Barclay Simpson

Interim Market Report 2008 - security market analysis




General tightening of recruitment market

 

Information Security       Jun 2006   Dec 2006   Jun 2007   Dec 2007   Jun 2008

New vacancies                    59         56         63         65         58
Closing vacancies                30         24         31         29         33
Candidates registering          223        214        179        195        240
Defensive registrations         14%        14%        15%        15%        17%
Overall salary increase         16%        15%        16%        14%        13%

 

 

 

 

 

 

 

  • Drop in new vacancies primarily due to consulting sector
  • Steady flow of new vacancies from other areas
  • 23% increase in candidate registrations
  • Defensive registrations up to 17% - highest level for over 2 years
  • Budgetary constraints putting pressure on salary increases

 

 

Market dynamics

 

Candidate registrations increased during the first half of 2008. The increase was noticeable in the banking sector and in a number of other areas, as constraints on IT spending have led to a reduction in the number of new projects. Candidate registrations from the consultancy sector were surprisingly low. However, given the reduced number of vacancies, it appears that candidates currently prefer to stay with the employer they know.

 

Overall, the number of vacancies fell, mainly due to a significant drop in vacancies in the consultancy sector. More generally, there was a slower but steady stream of vacancies from all other sectors.

 

Salary increases have declined. This is because more candidates are now available and competing for vacancies, and because many companies have tighter recruitment budgets and recruitment is no longer the priority it has recently been.

 

 

Analysis by sector

 

End-user market

 

2008 has been a mixed year for the end-user market. High profile data leakages have spurred demand, whereas the economic outlook has made companies more cautious. Fortunately, the dominant influence has been the need for companies to continue to invest in their information security capability to mitigate their reputational and regulatory risks. This demand may have been skewed in the first half of the year by two large financial institutions undertaking significant improvement programmes.

 

The banking sector witnessed a number of such improvement programmes during the first half of 2008. This resulted in a significant change in their recruitment patterns, as these improvement programmes generally require very specific skill sets, including cryptography, IdM and vulnerability assessment. There was less demand for people with standard information security consulting or managerial backgrounds.

 

The commercial sector has benefited from the heightened awareness of the importance of information security. Media comment, high profile government data leakages and regulations such as PCI are ensuring that companies continue to invest in information security. A number of smaller companies have recently appointed their first information security officer.

 

However, the market is suffering from a corporate squeeze on IT spending. This is reducing the need for risk assessments and, as a consequence, fewer in-house consulting roles are being created across the end-user sector.

 

Since the burst of the dotcom bubble and subsequent washing through of the related over-investment in IT, information security practitioners have enjoyed a demand led recruitment market where their skills have been increasingly scarce and valued. The recent economic uncertainty and employment security fears have led to a slightly better balance between supply and demand.

 

There has been an increase in the number of defensive registrations, particularly in some sectors. Equally, others have become more cautious and prefer the perceived security of their existing employer. Overall, the availability of candidates in the recruitment market has improved and few roles are remaining unfilled for a prolonged period unless they are highly specialist or have an unrealistically low salary.

 

Contract

 

The first half of 2008 has been mixed for information security contractors. The financial services sector is one of the largest users of information security contract staff and budgetary constraints have affected both the demand for contractors and the rates available. Budgets are under pressure and many groups are electing to source candidates internally. However, some clearly have business critical requirements and contract roles will become available as these projects progress.

 

Shorter 3 month rolling contracts are becoming more common rather than guaranteed 6 to 12 month contracts which were previously required to attract candidates.

 

The number of contractors actively seeking work has increased, which is resulting in a more competitive market and pressure on rates. The contract market is the first to be hit in any sort of downturn as companies use its inherent flexibility to cut costs. However, as 2008 progresses we expect more companies will look to contractors to provide the skills they are lacking internally. This will reduce their risk of investing in a permanent resource while economic uncertainty continues.

 

There is currently high demand from central government. High profile losses of data have increased the demand for specialist information security contractors already holding high level security clearance. New policies affecting the way data can be handled and stored are being introduced and demand for CLAS consultants is expected to continue. They are the only personnel accredited to write and implement the policies and procedures and, as a consequence, their rates are rising as demand outstrips supply. Demand is currently high in London and the South West.

 

Demand for information security contract staff in the defence sector is increasing, with opportunities in computer network defence for skills such as intrusion detection analysis and for those with expertise in sanctuary and AV tooling. The techniques and technologies used to attack secure networks are continuing to develop, and organisations are using a holistic approach to try to prevent, monitor and respond to the various attacks.

 

Consultancies have been utilising their own permanent resources on projects. However, some SMEs have won work in central government and defence and have needed to recruit externally. They have chosen to employ contractors to cover specific short term requirements.

 

Consultancies & Systems Integrators

 

Compared to 2007, there has been a downturn in recruitment within the consultancies and systems integrators. Then, demand was driven by public sector projects and contracts. Whilst these projects are still running, they have not created the ongoing demand we had anticipated. This is most likely due to staff being redeployed internally away from clients in financial services and commerce. Some lower level security roles are also being off-shored and there are consultancies that are undertaking structural reviews of their security practices and their wider business.

 

Recruitment is continuing but at a slower rate. The skills most in demand from the consultancies and systems integrators have been identity management and penetration testing, two areas that were also “hot” in 2007.

 

  • Identity management solutions are being implemented in a variety of organisations and the consultancies involved require skilled security practitioners to design and implement solutions. Identity management professionals are frequently required to have a mix of good technical knowledge, architecture and design as well as strong soft consulting skills.

 

  • Penetration testing is a necessary process to ensure data is kept secure and is often outsourced to a service provider where the majority of vacancies occur. Although during 2007 it was primarily CHECK Team Leaders and Members that were in high demand, in 2008, good penetration testers without CHECK, particularly those with application penetration testing skills and a consultancy background, have been sought. These roles have primarily been for consultancies that are not CESG CHECK approved and it may be an indication that the market is now moving towards CREST approved penetration testing service providers.

 

In both of these areas there has been a shortage of strong candidates, requiring some consultancies to adjust their requirements and recruit from end-users, particularly the financial sector. They are then developing them into external security consultants.

 

The number of security professionals from consultancies and systems integrators entering the recruitment market has fallen. This is most likely caused by the perception that there are currently only limited opportunities and, unless they are facing redundancy, they may be safer in their current employment. This has resulted in a shortage of good candidates available to those consultancies and systems integrators that are recruiting. Multiple offers for strong candidates are still common.

 

Although some consultancies streamlined their recruitment process in 2007, there has often been less urgency to recruit this year. Budgets have become tighter and this is being reflected in lower salaries. Some offers for non-urgent recruitment have been made below a candidate’s existing salary. 

 

Business continuity

 

Information security has benefited recently from several high profile security failures. These failures move security from being a theoretical to a practical challenge. Business continuity benefits similarly from high profile failures. However, while continuity continues to play an important role in business risk management and most sectors are working hard to ensure they have robust business continuity management in place, economic pressure is restraining recruitment. The underlying demand caused by the acknowledged need to meet best practice standards is there; getting sign-off for budgets is proving harder.

 

The large consultancy firms are aware of the demand for business continuity improvement and have been recruiting experienced business continuity consultants consistently through the first half of 2008. We expect this trend to slow down in the second half of the year, in response to budget restrictions.  

 

System integrators have not had the same appetite for growing their business continuity divisions and business continuity recruitment with the major outsourcing companies has slowed. Group-wide reorganisations have played a major part in this and resulted in recruitment being put on hold. However, this is a potential source of demand for continuity professionals that is likely to respond quickly to client needs. If demand for business continuity services increases, major outsourcing companies will need to be competitive in this area when working on major business systems outsourcing bids.

 

Historically, banking and finance has always been the most active sector and, whilst budgeting pressures will affect some recruitment, we are expecting the consistent flow of business continuity vacancies to broadly continue. These will be a mix of organic growth, replacement and newly created roles. 

 

Business continuity and IT continuity projects appear to be working closer together and there is an increase in demand for IT services continuity management candidates. IT continuity is rarely an area where costs can be cut and the business impact of poor IT service continuity is widely understood. As a result, IT service continuity solutions and testing are getting much more attention.

 

We predicted that there would be an increase in demand for business continuity contract employees throughout 2008, driven by BS25999 compliance and an increase in business continuity project work in general. We have seen some evidence of this. However, permanent employees are still preferred by most business continuity managers. For higher level consultancy contracts there is strong competition from the consultancies that often have a strong offering to meet their clients’ needs.

 

Vendors

 

The vendor market is characterised by opportunity, innovation and competition. It is an exciting and rapidly changing market with a stream of new products and companies. For example, transaction security and the increasingly sophisticated techniques of criminals is an area that is receiving considerable media coverage. As a result, demand for new products and solutions to counter the threat is driving sales and business growth.

 

Recruitment for sales and business development professionals remains steady and vacancies tend to be the result of organic growth. Vendors are expanding across Europe and this will continue as the demand for security products grows. However, in Europe it is harder to find specialist technology and business skill-sets than in the UK. The UK has always been the preferred first European headquarters for growing technology vendors and consequently has a larger pool of specialists to draw upon. To source security specialists to support this development will therefore require well thought out and delivered recruitment campaigns.

 

Vacancies that span technical engineering, pre-sales and technical support are likely to continue to emerge and will be less affected by economic pressures. It is clear that security managers, directors, CISOs and other IT security budget holders are not willing to compromise on enterprise IT security.

 

Supply is currently meeting demand and there are no major skill shortages in the vendor market. However, in a competitive market where sales, communication and technical expertise are vital there is always a shortage of people who really excel.

 

We predicted that the vendor market would expand their information risk and security consultancy capability, not to compete with the large consultancies, but to meet the demand for trusted consultancy services as well as strong technology and support. Growth in consultancy capability has been evident and we expect it to continue.

 

In spite of a generally strong market, some larger product companies have made redundancies, particularly amongst their senior management. In some cases these have given cause for concern and prompted market speculation. There have been few mergers and acquisitions and the wave of big company acquisitions has passed. However, there is some consolidation and acquisition of technology intellectual property.

 

 

Summary / predictions

 

There is now lower demand for IT security specialists. Public sector projects are slowing and causing a fall in demand from the consultancy sector. Commercial end users are generally continuing to recruit and two major banks are supporting demand with large-scale security improvement programmes.

 

Currently there are few unemployed IT security specialists and those who have been made redundant are managing to secure either contract or permanent work. In the present economic climate, whilst IT spending is starting to be squeezed, it is being countered by the increased awareness of the importance of security and the regulatory environment.

 

To date, total employment in the economy has been rising. When, as appears likely, it begins to fall, a less benign recruitment market will most likely develop and the market will probably remain subdued for an extended period of time. Fortunately, however the market develops, it is unlikely to be a re-run of the post dot.com debacle.

 

 

Other sections

 

To view further sections of this report, please visit:

 

  1. Executive summary
  2. Information Security – salaries

 
