Information security recruitment freezes as security staffs sit tight

Senior staff members are hanging on to their jobs and lowering their salary expectations. A recent survey revealed that the economic downturn has brought security recruitment to a virtual standstill.

The economic downturn has brought information security recruitment and staff hires to a virtual standstill, according to new figures. People are hanging on to their jobs, and senior staff members especially are having to lower their salary expectations.

A global survey by (ISC)2 Inc., the training and certification body, found that when managers have vacancies to fill, they struggle to find candidates with the right skills at a rate they are prepared to pay.

(ISC)2 polled more than 2,800 professionals worldwide, of whom 775 had hiring responsibilities. The survey found that more than 80% of them were experiencing difficulties in finding the right applicants. Respondents cited a lack of desired skills or available professionals within a local area, poor cultural fit, and salary demands that were too high for available budgets, particularly from people who had previously worked in financial services.

The view was backed up by U.K. recruiters. "Vacancies are down 70% from what they were 18 months ago," said Mark Ampleford, associate director at information security recruitment company Barclay Simpson. "Those people that are not facing redundancy are tending not to enter the job market because they don't think they'll get a big pay rise. They prefer to stick with the devil they know."

He added that where companies have vacancies, they are struggling to find applicants because they are offering lower salaries. "Employers want a lot for their money. The jobs get filled eventually, but it takes a while," he said.

Chris Batten, managing director at recruitment firm Acumin Consulting Ltd., said many companies are trying to save money by avoiding agency commissions. "Line managers are trying to find these skills on their own or through networking or referral. That takes longer, if they can find the skills at all," he said.

While security departments have been less severely hit by job losses than other parts of business, Batten said senior staff has been affected. "Many senior people, including CISOs and senior consultants, have been made redundant, and they are the ones who are struggling to find an equivalent post elsewhere," he said. "Others lower down the scale tend to be OK."

But permanent staff members have to pay a high price for job security, with many of them being made to work harder. "We are getting calls from people asking us to find them other work because they are being pushed too hard. They are under a lot of pressure to achieve by themselves what two people should be doing," said Batten. "Three or four months ago, we didn't get those calls because people were hanging on to their jobs for fear of redundancy. That has changed, and now we hear they are working so hard, they want to find somewhere else to move to that doesn't push them quite as hard."

Higher up the scale, he said, companies are trying to force down pay. "There is downward pressure on salaries at the middle and top end of the range," he said. "Senior people are now prepared to settle for less money to get a job. That will be their unique selling point that will get them a job over the competition."

Professionals with penetration testing skills are still in strong demand, Batten said, as are applications security architects and application security testers.

Both Batten and Ampleford agreed that the main driving force for new business is in government and public sector work. "In the consultancies, anyone with good business development skills who can talk to clients at a high level will be in demand. But that will be focused on the government sector," said Batten. "I can't remember the last time we were asked for a commercially-focused consultant. Almost all the effort of the consultancies is going into chasing government business."

Consultants with the CESG Listed Adviser Scheme (CLAS) certification, a combination of information assurance knowledge of CESG and expertise of the private sector, are also doing well, said Ampleford, although he warned that "every man and his dog" is trying to get CLAS certification at the moment, which may eventually increase supply and drive down rates.

While times are tough now, though, the clear-out of top staff could be good news for those waiting to fill their shoes once the economy recovers. "There is a new raft of CISOs on the way. When the market picks up again, we're going to find some new names at the head of departments," said Ampleford.
