Information security salaries set to rise in 2014

Salaries for information security professionals are set to rise across the board in 2014 as demand increases

Salaries for information security professionals are set to rise across the board in the coming year as demand for people with skills in this sector increases.

This is in contrast with 2013, when the market saw most salaries flatten out in response to pressure on corporate spending, according to recruitment specialist Acumin.

“My gut instinct, backed up by what we are seeing at the moment, is that salaries are going to go up overall,” Chris Batten, joint managing director of Acumin, told Computer Weekly.

He expects base salaries to increase first as a means of attracting staff and subsequently to see an increase in fringe benefits such as bonuses as a means of retaining those skills.

The high demand for security architects appears set to continue in 2014, while the need for these skills continues to rise as they become increasingly rare.

“Up to 50% of the security architect roles we are placing are contract roles, which command significantly higher levels of remuneration,” said Batten.

“Organisations are being forced to opt for contractors because this is the only way to get these skills in, but that means paying up to £700 a day instead of £80,000 or £90,000 a year,” he said.

Top permanent salaries for security architects at end user organisations increased from £90,000 in 2012 and February 2013 to £110,000 by November 2013, according to Acumin’s latest salary index.

Similarly, contract rates for security architects moved up from £500-£700 a day in 2012 and February 2013 to £500-£750 a day by November 2013.

According to Batten, the high demand and higher pay for security architects is due to their being able to reduce security costs.

While it can be costly to buy point products to mitigate specific risks, security architects can look at the whole environment and design a single security system to cover all risks.

“They are typically able to consolidate many of the products and services an enterprise has bought previously or is planning to buy,” said Batten.

Demand for security project managers, however, has declined compared with 2013, when demand for these skills was second only to demand for security architects.

“The area has matured with pure-play security managers no longer as rare as they were last year,” said Batten. Taking its place in 2014 is the field of digital forensics.

“In the past three months the demand for digital forensics skills has accelerated like no other,” said Batten, as businesses seek to bolster their ability to anticipate cyber attackers’ next moves.

“Digital forensics is not just about post-incident investigations, it is also about analysing behaviours to identify anomalies as indicators of possible intrusions,” he said.

Permanent salaries for people with network forensics skills increased from £55,000-£70,000 a year in February 2013 to £60,000-£75,000 by November 2013.

Acumin has also seen rising demand for any skills related to incident response, which is expected to continue in 2014.

This rise in demand is reflected in the salaries for people with intrusion-detection capabilities, which rose from £46,000-£62,000 in February 2013 to £45,000-£75,000 by the end of the year.

While demand for chief information security officers (CISOs) appears to be flat, according to Acumin’s latest salary index, Batten said this does not reflect what is happening on the ground.

Salaries for CISOs have remained fairly static from 2011, when they ranged between £120,000 and £200,000 a year.

The top end was still at £200,000 in November 2013, but the bottom end has crept up from £130,000 in 2012 to £135,000 in February 2013. This was unchanged by the end of the year.

“While there is little demand by mature organisations that have established CISOs, there is growing demand at the lower end of the scale by less mature organisations,” said Batten.

In terms of corporates investing in training people in cyber security, Batten said digital forensics is at the top of the list, particularly with defence-related firms such as Lockheed Martin.

Although there is evidence of an uptick in companies training junior staff and graduates in cyber security, this is mainly happening in very small niche security organisations.

“But we are not seeing many non-security organisations recruiting and training graduates and junior staff, they are still hiring experienced people rather than investing at grass-roots,” said Batten.

Bank of America Merrill Lynch is one exception, he said, which is training people in the skills it requires, including at the investment bank’s operations in the UK.

Acumin predicts an increase of contract work in the small to medium enterprise (SME) market in 2014 as these organisations buy in the skills to meet their security needs without taking on full-time staff.

“We are doing more business with SMEs as smaller organisations see the need to up their defence capabilities, but do not want to take on full-time information security staff,” said Batten.

However, SME demand for in-house security skills is growing and likely to grow further.

“In 2012 there was no demand by companies of around 300 employees for security-specific skills, but we are starting to see it,” said Batten.

Acumin also expects an increase in demand for people with skills in identity and access management (IAM) as projects in this area become an increasing priority.

While most organisations were cautious in hiring information security professionals in 2013, Batten hopes 2014 will be a year when organisations “get stuff done” and will hire accordingly.
