Every year, Acumin collates information gleaned from placements they’ve made across the information-security sector, and publishes the results as their Salary Index. The key takeaway from the latest of their surveys is that, for the right people, salaries continue to rise. The reasons are several, but hardly complicated: this is an industry where the demand for people with the right skills continues to out-pace supply, and from Acumin’s perspective, that doesn’t look likely to change greatly in the coming months.
“Two or three years ago the market was very client-driven, but it’s very candidate-driven now,” explains Ryan Farmer, Acumin’s senior resourcer. “Before, you’d get an organisation who’d meet and like two or three people then think about it a bit, but they’re now aware of the time constraints and competition in the marketplace – that if they don’t snap up the right person when they have the chance, that person will go somewhere else.”
Cyber security issues have caught the public imagination, and nobody wants their company to be the next one on newspaper front pages following an embarrassing data-loss incident. Just as important – if largely hidden from public view – compliance with industrial standards such as ISO 27001 has moved from being desirable best practice to, often, a basic requirement in conducting business with other security-minded entities. So information-security professionals have never been in higher demand, and within the sector, certain skills are in desperately short supply.
“CHECK and CREST-registered penetration testers have become much more in demand,” says Acumin’s pen-test specialist consultant, “because they’re not looking for new jobs so less are available. They’re often embedded already, and their employers know how valuable they are – so they’re using all sorts of weird and wonderful tactics to retain them. Guys on an £85,000 base are being taken off permanent salaries and put on to day rates of £500 per day in some cases – so it’s basically impossible for them to leave, as no-one else is going to pay them any more. Or, they’re giving them shares in the business, or promising them a cash bonus if they stay another year.”
“There are, however, alternatives,” he continues. “More and more employers are hiring experienced systems engineers, application developers and systems admin/Linux consultants with some understanding or experience of pen-testing who can become CHECK or CREST accredited in a relatively short time. The benefits of doing this are that the requirement is covered, and often at a lower starting salary – so an issue is solved at lower cost but the employer still gets a candidate with a solid commercial grounding and the relevant skill set.”
Demand is similarly dynamic across both the specialist security consultancies and within end-user businesses, to whom information security is of paramount importance. Traditionally, sectors such as banking and online gambling have led the way in employing in-house security professionals, but that trend is now becoming the norm across other industries too.
“We’re seeing a lot more end-users building out their capabilities, growing their security functions internally and bringing certain outsourced elements back in house,” says managing consultant Scott West. “They want that because it gives them more control and they can tweak the service just that little bit more effectively to their needs. But consultancy hiring is still good across the board as well.”
Within what looks increasingly like a seller’s market, there are still things job-seekers can do to make themselves more attractive to potential employers. One key area is the development of business focus and acumen, as opposed to security prowess.
“We often see rejections because of a lack of soft skills,” says Farmer. “The demand at the moment is for senior security personnel who have an ability to manage relationships within the business. Some people who’ve been in the industry longer, they may have come from hobbyist backgrounds and they’re deeply technical, but they’re not progressing because they don’t have that business-facing skill set. Then you see people coming up with 10 or 15 years’ less experience and progressing past them, because they can do that broader internal consultancy.”
The message is clear, both to businesses looking to hire infosec professionals, and for the people looking for a new job: if you have the skills, you have the upper hand.
“It’s become a very cut-throat environment,” says our specialist consultant. “Companies are having to work out ways of getting people. It’s not just about a salary – it’s about interesting roles, add-ons to the basic package, work-from-home contracts and lifestyle issues. It’s about why the candidate should choose them over somebody else, really.”
The latest Acumin Salary Index, covering both Permanent salaries and Contract day rates across the End-User, Consultancy and IT Security Vendor markets, is available to download here.
For any questions or queries, call the Acumin team on 020 7987 3838.