2007 was a good year for information security professionals, according to figures from the recruitment agencies specialising in the field.
Information security professionals switching jobs during the year could expect to boost their salaries by about 15 per cent, and wage levels for those with experience in finance and government projects rose steadily.
Some high-profile data leakages kept information security in the headlines and thereby ensured it remained a board-level issue and received the funding it needed. At the same time, severe flooding in many parts of the UK in August reminded many companies of the need for good business continuity planning.
On the other hand, 2007 ended on a note of uncertainty. The British economy started to feel the reverberations of the US property slump, with credit suddenly becoming tight, and this fed through to a slowdown in the housing market and even resulted in a run on a bank – the first time that had happened since 1866.
How these events will affect the recruitment and job prospects of information security professionals is still unclear, experts say. Many of the banks have already imposed a freeze on new recruitment while they assess the economic landscape, and that may well dampen down the staff turnover that tends to happen in the New Year after employees have picked up their end-of-year bonuses.
The best guess is that companies will still find the money to fund security programmes, despite the credit crunch and a general economic slowdown. Company bosses fear the shame and embarrassment of a serious security breach, and the regulatory authorities are becoming more active in punishing poor security practice.
Several large outsourced government IT projects are also driving the demand for well-qualified information security professionals, according to Mark Ampleford of the London-based recruitment firm Barclay Simpson. "Information security salaries have been creeping up in major government contracts. Anyone with government experience has been doing very, very well."
Many of those contracts – such as the huge Defence Information Infrastructure project – require the professionals to be properly screened for security risks. Those who go through screening become approved under a programme operated by the central government body CESG, which is in charge of information assurance in the public sector. The CESG Listed Advisors (or CLAS) are in particular demand because they can be set to work immediately without any lengthy checking process.
Ampleford says that security consultants working for one of the big four management consulting groups might earn around £48,000 a year compared with £42,000 a year ago, while senior managers will have seen their pay rise from the 70-80K range to 80-80K.
The nature of the security professional's job is also changing fast, according to Iain Sutherland, a director at Information Security Solutions, a London-based recruitment firm specialising in the finance arena. In line with changing threats, companies are now seeking professionals who understand application security as well as the more traditional area of network security. "The job has evolved very fast, and we have seen this change over the last year," he says.
He adds that companies are also placing higher emphasis on soft skills. "They want people who can communicate risks to the board or to users, and explain things in layman's terms."
Despite the overall recruitment freeze currently operating in many banks, Sutherland says his clients are still managing to find ways of maintaining their numbers in the security function, even if it means reducing numbers elsewhere. "The data leakages we keep hearing about mean security is still a board issue, and the banks don't want to take risks," says Sutherland.
With the recent development of a new standard for business continuity, BS25999, Mark Ampleford sees this area of security getting more prominence. "The new standard will have a positive effect on the business continuity recruitment market. There will be new positions in the consultancy and services market as demand for advisory and certification services increases," he says. "The end-user market will need to measure their business continuity management practices against the standard for assurance, business protection, brand protection and to demonstrate high standards in risk management and safety."
While demand for information security professionals looks set to grow, supply is being fed through a number of routes. Master's degree courses run by a handful of universities (Royal Holloway London and Westminster being among the leaders) are providing many new professionals with an entry into well-paid jobs. But according to Ampleford, the CISSP certification is not as crucial in the UK as it is in the US.
Iain Sutherland says that many application developers are being persuaded to retrain in security, especially now that threats are coming through applications. And well-trained personnel from the armed forces are being welcomed by many companies. "We virtually meet them at the gate as they leave the Army," says Sutherland. "We have some clients who can't get enough of ex-Army people, whilst others prefer them to get a bit of commercial experience before they take them on."
The overall feeling is that information security salaries will continue to grow in 2008. Ampleford says the biggest demand will be for those with knowledge of identity management, and also for penetration testing team leaders in the public sector. And with the Olympic Games coming to London in 2012, a whole new swathe of jobs will be created very soon.