CHECK penetration testing consultants still hard to find, says report

The dearth of government qualified pen testers is likely due to the difficulty of acquiring CHECK certification and infosec pros' view of pen testing as a stepping stone career move, speculates a new report.

The UK is suffering from a shortage of penetration testing consultants with the right qualifications to work on sensitive government IT installations.


According to recruitment company Barclay Simpson Ltd., not enough people are training to be pen testers, and even fewer are able to meet the exacting requirements of the CHECK programme, which regulates government IT contracts.

Ruth Jacobs, an information security recruitment consultant with Barclay Simpson, said that consultancies of all sizes -- from the big four management consultancies, right down to specialist pen testing firms -- were struggling to recruit qualified people to handle their central government business. "We have managed to fill some vacancies, but there are far more open than filled at the moment. And the best people tend to get multiple offers," she said.

"Whilst there are always penetration testers available, they are frequently less skilled and not qualified to undertake CHECK work," according to Barclay Simpson's Market Report 2011. "It is specialist penetration testers at mid to senior levels, both qualified for CHECK work and unqualified, who are in demand."

Mark Ampleford, an associate director for the company, said: "There is a shortage of good, qualified, experienced penetration testers. One reason is that many pen testers see the job as a step into other information security work."

He added that few people seem tempted to move into penetration testing after working in another branch of information security, as it would be seen as a retrograde career move.

CHECK penetration testing accreditation used to be done through the CHECK Assault Course operated by CESG, the government's technical authority on information assurance. When that was scrapped in 2008, it was hoped that two other schemes would be able to provide the required number of qualified people.

The first was operated by the Council of Registered Ethical Security Testers (CREST), which offers a Certified Tester exam. The other is the TIGER scheme for more senior testers.

The Barclay Simpson report suggests that these new exams demand a higher level of skill and ability to pass, and that this jump in required proficiency is a contributing factor to the shortage. The situation could become even more dire, it says, when CREST introduces a new two-part exam for CHECK team members in 2011.

"Both multinational and boutique consultancies have struggled to find qualified candidates to undertake CHECK work, as well as unqualified but highly skilled penetration testers to undertake commercial-sector work," the report says. "End users in ecommerce and financial sector companies have also faced candidate shortages."

The shortage has ensured that a CHECK team leader can command up to £95,000 per year in central London, according to Barclay Simpson's figures.

The company said that overall salaries for information security professionals who changed employers rose by 12% in the first half of 2010, and by 11% in the second half, twice the increase of 2009. The company also noted a sharp downturn in the number of defensive registrations, wherein employees register with a recruitment agency in the expectation that their current job is under threat. For instance, in June 2009, at the height of the recession, 53% of registrations were defensive, but by December 2010, that level had fallen to 17%.

Ampleford said that the biggest area of recruitment has been in retail banking, where companies are rebuilding teams after making drastic cuts in 2009. In-demand skills include third-party assurance (as banks especially want to assess the security of their business partners), data leakage prevention and security incident and event management.

Senior jobs in information security, he said, are now being taken by a new generation of people who have often been promoted from within, filling the places left by those taking retirement. "There has been a generation change among CISOs," he said. "We see some slick younger people who have worked their way up in the organisation taking over, often with a different title, such as head of information risk, or head of security and risk. They have often come from other parts of the organisation, too, such as the audit department."

A typical head of information security management working in central London can expect to earn between £118,000 and £135,000, according to the report.
