There has never been a better time to work in the IT security business. Primarily because the threats are growing ever bigger with data breaches, nation state hackers and ransomware. It is of little surprise that organisations of all sizes are in need of IT security professionals. But filling those roles is becoming more and more difficult for employers.

Our IT security salary survey has revealed that salaries for infosec professionals have risen over the last twelve months by around six percent. Karla Joblin, director at recruitment firm Beecher Madden says that demand is increasing as more companies build cyber-teams to fight ever more data breaches and other security incidents.

“Demand is part of the reason for the increase in salaries but the other factor is a focus on the quality of candidates. Many companies who already have cyber-defence teams will now pay a premium, but only for the best people,” she says.

She adds that demand has increased over the last year and consulting firms are still growing and end-user companies are building out their teams. “Vendors are also still in growth mode and have a variety of opportunities available,” she adds.

Glyn Phillipson, head of cyber-security and payments technology at Nicoll Curtin, a global FinTech and Change recruitment agency, says that demand for cyber-security professionals has been constant over the last twelve months when many of his firm's clients were doing little to no hiring elsewhere.

“Q4 is normally a quiet time for hiring, but there was a constant demand until Christmas and even in the first few weeks of the year,” he says. Phillipson adds that he hasn't seen a noticeable change in salaries yet, but predicts that as his clients are more frequently competing for the same candidates, we will see “an increase in compensation and an increase in demand for contractors”.

He adds that over the last year, and judging by the amount of hires his firm's key clients made year on year, there has been a large increase in requirements and “interestingly a swing back to the UK from offshore locations”.

Skills shortage

Martin Ewings, director of regional sales and specialist markets at IT recruitment firm Experis UK & Ireland, believes that demand is at “an all-time high”. He adds that recent research revealed that the most sought-after skills in this area are CISSP (Certified Information Systems Security Professional), SIEM (Security Information and Event Management), IDAM (Identity Access Management), ArcSight, penetration testers and biometrics.

“However, there is an increasing shortage of talent with these skills – just 103,000 people worldwide hold a CISSP, one of the main cyber-security certifications,” says Ewings.

Business are having a tough time filling IT security roles and thus, says Ewings, businesses are willing to pay more to bring in the right people with the right skill sets and experience. He points to research carried out by his firm that revealed that the average salary for permanent IT security professionals now stands at £58,003, up 7.95 percent on last year's figures. He says that IT security day rates are also on the rise – up 4.98 percent year-on-year (£443 on average), as many companies turn to short-term contractor support to help plug the gaps.

Phillipson says that there are more requirements for skilled individuals than there are people available. “Qualifications seem less important as,  given the high demand, employers are having to be more flexible, but real life experience in cyber-security remains a ‘must' for blue chip companies,” he adds.

Given the high demand and apparent lack of available talent, employers are having to show flexibility on years of experience, qualifications and industry exposure, according to Philipson. He adds that “ideally, an employer will require a certain level of certification and education but compromises are being made.”

Darren Anstee, chief security technologist at Arbor Networks, says that while there is a shortage of security professionals and this will apply upward pressure on salaries, what must be taken into account here is that most organisations are not in the business of ‘security' and “thus paying higher rates for expertise outside of whatever their core business happens to be is not something they really want to do”.

“Many organisations, if they can, will opt for managed security services rather than scaling up their own teams if this works for them from a cost / risk perspective,” he says.

Jobling says the shortage of trained people has been pushing up salaries but this “cannot increase forever”. Indeed, it has to tail off, but perhaps not just yet.

“What we saw towards the end of 2016, was an increase in the amount of candidates being offered sponsorship. Companies are going to start looking into different ways to attract the talent they require,” she says.

Qualifications and getting into the industry

The shortage maybe pushing up salaries in the short term, but qualifications will be important, even at entry level, says Jobling.

“Having taken a qualification shows their dedication to this career path and these candidates are getting jobs ahead of candidates without qualifications. At a more senior level, experience is more important than qualifications, although we are seeing some companies make a CISSP mandatory,” she says.

But Ewings says that infosec isn't always about having the right qualifications.

“Talent can come in many forms, and it's important for businesses to look for individuals with the aptitude and enthusiasm to learn new skills, and then give them the relevant training and freedom to experiment with new technologies. This will help businesses to not only mitigate the risks today but also future-proof their organisations,” he says.

Anstee says that qualifications are important as they let hiring organisations know whether a candidate should have the right skills and background knowledge to fulfil a role.

“However, practical experience and the ability to apply book-learning to real world situations are even more important. Security never stays still so everyone must learn on the job, with the best people being able to keep up to date technically whilst applying that acquired knowledge to the business risks in the organisation(s) they work within,” he adds.

The infosec industry continues to attract young people into the fold. Jobling said that for someone getting into cyber-security now, at school, university or post-grad level could set themselves up for a great career. “Girls should also consider cyber-security as a career more than they do. The roles are varied, not just technical and the industry really does want to have some diversity,” she says.

Phillipson says that IT security is a rapidly growing and ever more important part of all business now. “For young people considering a career, IT Security will continue to provide interesting and well compensated opportunities,” he says.

Increasing professionalisation and new roles

While the debate continues over how important qualifications are to having a job in the IT security industry, Anstee says that qualifications aren't the be all and end all – “experience is still a bigger driving factor in salary expectation.”

Jobling thinks we are still at the beginning of an increasing professionalisation of the industry affecting wage demands.

“Companies are making cyber-security a priority and those companies that have established teams, are seeing value. As a result, they are looking for better qualified individuals with a proven track record. These people are being paid a premium. So, it is not an obvious correlation, but related to how security is evolving within organisations as well,” she says.

Jobling adds that over the last few years new specialism have appeared such as mobile and cloud security due to technology evolving. “The same is true for security within the IoT. Roles such as cyber-awareness didn't really exist then either. It is a result of companies taking cyber-security seriously and understanding the need to educate their business.”

Continued career success

Staying up to date and having a specialism is key if you want to have continued career success in IT security, according to Jobling. She says that companies might want an IAM specialist and becoming an expert in one area will see you progress and earn more money. “However, if your long-term goal is to become a CISO or director, then variety is going to be important as you need to demonstrate your business acumen as well as technical understanding.”

Anstee says that infosec professionals need to be able to understand the risks that their organisation faces as well as applying people, process and technology to keep those risks at an acceptable level without putting (business) barriers in place.

“One key skill is the ability to absorb technical information and make it relevant to non-technical personnel, so that they understand the value of a control and don't simply see it as a barrier,” he says.

Brexit and infosec

A report by resourcing company BPS World has warned that one of the main challenges facing employers in the UK in 2017 will be the impact of Brexit on the ability to attract talent, particularly in the high-value digital, technical and engineering industries where recruiters are already struggling with severe skills shortages.

Simon Conington, founder of BPS World says that 2017 is going to be a pivotal year for the UK economy as it appears to head out of the EU door.

“The decisions the government makes now on the implementation of Brexit will affect our ability to attract the talent we need to grow,” he says.

“The impact will be felt immediately as talent will not come to the UK if they know they will have to leave within two years.  We urge the government to continue to ensure we have access to skilled people, particularly in sectors where we're already struggling to find the talent we need.”

While there have been concerns that Brexit could put a stopper on hiring and salaries, Jobling says that the proposed departure from the EU has so far only resulted in a short pause on hiring in some organisations.

“Once the result came in but demand is as strong as ever. Candidates relocating to the UK have been a little more hesitant but are still considering the UK as a place to work. Of course, this could change in the next 12 months as we learn more about what Brexit really means,” she says.

Phillipson says that it is too soon to say if Brexit is having, or will have an effect, on infosec salaries as the process simply hasn't started. “2016 was a challenging year for IT recruitment in finance. I am sure Brexit played a part in this but we saw no effect on demand for IT security professionals,” he adds.

Final package

The job market for infosec professionals still looks very good, which means that salaries and career mobility will also be good. The IT security professional can almost name their price in the current market. For employers, the right incentives have to be in place to attract the top talent; it's a seller's market out there so professionals should ensure they have the skills and knowledge in order to get the most lucrative opportunities.

Salaries are also being increased by new fields such as cloud, mobile and IoT security, meaning infosec professionals have the change to spread their wings and earn more.

In the end though, money isn't everything if you don't like your job. There comes a point where money becomes less important and being happy doing what you love pays in different ways. Not everyone wants to be a CISO. Luckily, there are plenty of roles out there to suit all infosec professionals.
  All private sector All public sector Banking Health Retail Government Manufacturing
Security/Data Analyst
 Junior  35000 25000  35000 35000 35000 25000  25000
 Mid range  47000 35000 55000 47000 50000 35000 35000
 Senior/large org  60000 50000 65000 60000 60000 50000 50000
 small org  90000 80000 250000 90000 90000 75000 75000
 medium org  110000 80000   110000 110000 85000 90000
 large org  180000 95000 500000 180000 180000 90000 125000
IT Security Manager              
 small org  55000 40000 75000 55000 55000 40000 40000
 medium org  65000 50000 81000 65000 65000 47500 50000
 large org  75000 55000 85000 75000 75000 55000 60000
IT Security Officer
 small org  45000 35000 45000 45000 35000 35000 35000
 medium org  55000 40000 58000 55000 40000 40000 40000
 large org  65000 47000 70000 65000 50000 47000 50000
Penetration Tester              
 junior  40000    42000        
 mid range  57000    55000        
 senior  67000    85000        
Security Consultant              
 junior  46300            
 mid range  63900            
IT Security Architect              
 junior  65600 57000 65000   65000 65000 65000
 mid range  80000 70000 85000   85000 73000 80000
 senior  100300 79000 110000   110000 80000 90000