Information security salaries flattening out

Salaries for most information security professionals are growing more slowly as pressure on corporate spending continues

Salaries for most information security professionals are still trending upwards, but have flattened out slightly in the past six months as pressure on corporate spending continues.

While salary expectations are largely being met, spending controls mean few additional incentives are on offer, according to recruitment specialist Acumin.

Technical skills remain in high demand, particularly those related to security architecture and web application security.

Security architects and project managers in demand

Demand for security architects is particularly high, with yet another increase in salaries in the past six months to £78,000-£90,000 a year, up from £75,000-£90,000 in 2012, according to Acumin’s latest salary index.

Similarly, demand is high for security project and security programme managers, as all three are related to transformational IT security projects.

“We are seeing many organisations undertaking such transformation programmes, particularly in regulated industries such as oil and gas,” said Chris Batten, joint managing director of Acumin.

Security is getting additional attention in these programmes due to an emphasis on competitive risk management and greater awareness around cyber-related risks, he told Computer Weekly.

Batten said these transformation programmes can be any large-scale security project, such as insourcing or outsourcing IT security.

Web application security skills in short supply

The high demand for security skills related to web applications is mainly due to the fact that most organisations are moving to web-based apps.

“But there is a huge lack of supply of people with web application security skills, such as web application security architects and penetration testers, where demand outstrips supply,” said Batten.

According to the latest Acumin salary index, CHECK team member or CREST registered tester salaries have increased in the past six months to £38,000-£48,000 a year, up from £35,000-£45,000 in 2012 and £32,000-£42,000 in 2011.

Increasing focus on security management

There has also been an increase in demand for less technical roles, such as security managers, as companies focus on security controls and policies.

There is increased demand, for example, for information security and risk managers, who are responsible for non-technical risk disciplines with some team management responsibility.

“This increased demand is likely to be linked to changes in policy and legislation,” said Batten.

There is also an increased focus on IT governance and control in the wake of the recent rate-fixing scandals in the banking industry, he said.

“Greater control is usually policy orientated; companies are looking to change the corporate culture and the way they operate, which is about management, not technology,” he said.

However, this increased demand has not automatically translated into increased salaries for information security and risk managers.

These positions are attracting permanent salaries of £60,000-£75,000 a year, which is unchanged from the past two years, but up from the 2010 average of £53,000-£72,000.

According to Batten, this is probably due to the fact that there is not such a critical shortage of less technical information security skills.

“It is only when supply gets short that demand starts pushing up salaries, but we could see that happening in the next six months,” he said.

Investment in junior staff and graduates

The demand for middle-range candidates commanding salaries of £30,000-£55,000 has also increased in the past six months, as organisations seek to keep salary costs as low as possible.

“In this range, we have seen increased demand across the board for candidates with two to five years’ experience in both technical and non-technical disciplines,” said Batten.

While competition for the limited number of candidates in this category continues, salaries will not necessarily go up, but employers are likely to change their focus.

“They will start to recruit more junior staff and graduates, and put them on training schemes, which is what needs to happen in the industry because of the skills shortage,” said Batten.

“We need more investment at grass-roots level and in graduate schemes, otherwise we are going to fail to scale for the future,” he said.

PCI skills lose specialist status

Six months ago, there was an increase in demand for PCI-DSS skills after they had been in the doldrums for the preceding 12 months, and this trend has continued in the past six months.

“The demand for these skills is still there, but not as a specific skill set; we are seeing this increasingly rolled into team skills as an additional competence to other skills,” said Batten.

The lack of demand for pure-play PCI skills, he said, is probably an indication of the maturity of that market, which is no longer in a high-growth phase.

Contract work expected to rise in 2013

Six months ago, contract rates were down across the board, because contract work is usually associated with project work and most projects were still on hold.

In the past six months, however, Batten said Acumin has seen a slow rise in demand.

Although many organisations are still trying to use internal team resources to do whatever projects are necessary, he expects demand for contract work in security to rise significantly in the next 12 months as internal teams reach breaking point and/or projects are released.
