DIFFICULT RECRUITMENT MARKET FOR CANDIDATES
| Information Security | Jun 2007 | Dec 2007 | Jun 2008 | Dec 2008 | Jun 2009 |
| --- | --- | --- | --- | --- | --- |
| New vacancies | 63 | 65 | 58 | 50 | 25 |
| Closing vacancies | 31 | 29 | 33 | 20 | 12 |
| Candidates registering | 179 | 195 | 240 | 230 | 280 |
| Defensive registrations | 15% | 15% | 17% | 20% | 53% |
| Overall salary increase | 16% | 14% | 13% | 4% | 4% |
- Every statistic reveals how hard the current information security market is for candidates
- The number of new vacancies fell to 25. Vacancy generation is down across all sectors and is 57% lower compared to the corresponding period in 2008
- At just 12, closing vacancies are 64% down on the corresponding period in 2008
- The number of candidate registrations is rising and is 36% higher than at the height of the recruitment market in June 2007
- At 53%, defensive registrations are a major factor and have accelerated over the last six months, continuing the upward trend since mid 2007
- At 4%, salary increases are at historically low levels, but have stabilised
MARKET COMMENTARY
The UK and global economy is in recession and the path to sustainable growth remains uncertain. Whilst green shoots may have been spotted, the financial crisis has a long way to go before we have a clear view of what the future holds. Employment is a lagging indicator and for many it will no doubt feel like a recession until unemployment starts to fall.
The raw statistics in terms of vacancy creation and number of candidates being forced into the information security job market remain daunting. Vacancy levels are at multi year lows. Redundancies will continue as companies rationalise and adapt to a smaller economy and more limited business environment.
In the present market, for those who have been made redundant the major obstacle in finding another job is not simply competition from other information security practitioners, but the lack of vacancies.
Frustratingly for candidates, those departments with vacancies often have inflated expectations. There is a recession and, not unreasonably, Heads of Department after years of candidate shortages believe they now have the opportunity to recruit their ideal candidates.
They are also working in a corporate environment where any external recruitment is being conducted on a highly selective basis. Authority to recruit externally has to go through higher levels of ratification, and departments are required to demonstrate to a wider audience that they are recruiting people who almost precisely meet the requirements of the job specification.
The competition for positions is heavily made up of people who are being forced through redundancy, or its threat, into the recruitment market. Their interest is simply to secure another position. Understandably, many well qualified information security practitioners believe it is too risky to change job and are staying with their existing employer. This view is a triumph of perception over reality. Unlike last year, when changing jobs was considered safe, any potential damage to a company’s business prospects is already clearly visible.
The dramatic fall in the number of new vacancies not only reflects widespread external recruitment freezes, but a lack of investment in new systems and ventures. The fall in the number of open vacancies indicates that vacancies are being filled more quickly than they are being generated and is a sign that supply is outstripping demand. The information security recruitment market is revisiting the period in the early years of this decade, when, after the dotcom bust, IT investment collapsed.
The information security market, more so than other areas of governance, has become a buyers’ market. Employers are now in a very strong bargaining position. Those who have been made redundant or have a pressing requirement to change jobs need to be more flexible about the type, location and salary of the positions they consider. Not surprisingly this is depressing salaries. Senior practitioners are most likely to face unemployment and therefore face the greatest downward pressure on their earnings. Junior practitioners are generally in more stable positions, but face lower bonuses and, currently, less opportunity for progression.
Potential positives
The information security recruitment market may be at or past its worst point. There are some positive signs, together with indications that more companies plan to recruit later this year.
Companies cannot freeze recruitment indefinitely. If business critical staff are not available internally, they must be sought externally. As time goes on the propensity to externally recruit increases.
- Banking and financial services, usually a significant part of the market, has been particularly badly hit. Demand fell precipitously following the demise of Lehman Brothers. There are some tentative signs that demand is now starting to recover.
- Unfortunately, commerce and industry currently shows no signs of improvement.
- There is some demand from the consultancy, systems integrator, telco and government sectors.
- There is a perception that the government sector is a safe haven. As a result, many security practitioners are seeking to gain CLAS accreditation and government sector project experience. However, public finances may dictate that demand from the government sector will fall as costs are cut and new projects delayed, scaled back or cancelled.
Information security recruitment is highly correlated to business investment and therefore economic growth. Business investment results in new systems and projects that require input from security professionals. Once sustainable economic growth emerges, and the signs of this are better now than at any time during the last year, demand for security practitioners will ultimately follow.
CANDIDATE AVAILABILITY
Redundancy or fear of redundancy is the reason most security practitioners are currently entering the recruitment market.
Redundancies have been concentrated amongst management and this has resulted in a pool of unemployed senior personnel chasing end user and consulting roles. This has in part been a consequence of mergers reducing the number of managerial positions and generally the business imperative to reduce costs and therefore headcount, falling disproportionately on senior and therefore expensive staff.
There are far fewer good quality junior and mid-level candidates being made redundant and many are electing to stay with their existing employer. They perceive the current recruitment market as an unlikely place to secure a better position. They are also reluctant to take the risks associated with moving to a new company. As a consequence, even given the large pool of redundant staff, it is more difficult to source candidates for junior and mid-level vacancies than for managerial positions.
A feature of the current recruitment market is the requirement amongst many companies to seek additional levels of approval to recruit. This can have the unfortunate effect of making the recruitment process “stop start” as it becomes delayed or aborted. This has caused some candidates to withdraw from the recruitment market.
ANALYSIS BY SECTOR
Here are some observations and conclusions by market sector:
END USERS
The financial services industry is the major part of the end user recruitment market. As reported earlier, the industry essentially ceased to recruit following the demise of Lehman Brothers in September 2008. There are now signs of a revival with a small number of banks starting to recruit and others reporting the need, but not yet having the approval to do so.
Redundancies in the sector, heavy until recently, are now declining. Many security practitioners have become more flexible in their requirements in response to the limited number of new positions that are now becoming available. Whilst any improvement is a welcome development, against the last five years, the sector remains substantially depressed.
In our last market report, we noted that many commercial groups were still looking to appoint their first information security specialist. This was caused by the need to comply with PCI–DSS, increased awareness of the subject following the 2008 government data leakages and a need to align with ISO 27001. This demand has ceased. The publicity around the data leakages has now died down and PCI is now a business as usual activity. In the current economic climate, few commercial companies are considering creating new positions in information security.
Once companies perceive their markets have stabilised, we expect the widespread recruitment freezes and headcount limitations to be gradually eased. Latent demand is growing as staff who have left or have been internally redeployed need to be replaced.
Redundancies have largely been in the £60-£130,000 salary range, with candidates in the £40-£60,000 range reluctant to enter the recruitment market. Some perceive little point; for others, the perceived risk is too great. The effect has been much lower numbers of high calibre junior to mid-level candidates in the market. We anticipate over time this will ease, as the professional or personal need to change jobs becomes more pressing.
CONSULTANCIES & SYSTEMS INTEGRATORS
Demand from consultancies and systems integrators has been limited so far in 2009. Several security professional services practices have been reorganised and restructured. Where possible, rather than make redundancies, their staff have been redeployed from commercial clients onto government projects. This has depressed the need to recruit externally.
The fear of changing employer has pervaded security practitioners working in the sector in the same way it has in others. In reality, the risk is more apparent than real as those consultancies that are recruiting would be unlikely to be planning redundancies. Whilst candidate registrations from the sector are lower, there were defensive registrations from mid to senior level staff with security policy and compliance skills.
Demand to recruit has come from those consultancies with government contracts. Demand has held up for security consultants with relevant experience, especially those who are CLAS accredited. It has also held up for mid-level security consultants with security architecture and policy skills, and with good commercial and consulting skills.
MSc Information Security graduates have struggled to find their first role. Consultancies and SIs have not been recruiting at this level. It will leave a skills gap in 2010 when these employers will be seeking to recruit MSc graduates with experience in commercial consulting.
Within the boutique security consultancy market, there has been little recruitment. However some have recruited on the back of contract wins and others as their competitors succumb to the adverse business environment. Demand has mostly been for mid-level and for specialist skills such as penetration testing or government security consultancy.
VENDORS
Recruitment in the vendor market remains subdued. Acquisitions, such as Check Point’s acquisition of Nokia’s security appliance business, have continued. Any potential recruitment has then been substituted by rationalisation and redundancies.
Whilst redundancies from both smaller and larger vendors such as Microsoft have been a feature of the vendor market, new entrants into the UK vendor market have created positions. These have been at levels from country manager to pre-sales specialists. Some security vendors, due to their strong product offerings and market position, have recruited sales, pre-sales and technical post-sales roles.
There is evidence that demand from vendors is increasing. This may be a short term improvement as budgets from the start of the year are released or it may be a more fundamental turn in the market. Whilst economic conditions make this seem unlikely, it is equally unlikely that demand will drop back to the severely depressed levels in the final quarter of 2008.
BUSINESS CONTINUITY
The business continuity market has not escaped the recession. There are fewer vacancies, more redundancies and a highly competitive recruitment market. However, media coverage and a better understanding of the need for business continuity by executive management have led to new business continuity projects and programmes. Whilst these have the potential to drive demand for business continuity professionals, they are not always being converted into live vacancies.
Active demand has continued for support positions at analyst and coordinator level and they are providing career opportunities for less experienced people. Whilst we expect more demand at this level, budget restrictions and recruitment freezes will result in other business continuity related vacancies remaining “on hold”.
Although the business continuity consulting market has slowed, it has also benefited from companies postponing in-house recruitment and employing consultancies. The consulting recruitment market is highly competitive and those consultancies that have continued to recruit require candidates with strong consulting backgrounds and the right qualities to thrive in a consulting environment.
The fact that consultancies are recruiting demonstrates confidence in the long term prospects for the sector. Demand appears to be building and we expect the business continuity consultancy market to grow in the latter half of 2009.
The swine flu pandemic is being closely followed by the media, and companies are reviewing their pandemic plans. Pandemic flu related contract positions are already evident and permanent job descriptions are now making some reference to pandemic planning experience.
There is a build up of business continuity project work and mounting pressure to recruit or find alternative solutions. Improved economic confidence will no doubt speed up the release of business continuity vacancies and allow formal demand to increase.
CONTRACT MARKET
The information security contract market became more competitive during the first half of 2009, as many permanent and contract information security professionals were made redundant or had their contracts terminated. Rates in the contract market are reflecting the new realities of supply and demand. There is also far more caution. A year ago most contract recruitment processes would last a matter of days. Now the process can stretch to several weeks.
Fixed term contracts, based on pro rata permanent salaries, rather than daily contract rates, are now frequently offered. Some companies are seeking to replace contractors with permanent employees. This is done internally from those at risk from redundancy or by recruiting permanently from the pool of unemployed security practitioners at reduced salaries.
The majority of the contract roles in the end user market are currently at the junior to mid levels. There has been a dramatic fall in the number of senior roles. This is due to permanent employees replacing contractors and projects requiring senior consultants being put on hold or cut. Senior candidates who might otherwise be available for more junior positions are being discounted. Companies are frequently unwilling to recruit contractors they believe could move mid-project if they received a better offer.
Within the government and defence sectors there was strong demand for contractors through to the end of the April 2009 financial year. However, the first sign of budgetary pressure has come with a drop in the number of new projects together with their associated demand for contract assistance, as 2010 budgets have been lost. That said, the number of CLAS consultants employed as contractors within the public sector has been stable as they provide support to ongoing projects. There was also some evidence of new projects towards the end of the second quarter of 2009.
The future of this market is uncertain. A future change in government is likely to lead to a change in spending priorities. Many IT based initiatives could be scrapped, therefore reducing demand for contractors. We also anticipate that the CLAS intake this year will be increased by up to 50%, dramatically increasing the supply of those qualified to undertake public sector work. This will affect CLAS consultant charge rates from October if government departments decide to recruit on the basis of price rather than experience.
In the second half of 2009, we anticipate that the contract market will remain cautious and cost conscious, with companies in all sectors using contractors on a tactical basis:
- Larger consultancies will seek to increase margins by using more permanent staff
- SMEs will try to reduce the risk of carrying under-utilised permanent staff by taking on contractors to bid for and complete any work they win
Information security breaches are likely to increase. Companies have cut back on information security and, in some cases, absorbed it into their IT function. Spending on new tools and applications has reduced, potentially weakening the overall effectiveness of security systems. A particular threat is the growth in the number of disgruntled employees who have been made redundant or fear it. This will most likely lead to an increase in demand for contract forensics and information security consultants.
SUMMARY / PREDICTIONS
Given the unprecedented contraction in the UK economy, its impact on the information security recruitment market is not surprising. Conditions have been similar to those that existed in the early part of the decade after the bursting of the dotcom bubble.
There are, however, tentative signs of improvement. While the market remains depressed, the widespread recruitment freeze in banking and financial services is starting to lift. There is a limited increase in activity from companies in the consulting, systems integration and telco sectors. There is also a build up of latent demand for business continuity professionals. The contract market has stabilised at much lower levels of demand and the increase in the availability of experienced security practitioners has depressed rates.
Whatever happens to demand, it is likely that there will be further redundancies as the corporate sector consolidates and any rebound in the economy will take time to filter through to employment.
In our view, the information security market may be at or possibly past its nadir. While market conditions for information security professionals are ultimately dependent on the economy, those pursuing careers can take comfort from the fact that IT is constantly evolving, presenting new security challenges that will support the need for their services. The technical, reputational or political risks of security breaches are better understood across all economic sectors and, in the medium to long term, information risk and security will remain a growing profession.