Barclay Simpson

Market Report 2010 - Information Security Market Commentary



The effect of the recession on the employment prospects of information security practitioners has been clear for all to see. The total number of people employed in information security is now lower than it was two years ago. Although the number of vacancies is now increasing, unemployment has risen. However, employment in information security is not driven entirely by the economy or business investment.

Information security never stands still. It is constantly evolving and is subject to developments in technology, certification and regulation. As with our previous reports, it is useful to review these non-economic developments and consider how they affected the recruitment market in 2009 and how they are likely to affect the market in 2010. Here are some of the areas we believe had, or will have, the biggest influence on the recruitment market:

Changes in the CLAS market

It was feared that when CESG, the Information Assurance (IA) arm of GCHQ, expanded the number of CESG Listed Advisors (CLAS Consultants) in 2009, it could potentially result in a surplus number of consultants and drive down both permanent salaries and contract rates. However, many of the new CLAS Consultants are already employed and generally earning salaries similar to existing CLAS Consultants. We are not anticipating any reduction in the volume of work and it is clear that CESG expects it to increase.

Currently more CLAS Consultants, including some already in permanent employment, are seeking contract roles. However, toward the end of 2009 there was a decrease in demand for contract CLAS Consultants as government departments attempted to reduce their dependency on contractors. This could push contract rates lower; however, we believe this is a short-term development and that demand for CLAS Consultants is set to increase. There are a number of reasons, including the continuing drive to protect personal data, the new Security Policy Framework (SPF), and recently introduced requirements such as the Information Assurance Maturity Model (IAMM) together with the Privacy Impact Assessment (PIA), and the increased focus on encryption for laptops and removable media.

In response to recent high profile data losses, the government has recommended that all organisations handling personal data undertake PIAs. Whilst this remains a recommendation in the private sector, it is mandatory in the public sector. As part of compliance with IA Standard No.6, public sector PIAs are likely to be undertaken by CLAS Consultants. Those who are IA Standard No.6 Auditors, of whom only a few have been specially trained by CESG, will be in demand. The increase in work is expected by the second quarter of 2010. The work will fall to consultancies as well as contractors, increasing demand in both the permanent and contract markets.

Moving into the cloud

A current growth area within IT is Cloud Computing. Although it potentially provides significant cost savings, it also raises a number of security concerns. The users of Cloud Computing rent rather than own the physical IT infrastructure and only pay for the resources they use. Cloud Computing is becoming more popular, and with it grow the security concerns about information being processed within the cloud. According to IDC’s analysis, the worldwide forecast for cloud services in 2009 will most likely be in the order of $17.4bn.

The Cloud Computing Risk Assessment by the European Network and Information Security Agency (ENISA) details the benefits and risks that Cloud Computing offers. Many security measures are cheaper when implemented on a large scale. This applies to defensive measures such as filtering; patch management; hardening of virtual machine instances and hypervisors; human resources and their management and vetting; hardware and software redundancy; strong authentication; and efficient role-based access control and federated identity management solutions by default. Scale also improves the network effects of collaboration among the various partners involved in defence. Other benefits include multiple locations to provide contingency; edge networks giving better service reliability and quality; and threat management, as cloud providers can afford to hire specialists to deal with specific security risks.

However, processing data outside of a company’s domain results in risks that require management. The main risks of Cloud Computing highlighted by ENISA are loss of governance, lock-in, isolation failure, compliance risks, management interface compromise, data protection, insecure or incomplete data deletion and the malicious insider. To counter these risks, organisations need to use security auditors who have a good understanding of securing virtual environments and of working with third parties.

Cloud Computing is particularly attractive to SMEs as they attempt to reduce costs. However, to avoid running undue risks they will need to ensure they have undertaken a full risk assessment before moving, storing and processing data in a cloud. If this trend continues, and it is highly likely that it will, there will be more in-house roles for risk assessors with a good understanding of virtual environments. Companies providing cloud services will also spend more on specialist security resources to ensure they comply with their clients’ security requirements.

BC vs BR, what is in the name?

Business continuity has progressed rapidly as a discipline. The continuity of operations has become an enterprise-wide, real-time, high stakes concern and has culminated in a new approach called “Business Resilience”.

Business continuity is widely understood to be defensive. It focuses on recovery rather than resilience. Most companies are aware of the core Business Continuity Management principles, which include IT disaster recovery, business contingency planning and crisis management. However, do they understand and practise business resilience?

Business resilience has a much broader remit than simply continuity of business operations and recovery from a business disruption. It allows a company’s business operations to adapt and respond to internal or external change. It incorporates the wider aspects of its operations and market standing. Business resilience not only prepares for uncertainty, it also helps a company to act quickly and decisively on emerging opportunities. Business resilience focuses on opportunity, company brand, diversified and sustainable profits as well as overall protection of the business and the welfare of employees.

The recession has presented many challenges and opportunities. Companies that have a broader understanding of business resilience have not only survived, they have frequently evolved and benefited from the recent market conditions. They are more likely to succeed when faced with major incidents and market changes.

Getting budget approval for business continuity programmes is an ongoing challenge for many business continuity managers. A primary obstacle is securing both financial and political support. Management often requires a demonstrable return before committing investment, and only then will adequate funding and an executive to champion the cause emerge.

By presenting business resilience in a form that incorporates traditional business continuity management, an attractive return on investment can usually be demonstrated. With a business resilience solution, senior executives can see its tangible and immediate benefits.

Executive management are now far better informed about risk, resilience and planning. Most are receptive to understanding how to make their businesses more resilient. Like business continuity, business resilience can be woven into individual projects and programmes at various stages, allowing the level of investment to vary. Hopefully UK companies will lead the way in business resilience, as the benefits and opportunities will be both local and global. To be effective it ultimately requires ownership and accountability.

In 2010 we expect to see business resilience grow. Whilst some positions will simply be re-labelled business continuity roles, others will become increasingly focussed on genuine business resilience.

Analysis by Sector

End-users

The financial services industry casts a long shadow not only over the UK economy but over corporate governance and information security. Other corporate governance disciplines, such as operational risk management and regulatory compliance, are substantially the preserve of the financial services industry. As we have written before, a disproportionate number of information security specialists work in banking and financial services. Those companies outside of financial services with the largest market capitalisations are in sectors such as energy, pharmaceuticals, telecoms and FMCG. However, the number of information security staff they employ is significantly lower than in comparable banks. It is a characteristic that, to a lesser extent, is played out across the entire financial services industry. What happens in financial services matters to the information security recruitment market.

Demand for information security staff from the financial services industry essentially collapsed during the first months of 2009. Many information security staff were made redundant as banks merged or rationalised. However, during the course of the year the redundancies slowed and vacancies gradually increased. Then, as in other areas of corporate governance, vacancies recovered during the latter part of 2009. This was particularly evident in those banks that are partially government owned. Having undergone significant re-organisations they began to identify areas where skill shortages existed.

During 2009 it was not unusual for banks to make redundancies and then, as strategies shifted and skill shortages became evident, to recruit. Some, for instance, made redundancies in information security but recruited in technology risk. Others made redundancies in the UK but recruited overseas, and vice versa. These shifts have allowed most of those who were made redundant to secure roles; toward the end of 2009 the number of redundant information security staff started to fall and a better balance between supply and demand began to emerge.

Demand was helped by the FSA taking a greater interest in information protection. Some smaller banks appointed their first information security officer. These roles are often varied, taking responsibility for physical security and/or including elements of financial crime to broaden their scope. This helps justify the headcount. Financial crime is becoming a more common responsibility for information security departments to adopt, reflecting the greater use of IT in the execution of financial crime.

Outside of financial services, during the first half of 2009 many end-users cancelled their plans to recruit. Candidates would routinely reach the end of a recruitment process only to find the vacancy had been frozen or that the authority to recruit was not forthcoming. For those out of work it was a frustrating period. By the second half of the year it was clear that line managers at least had the authority to recruit, and much less time was wasted by candidates applying and interviewing for roles that were destined to be cancelled.

The commercial sector, outside of financial services, was buoyed by some major SAP roll outs. Those with experience in the delivery of information security within major SAP implementations can anticipate opportunities as companies, particularly in the FMCG and logistics sectors, shift to SAP.

Unemployment has recently started to fall and prospects for 2010 look far better than at the start of 2009. Unemployment peaked in August. Since then the opportunities for IT security specialists to return to work have increased, even if the roles offered and accepted fall short of their expectations. When the recruitment market significantly improves we expect a number of people to attempt to secure positions more appropriate to their experience and ambitions.

Consultancies & Systems Integrators

During 2009 there was minimal recruitment by the information security practices of the global consultancies, systems integrators and telcos. Many made redundancies, although in total probably fewer than amongst the end-users. Recruitment freezes led to many vacancies being filled internally, with otherwise redundant consultants given the opportunity to work in information security. Towards the latter part of the year some recruitment freezes were lifted, primarily for CLAS Consultants with government experience.

With many CLAS Consultants choosing to work as contractors, these roles were not necessarily easy to fill. This pushed salaries higher in an otherwise depressed market. We expect the demand for permanent CLAS Consultants to continue into 2010, which may push those who would otherwise prefer contract work to take permanent positions. This has happened in the past. However, it may be different in 2010 because in 2009 admissions onto the CESG Listed Advisor Scheme increased. For perhaps the first time in this niche market, supply might meet demand and, by the time of the 2010 new admissions, may even exceed it.

The anticipated decline in government spending has not yet been felt in this market. However, with big ticket government inspired IT projects likely to be cancelled or curtailed, 2010 could yet prove problematic. Whilst both the public and commercial sectors remain at risk of security incidents and require effective core information security functions, much of the recruitment in this sector is driven by public sector projects. If projects are put on hold or even cancelled, there is a risk that information security consultants working on these projects could be made redundant.

In contrast, the private sector should experience an upturn in 2010. If the increase in security staff employed by end-user departments towards the end of 2009 translates into new projects, then the consultancies and SIs involved may need to recruit. This, we hope, will result in an overall increase in information security recruitment within the consultancy and systems integrator sectors during 2010.

The boutique security consultancies continued to recruit cautiously during 2009 against specific business needs. The consultancies that appear to be thriving in this market are those offering niche services such as penetration testing and government security consultancy. As a result there was an increase in demand for penetration testers, CHECK Team Leaders, CHECK Team Members and CREST Consultants. This demand rose during the final two quarters of 2009. We anticipate that demand for penetration testers will increase during 2010 with comparably more opportunities than in other areas of information security.

Business Continuity

Not surprisingly, given the economic decline, demand for business continuity staff was subdued during 2009. However, as the economy stabilised and improved towards the end of 2009, a clear improvement in the market emerged, providing a positive outlook for 2010.

During 2009 the relationship between business resilience and business risk evolved. Many companies, particularly in financial services, are now reviewing their business continuity management at a strategic level. They are working from the top down to ensure their critical business functions are protected as far as possible. As a result there has been an increase in senior management vacancies. This has stimulated senior level movements and allowed business continuity managers to switch sectors and to bring their knowledge and experience of other sectors with them.

There were few low level business continuity vacancies in 2009. Whilst the requirements exist, budgetary restraints have resulted in recruitment freezes. Business continuity teams have needed to manage without the extra resources they require. As the pressure of work increases and budget pressures are relaxed, we anticipate more vacancies will become available in 2010.

The 2012 Olympic Games stand out as a major public sector business continuity programme that will unite public sector business continuity efforts and capability. Flu and health related planning continues to be a major concern for local and central government and the NHS. Phase two of the Civil Contingencies Act will include a review of continuity management standards. It is likely that there will be a move towards aligning with at least parts of BS25999. In addition, the new Security Policy Framework (SPF) will also include business continuity management standards. This will increase the pressure on public sector business continuity and emergency planning professionals. Notwithstanding the budgetary pressures that the public sector will be subject to in 2010, we expect there to be an increase in demand from the public sector for business continuity management.

The contract business continuity recruitment market was subdued during 2009 until the latter part of the year. Conversely, the business continuity consultancy market grew during 2009, as we predicted. Consultancies offered highly competitive rates that allowed clients to benefit from the assurance they provide without paying a significant premium over the rates charged by independent contractors. Many leading business continuity / business resilience consulting practices have ambitious growth plans for 2010. We anticipate there will be ongoing recruitment within the business continuity consulting market in 2010.

Information Security Contract Market

Contracting within information security was difficult during 2009. Many contractors had concerns as to whether ongoing contracts would be continued and many had to accept lower daily rates. Those who found themselves out of work faced strong competition for the much lower number of contracts that became available.

Typical daily rates fell by between 10% and 20% during 2009 and there was a noticeable absence of senior level contract positions. Many companies, having reviewed their budgets, sought to make cost savings. Reducing both the number of contractors and their rates was an obvious source of cuts. In some instances, where contractors were being used on ongoing projects, they were removed in favour of otherwise redundant permanent staff.

The pool of available contractors was increased by redundant permanent staff who were prepared to look at both contract and permanent opportunities. This created more competition and downward pressure on rates. As the competition for contract vacancies increased during 2009, some previously full-time contractors started to consider permanent positions in order to find a more stable income source.

In the 2009 Interim Market Report we noted that the number of CLAS Consultants admitted in the October intake was being increased. An additional 200+ CLAS Consultants were added to the list. Many of the new CLAS Consultants expected that their rates and utilisation would immediately increase. This has not proven to be the case, as the majority of existing CLAS Consultants have built up their reputations and skills within the public sector over a significant period of time. In fact, the number of CLAS roles during the second half of 2009 decreased and more were being released to consultancies rather than to individual contractors. Only those CLAS Consultants with a strong delivery track record were in demand. This led to consultancies recruiting more permanent CLAS Consultants. As a result, many of the new CLAS Consultants may wish to consider taking up permanent positions within consultancies to gain relevant sector experience.

By the end of 2009 permanent information security positions were starting to increase as companies got their information security budgets back. This increase has not been replicated in the contract market. Many companies will most likely look to fill their permanent positions where possible and resort to the contract market only if that fails or other gaps in their resources emerge. We are not anticipating an upturn in the information security contract market until the end of the first quarter of 2010.

Summary / Predictions

Information security has had a tough recession with collapsing demand and significant numbers of redundancies. However, as the economy stabilised towards the end of 2009, the number of redundancies significantly reduced and what we hope will be an extended period of rising demand began.

Amongst end-users, the financial services sector appears set to lead the way. Within the consultancy sector we are more optimistic for those consultancies undertaking commercial projects. We have concerns about the durability of demand from consultancies substantially engaged in public sector work. It is unlikely that public sector largesse can continue at current levels of spending. We expect the number of lower level business continuity positions to increase and the contract market to improve by the end of the first quarter. Penetration testers look likely to be in demand during 2010. Whilst we anticipate a focus on the CREST qualification, CHECK Team Leaders will continue to be in demand.

However, any recovery will need to be seen in the context of an environment where unemployment will most likely continue to rise for some months yet. Beyond that there are fiscal deficits that will need to be addressed, together with what is going to be a painful restructuring of the UK economy. Notwithstanding the resilience of the IT industry, a combination of cautious companies and cautious information security practitioners will most likely result in a recruitment market that for many, at least in the short term, will remain problematic.