Updated: 2016 will be a very good year for cyber-security professionals

There's gold in them cyber ills

2016 will be a good year for workers in the UK, according to the latest labour survey from Manpower Group, but cyber-security specialists will be laughing louder than most on the way to the bank.

Based on a survey of 2102 UK employers, Manpower concluded that the adjusted Net Employment Outlook has jumped two percentage points to +7 percent as companies plan to hire more staff in the New Year.

High tech industries like cyber-security are doing especially well, Manpower said. “Recent high profile data breaches such as those at TalkTalk and Sony have created a surge in demand for cyber-security experts,” the company said, noting it had seen a four-fold increase in demand for IT security specialists.

A shortage of skilled workers is driving salaries to dizzying heights. Some cyber-security specialists can charge £3000 a day while in rarer cases the figures can be as high as £10,000 per day, claimed Manpower UK managing director Mark Cahill.

However, one cyber-security company executive cautioned against rushing into the boss's office to demand a rise. Simon Crosby, CTO and co-founder of Bromium, said these types of fees are paid to consultancy firms, not individuals, for short-term contracts -- “$500 per hour for the guy but he gets $120K per year”.

But there's little doubt that rates are high. A quick search on jobs site Indeed.co.uk found 101 jobs in cyber-security, 58 percent of which offered salaries in excess of £50,000 per year.

The explosion in rates of pay is down to classic supply and demand. “There are millions of cyber-attacks every day with a total cost to the global economy of up to $575 billion a year,” Cahill said. “The shortage of people with the required skills means salaries for this new breed of specialists are vast – Christmas really has come early for this in-demand group.”

With the government pledging to increase spending on cyber-security and companies under pressure from customers and investors to avoid more breaches, professionals with the right qualifications and experience are well positioned to ride a wave of investment. “Companies are having to invest heavily to protect themselves and they now believe that cyber breaches are inevitable, with their focus moving to responding to attacks rather than just prevention,” Cahill said.

Simon Crosby, CTO and co-founder at Bromium, said, “There is a huge need for skilled cyber-professionals, who have to meticulously analyse and mitigate the vulnerabilities in complex enterprise IT systems. They are paid well but it's one of those jobs which, if done poorly, has very limited career prospects; and when done well, enables the CEO and Board to sleep at night.”

Matthew Anderson, director EMEA at the SANS Institute, said: “It comes as no surprise that organisations are having to pay increasingly high salaries for security professionals. Although the top-end pay scales quoted in the report are rare, salaries will remain relatively high as the demand for well-trained security staff significantly outstrips supply. Organisations need to look at their graduate recruitment programmes and consider employing individuals with the right aptitude for a career in security. Those new recruits can then be trained and put to work relatively quickly. Many recent graduates of SANS Cyber Academy had no experience in the field prior to training and now find themselves with multiple job offers. Rather than competing over a small pool of experienced professionals, employers can build teams from within by implementing better selection and training processes.”

Steve Armstrong, certified instructor at the SANS Institute, said, “The problem with these types of surveys is that it results in allegations of security professionals and more likely recruitment staff that take a hefty percentage of the fees. Additionally, we see people rushing to the market with minimal experience, poor skills and limited analytical ability. The organisations that employ those that follow the money get a false sense of security as not everything that is expensive is actually the best.”

Paco Hope, principal security evangelist at Cigital, commented: “In the grand scheme of things, application security is a classic ‘pay me now or pay me later’ scenario. Businesses who saw themselves through lean times by cutting back on information security may find interest coming due today in the form of technical debt. Because they need security now and need it fast, it is more expensive than if they had invested in information security talent gradually over the long term. The good news is that there is a huge push in the industry, with examples like the Building Security In Maturity Model (BSIMM), to write down, share, and make software security scalable. Cloud-based offerings, managed services, and other technologies will help absorb the increased demand. The financial pinch is surely temporary while the information security industry creates scalable mechanisms both for securing software and training up the people who will secure it.”
