Interim Market Report 2011 - Info Security Market Commentary

The recession formally ended two years ago. The UK economy, against a backdrop of a slowing world economy, has settled into a period of sub-trend growth and squeezed living standards. By now it is likely that whatever decisions companies took as a consequence of the recession have been implemented. If companies were going to outsource, close, or expand their information security function or otherwise respond to a changed economic and regulatory backdrop, they would have implemented that decision. Whilst we would hate to tempt fate, current circumstances lend towards a stable information security market for the remainder of the year.

During the course of the last year the number of information security practitioners employed in the economy has grown and this has led to what is effectively full employment. Information security, unlike other areas of corporate governance, appears to be far more open about practitioners moving between different sectors. It certainly promotes employment and prevents the ‘silo’ mentality that is clearly manifest elsewhere. Growth in employment has been particularly notable in the financial services and consultancy sectors. It is also encouraging that business continuity is clearly a growth area.

Given the widespread recognition that there is not going to be a quick fix for the UK, or for that matter for the woes of the wider Western economies, companies, whilst demonstrably still recruiting, are exercising a cautious approach to filling their vacancies. Recruitment can be perceived as a form of investment. In spite of the corporate sector enjoying strong growth in profits and sitting on record amounts of cash, corporate investment has not recovered in the way many might have hoped. It is clear the current propensity of companies to recruit is lower than it was six months ago. It is not unusual for an additional interview to be introduced to the process, or for the necessary authorisation to recruit to be referred to a higher authority. Recruitment processes are seemingly taking longer to complete. As a result the rate at which vacancies are being filled is currently slower than it was in the final months of 2010.

Cyber Security and Information Security’s Enhanced Profile

Described as the “invisible enemy” by Liam Fox, Defence Secretary, the cyber security threat is becoming a subject not to be ignored. With Washington developing its first military guidelines for the age of internet warfare and the British Government identifying cyber threats as one of the most serious ‘tier one’ national security challenges alongside global terrorism, CISOs and senior politicians met at the annual Cyber Security Summit in London to tackle the issue. Robert Gates, US Defence Secretary, called for a comprehensive international dialogue on cyber attacks, as Liam Fox announced “there is a continuous battle being waged against us, day in day out…electronic attacks on Britain doubled from 2009 to 2010”.

The first major coordinated attack was orchestrated by Anonymous causing chaos for Visa, Amazon, MasterCard and PayPal. Unlike more recent cyber attacks, ‘Operation Payback’ did not seek to access vital security information but to block thousands of users from accessing its sites by carrying out a globally coordinated attack.

More recently Sony was affected with a reported 77 million users’ personal data and credit card details stolen by hackers who successfully brought the Playstation Network to a halt. After six weeks of uncertainty, embarrassment and a reported £105 million cost, Sony restored its Playstation online network and began its hunt for a CISO. However, it was bad news after bad news for Sony as Lulz Security, a small hacking group, reportedly breached one million users’ personal data, including passwords, email addresses, home addresses, dates of birth, and all opt-in data associated with SonyPictures.com. Whilst Sony may have been the worst affected, Nintendo, RSA SecurID, Gmail and CitiBank have all recently announced breaches of secure data.

Further, whilst reports were neither confirmed nor denied and with Google pointing the finger of blame for its Gmail hack at China, it is evident that cyber security hacks and breaches have begun to impact international relations.

The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike.

Cyber security has become a new buzzword, but it does demonstrate the effect of media reporting and the way it enhances the profile of information security. One of the biggest drivers for information security currently is the damage to corporate reputations, and the consequent loss of revenue, through media exposure. CISOs trying to educate executive management often resort to the question “how is this going to affect our profits?” In spite of this, some companies have maintained a high risk tolerance policy that has allowed them to ignore the risks. This is now changing, and the media has played an important role in making information security a topical issue. It has resulted in companies being fined and in changes to their reporting structures. It has also led to policies on encryption, passwords and the levels of data that can be transported, in an attempt not to be exposed to similar damage. The latest incidents have raised the profile of information security with a strong focus on people, process and technology.

Ultimately what does this increased awareness mean for information security? When addressing executive management CISOs currently have numerous examples they can draw upon to ensure information security is taken seriously. As a result, investment in information security is increasing against a backdrop of lower corporate investment. More companies are now hiring information security staff and those otherwise token CISOs are more likely to be listened to and have their advice acted upon. Companies are also ensuring that their third party suppliers have up to date security policies and information security management systems. This is increasing the amount of work and demand for consultants and contractors to SMEs.

It is perhaps information security’s good fortune that it remains in the media spotlight. Investment in information security is certainly running counter to the investment trends in IT and the wider economy more generally.

ANALYSIS BY SECTOR

End users

Last year the recovery in the end user recruitment market was led by the retail banks. They came to the recruitment market in early 2010 with multiple vacancies. Whilst good for those working in banking it did not necessarily help the rest of the end user recruitment market. Fortunately, the recovery spread to other sectors of not only the financial services sector but the wider economy. Now in 2011 a far more varied range of companies are recruiting. There have been multiple vacancies in sectors such as insurance, investment management, telecoms and utilities. In spite of a lower number of vacancies, with full employment, vacancies on average are taking longer to fill than in 2010.

During 2011 end users have recruited PCI-DSS specialists in order to reduce the reliance on consultancies. As a consequence those working in specialist PCI consultancies have found themselves in demand. Whilst Qualified Security Assessor (QSA) work will always remain independent, PCI-DSS preparations can be carried out internally. Whilst much of this demand has been for single recruits to focus on PCI-DSS work, we anticipate this potentially expanding as larger teams are formed.

There has been an increased demand for IT risk management skills. The ability to carry out application or infrastructure risk assessments, and to be able to cross between information security and risk management, is becoming an in-demand skill. In the banking sector the line between security and risk management is becoming increasingly blurred.

End users are competing for the same candidates as the consultancy sector and information security practitioners are moving in both directions. Many CISOs have spent at least part of their careers working in a consultancy. A Big 4 Director role can be an attractive next step for a CISO. Whilst the financial benefits of working in industry and commerce have traditionally been better, consultancy can offer wider career progression and experience.

We expect the trends established in the end user recruitment market during the first half of 2011 to continue through the remainder of 2011.

Business Continuity

Demand from the business continuity sector was buoyant in the first half of 2011. This was on the back of 2010, when an increased demand for senior level practitioners suggested that business continuity was becoming recognised as a vital business capability. During a period when recruitment budgets were constrained, companies were still prepared to recruit.

In the year to date senior business continuity vacancies have continued to flow with a mix of newly created and replacement hires. The majority of these vacancies have been within the financial services sector where the FSA’s influence is particularly felt.
Companies invariably want to recruit individuals who can bring experience, judgement and leadership. We anticipate that having either recently established or replaced their business continuity management, more lower level vacancies at analyst or senior analyst level will emerge during the second half of 2011.

At the start of 2011 the consultancy sector was actively recruiting business continuity practitioners. This slowed as the year progressed and we are currently uncertain about the level of demand in the second half of 2011.

Most of the business continuity expertise in the UK is based in London and the South East and recruiting locally in other areas of the UK can present challenges. In the year to date there has been a notable increase in business continuity vacancies outside of London. We expect this trend to continue and anticipate more newly created senior and team level business continuity positions in all parts of the UK. Companies demonstrably need to address business continuity across all of their operations. There is always a debate where to locate expertise and how mobile people are prepared to be. However, if this trend continues it will become increasingly practical to live and work in business continuity outside of London and the South East. This year new positions have been created in the Midlands, the North and Scotland.

Awareness of business continuity management continues to improve and global events regularly bring the need for BCM into focus. More recently events in Japan brought supply chain BCM to the fore. The FSA is also continuing to exert pressure on the financial services industry to adequately address its vulnerabilities. As the London Olympics loom closer there is likely to be an increase in business continuity contract recruitment to ensure businesses are prepared and able to react to the “Tsunami of people” due to arrive in 2012.

Consultancies & Security Vendors

Within the consultancy and vendor sector recruitment patterns have remained steady during 2011. After the uncertainty that followed the mergers and acquisitions that took place in 2010 the sector has a clear idea of the skill sets and resources required. Currently much of the demand is for newly created positions within expanding services and solutions divisions. Professional services are the most buoyant with the majority of roles at mid to senior level.

Overall, the supply of candidates seeking consultancy and vendor opportunities is good. Those who previously chose not to seek new positions because of the recession or the uncertainty surrounding mergers are now steadily entering the recruitment market. More public sector security consultants have become available due to cutbacks within government and defence. As cloud computing grows, sales and pre-sales consultants at all levels are reviewing their positions in anticipation of an increasingly competitive market.

It has been apparent that certain security vendors and consultancies have been particularly successful in recruiting the best talent. Those with the strongest reputations and presence in the security market have continued to push the boundaries of new technology. They are able to offer the most exciting projects from both an economic and technological perspective.

As we anticipated in the 2011 Market Report, PCI skills and penetration testers have been in demand. Consultancies of all sizes, from the niche boutiques to the large global entities, have recruited in these areas. As a result there have been opportunities at all levels, from senior consultant to entry level graduate. Following the trend established in 2010, CHECK Team Leaders and QSAs are again the most in-demand candidates, and the shortage of candidates with these skills remains acute.

Contract Market

Demand in the contract market during the first six months of 2011 has proven to be unpredictable. At the start of the year demand increased particularly from the investment banks and this caused contract rates in the sector to increase. Candidates with application and infrastructure risk experience became more difficult to source and many were simply moving between contracts for increased rates.

Conversely, having reported in the 2011 Market Report an increase in demand for generalist information security and information security policy contractors, we have seen this demand decrease. Demand was coming mainly from the retail banks, and as projects have been completed and contractors replaced by permanent staff, the demand has died away.

The public sector remains quiet although consultancies and outsourcers still need contractors to fill skill shortages in projects they have won within the public sector. Many public sector information security contractors have seen their contracts cut short during 2011 particularly if they were sourced directly to a public sector department. This in turn is leading to many contractors who moved from financial services to the public sector during the recession now trying to move back to the financial services sector.

Outsourcers have been particularly successful at picking up work this year, which in turn has opened up opportunities for contractors to work through outsourcers for a range of clients in the public and private sectors.

The main contracting locations during the first half of 2011 have been London and the South East, the North West and Edinburgh. Contractors based in Scotland, and particularly those with access to Edinburgh, are currently in high demand. Shortages of available candidates are causing rates to rise.

We anticipate that demand for contractors from the financial services sector will rise in the second half of 2011. This increase will mainly be for those with information security project risk, technology risk and security risk assessment experience. The last two quarters usually see an increase in contractor uptake as new projects are started or reach a point where a security resource is needed. It is to the benefit of the contract market that by this time the majority of permanent staff are already assigned to other work.

Summary / Predictions

The information security market has an air of normality about it. Demand for information security practitioners, whilst lower than six months ago, is evenly spread across the various sectors of the economy. Candidate shortages are as evident today as at any time in the past.

Against this, the economic environment that information security practitioners are working in is about as far removed from normal as it ever has been. Even for those with the most optimistic outlook, the simmering sovereign debt crisis in Europe will sooner or later need to be resolved. It will most certainly involve economic pain beyond the borders of the countries directly involved.

In many respects it would perhaps be better to take the pain now rather than live with the uncertainty for what may be an extended period of time. Uncertainty tends to undermine confidence, and recruitment markets run on confidence. Unfortunately we have no better idea how the economic chips will ultimately fall than anyone else. Muddling through over an extended period of time is probably the most likely scenario. In the UK it is seemingly consistent with the current sub-trend growth and declining standards of living.

It is not surprising that in this environment corporate investment is subdued. In normal circumstances this would badly impact the demand for information security practitioners. It is perhaps fortunate that a number of security breaches have had such widespread publicity. The FSA is determined that the financial services industry properly addresses information security. This has resulted in a welcome flow of investment into information security. Whilst no one should be celebrating (it really is not that type of market), full employment in information security is the result. Ultimately, prospects for the information security profession are real and growing.

We expect steady demand for the remainder of 2011. This demand will include risk assessment skills covering both applications and infrastructure, and PCI-DSS skills. Those focusing on network security in the contract market are likely to benefit from an increase in demand for their services to counter hacking attacks. Whilst information security consultancies were braced for a tough 2011, they have been able to transfer their focus to the private sector. Demand for their services is likely to continue to be buoyed by spending on cloud security, PCI and increased utilisation of penetration testing services.
