and would appreciate your comments or any requests for further clarification or information.

An overview of the corporate governance recruitment market and an in-depth analysis of economic and business trends can be found in our Corporate Governance Market Report. It can be accessed in section 8, 'About Barclay Simpson', together with market reports covering all other areas of corporate governance.

Offers of employment were regularly made and accepted

Six months ago we reported that information security was the best performing sector of corporate governance. Companies were clearly investing in information security and demand was in the process of expanding away from the financial services sector. However, we were aware of the deterioration in sentiment and in our opinion avoiding a major crisis and 'muddling through' with anaemic growth in 2012 was the best we could hope for.

If those conditions were met we believed it would allow the information security market to remain strong with offers of employment readily made and accepted.

Recruitment is a form of investment

Our hopes were not met. In April it was announced that two quarters of negative economic growth had left the UK economy technically in recession. Whilst 'muddling through' may be the best way to describe the affairs of the Eurozone, any end to the Eurozone crisis appears as distant as ever. Recruitment is a form of investment and investment is based on confidence. When companies and individuals are confident they invest and recruit; when they are not they are more likely to sit on their hands and wait for developments.

Threat of redundancy no greater than usual

Within this environment the information security market continues to function. The number of information security practitioners employed in the economy remains stable, companies are still recruiting albeit at lower levels and the careers of information security practitioners are advancing. Notwithstanding the lack of opportunities available there is no evidence that the threat of redundancy is any greater than usual. However, given the current level of uncertainty it is difficult to perceive an immediate return to anything like historic economic growth and recruitment patterns.

For many information security practitioners securing a new position is a frustrating process.

02 MARKET ANALYSIS

INFORMATION SECURITY EMPLOYMENT HOLDING UP

We reported at the start of 2012 that as a result of a number of high profile cyber attacks and data leakages, information security had moved up the political and commercial agenda. We believed that in a problematic recruitment market information security was holding up better than other areas of corporate governance. In our view there was no doubt that both government and corporate executive management were continuing to take information security recruitment seriously and that no one wanted to be embarrassed by failures.

Regardless, and no doubt to the benefit of the profession, failures somehow continue to happen. The recent debacle concerning continuity of service at Royal Bank of Scotland is just the latest example. The overall cost of the failure, if and when it is ever calculated, would with the benefit of hindsight certainly dwarf the cost of having put the appropriate controls and contingencies in place. Hindsight is a wonderful thing.

Given this it may be disappointing to note that the surge in recruitment that was apparent during 2010 and 2011 is now over. Whilst employment in information security is holding up it is clear that companies are currently no more likely to recruit information security practitioners than in other areas of corporate governance.

VACANCIES

Fewer but more broadly based vacancies

The number of vacancies marginally declined in the first half of 2012 from 48 to 44. Whilst the number is lower it is encouraging that the source of vacancies is more broadly based than it has ever been. Vacancies in the end user market are no longer concentrated in financial services. The sources of vacancies have broadened out to include all areas of commerce. The consultancy and SI markets are also providing an appropriate number of new opportunities. There have been declines in the contract market and government related consultancy. Vacancies continue to be primarily mid level and demand has continued for experienced penetration testers. Demand is also elevated for data privacy specialists and data protection specialists as regulatory changes in this area result in more demand from the financial sector.

Given that the actual number of vacancies is not significantly lower when compared to 2011, it is disappointing that they are not resulting in the volume of accepted offers we would normally expect. Clearly recruitment budgets exist but managers are not being encouraged or sanctioned to spend them. However, sentiment towards recruitment continues to be positive and many managers are optimistic that their budgets will not only remain in place for the remainder of the year but they will also be given the opportunity to spend them.

[Chart: new vacancies and outstanding vacancies]

The source of the statistics and explanation of the terms used can be found in section 07, 'Methodology'.

CANDIDATE REGISTRATIONS

Information security practitioners feel safe

Candidate registrations have increased and were not driven by defensive registrations. This is surprising given the level of uncertainty, when people usually prefer the security of their existing employment relationship. However, information security recruitment has historically been sensitive to corporate investment as new technology and systems require additional resources. This creates opportunities for career advancement. Clearly investment is currently being deferred and this has limited the potential career advancement open to information security practitioners.

Given there are few redundancies in information security and most practitioners feel safe in their careers, there is perhaps no reason for them not to enter the recruitment market. Registrations have been biased towards more senior practitioners. Those with less experience are perhaps not feeling as confident in the marketability of their experience and qualifications. Registrations have also been buoyed by candidates from the Eurozone, particularly Portugal, Spain, Italy and Greece. Many are disadvantaged by not having good enough English to work in a professional capacity.

Redundancies are currently low. Defensive registrations are primarily coming from the public sector or consultancies to the public sector, or from those who work in a few specialist areas where their skills have become less relevant.

RATE OF PLACEMENTS

Rate still falling

To provide a better insight into the dynamics of the information security recruitment market, we are now producing a graph that plots the rate at which placements are made during the three year period under review. In order to provide a scale, we have taken our results from the first six months of 2010 as our 100% benchmark. The graph demonstrates the willingness of companies to recruit during the period, rather than simply registering vacancies and arranging interviews. It reflects the rate at which candidates are being offered and are accepting jobs.

As in other areas of corporate governance, in spite of the number of vacancies only marginally falling, accepted offers fell from 71% to 61%. Vacancies and interviews are not translating into accepted offers in the way we would usually expect. The reasons are that companies are falling back on internal candidates and that existing employers are making counter offers. The explanation is perhaps twofold. Firstly, in the current market it is only the best candidates who are receiving offers and these are the people companies usually want to retain. Secondly, managers are most likely concerned that if they lose a team member they may not be able to automatically recruit an external replacement.

[Chart: placement rate (%), candidates registering (%), defensive registrations (%)]

03 MARKET COMMENTARY

CONTEXT

We believe that the weakness in the information security market, where companies are unwilling to commit to external recruitment, is primarily the result of eurozone inspired uncertainty. There is no recent record of the economy flatlining in the way it is. In this environment companies simply wish to maintain their productive potential and minimise costs and investment until the economy improves.

How would we summarise the current recruitment market?

• Firstly, few companies have formally announced recruitment or headcount freezes. However, many, in spite of conducting external recruitment campaigns, ultimately decide to recruit internally. Companies are putting immediate cost considerations ahead of recruiting the most appropriately qualified information security practitioners.

• Secondly, companies are not making redundancies. The percentage of candidates entering the recruitment market because they feel their job security is threatened is within historic norms. Outside of the information security contract market there is no significant pool of immediately available candidates.

• Thirdly, there is a higher proportion of information security vacancies with smaller and medium sized companies, who do not have the skill base to recruit internally.

• Fourthly, companies will usually only commit to recruiting an external candidate provided the candidate is not only of a high calibre but also closely matches their criteria.

• Finally, the most sought after information security practitioners remain difficult to source. Not unreasonably they are coveted by their existing employers and when offered an alternative position are far more likely to be counter offered.

No longer simply about experience

The market is no longer simply about qualifications and experience but also about commercial and interpersonal skills, or what are popularly known as business facing skills. Security practitioners increasingly need to communicate with management and understand the commercial implications of what they are doing. Because of this, as standards rise, almost regardless of market conditions, there is a shortage of the appropriately skilled information security practitioners that companies require.

Intention but not confidence to recruit

Currently there is the intention but frequently not the confidence to recruit externally. There is however significant latent demand. In our view it would only take a modest upturn in confidence for a return to more usual market conditions. In fact, as we have previously observed, any suspension in recruitment activity ultimately leads to a bounce when the pent up demand to recruit is released.

04 SECTOR ANALYSIS

END USERS

Demand less reliant on financial services

We reported at the start of the year that demand from end users was becoming less reliant on banking and financial services and more reliant on the rest of the commercial sector. We believe this is a positive development. Political and commercial developments have provided information security with a business critical status and this has extended the career development opportunities open to information security practitioners. End users are currently more likely to sanction information security recruitment than at any time in the past and we are encouraged by the number of smaller companies that are still looking to recruit.

Number of vacancies has declined

In spite of this, the number of vacancies from end users declined during the course of 2011. This trend has continued into 2012 with companies seemingly remaining at full strength and having no need to recruit externally. One exception has been at CISO level, where recently there has been substantial recruitment activity. There does not appear to be any specific reason for this.

Given the shift in demand away from financial services it is now more appropriate for us to provide a brief review of the individual sectors where information security practitioners are likely to be in demand.

Financial services

The financial services industry and particularly the banks undertook substantial information security recruitment during the course of 2010 and 2011. Many departments were established and existing teams built up in response to regulatory pressures as a result of the financial crisis. By the end of 2011 this demand had dissipated and in the year to date there has been little external recruitment. Many of the larger groups, as in other areas of corporate governance, are relying on internal resources. The financial services industry remains under great pressure to cut costs. In spite of a number of groups indicating that they intend to recruit later in 2012, without a catalyst such as a resolution to the eurozone crisis, active recruitment is likely to remain subdued.

Oil and gas

The energy sector is currently a growth area for information security. Security incidents have increased and there is concern about data loss and the damage it could do. There is heightened awareness at executive level that information security needs to be adequately addressed. One immediate area of concern that is not exclusive to the industry is the use of mobile devices such as tablet computers and smartphones, particularly when they are connected to corporate networks. Mobile and network security is currently an area that end users are prepared to invest in.

Telecoms

Consolidation in the telecoms industry has effected change in the information security departments within the sector. Whilst consolidation is inherently destabilising, whatever rationalisation may occur in the longer term, in the short term it has boosted the number of information security practitioners employed.

The information security departments of most telecom groups are based outside of London and locally, within the regions, they do not have large pools of potential candidates to select from. However, demand from the telecoms industry has resulted in more regional demand for information security practitioners than usual. As these groups seek to protect their commercial and intellectual property assets, they have expanded their information security capabilities by recruiting good quality, corporately experienced information security and IT risk managers. The expansion of these departments has helped provide regional opportunities that had disappeared as a result of consolidation within the financial services industry.

Smaller companies

Smaller companies are still coming to the market to appoint their first information security specialist. These companies are highlighting PCI-DSS as a major concern and wish to prevent data leakages and subsequent reputational damage. Demand is still coming from a range of sectors including media, travel, leisure and retail.

CONSULTANCIES AND SYSTEM INTEGRATORS

Recruitment market has only recently slowed

In the first half of 2012 the larger global consultancies and system integrators (SIs) undertook substantial recruitment, with many having multiple vacancies within their growing security professional services practices. A number of boutique consultancies also recruited incrementally, adding to overall demand. There were also vacancies within Security Operations Centres (SOCs), the majority of which were at security analyst and senior analyst level but also included some team leader and management positions.

New technology experience highly marketable

Demand continued to be driven by mid to senior level consultants. More senior roles require people management skills together with business development and bid response capabilities. The skill sets in demand have been broad and range from security architecture through to risk management and security policy. In some instances niche skill sets have been sought, including experience of specific emerging vendor solutions. As relatively new technologies there are few candidates with the necessary experience. It would potentially be a worthwhile investment for security specialists with an interest in these areas to invest time in familiarising themselves with the latest security products. As in other areas of security, consultants are expected not only to have technical skills but also to be business savvy and have good client facing skills.

Lower government demand

Demand for government security consultants from the consultancy and SI sector is now lower. Identity Management continues to be in demand, primarily from the multinational consultancies including the Big 4. PCI-DSS, which has become business as usual, is still a sought after skill set; however, these consultancies are usually seeking PCI-DSS as part of a broader skill set rather than as pure specialists. Penetration testers are still in demand but there has been less movement, which is most likely due to the staff retention strategies deployed by many consultancies in the sector.

Vacancies are being withdrawn

Recently the recruitment market has slowed. Recruitment processes have become more protracted with longer time frames between application, interview and offer stage. It is currently not unusual for vacancies to be withdrawn and, as in most other areas, for internal candidates to be selected during the final stages of the recruitment process. The caution that is affecting other areas of the information security and wider corporate governance recruitment market is now affecting the sector.

BUSINESS CONTINUITY

Now a mature market

After strong demand for business continuity expertise during the course of 2011 it became evident by the end of the year that demand was easing and that there were fewer vacancies.

This trend continued into 2012 with business continuity budgets seemingly squeezed in the early months of the year. Encouragingly, during the second quarter, a number of vacancies emerged which provided the market with a welcome boost.

Less reliant on financial services

The financial services sector, which has historically provided the bulk of vacancies in business continuity, is currently less dominant. Vacancies in the sector have been for more junior positions and have come from larger groups. To counter this, and following a trend established last year, there are an encouraging number of newly created roles from sectors outside of financial services. These are frequently at start up management or senior management level and should ultimately lead to further recruitment.

Consultancies less active

Established business continuity consulting practices are currently less active in the recruitment market compared with 2011. However, there are pockets of growth, particularly from newly established business continuity consulting practices. These will no doubt promote competition in the consulting sector and create demand for those business continuity practitioners with good consulting experience.

No increase in redundancies

For most vacancies in business continuity candidate availability remains good. Whilst there are currently fewer candidate registrations, the number of vacancies is down on last year. There is little evidence that economic uncertainty is leading to any increase in the number of redundancies, which remain well within historic norms and below the levels reached in both 2010 and 2011. However, there is clearly sufficient uncertainty for some potential candidates to prefer the security of their existing employment relationship.

The Olympics have certainly raised awareness of business continuity management and businesses that are likely to be affected should have prepared plans to deal with the potential disruption.

Steady demand anticipated

Business continuity is now a mature recruitment market. Like others it is currently suffering from subdued demand as companies look to minimise their costs and curtail external recruitment where necessary. Notwithstanding any further adverse economic developments, we anticipate steady demand for the remainder of the year and for demand to increase should economic uncertainty improve.

CONTRACT MARKET

Companies under pressure to reduce contractor count

In our previous market report we concluded that given the uncertain economic outlook it was difficult to predict the direction the contract market would take in 2012. We assumed that there would most likely be a significant improvement or contraction in demand. In reality demand has remained broadly flat. Companies are releasing vacancies as there is clearly a need to secure additional resources. However, given the uncertainty surrounding the economy it is taking longer to get approval. Turnaround times which would usually be a week are often now extending to a month. In some cases this is leading to the preferred candidate accepting an alternative position.

Contractors favoured for their flexibility

Companies are under pressure to reduce their contractor count. Contractors are favoured for their flexibility but, in cost conscious times, they are frequently deemed too expensive. However, this pressure is being exerted irrespective of the need to complete necessary information security projects. A rather perverse response has been for consultancies to be employed on projects that contractors would otherwise have been employed to complete. This rarely provides the cost savings that prompted the action. It does however reclassify the cost away from spending on contractors to consultancies. Faced with increased demand, the consultancies have been taking on contractors to deliver end user work that they would otherwise have done directly.

Shift in demand underway

Demand for contractors in areas where demand has traditionally been strong, such as financial services and the public sector, is in decline. There is a shift underway, with oil and gas, telecommunications and the utility sectors, together with system integrators and consulting, now forming the majority of the opportunities in the contract market.

Traditionally the demand for information security contractors rises in the second half of the year. We anticipate this trend to stay in place but anticipate that, given the ongoing uncertainty in the economy, recruitment processes will be extended and final approval will need to be sanctioned at higher levels of authority.

Main skills in demand

The main skills currently in demand are within application security, penetration testing and role based access control. It is still difficult to find good application security specialists and penetration testers as the majority are on long term contracts or have rolling contracts with a variety of clients they have built relationships with. Banks have recently been focusing more on user access control rights. This has led to more contractors being recruited to manage projects to ensure users have appropriate privileges.

There are currently a higher number of contractors out of work or who have recently had their contracts terminated. This is reducing rates for generalist information security contractors.

2012 also saw the first year that we released a dedicated survey of information security contractors (www.barclaysimpson.com/info-security-contractor-survey2012). The survey showed that the majority of contractors are still working within London and the South of England but there had been a shift from the traditional areas of employment.

05 OUTLOOK FOR 2012

We, along with most others, were happy when the cracks in the finances of the eurozone were papered over in 2009. It was convenient to believe that structural adjustments and economic growth would take care of the debts.

TOUGH POLITICAL CHOICES NEED TO BE MADE

However, government debts are excessive not simply because they have borrowed too much, but because they are underwriting the debts of their domestic banks. These same banks have been supporting their governments by buying their debt. The banking crisis will not be over until the sovereign debt crisis is resolved, and vice versa. Tough political choices need to be made whilst economies continue to fester under too much debt and too little growth. Unfortunately we see no immediate end in sight.

SLOWDOWN IS GLOBAL

For those who believe that the 'grass may be greener' elsewhere, readers may be interested to learn that the vast majority of information security practitioners are employed by companies who make their recruitment decisions on a global basis. If a multinational commercial or financial services group is not recruiting information security practitioners in the UK, then our perspective allows us to be pretty sure they are not doing so anywhere in the world. Currently information security recruitment markets are consistent throughout the developed world. Caution prevails.

Whilst Chief Information Security Officers are frustrated because they are unable to recruit the staff they want and information security practitioners are frustrated by the lack of opportunity, unless the economic situation deteriorates further, the vast majority remain in secure employment.

SIGNIFICANT LATENT DEMAND EXISTS

Our view has not changed in the last six months. We perceive there is significant latent demand for information security expertise. The economy does not need to return to even historic growth rates for this demand to be released. What it does need is a resolution to a problem that for almost a year now has regularly prompted market participants to believe the eurozone is teetering on the edge of a break up.

06 SALARY GUIDE

In this mid-year report we are including a Salary Guide. This Guide is designed to provide information security professionals with advice and guidance on the salaries and the overall remuneration packages currently available to them.

Most information security professionals, even if they are not looking to change employer, are keen to know their market worth. Given the huge diversity of information security professionals this is not easy to address. Further, whilst CVs and experience get interviews, it is character and personality that get offers of employment and a tangible measure of market worth. Equally, the way the market rewards information security professionals is not perfect. Every company, like every information security professional, is different. Two otherwise similar information security professionals may enter the recruitment market and ultimately accept materially different salaries. Any offer of employment is usually evaluated against a number of both objective and subjective parameters. Salary is only one parameter, albeit usually the most important one. Further, for many information security professionals the number of potential opportunities open to them can be frustratingly limited. This may be a consequence of their level of experience or by reason of where they are prepared to work.

We provide these caveats and fight shy of calling this section a 'Survey' because we are aware that the information security recruitment market is sufficiently diverse, and every acceptance of a new position sufficiently unique, that it defies simple categorisation. Given that, information security professionals and their employers without doubt want 'guidance', and this is what this section attempts to provide.

This guide is split into three sections:

• The first section is a review of the pressures and influences on salary levels within information security.

• The second discusses salaries within the context of the wider remuneration packages that are usually available to information security professionals.

• Finally, we provide guidance on what we believe to be the most likely salary ranges available to a cross section of information security professionals with specific qualifications and experience followed by a more generic guide.

Influences

The best that can be said about the UK economy is that it is low growth. Whilst unemployment is seemingly falling, a rise is most likely being kept in check only because weakness in the economy is putting a severe squeeze on pay. Real earnings, along with living standards, are falling. There is little to feel good about.

If recruitment is a form of investment, which we believe it is, then from our perspective companies are not investing. It is apparent that companies are routinely looking to recruit internally rather than invest externally in what is likely to be the best option. Whatever the demand for information security professionals, it is against a backdrop of employers pushing costs down and postponing investment where possible.

You will have read earlier in this report that there is significant latent demand for information security professionals. Also, amongst end users, demand is widening out from its traditional base in financial services. However, where information security professionals are being recruited, employers are invariably seeking a precise skills match.

SALARY GUIDE 06


Offers rejected as deemed too low

To provide some insight into the market, we have compared the percentage of offers that were rejected as being too low in 2011 with the percentage in 2012.

The rise from 31% in 2011 to 42% in 2012 masks a number of factors. Firstly, the data comes from a diverse market. The number of end-user offers rejected as being too low is only 26%, indicating that most end users are prepared to make realistic offers. This is perhaps logical given that offers are only likely to be made to those candidates who meet all their requirements. There is an onus on companies to make offers that will ultimately be accepted.

The overall 42% rejection rate is primarily due to the consulting sector. Here, some candidates can set unrealistically high salary expectations during the recruitment process. However, many consultancies, particularly in the current market, expect prospective recruits to be attracted by their brand and the career opportunities they can offer. They frequently make offers that are no better than, and sometimes even below, what the prospective recruit is currently earning. There is also a culture of counter-offering in the sector, so that a once keen potential recruit accepts an increased package to stay at their current employer.

Motivation for entering the recruitment market

It is interesting to review the motivation of information security practitioners entering the recruitment market during the course of the last 6 months against a similar period 5 years ago.

The analysis is broken down between those who are primarily motivated to increase their salary, those who feel they have no choice because of a real or apparent threat to their job security, and the majority who are simply seeking career progression.

At 14%, defensive registrations are close to their long term average and half what they were in the recession in 2009. Despite perceptions otherwise, companies are retaining staff and, as in other corporate governance arenas, there is no large pool of redundant information security staff.

The still relatively high percentage of candidates registering for salary purposes in 2012 is due to information security practitioners, particularly those with niche skills, within the consulting sector, where salary tends to be as important as career development. This differs from in-house practitioners, who are overwhelmingly likely to enter the recruitment market for career development reasons. This is particularly the case for those working in smaller IS departments.

Notwithstanding that the primary motive for the majority of candidates entering the recruitment market is career development, most information security professionals, as a by-product of changing employer, also seek an increase in salary.

Increase in base salaries

We have updated the chart of the average salary increase achieved by information security practitioners changing jobs.

[Charts: Motivation for entering the recruitment market 2007 (%); Motivation for entering the recruitment market 2012 (%); Offers rejected as too low (%); Increase in base salary (%)]


In our market report we noted that overall salary increases averaged 9% in the second half of 2011 against 13% in the first half. It has, however, moved back up to 11%, which is encouraging. It is indicative that there is not a pool of information security practitioners in the recruitment market willing to accept whatever salary is offered. As the vast majority are in secure employment, they not surprisingly do wish to be adequately compensated for moving. Although many offers have been made at similar salaries to what candidates are currently receiving, a high proportion of these offers are being declined.

Distribution of salary increases

Averages usually hide a wide cross section of results, and it is no different in the case of the salary increases achieved by information security professionals changing jobs. During the course of the last year the distribution around the 11% average is described in the chart below.

The breakdown reveals a wide distribution of increases. In fact, 23% of information security professionals moved for increases of less than 5%.

From a salary perspective the current recruitment environment can be summarised as follows. The number of companies actively recruiting is lower than usual, and many ultimately recruit internally. However, those that do need to recruit externally will only do so if information security professionals closely meet their requirements. Notwithstanding the recessionary/low growth influences buffeting the economy, the supply of candidates, and particularly those with the skills and experience companies wish to recruit, is restricted. To recruit information security professionals with the necessary skills, companies need to make realistic offers that include increases not significantly less than historic norms.

Salary vs remuneration

Whilst base salaries always catch the headlines, offers of employment invariably include other benefits which, together with base salary, go to form overall remuneration. Base salary and overall remuneration can be significantly different. In this section we will go through the other benefits that usually are, or may be, included in offers of employment.

Holiday entitlement

As a general rule holiday entitlements are more generous in the public sector. In the private sector the range is between 20 and 30 days. The number of days holiday granted is frequently related to the level of seniority and can also be linked to the number of years service. If the latter is the case then the initial holiday entitlement is likely to be lower than it might otherwise be. As a strategy it represents a good way of rewarding loyalty and retaining staff but a poor way of attracting staff.

At a senior level we would consider 23-24 days holiday to be usual and for 90% of offers to fall into a 22 to 26 day range. We would be sympathetic to an information security practitioner objecting to a 21 day holiday entitlement and be very pleased to be party to an offer of 27 days or over. At Head of Information Security level two extra days can be added.

An increasingly popular benefit is to provide employees with the opportunity to buy additional holidays. This is usually up to 5 days, and they are purchased through salary sacrifice.

[Chart: Distribution of salary increases (%)]


Bonuses

The majority of companies offer some form of bonus. However, bonuses, whilst potentially a good way of retaining and motivating staff, are almost invariably an inefficient way of attracting them.

Bonuses are usually non contractual, often discretionary and may be paid on the basis of corporate or personal performance or a combination of the two. There is often a qualifying period. The difficulty with bonuses is that whilst an information security practitioner entering the recruitment market, having benefited from a bonus, will add it to their base salary, they are more inclined to discount bonuses from potential employers. This goes some way to explaining what can otherwise be relatively high increases in the base salaries achieved by information security practitioners moving between employers.

Given that potential recruits are likely to apply some form of discounting to whatever prospective bonus is offered, it would be ultimately cheaper to simply roll the bonus into the base salary.

Bonuses vary considerably, and as it stands a typical offer made to an information security practitioner will contain a non-contractual offer of a bonus. Given the difficulties that they tend to engender, bonuses are now more likely to begin accruing from the time that employment starts rather than from the start of an annual qualifying period.

We would expect at a senior level any prospective bonus to be in the range of 5-10%, and perhaps double that at Head of Information Security level. Anything less would be considered derisory and anything significantly above would be considered generous.

Pensions

For new recruits, final salary pensions no longer exist in the private sector. For those who still benefit from them, they have become increasingly valuable, and the cost of giving them up to join a new employer is often too high to consider.

It would be unusual for a company not to offer some form of pension benefit. Pension schemes in the private sector are invariably money purchase, where the company commits to making a contribution based on a percentage of salary. Whilst there is often a short qualifying period before contributions commence, a period in excess of six months would be considered unusual.

Most arrangements require the employer to make a contribution based on a fixed percentage of base salary. The employee may or may not be required to match it. Frequently employers will be prepared to match additional contributions made by the employee up to a fixed percentage. The percentage may increase with the age of the employee, their years of service and their level of seniority.

At a senior level we would consider an employer contribution of 3%, matched to an additional 5% employee contribution, typical. This leaves the employer contributing 8% out of an overall 13% pension contribution. Generally, larger, more established companies have more generous pension arrangements.

Cars / Car allowances

Cars or car allowances have become a less common benefit at a senior level, and their popularity with both employers and employees is declining. They can still be expected where a role requires significant travel and at Head of Information Security level. A car allowance is frequently offered in lieu of a car and is often treated as non-pensionable salary when evaluating overall remuneration.

Other benefits

The most valuable of these is Critical Illness Cover, which is expensive to provide and is usually restricted to senior roles. However, private health insurance is common and may be extended to all immediate family members. Life assurance, usually linked to a pension scheme, is normal, as is payment of at least one professional subscription. Other benefits may include season ticket loans in London, gym membership, subsidised dental care, personal and accident insurance and staff discounts. These are generally low value benefits.

Flexible benefits

This refers to schemes where employees are offered limited core benefits but receive an additional amount, usually a percentage of their base salary. They can either take this addition as salary or use it to buy from a menu of additional benefits. These schemes became popular 10 years ago but have not been universally adopted.

Flexible working

This term refers to the opportunity to vary hours of work. Whilst potentially popular, it is not a common benefit. Most offers of employment in the private sector will list core hours and an employment base, which is usually not formally negotiable. However, once employment starts, many companies are prepared to be more flexible on, say, start and finish times and are ultimately more concerned with output than with simple attendance.


Salary Guidance

The figures below are what we believe to be the most likely salary ranges available to a cross section of information security practitioners. We also provide a more generic end user guide. This is split between banking, non-banking financial services and commercial end users, the latter divided between larger FTSE 100 or equivalent groups and smaller FTSE 250 or equivalent groups. We then go on to provide a generic guide for those in consultancies and SIs. This is split into Big 4, SIs, large consultancies and boutique consultancies.

The salary ranges quoted are for good rather than exceptional individuals and take no account of other benefits in addition to the salary that usually accrues to information security professionals such as bonuses, profit sharing arrangements or pension benefits.

Salary chart: Selected profiles (London / Rest of UK)

PCI QSA
Practicing QSA working with external clients and managing their entire PCI compliance programme.
London: £65 – £75,000; Rest of UK: £55 – £65,000

Security and Compliance Manager
Security Manager responsible for the business meeting compliance standards such as ISO27001 and PCI.
London: £55 – £65,000; Rest of UK: £50 – £60,000

Security Presales Engineer
Security Presales Engineer within a security vendor. Technology focus on network security.
London: £65 – £80,000; Rest of UK: £55 – £70,000

Information Security Manager
Information security background in a small financial services company. 3 years management experience. No permanent reports. Will utilise consulting firms and contractors on an ad-hoc basis.
London: £74 – £81,000; Rest of UK: £63 – £69,000

Head of Information Security
Managing a team of 8 security professionals in a financial services company, assisted by 2 more junior managers. 10 years management experience and 17 years information security experience.
London: £118 – £132,000; Rest of UK: £90 – £98,000

Senior Data Protection Analyst
Team member in a small DP department for a large mobile telecommunications group. Proven experience in a similar role and ISEB qualified.
London: £43 – £50,000; Rest of UK: £38 – £45,000

Network Security Team Leader
Working in a FTSE 100 group leading a team of 6-8 network security specialists, reporting directly to the Head of Information Security. 10 years experience.
London: £82 – £87,000; Rest of UK: £70 – £76,000

Head of Business Continuity
Major financial services group, with a large team to manage/supervise. Established career history within BCM required.
London: £108 – £116,000; Rest of UK: £90 – £98,000

Information Security Analyst
Generic information and IT security consulting and project delivery in a large retail financial services group. 4 years experience.
London: £42 – £48,000; Rest of UK: £36 – £45,000


Salary chart: Selected profiles, continued (London / Rest of UK)

Senior Business Continuity Consultant
Working for a large consultancy firm, delivering and managing consulting engagements and in some cases managing junior staff. Some sales and business development responsibility.
London: £63 – £69,000; Rest of UK: £56 – £62,000

SIEM Consultant
Technical specialist with strong skills in a leading SIEM solution such as ArcSight or RSA enVision. Design, implementation and integration experience. Client facing consultative role.
London: £55 – £65,000; Rest of UK: £52 – £62,000

EMEA Manager of Data Protection
Medium to large insurance group. No direct reports. EU Data Privacy legislation experience.
London: £75 – £85,000; Rest of UK: £65 – £71,000

Identity & Access Management Consultant
Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
London: £63 – £70,000; Rest of UK: £57 – £65,000

CLAS Consultant
Senior level in a security practice of a large consultancy or SI. Skills in security architecture, security policy formulation and review, and risk assessment. Also undertakes business development activities.
London: £65 – £74,000; Rest of UK: £60 – £67,000

Senior Security Consultant
Working for an SI, undertaking security consultancy and delivering on security projects for a large-scale client. Senior person also involved in bid / proposal work and mentoring team members.
London: £66 – £75,000; Rest of UK: £59 – £68,000

CHECK Team Leader
Working in a penetration testing practice within a consultancy. Responsibility for some client management and mentoring less experienced penetration testers.
London: £69 – £79,000; Rest of UK: £67 – £73,000

Salary chart: Contract information security positions (London / Rest of UK)

Information Security Consultant
Providing information security advice across the business, ranging from policy review and development to information risk reviews. Holds CISSP or CISM.
London: £450 – £550 per day; Rest of UK: £400 – £500 per day

Technology Risk Consultant
Good technical understanding with the ability to identify, assess, manage and report risk. Working with different projects within the organisation on varying technologies.
London: £500 – £600 per day; Rest of UK: £400 – £500 per day

Penetration Tester
SME in application security, code reviews and vulnerabilities, attacks and countermeasures, with a deep knowledge of hacking and penetration testing techniques, methodologies and tools across web application and infrastructure.
London: £450 – £600 per day; Rest of UK: £400 – £550 per day

Data Privacy Analyst
Experience of DPA 98 and EU Privacy Directive 95/46/EC, to provide specialist privacy knowledge and support.
London: £400 – £500 per day; Rest of UK: £350 – £450 per day


Salary chart 2012: End users

Columns: Banking; Non-banking FS; Commercial (FTSE 100 or equivalent); Commercial (FTSE 250 or smaller)

Info Security Analyst (2 yrs): £30 – £37,000; £30 – £35,000; £27 – £32,000; £25 – £28,000

Info Security Analyst (3 yrs): £37 – £45,000; £36 – £44,000; £33 – £39,000; £30 – £34,000

Info Security Analyst (4 yrs +): £45 – £55,000; £45 – £55,000; £41 – £48,000; £36 – £42,000

Info Security Manager (team under 5): £75 – £100,000; £73 – £95,000; £70 – £90,000; £68 – £90,000

Info Security Manager (team 5+): £90 – £125,000; £88 – £120,000; £85 – £110,000; £77 – £100,000

Head of Info Security (dept under 10): £118 – £140,000; £115 – £135,000; £100 – £126,000; £90 – £126,000

Head of Info Security (dept 10+): £160,000+; £140,000+; £150,000+; N/A

Business Continuity Analyst (2+): £37 – £46,000; £37 – £46,000; £36 – £42,000; £31 – £40,000

Business Continuity Manager (4+, no team): £45 – £80,000; £50 – £85,000; £50 – £75,000; £45 – £68,000

Data Protection Analyst (2+): £36 – £42,000; £36 – £42,000; £36 – £42,000; £35 – £40,000

Data Protection Manager (5+, no team): £55 – £90,000; £55 – £80,000; £55 – £85,000; £55 – £80,000


Salary chart 2012: Consultancies and SIs

Columns: Big 4; Systems integrator; Large consultancy; Boutique consultancy

Consultant: £32 – £46,000; £35 – £49,000; £35 – £49,000; £37 – £52,000

Senior Consultant: £43 – £52,000; £45 – £60,000; £45 – £60,000; £47 – £64,000

Manager (Principal Consultant): £56 – £70,000; £62 – £78,000; £62 – £78,000; £62 – £80,000

Senior Manager (Managing Consultant): £72 – £95,000; £70 – £87,000; £70 – £87,000; £70 – £90,000

Director (Practice Lead): £100 – £130,000; £90 – £110,000; £95 – £120,000; £95 – £120,000

Penetration Tester (under 4 years exp): £28 – £43,000; £30 – £48,000; £30 – £48,000; £32 – £50,000

CHECK Team Member: £40 – £50,000; £40 – £55,000; £40 – £60,000; £40 – £60,000

CHECK Team Leader: £58 – £90,000; £60 – £85,000; £60 – £85,000; £65 – £90,000


METHODOLOGY 07

As recruitment consultants we spend much of our time talking to and dealing with information security and human resources departments. We speak directly with a number of heads of department to discuss their current and future recruitment requirements to gain a broader picture as well as a qualitative perspective, which is invaluable for our market review. We also attempt to portray the market in terms of quantitative data based on a sample of 35 information security departments.

The core statistics provide the following key information:

Vacancies
• number of vacancies generated during the period
• number of vacancies at the end of the period
This, over time, provides guidance on the rate at which vacancies are being generated and an indication of the ease with which companies are filling these vacancies.

Registrations
• number of candidates registering in the period
This monitors the flow of candidates into the recruitment market and, combined with the number of vacancies generated, gives an insight into the balance of supply and demand.

Defensive registrations
• the proportion of candidates registering for defensive reasons
The percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy (i.e. who register for defensive reasons) can provide a useful insight into the behaviour of the recruitment market.

Rate of placements
• the rate at which placements are being made
This is based on the number of placements made during the period and is a good indication of the propensity of companies to actually recruit rather than simply register vacancies and conduct interviews. It is presented in relative rather than absolute terms, with 100% being the highest rate in the three year period under review.


ABOUT BARCLAY SIMPSON 08

Barclay Simpson is an international corporate governance recruitment consultancy specialising in internal audit, risk, compliance, information security, business continuity, legal and treasury appointments. Established in 1989, Barclay Simpson works with clients in all sectors throughout the UK, Europe, the Middle East, North America and Asia-Pacific from our offices in London, Edinburgh, New York, Dubai, Hong Kong and Singapore.

We add value by using our unique focus on corporate governance, our highly experienced specialist consultants and access to both the local and international pools of corporate governance talent. Our strength lies in our ability to understand client and candidate needs and then to use this insight to ensure our candidates are introduced to positions they want and our clients to the candidates they wish to recruit.

An overview of the corporate governance recruitment market and an in-depth analysis of the economic and business trends that are likely to shape the overall recruitment market can be found in our Corporate Governance Market Report. We also produce other specialist reports, each of which can be accessed for free on our website:

www.barclaysimpson.com/2012-mid-market-report-corporate-governance
www.barclaysimpson.com/2012-mid-market-report-internal-audit
www.barclaysimpson.com/2012-mid-market-report-compliance
www.barclaysimpson.com/2012-mid-market-report-risk
www.barclaysimpson.com/2012-mid-market-report-legal

Barclay Simpson
Bridewell Gate, 9 Bridewell Place
London EC4V 6AW
Tel: 44 (0)20 7936 2601
Email: [email protected]


If you would like to discuss any aspect of the reports please contact the following divisional heads:

Corporate Governance: Adrian Simpson, [email protected]
& IT Audit: Daniel Flynn, [email protected]
Sacha Hughes, [email protected]
Matt Brown, [email protected]
Security: Mark Ampleford, [email protected]
Jane Fry, [email protected]

To discuss our regional and international services please contact:

Scotland: Liam Hughes, [email protected]
Tim Sandwell, [email protected]
East: Matt Crocombe, [email protected]
Pacific: Russell Bunker, [email protected]

North America Daniel Close [email protected]
