2009

Market Report
INFORMATION SECURITY

Barclay Simpson Market Report 2009
INFORMATION SECURITY

CONTENTS
01. Executive summary

02. Information Security – market analysis

03. Information Security – salaries

04. Appendices

I. Sample structure

II. Graphs of key indicators

III. Data tables by specialism

01. EXECUTIVE SUMMARY

Welcome to Barclay Simpson’s 2009 Information Security Market Report. This is the 19th year we have produced a market report summarising and analysing recruitment trends in corporate governance and the fifth year we have published a specialist report on information security. We place great value on professional reaction to the Report and would appreciate your comments.

TOP LINE CONCLUSION

At the start of 2008, with the effects of the credit crunch already a number of months old, few people, certainly if market commentators and investor behaviour are to be trusted, anticipated that the banking sector and wider world economy would be facing their current difficulties. In the space of a year, three out of the five leading US investment banks no longer exist as independent entities and two of those do not exist at all. A significant portion of the UK banking industry has been partially nationalised. Unfortunately, the problem was not contained to the financial services industry. The UK economy and the economically developed countries of the world are now in recession and the only questions are how deep and how long?

If it was not clear before, it certainly is now, that the UK economy did not undergo some politically inspired economic miracle. After a protracted period of low inflationary growth, the willingness to take risks increased and leverage became unsustainably high. The cost of money was too low, risk was mispriced. Bubbles inflated, most notably in equity, raw material, property and housing. A stressful period of de-leveraging is now underway. The re-pricing of risk and withdrawal of credit is now taking its toll on the wider world economy, as both wealth and demand fall.

It is likely that the de-leveraging process is set to continue and asset prices will decline further, as it has in other countries. What is the extent of the problem in the UK? Whilst the government wants bank lending to return to 2007 levels, which may well sound reasonable, it would still be twice the average of the previous ten years. Ultimately, the financial systems in North America, Europe and other parts of the world will need to be recapitalised as all losses are eventually recognised. A short sharp recession does not appear to be the most likely outcome.

TOP LINE CONCLUSION continued

However, the pertinent question for this report is how the economic environment will affect the employment prospects of those working in corporate governance. Employment is a lagging indicator. Usually, unemployment only starts to rise significantly once an economy is in recession and is often slow to respond positively once growth re-commences. In the final months of 2008, it became abundantly clear that the rate at which jobs were being lost in the UK economy was accelerating, with most days bringing announcements of redundancies. This is forecast to continue into 2009, with plenty more bad news on employment that is to come.

Whilst employment in corporate governance will broadly follow trends in the wider economy, as a discipline it will do better than many others. Provided a company remains viable, its corporate governance resources are likely to remain intact. That does not mean that people who leave will be replaced or that redundancies will not occur. The problem for those who are made redundant (and if your employer no longer exists then you will be made redundant), will be to secure another position. For many, this is likely to become increasingly problematic.

ECONOMIC HIGHLIGHTS

• The UK economy, together with the developed economic world, is already in recession. World economic growth is likely to be less than 2%. The median estimate is for the UK economy to contract by a further 1.5% in 2009. A worse outcome is possible.

• At almost 6%, unemployment has already reached an 11 year high and is climbing rapidly. It will shortly exceed 2 million and is forecast to be significantly higher by 2010. There are some predictions that it will approach 3 million. Total employment in the UK economy, which peaked during 2008 at 29.5 million, is now declining.

• Inflation, which only six months ago was perceived to be an economic threat, has fallen from a 16 year high and is likely to fall significantly further. Commodity prices have fallen steeply and with the economy shrinking, inflation is set to undershoot its 2% target during 2009. The prospect of deflation cannot be ruled out.

• The UK budget deficit is currently forecast to be £78 billion in 2009 and £128 billion or 8% of GDP in 2010. This will represent the highest level of government borrowing since modern records began and will take government borrowing to 60% of GDP. The potential for a significantly worse outcome is substantial and ultimately Government spending will be forced to decline.

CORPORATE GOVERNANCE - OVERVIEW

Whilst it is perhaps convenient to suggest that the fault lies entirely in sub-prime lending in the United States, it seems rather disingenuous when our own Northern Rock was offering 125% mortgages. Globally, governments created the monetary conditions that provided the banks with the opportunity to dramatically expand the credit they made available. Since 1997, and the bail out of Long-Term Capital Management, and in response to every economic threat since, low interest rates and a huge increase in the supply of money allowed the conditions to exist for credit to be expanded. They then seemingly compounded the error by allowing hedge funds, structured investment vehicles and other activities to go unregulated. Credit simply moved from regulated to unregulated areas.

In hindsight, a more restrictive monetary policy would have provided much better value in regulating the financial services industry. No doubt there were few votes to be gathered from a more restrictive monetary policy that would have saved the economy from asset price bubbles and its present predicament.

Whilst governments certainly created the monetary conditions that allowed the banks to expand credit, it was the executive management of many financial institutions, even including some of the apparently more conservative building societies, who failed to take account of the risks they were taking. The proverbial cherry on the cake being the $50 billion alleged loss at Madoff.

The vast sums that have been spent on corporate governance in the financial services sector have seemingly done little to stop the credit debacle. The premise that management would be prudent in their action because of their responsibility to protect shareholders, has proven misplaced. A rather more convincing explanation is that incentivised remuneration packages based on short rather than long term performance caused the interests of shareholders to be relegated and otherwise unacceptable risks to be taken. Unfortunately, corporate governance has appeared to have a pro management bias that has not adequately protected shareholders or the wider economy.

Fortunately, and for the benefit of all of those of us who make a living either directly or indirectly out of corporate governance, more regulation is no doubt on its way. The deeper the recession, the greater the political response will be. Ultimately, a smaller more regulated financial services industry will emerge. As part of this process, the role of corporate governance will be re-evaluated. At the very least better risk identification, evaluation and reporting will be demanded. Governance will become more transparent and form a much greater part of the reporting process. Corporate governance is set to become high profile.

This lies in the future. Now it remains a question of managing the banking and consequent economic crisis. In this context, the financial services industry in the UK is in the process of shrinking.

So how is it looking in the corporate governance recruitment market? For those expecting a knee jerk reaction and a drive to immediately strengthen governance functions, it is yet to happen and is most likely many months away. However, for those expecting widespread redundancies, there is as yet little evidence. What does appear to be underway and started over a year ago, is a protracted slow down in corporate governance recruitment, a slow down unlike any that we have witnessed in twenty years…

In recent years, many ‘crises’ have blown up, often seemingly from nowhere, which have gripped the corporate governance recruitment market almost overnight and brought about head count and recruitment freezes. Governments have invariably responded with lower interest rates and in a matter of months the market has regained its composure and moved on.

The difference now is that whilst the current economic crisis dwarfs all others, it has built up slowly. Sub-prime and credit crunch entered the vernacular two years ago. Market participants seemingly became immune to bad news. Whilst the market has slowed and the pockets of weakness that we described in our interim report are spreading, it is clear from our various surveys that the corporate governance recruitment market has not ground to a halt. There is, given the economic backdrop, almost a surprising propensity to recruit. However, the economy is continuing to contract, the rate at which the economy is losing jobs is accelerating and further declines in corporate governance recruitment activity will occur. What is clear, however, is that vacancy creation has slowed significantly and there is little immediate prospect of it picking up.

Here is a brief summary of the individual corporate governance markets:

Internal & Computer Audit

Demand for internal auditors only started to decline steeply during the last quarter of 2008. However, as we reported last year, a slowdown in recruitment seemingly started in 2007. To date, there have been few redundancies in internal auditing and a lower number than in other areas of governance. The redundancies that have occurred have primarily been in sectors such as house building, retail and financial services where corporate failure has resulted in the closure of resident internal audit departments.

The vast majority of internal auditors are employed in three sectors - the public sector, the Big 4 and the financial services industry:

• Recruitment in the public sector has slowed and those employed in it will probably stay put. Significant redundancies are unlikely in the short term.

• The Big 4, who in past slowdowns have invariably shed staff, have so far shown no indication of doing so. They have perhaps learnt from past mistakes. During the past two years, outside of their annual graduate intake, they have recruited very few internal auditors. However, given the numbers they employ, should they undertake any significant redundancies, the number of internal auditors in the recruitment market could significantly increase.

• The financial services industry is now contracting. To date there have been limited redundancies and given the travails of the sector, it is clear more failures and closures will occur.

There is little doubt that demand for internal auditors will be subdued in the short to medium term and that the number of redundant internal auditors will rise. To what extent, is dependent on developments in the wider economy.

For those departments who are recruiting, it remains a frustrating process. The number of suitably experienced candidates can often be limited. Not surprisingly, many internal auditors, unless they are obliged to do so, are not entering the recruitment market. Unfortunately for those who are, the shrinking number of vacancies is clearly apparent.

Risk Management

Risk management continues to come under more pressure than other areas of corporate governance. This is as a result of the large numbers of risk managers employed in investment banking and the extent of the losses and rationalisation in the sector. Well known names such as Lehman Brothers and Bear Stearns no longer exist, whilst others have lost their independence. Not surprisingly, recruitment activity declined significantly during the second half of 2008. The number of redundant risk managers is growing. For many vacancies, the shortage of candidates that has characterised the market in recent years has dissipated and, it seemed improbable only a few months ago, there are now significant numbers of well qualified candidates readily available.

However, there are pockets of relatively strong demand. Solvency II, the insurance sector’s capital management programme, is driving recruitment in the wholesale and retail insurance markets. In response to the increase in the number of risk transformation projects there is steady demand from the risk advisory divisions of the consultancy sector. There is also notable demand for risk managers with restructuring, turnaround and workout experience as banks are looking to respond to their deteriorating credit portfolios. A further noticeable development is that credit and market risk are becoming more closely aligned. This is resulting in what is becoming known as ‘convergence risk’.

Whilst risk management remains a critical function and one that is likely to be recast in the light of developments, the mandate to recruit externally is now more frequently missing. In these instances the responsibilities of the role are being absorbed and distributed internally.

One may debate whether risk management is the cause or the symptom of the current crisis. There is no doubt, however, that risk management will remain centre stage. Once the current economic crisis abates, more commonly understood and transparent risk management processes are likely to emerge. In the meantime, overall demand is likely to be subdued as the financial services industry is recapitalised and reorganised.

Compliance

Despite regulatory pressures to maintain high levels of risk management and robust compliance controls, it clearly emerged towards the end of the year that only business critical recruitment was being undertaken. Not surprisingly, redundancies were up and recruitment freezes became common place. Only candidates requiring little or no training and who could immediately add value were being considered. Further, junior compliance positions and Senior/Head of Compliance type roles were becoming rare.

The sectors bearing the brunt were investment banking, where many banks either collapsed or merged, and mortgage lenders, intermediaries and packagers. Sectors that fared relatively better include asset and wealth management and the insurance sector.

The Treating Customers Fairly deadline for 2008 impacted recruitment, particularly in the retail financial services markets where many of the vacancies required taking some responsibility for implementing TCF.

As predicted, the FSA continued its risk and principles based approach to regulation during 2008 and its 2008/9 Business Plan reaffirmed that principles become more significant in times of market turbulence. The FSA does not plan to deviate from its work on MiFID or CRD nor let up in the focus to mitigate the risks presented by market abuse or financial crime. It is continuing to take action and enforce severe penalties on companies and approved persons who breach regulations.

Internationally, the SEC will be investigating the effectiveness of its regulatory regime as a result of the Madoff debacle. Tighter controls on private investment pools and hedge funds will be on the agenda for 2009 and this is likely to impact on the UK’s view of regulation in the sector.

Whilst the number of redundant compliance staff is now growing, some vacancies remain difficult to fill. However, if companies are going to recruit externally they will have high expectations of finding a very close fit to their requirements. Demand is therefore limited to business critical recruitment. However, redundant investment banking compliance candidates are generally highly regarded in other sectors such as asset management and asset servicing. Further, for those companies looking to recruit there is a much wider range of candidates available who are far more likely to be flexible in terms of the geographic locations, sectors and salaries they will actively consider.

Demand for compliance staff is likely to remain subdued in the medium term and whilst redundancies are back, for the first time in some years, many positions in compliance are essentially guaranteed as a requirement to conduct business. However, there is less certainty that businesses will continue to exist as an industry wide process of retrenchment and rationalisation continues.

Information Security

Demand for information security staff noticeably declined in the second half of 2008. Recruitment freezes and elongated recruitment sign off procedures are becoming more common and unemployment amongst security practitioners is increasing. Recruitment in banking and financial services is now particularly subdued and it is clear that after a strong period of demand, the Big 4 are no longer recruiting. Investment in IT is declining and directly affecting IT security vendors, consultancies and those working in-house in risk assessment or project roles. Not surprisingly, there is now a pool of redundant security practitioners.

Areas of relative strength are FTSE 250 companies who are still pressing ahead with the appointment of their first information security specialist. Further, the Hannigan Report, which followed government data leakages, is resulting in improvements in the security of government projects and demand for security practitioners with government and military experience.

On a positive note, information security extends into all areas of the economy, both in the private and public sectors, is potentially broadly based and is not substantially dependent on financial services. Fortunately, information security is clearly better integrated into businesses than in previous downturns. Security departments are now more independent of IT, more regulator led and have a better defined role than previously. Information security is not the target for cost savings that it once was.

Looking ahead, there is unlikely to be any upturn in the market in the near term and redundancies and unemployment are likely to track developments in the wider economy. In consolation, the redundancies and widespread unemployment that characterised the recruitment market for security practitioners in 2001 and 2002 are unlikely to return.

Outlook

Last year we anticipated a painful period of deleveraging. It is clear that we assumed that the accompanying falls in asset prices would be contained and that any damage would be substantially limited to the financial services sector. Unfortunately, the ferocity of the process and the damage to the wider economy has been far greater than perhaps even the most pessimistic commentators’ forecast.

Unemployment is already starting to climb menacingly. Whilst you can take your pick as to where unemployment will be in one month, six months or a year from now, perhaps the only thing you can say with certainty is that it will be significantly higher than it is now. Whatever the rise, we believe it will be proportionately lower in corporate governance.

Corporate governance is integral to business and most departments are leanly staffed. Redundancies are expensive, destroy the morale of those who remain and then leave open the problem of sometime in the future having to find replacements. However, the problem is not simply the dispensability of corporate governance, but the ability of the host business to survive either independently or otherwise. It is clear that as businesses retreat from markets, fail or undertake defensive mergers, redundancies will follow, as is already the case. Unfortunately, during 2009, the number of unemployed corporate governance practitioners will rise.

The problem with recessions is that for those people who do lose their jobs, the pain is disproportionately distributed. As vacancy creation collapses, the pool of redundant people grows and securing employment becomes increasingly problematic. However, for most people, if you are working in a relatively secure business, or even the public sector, you are unlikely to lose your job.

02. INFORMATION SECURITY – MARKET ANALYSIS

SIGNIFICANT SLOWDOWN EVIDENT IN FINAL QUARTER OF 2008

Information Security       Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008
New vacancies                    56        63        65        58        50
Closing vacancies                24        31        29        33        20
Candidates registering          214       179       195       240       230
Defensive registrations         14%       15%       15%       17%       20%
Overall salary increase         15%       16%       14%       13%        4%

During the first six months of 2008, the number of vacancies generated in the information security and business continuity recruitment market, although marginally down, was broadly consistent with the previous two years. This was perhaps surprising given the enormity of the economic developments. However, most commentators then believed that the UK and developed world at worst might expect a short shallow recession. It is clear that nothing so benign has transpired and only the depth and length of the recession is in question. The recession has now started to show up in our market data.

• Q4 sees sharp reduction in vacancies

During the final quarter of 2008, there was a significant slowdown in the rate at which new information security vacancies were generated. In fact, vacancy generation was broadly maintained into the third quarter of 2008, but then fell away in the final quarter. Whilst some comfort might initially be taken from the number of vacancies generated in the second half of 2008, 50 versus 58 in the previous six months, a rather more telling statistic is the closing number of vacancies, which has fallen from 33 in July 2008 to just 20 in December 2008. The trend is now set for a significantly lower number of vacancies.

• Drop in registrations as candidates reluctant to move

The number of candidate registrations fell in the second half of 2008. The fall in registrations is not surprising, as changing employer involves risk. Whilst much of this risk is more perceived than real, some feel that entering the recruitment market for purely discretionary purposes is not something they currently wish to do. Against that, the rate of defensive registrations rose. Defensive registrations are up as the number of those who are made redundant or feel their position is potentially under threat is rising.

• Dramatic fall in salary increases

The average salary increase achieved by changing jobs in the second half of 2008 fell dramatically to 4%. This was caused by those who are out of work accepting salaries below their pre-redundancy earnings.

MARKET COMMENTARY

Unemployment now evident

There is now unemployment in information security. The number of information security specialists being forced into the recruitment market is rising and the number of vacancies is falling. The last time this happened was in 2002. Then, post the dotcom bust, many start up internet companies lost their funding and budgets were cut in anticipation of a downturn and the uncertainty of the run up to the Iraq War. The reasons for the current downturn are different. However, for anyone who loses their job, the impact is likely to be very similar. Within many companies, budgets for new technologies have been frozen and recruitment suspended. IT projects have been put on hold.

If you find yourself in this situation or simply fear the threat of redundancy, the more proactive you are, the better. Focusing on how you can improve your marketability - perhaps doing things such as completing a professional qualification and developing relationships within the industry – can make a real difference to your appeal to potential employers.

Although demand is now declining, previously there had been strong demand for penetration testers to assist in determining a company’s security status. The reason for the decline is twofold. Firstly, the consultancies that employ the bulk of penetration testers are becoming more cautious and secondly, as people become more wary about changing jobs, there is less backfilling required.

Another niche area which has experienced strong demand has been Identity Management (IdM). However, demand has recently slowed due to the fact that most Sarbanes Oxley compliance, which was driving IdM recruitment, has been concluded. This said, it is possible that Public Key Infrastructure (PKI) may replace this demand in the Identity and Access Management (IAM) market. In the UK, the number of encrypted hard drives will increase, particularly following the high profile data losses of 2007 and 2008. This is now a government requirement, involving various levels of PKI to access information on hard drives. A great deal of work has been undertaken using PKI as well as IdM on the Transglobal Secure Collaboration Program (TSCP). This is essential for companies dealing with the US government. It is likely that the private sector will follow and some consultancies are already progressing this. New roles in PKI should emerge in 2009.

Against this rather downbeat backdrop, there are areas of the recruitment market where demand remains strong. For example, in the public sector there are a number of long-term projects which are already funded and recruiting. We expect this to continue during 2009. Managed Security Services (MSS) and Security as a Service (SaaS) are still recruiting at all levels from VP / managerial positions through to pre-sales and technical operational roles. Outsourcing is proving to be a cost effective way of securing information and avoids the need to purchase the technology and recruit staff to implement, integrate, configure and maintain it.

There is still demand from companies wishing to appoint their first Information Security Officer. These are usually stand alone roles reporting to the COO, Head of Risk or CIO and result from various pressures, including PCI, the growing scope of FSA regulation and countering reputational risk following highly publicised data leakages.

Data leakage

Data leakage was a topic for many industry conferences and security publications throughout 2008. This was the result of fines imposed on the private sector and media humiliation of the public sector. There is now increased awareness of information security and its role in ensuring that an organisation is not commercially damaged or its reputation and trust publicly compromised by data leakage.

Within the public sector, the Hannigan report was commissioned, which highlighted where improvements could be made to reduce data leakage within the public sector. These included more encryption, penetration testing and a raised awareness of information security across government departments. The private sector has responded by investing in privacy personnel and aligning with ISO 27001, and in some cases working with consultancies to improve their Information Security Management Systems (ISMS).

The Information Commissioner is to be granted new powers to conduct “spot checks” and sanctions will be introduced under the Data Protection Act for the most serious breaches of its principles. This will affect both the private and public sectors and will no doubt lead to increased demand for privacy staff during 2009.

Middle East market growth

The Middle East is becoming a popular alternative for UK based information security professionals. Whilst the region is not immune to the global slowdown, many new information security positions are still being generated. The Middle East offers numerous opportunities within information security, not only in Dubai and the UAE, but in Qatar, Bahrain, Kuwait and Saudi Arabia. Local national banks and commercial groups are expanding, together with multinational groups who are migrating into the region. These developments require robust corporate governance and the demand for globally recognised compliance. Demand for effective information security management is growing. Large, complex organisations are ensuring they have information security standards and policies that are in line with global best practice and are building information security teams. Accreditation to ISO 27001 is still not common, but there is an increase in demand for accreditation as more companies in the region announce their certification. However, relocating is a big decision which should only be made after careful research and consideration.

Contracting to Government

Demand for security staff in the public sector is generally considered to be more immune to the recession than the private sector. As a consequence, there is currently enhanced interest in gaining work in the public sector. It can be a problem gaining the necessary security clearance in the required time frame. This process can take up to two months, which for many contracts, is too late. A way round this is to work through a consultancy, which can hold clearances on a contract basis and can sponsor an SC or DV clearance to work on government projects. However, there are costs involved and if clearance is not used within a year the process has to be completed again.

The number of candidates less staff. They only recruited security consultants on the back of winning new business or replacing essential leavers. The number of vacancies registered declined This has had mixed affects. government security consultants and penetration testers. The exception is likely skills that were required offers and are often counter-offered to stay to be from those consultancies benefiting in 2007 and reflect with their existing employer. Any recruitment that has been taking place is primarily at mid level. Sls and the practitioners are likely to stay with their government sector. although many better qualified individuals the number of security specialist staff used identity management are preferring to stay out of the recruitment specialists. The boutique security consultancies were even more cautious in their recruitment during 2008. Recruitment freezes the nature of projects. market and remain with their existing security consultants employers. at times. These were the same to enter the market can still receive multiple be subdued in 2009. These were mostly new positions in projects and contracts where they were able to immediately place additional security consultants. particularly in government and by certain major outsourcers. At the same time. Security practitioners have been moved on to other projects and some security practices and businesses have been restructured and reorganised. has been taking place there were some cases of very urgent lost major contracts and therefore required is primarily at mid recruitment. particularly in the government sector. even though the data-leakages themselves have. Firms involved in Any recruitment that during the course of the year. Really good candidates who chose We anticipate that demand will continue to and penetration testers. with demand for security architects. 12|24 . have been used as a sales tool to increase for security architects. 
telcos with security professional services existing employers. identity management specialists. There have been a select number of consultancies. will continue and many of the best particularly in the A number of consultancies. with demand competing for each vacancy is increasing. These were the same skills that were required in 2007 and reflect the nature of projects. SIs and telcos with security practices that recruited significantly in these areas in 2008. from contract wins. such data losses level. practices. have occurred during 2008. government on contracts. Barclay Simpson Market Report 2009 INFORMATION SECURITY Analysis by sector Consultancies & Systems Integrators The consultancies and systems integrators It is hard to discuss this market sector without reflected developments in the wider economy mentioning the significant data losses that during 2008. now have recruitment freezes.

End users

Information security departments started the year buoyed by the need to fix potential data leakages, PCI and vendor assessments. At that time the credit crunch and its effects on the wider economy had yet to be felt in information security recruitment. Demand held up until the end of quarter 3 when, in a similar fashion to other areas of corporate governance, there was a significant decline in the number of new vacancies. Some positions were put on hold, budgets were reviewed and any recruitment needed to be sanctioned at a higher executive level. Information security staff that left the organisation were not automatically replaced.

After Lehman Brothers failed, demand for information security staff in the financial services sector dropped sharply. No vacancies were registered in this area during the second half of 2008.

Demand in commerce has held up better with many smaller companies still appointing their first information security specialist. This is a continuation of an established trend and this impetus is largely caused by the growing scope and recognition of ISO 27001. PCI has had an impact in a number of sectors and is being used by information security managers to justify their budgets. However, by the end of 2008, many commercial companies, most notably in the retail, property and media sectors curtailed their recruitment plans.

During economic slowdowns, IT investment is often badly hit. New technologies have rather less take up, projects are scaled down and development slows. Information security within end users is inevitably affected as less technology related risk assessments are required. Those who are full-time risk assessors should consider broadening their skill base.

Candidate availability has been mixed. It is clear that many candidates, who are under no threat, but who might otherwise have looked for discretionary purposes, prefer the security of their existing employer. Others, either through redundancy or the perceived threat of this, feel they have little choice but to search for another job. Currently, unemployment is still low but compared with recent years it is steadily rising. A number of contractors are starting to compete for permanent roles even though they will often not be considered by the hiring or HR managers. Candidates with blemished CVs are finding it more difficult to secure interviews.

The combination of fewer jobs and more candidates is resulting in lower salaries. Employers are more likely to match, rather than improve existing packages and, in the case of unemployed candidates, may offer below previous earnings.

This trend in the market looks set for 2009. In spite of the positive benefits of PCI and Hannigan, demand from end users will be closely tied to developments in the wider UK and world economy.

resulted in enhanced security concerns. contractors as those who have been made redundant from permanent roles will also be The Data Protection Act gained weight during looking for contract work. Strong demand for CLAS consultants 2008 was characterised by less work in the continued throughout 2008 with long term high private sector but growth in the public sector. Security report in the first half of 2008 and on developments in the economy. in to longer. Companies will most likely want to review their privacy policies. much of which will be CLAS defence work. The Hannigan report highlighted a number of areas that required attention within the public sector and resulted in increased security awareness amongst its senior management. as a result of some large characterised by less fines. Many Some contractors were requested to move into CLAS consultants are working with more than permanent positions to cut costs. with rates falling approximately 10% highly skilled CLAS consultants are being tied for generalist information security positions. contractors were in demand across all sectors. This will see an increase in roles for information assurance. High profile data leakages. There will many companies needed to act on the findings almost certainly be more competition amongst and recommendations. more companies will be expected to be ISO27001 compliant and this could increase the number of roles for ISO 27001 implementers and lead auditors. we anticipate that the mergers in the financial services industry will result in an increased demand for consultants with network security and architect skills to assist with systems integration. Barclay Simpson Market Report 2009 INFORMATION SECURITY Contract market At the start of 2008. cryptographic experts and CLAS consultants. more lucrative. New frameworks have been awarded in the public sector and are due to begin during the second quarter of 2009. 
A large intake of new CLAS for work resulted in more competition for consultants eased demand. 14|24 . especially those individuals with identity management skills. The FSA released its Data The private sector will be more dependent the public sector. coupled with a number of ambitious projects that required an increase in the collection of sensitive data. profile central government projects remaining The increased number of contractors looking a big user. This increase will be the result of third party suppliers using security as a selling point and the expectations laid out by various governing bodies on information security management systems. Much of this work is being carried out as part of compliance with ISO27001. However. which could see an increase in related contract roles. In 2009. although long-term positions. we expect demand from the public work in the private for data privacy and third party security sector to be broadly consistent with 2008. sector but growth in assessments. one public sector client and this demand will at specialists such as identity management least remain if not increase in 2009. 2008 and more spot checks may be carried out throughout 2009. experts and penetration testers were able to maintain their rates. used more contractors during 2008 In 2009. 2008 was Financial services. In 2009. contracts.

information security Despite this. Thankfully. Looking ahead into next year. as more experienced candidates are prepared to accept less senior roles. security specialists employed in the UK There is now more caution and some have economy at the end of 2009 than there looked to downsize. As a consequence. the financial integration projects that will take place as a with the move towards services industry contracts. It will be interesting to see if the reality matches the expectation. particularly specialists will directly way to compensating for business continuity with the move towards ISO 27001. as now. information security specialists will for the UK government If this growth in other sectors continues. As a result of redundancies. More companies will be looking The industry has driven standards. ISO 27001. job applications have become more competitive. 15|24 . more disproportionate effect on the market. more or indirectly be working job losses in the financial services industry. is making it more difficult for inexperienced candidates. Unfortunately. it directly or indirectly be working for the by the end of 2009 than will create new opportunities for business UK government by the end of 2009 than ever before. cases whole teams of business continuity It is clearly not simply a local UK problem. recruitment slowed As a result. then we predicted increased media coverage and the new British that the prospects for the employment of Standard (BS25999) was released in 2008. Consolidation is likely as some be worried about the nicety of whether smaller consultancies struggle to ensure that their information security departments they will be well placed to benefit from the are up to standard. Would the damage to the financial system be business continuity has benefited from contained? If it was not. Teams to become ISO 27001 compliant and the If the current trends can grow quickly and specialist positions contract market should benefit from major continue. 
a recent Continuity Central report found that the majority of companies expect business continuity spending to be maintained in 2009. Many companies will be too more competitive as consultancy fees are focussed on fighting for their survival to being squeezed. eventual upturn. business continuity has suffered In last year’s report we predicted that the in economic downturns. continuity specialists to expand their ever before. It is also making the contract market more competitive as otherwise unemployed business continuity specialists make themselves available for contract work. This is depressing salaries and. experience. Budgets have tightened and crossed into the wider economy and is bigger expansion plans have been curtailed. Almost half said that it would be the same in 2009 as it was in 2008 and about a quarter believed it could increase. information security specialists would be Business continuity now has a higher profile more closely tied to developments in the and executive management is more conscious wider economy than many might otherwise of its benefits. the recession is like to believe. other sectors have gone some If the current trends continue. it has a result of banking mergers. there have been more people in the job market out of necessity rather than purely for career development reasons. there will be fewer information significantly in the second half of the year. The market is becoming are now. we expect some areas Banking and the wider financial services of strength in the security market. Against this backdrop. Barclay Simpson Market Report 2009 INFORMATION SECURITY Business continuity Summary / predictions Historically. particularly are common. making any solutions more difficult. When. is affecting the global economy. start in 2009. but professionals have been disbanded. as companies have outcome for 2008 would be finely balanced. after a confident start to 2008. However. the damage has having an effect. sought areas in which to cut costs. 
Within business continuity consultancy. Data industry is by some distance the largest Protection Act spot checks are scheduled to employer of business continuity staff. In some than even the most pessimistic predictions.

03. INFORMATION SECURITY – CURRENT SALARIES OVERVIEW

Salary survey

Barclay Simpson analyses the salary data that accumulates from the placements we make in the UK. This provides a useful guide to salaries and salary trends in information security.

This survey consists of 20 profiles of typical security specialists, for whom we have provided an approximate salary range they could realistically expect to achieve. The profiles are for good rather than exceptional individuals and take no account of other benefits that can accrue to information security specialists such as company cars, nor do they take account of non-contractual bonus and profit sharing arrangements.

Salary increases are significantly down for 2008

The average salary increase accepted by information security specialists fell to 4% in the second half of 2008. This is the lowest ever recorded. Corporate costs were closely controlled during 2008 and some companies were able to have offers accepted that were less than redundant candidates had previously been earning.

Many candidates in these difficult times are becoming less interested in salary and more concerned about qualitative factors, such as potential security of employment and career progression.

Outlook for 2009

The economy has entered territory that it has not been in for over 15 years. The bargaining position of information security specialists has weakened. If the normal patterns of supply and demand are followed, as the supply of information security specialists increases and the demand for their services falls, salaries, as a factor of supply and demand, should fall. This will be combined with severe budgetary pressure as companies seek to reduce costs.

In reality it is not that simple. Further falls are likely to be mitigated by two factors:

1. Those people who are employed and their job security is not under threat, will have no need to accept a lower salary than they might do otherwise. In fact, given the economic circumstances, these candidates are likely to require an even bigger premium on their salary to compensate for the perceived increase in risk they are taking by moving jobs.

2. Many companies, even though a candidate is unemployed, do not necessarily wish to offer them the lowest salary that they might accept. They will be recruiting against established salary grades and will rightly want someone to join who is motivated and has not just accepted because they have no other realistic alternatives.

Outside of base salary, it is likely that discretionary bonuses, particularly those based on corporate performance, will fall. However, given the economic backdrop, many information security specialists will be pleased to get through 2009 with a secure job.

and risk assessment.000 £52-61. Security Analyst Experience including monitoring and awareness for £36-40.000 recovery knowledge and experience. undertaking security design and £64-73.000 £30-37. £50-60. Proven client relationship building and presenting experience. Also undertakes business development activities.000 or Manager.000 £49-56.000 Operations Team Leader.000 £53-62.000 £50-55. Likely to be working for a retail bank or other financial institution. Identity Management Consultant Solid skills in identity and access management design and £57-65.000 basic.000 architecture.000 £22-30. Executive level consultancy and team leading experience. Data Protection Manager Extensive data protection management experience gained in large corporate enterprises which would often include large £62-71.000 information security. Senior Business Continuity Consultant Broad business continuity experience with strong external £54-63.000 £46-55.000 answering directly to the head of department. this skilled penetration tester will have good client-facing skills and be able to £52-60.000 £57-66. Senior Security Sales Consultant An experienced sales professional who consistently overachieves. Background in either consulting or from a policy role in a larger department. Penetration Tester Working for a boutique security consultancy. £45-55.000 £55-60.000 undertake application penetration testing.000 250 or small FTSE 100. with good client-facing skills and bid work experience. Background of working in consultancy.000 financial services. Small scale team leading responsibilities. Disaster Recovery Test Manager Working in the investment banking field with excellent disaster £57-68. Skills in technical and non-technical security areas such £58-67. CLAS Consultant At a senior level within the security practice of a large consultancy or SI.000 OTE £90-100.000 £45-54.000 £49-54. A career history working for large complex organisations in lead positions for DR testing. 
Business Continuity Manager Business continuity management experience gained in £57-68.000 medium to large scale financial services groups.000 basic. Reports into the Security £27-35. 17|24 . Security Architect Working for a consultancy. Working for a security vendor and reporting to the Sales Director OTE £100-110.000 as security architecture. Operational Security Manager Managing 2-3 personnel within a mid-sized department and £60-66.000 £47-56. Information Security Officer Sole information security person (no reports) appointed to a FTSE £58-64.000 consulting experience in a multi sector project environment. code level reviews and reverse engineering. Senior person also involved in bid / proposal work and mentoring team members. as well as security policy formulation and review.Barclay Simpson Market Report 2009 INFORMATION SECURITY London Rest of UK Security Operations Engineer A junior member of a network security ops team in a 24/7 managed service environment. IDS / IPS etc.000 architecture for large-scale client projects. Monitors security devices such as firewalls.

ISO 27001 Consultant (Contract) An ISO 27001 Lead Auditor working for a consultancy. providing £450-550 £350-450 advice on data privacy in line with the data protection act and per day per day industry guidelines. gap analysis. Identity Management Consultant (Contract) A skilled IdM consultant with experience of various identity management suites from the leading providers. Working in a commercial environment they will have good client-facing skills. articulate.000 focus to their information security experience Head of Information Security Managing a team of 20 security professionals in a financial £110-125. 18|24 . assisted by 2 more junior managers. security policy review and selection of controls to align with the standard. Business Continuity Analyst (Contract) Working in the financial services industry with a good £225 – 320 £200-300 grounding in business continuity. Role would £550-600 £500-550 include advice on ISO 27001 implementation.Barclay Simpson Market Report 2009 INFORMATION SECURITY (continued) London Rest of UK Big 4 Senior Manager Individual with business development experience and a policy £80-95. risk per day per day assessment.000 £68-74. Will have had £650-700 £550-600 exposure to the identity management process from beginning to per day per day end. CLAS Consultant (Contract) Experienced CLAS Consultant responsible for security policy £700-800 £500-600 development during government programmes such as Risk per day per day Management Accreditation Document Sets (RMADS) and associated documentation.000 £80-88. focused with per day per day good team working skills. Data Privacy Consultant (Contract) Working with financial and commercial organisations.000 services company.

04. APPENDICES

I. Sample structure

II. Graphs of key indicators

III. Data tables by specialism

APPENDIX I - SAMPLE STRUCTURE

This report is based on quantitative data gathered from a sample structured as follows:

• 50 internal audit departments
• 30 risk management departments
• 30 compliance departments
• 35 information security departments

In addition to the numbers, we speak directly with a number of heads of department to discuss their current and future recruitment requirements as well as the broader picture to gain a qualitative perspective which is invaluable for the market commentary.

The core statistics provide the following key information:

VACANCIES
• Number of vacancies at the start of the period
• Number of vacancies generated during the period

This provides guidance on the rate at which vacancies are being generated and an indication of the ease with which companies are filling these vacancies.

REGISTRATIONS
• Number of candidates registering in each market segment

This monitors the flow of candidates into the recruitment market and, combined with the number of vacancies generated, gives an insight into the balance of supply and demand.

DEFENSIVE REGISTRATIONS
• The proportion of candidates registering for defensive reasons

The percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy (i.e. who register for defensive reasons), over time, can provide a useful insight into the behaviour of the recruitment market.

SALARIES
• Salary survey
• Salary increases

In addition to an updated salary survey, we report on the average percentage salary increase achieved by people moving between employers, which is often a good indication of the relative bargaining power that exists between employers and potential recruits.

APPENDIX II - GRAPHS OF KEY INDICATORS

New vacancies
• New vacancies down across the board
• Drop in new vacancies lower in information security than the other 3 areas

Closing vacancies
• Closing vacancies even more sharply down
• In Risk Management and Compliance, they have almost halved

Candidate registrations
• High numbers of candidate registrations continue
• Significant increase in registrations in Compliance
• Significant decrease in Internal & Computer Audit

Defensive registrations
Percentage of candidates registering with Barclay Simpson because they have been made redundant or perceive the threat of redundancy.
• Significant increase in redundancies or the threat of redundancy in all areas of corporate
• Defensive registrations now account for over 40% of new Compliance candidates

Overall salary increase*
• Salary increases relatively stable in Internal & Computer Audit and Risk Management
• Salary increases have dropped significantly in Compliance and Information Security

* Percentages based on introductions made by Barclay Simpson during the quarter. Allowance has been made for the value of company cars but for no other benefits.

Corporate governance personnel working in the private sector are often awarded annual bonuses based on either their personal or overall corporate performance. These bonuses become part of their salary package. When joining a new employer there is generally a qualifying period, often up to a year, before bonuses become due. Not unreasonably, corporate governance professionals, when weighing their existing salary package against an offer of alternative employment, tend to include their existing bonus but exclude potential bonuses from a new employer. We would estimate that this accounts for approximately 5% of the increase that people receive as a result of changing position.

APPENDIX III - DATA TABLES BY SPECIALISM

                            Dec 2006  Jun 2007  Dec 2007  Jun 2008  Dec 2008

Corporate Governance
  New vacancies                  419       398       333       321       228
  Closing vacancies              236       227       216       227       113
  Candidates registering         904       922       894       885       915
  Defensive registrations        10%       13%       19%       18%       29%
  Overall salary increase        18%       17%       16%       17%       10%

Internal Audit
  New vacancies                   80        89        84        79        58
  Closing vacancies               36        52        39        37        23
  Candidates registering         297       322       312       356       242
  Defensive registrations        12%       16%       17%       19%       28%
  Overall salary increase        14%       13%       12%       12%       11%

Risk Management
  New vacancies                   85       198       127        77        53
  Closing vacancies               95       117        77        72        37
  Candidates registering         124       195       249       241       257
  Defensive registrations         5%        4%        8%       17%       25%
  Overall salary increase        21%       24%       21%       16%       15%

Compliance
  New vacancies                   85       119       107        99        67
  Closing vacancies               59        67        76        62        33
  Candidates registering         198       172       146       165       186
  Defensive registrations        10%       13%       26%       32%       41%
  Overall salary increase        18%       19%       22%       21%       11%

Information Security
  New vacancies                   56        63        65        58        50
  Closing vacancies               24        31        29        33        20
  Candidates registering         214       179       195       240       230
  Defensive registrations        14%       15%       15%       17%       20%
  Overall salary increase        15%       16%       14%       13%        4%