There has never been a better time to work in the IT security business, primarily because the threats are growing ever bigger, with data breaches, nation-state hackers and ransomware. It is of little surprise that organisations of all sizes are in need of IT security professionals. But filling those roles is becoming more and more difficult for employers.
Our IT security salary survey has revealed that salaries for infosec professionals have risen over the last twelve months by around six percent. Karla Jobling, director at recruitment firm Beecher Madden, says that demand is increasing as more companies build cyber-teams to fight ever more data breaches and other security incidents.
“Demand is part of the reason for the increase in salaries but the other factor is a focus on the quality of candidates. Many companies who already have cyber-defence teams will now pay a premium, but only for the best people,” she says.
She adds that demand has increased over the last year and consulting firms are still growing and end-user companies are building out their teams. “Vendors are also still in growth mode and have a variety of opportunities available,” she adds.
Glyn Phillipson, head of cyber-security and payments technology at Nicoll Curtin, a global FinTech and Change recruitment agency, says that demand for cyber-security professionals has been constant over the last twelve months when many of his firm's clients were doing little to no hiring elsewhere.
“Q4 is normally a quiet time for hiring, but there was a constant demand until Christmas and even in the first few weeks of the year,” he says. Phillipson adds that he hasn't seen a noticeable change in salaries yet, but predicts that as his clients are more frequently competing for the same candidates, we will see “an increase in compensation and an increase in demand for contractors”.
He adds that over the last year, and judging by the amount of hires his firm's key clients made year on year, there has been a large increase in requirements and “interestingly a swing back to the UK from offshore locations”.
Martin Ewings, director of regional sales and specialist markets at IT recruitment firm Experis UK & Ireland, believes that demand is at “an all-time high”. He adds that recent research revealed that the most sought-after skills in this area are CISSP (Certified Information Systems Security Professional), SIEM (Security Information and Event Management), IDAM (Identity Access Management), ArcSight, penetration testers and biometrics.
“However, there is an increasing shortage of talent with these skills – just 103,000 people worldwide hold a CISSP, one of the main cyber-security certifications,” says Ewings.
Businesses are having a tough time filling IT security roles and thus, says Ewings, they are willing to pay more to bring in the right people with the right skill sets and experience. He points to research carried out by his firm that revealed that the average salary for permanent IT security professionals now stands at £58,003, up 7.95 percent on last year's figures. He says that IT security day rates are also on the rise – up 4.98 percent year-on-year (£443 on average), as many companies turn to short-term contractor support to help plug the gaps.
Phillipson says that there are more requirements for skilled individuals than there are people available. “Qualifications seem less important as, given the high demand, employers are having to be more flexible, but real life experience in cyber-security remains a ‘must’ for blue chip companies,” he adds.
Given the high demand and apparent lack of available talent, employers are having to show flexibility on years of experience, qualifications and industry exposure, according to Phillipson. He adds that “ideally, an employer will require a certain level of certification and education but compromises are being made.”
Darren Anstee, chief security technologist at Arbor Networks, says that while there is a shortage of security professionals and this will apply upward pressure on salaries, what must be taken into account here is that most organisations are not in the business of ‘security’ and “thus paying higher rates for expertise outside of whatever their core business happens to be is not something they really want to do”.
“Many organisations, if they can, will opt for managed security services rather than scaling up their own teams if this works for them from a cost / risk perspective,” he says.
Jobling says the shortage of trained people has been pushing up salaries but this “cannot increase forever”. Indeed, it has to tail off, but perhaps not just yet.
“What we saw towards the end of 2016, was an increase in the amount of candidates being offered sponsorship. Companies are going to start looking into different ways to attract the talent they require,” she says.
Qualifications and getting into the industry
The shortage may be pushing up salaries in the short term, but qualifications will be important, even at entry level, says Jobling.
“Having taken a qualification shows their dedication to this career path and these candidates are getting jobs ahead of candidates without qualifications. At a more senior level, experience is more important than qualifications, although we are seeing some companies make a CISSP mandatory,” she says.
But Ewings says that infosec isn't always about having the right qualifications.
“Talent can come in many forms, and it's important for businesses to look for individuals with the aptitude and enthusiasm to learn new skills, and then give them the relevant training and freedom to experiment with new technologies. This will help businesses to not only mitigate the risks today but also future-proof their organisations,” he says.
Anstee says that qualifications are important as they let hiring organisations know whether a candidate should have the right skills and background knowledge to fulfil a role.
“However, practical experience and the ability to apply book-learning to real world situations are even more important. Security never stays still so everyone must learn on the job, with the best people being able to keep up to date technically whilst applying that acquired knowledge to the business risks in the organisation(s) they work within,” he adds.
The infosec industry continues to attract young people into the fold. Jobling said that someone getting into cyber-security now, at school, university or post-grad level, could set themselves up for a great career. “Girls should also consider cyber-security as a career more than they do. The roles are varied, not just technical and the industry really does want to have some diversity,” she says.
Phillipson says that IT security is a rapidly growing and ever more important part of all business now. “For young people considering a career, IT Security will continue to provide interesting and well compensated opportunities,” he says.
Increasing professionalisation and new roles
While the debate continues over how important qualifications are to having a job in the IT security industry, Anstee says that qualifications aren't the be all and end all – “experience is still a bigger driving factor in salary expectation.”
Jobling thinks we are still at the beginning of an increasing professionalisation of the industry affecting wage demands.
“Companies are making cyber-security a priority and those companies that have established teams, are seeing value. As a result, they are looking for better qualified individuals with a proven track record. These people are being paid a premium. So, it is not an obvious correlation, but related to how security is evolving within organisations as well,” she says.
Jobling adds that over the last few years new specialisms have appeared, such as mobile and cloud security, due to technology evolving. “The same is true for security within the IoT. Roles such as cyber-awareness didn't really exist then either. It is a result of companies taking cyber-security seriously and understanding the need to educate their business.”
Continued career success
Staying up to date and having a specialism is key if you want to have continued career success in IT security, according to Jobling. She says that companies might want an IAM specialist and becoming an expert in one area will see you progress and earn more money. “However, if your long-term goal is to become a CISO or director, then variety is going to be important as you need to demonstrate your business acumen as well as technical understanding.”
Anstee says that infosec professionals need to be able to understand the risks that their organisation faces as well as applying people, process and technology to keep those risks at an acceptable level without putting (business) barriers in place.
“One key skill is the ability to absorb technical information and make it relevant to non-technical personnel, so that they understand the value of a control and don't simply see it as a barrier,” he says.
Brexit and infosec
A report by resourcing company BPS World has warned that one of the main challenges facing employers in the UK in 2017 will be the impact of Brexit on the ability to attract talent, particularly in the high-value digital, technical and engineering industries where recruiters are already struggling with severe skills shortages.
Simon Conington, founder of BPS World, says that 2017 is going to be a pivotal year for the UK economy as it appears to head out of the EU door.
“The decisions the government makes now on the implementation of Brexit will affect our ability to attract the talent we need to grow,” he says.
“The impact will be felt immediately as talent will not come to the UK if they know they will have to leave within two years. We urge the government to continue to ensure we have access to skilled people, particularly in sectors where we're already struggling to find the talent we need.”
While there have been concerns that Brexit could put a stopper on hiring and salaries, Jobling says that the proposed departure from the EU has so far only resulted in a short pause on hiring in some organisations.
“Once the result came in but demand is as strong as ever. Candidates relocating to the UK have been a little more hesitant but are still considering the UK as a place to work. Of course, this could change in the next 12 months as we learn more about what Brexit really means,” she says.
Phillipson says that it is too soon to say if Brexit is having, or will have, an effect on infosec salaries as the process simply hasn't started. “2016 was a challenging year for IT recruitment in finance. I am sure Brexit played a part in this but we saw no effect on demand for IT security professionals,” he adds.
The job market for infosec professionals still looks very good, which means that salaries and career mobility will also be good. The IT security professional can almost name their price in the current market. For employers, the right incentives have to be in place to attract the top talent; it's a seller's market out there so professionals should ensure they have the skills and knowledge in order to get the most lucrative opportunities.
Salaries are also being increased by new fields such as cloud, mobile and IoT security, meaning infosec professionals have the chance to spread their wings and earn more.
In the end though, money isn't everything if you don't like your job. There comes a point where money becomes less important and being happy doing what you love pays in different ways. Not everyone wants to be a CISO. Luckily, there are plenty of roles out there to suit all infosec professionals.
|All private sector||All public sector||Banking||Health||Retail||Government||Manufacturing|
|IT Security Manager|
|IT Security Officer|
|IT Security Architect|