In this report we share our insight on the recruitment of cyber security professionals including information regarding the key drivers in the cyber security market, permanent and contract recruitment trends, transferable skills, the top job titles, salaries and qualifications analysis, a heat map of skills demands/talent pools across the UK, concluding with recommendations on attracting and retaining cyber security talent.
2. Arguably, cyber security is the most talked about topic in
technology due to the increasing number of high-profile
hacks on some of the largest organisations in the world.
With cyber hacks set to cost organisations
$2.1 trillion globally by 2019, and with an ever-evolving
and widening range of attacks such as ransomware and
Distributed Denial of Service (DDoS) becoming more and
more prominent, the global demand for skilled cyber security
professionals is huge and growing.
CYBERSECURITY | MARKET INTELLIGENCE
CONTENTS
Cyber security recruitment market drivers
Contract & permanent market insight
Transferable skills
Job title, salary and qualifications analysis
UK cyber security demand/talent pool heat map
Attracting and retaining talent
Cyber security market intelligence
3. Cyber security recruitment market drivers
REGULATORY PRESSURES
Due to come into force on 25 May 2018, the General Data Protection Regulation (GDPR) is fast
approaching and companies are reacting by pushing privacy changes towards IT departments
and specifically, information security teams. This increased workload is driving a need for
increased headcount and is likely to continue doing so.
We have noticed a trend amongst telecommunications companies actively recruiting specialist IT
skills from more heavily regulated sectors such as the financial services sector to plug the skills gap.
These cyber security professionals must have the skills and experience to put the processes in place
which ensure regulatory requests are handled effectively.
CONSTANTLY EVOLVING THREAT LANDSCAPE
Companies are conducting more business digitally. Previously off-line businesses are now facing
the threats that come with operating in the cyber environment and have therefore had to invest
in cyber security professionals to understand and combat these risks.
The Internet of Things (IoT) and cloud computing are two common ways in which businesses
are rapidly developing and are both inspiring corporate investment in prevention measures to
counter the new level of threats businesses face.
WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?
THE LEGISLATION
Replacing the current mixture of national laws with a single set of rules, the GDPR is
designed to give citizens greater control over their own private information in the digital
world. An additional goal is to improve certainty regarding the law for businesses to
provide more confidence to companies who are innovating in the digital world.
BUSINESSES AFFECTED
The GDPR is applicable to all organisations with data stored in or passed through
Europe, including those outside of Europe who supply goods and services to
European citizens.
TIMESCALES
Adopted by the European Parliament on 14 April 2016, the legislation will come into
effect on 25th May 2018.
“With the GDPR legislation set to be enforced in 2018, organisations are running out
of time to either upskill their existing staff in security or recruit new staff who already
possess these hard-to-find skills. If they fail in their preparations they could not only
put customer data at risk but also face huge fines from the regulator”.
Jonathan Martin
Cyber Security and Cloud Department Manager
4. Contract and permanent market insight
CONTRACT MARKET INSIGHT
Demand for contractors in 2016 was steady and driven by regulatory pressures,
the Internet of Things (IoT) and cloud migration programmes.
Experienced cyber security contractors are generally more interested in greenfield opportunities
that require different skills to longer term business as usual roles. As they move to these new
opportunities a gap is left for those less experienced security professionals to step into.
The huge demand for cyber professionals has given contractors in this field power to demand
higher daily rates. Clearly amongst more marketable security practitioners there is an expectation
that their salary will increase. To support their search for a higher salary practitioners may
approach a recruitment agency.
Many of the new roles released at the end of 2016 were regulatory and, in particular, GDPR driven,
which we expect to continue throughout 2017 as the May 2018 deadline looms. Replicating the
demand for contractors with PCI DSS compliance experience, an uplift of up to 30% is potentially
available for contractors with strong data protection experience. This is encouraging otherwise
permanently employed data protection practitioners to become contractors, which in turn
creates vacancies that are often filled by contractors. We anticipate the demand for contractors to
be buoyant in 2017 and to be led by regulatory demands.
PERMANENT MARKET INSIGHT
Hiring for permanent cyber security positions is particularly challenging as companies try to
keep up with legislation changes and suppliers are increasingly expected to have security
systems in place. The market for permanent cyber professionals is particularly fierce as
companies are also competing against contract positions and the skilled professionals are
coming from the same talent pool.
This has shifted firms' attention somewhat towards upskilling their current workforce to
face new business challenges. This is an attractive proposition as it is much cheaper than hiring
experienced cyber security professionals. For the same reason, companies are also seeking
individuals with transferable skill sets as a cheaper option to plug their cyber security skills
shortage. This includes not only professionals from traditional IT backgrounds but also those
who work in the field of governance.
Companies operating in sectors like finance, legal and retail are investing the most in permanent
cyber security roles. These again are driven by legislative pressures.
Generally in the permanent market the biggest increase in demand has come for Information
Security Analysts to go into organisations and review their systems for any vulnerabilities. This has
also increased the need for Information Security Architects to generate the secure systems off the
back of the findings by Information Security Analysts.
5. Transferable skills
THE RISE IN UP-SKILLING INTERNAL STAFF
The percentage of security practitioners recruited internally has increased over the last few
years. Where skills are in short supply, internal recruits can be a valid solution.
There is a breadth of areas covered in information and IT security departments including: change,
operations, review, policy, strategy, risk assessment and compliance. As such, there is a wide
range of disciplines within companies which fall outside of security, but that could potentially be
utilised in a security role.
Audit and risk departments are often a common source of recruits as many professionals in this
field have transferable skills which are relevant to cyber security. Given the increasing damage
cyber-attacks are having on a company’s reputation, it is not unusual for an operational risk
practitioner to gain knowledge and even qualifications in information security.
Similarly, computer auditors often routinely take an interest in cyber security and their
responsibilities are not that far removed from review-focused information security roles. They too
often see the benefit of gaining an information security qualification. Larger banks have regularly
recruited information security practitioners into their internal audit departments to ensure their
third line of defence has suitable expertise. Some of these auditors are now returning to security
and, having focused on cyber threats, already have a relationship with the Chief Information
Security Officer (CISO).
Indeed, 2nd and 3rd line support are both common routes into cyber security positions. There
are many transferable skills including day-to-day problem solving that make upskilling possible.
Security Operations Centres (SOC) regularly recruit from Network Operations Centres (NOC). This is
because the two centres work in harmony: while the NOC monitors, reports on and fixes network
issues such as a broken network port, it informs the SOC, which then reviews whether
there is or has been a security breach. This knowledge makes NOC IT professionals a good talent
pool for SOC roles.
As one would expect, security functions going through major transformations recruit internally
from programme management or business change functions.
It is also not uncommon for a Chief Information Security Officer (CISO) to be recruited internally
for their leadership experience rather than their subject matter expertise. They are usually
recruited from corporate security, audit, risk and programme management backgrounds due to
the synergies that exist between the two roles.
There has been a trend of many companies choosing to recruit more junior security practitioners
who have the potential to progress into higher positions. From a business perspective, offering
candidates clear progression opportunities can encourage company loyalty and aid staff retention.
Another key observation is that many security practitioners looking for new
positions are sensitive about their potential job title and seek titles that reflect the responsibility
of their role. For example, if the same job was advertised as a Lead Information Security Analyst
and as an Information Assurance Manager, many IT professionals would prefer the latter job title
because they feel it better reflects the level of responsibility associated with the role.
“There is a great desire from IT professionals from
different backgrounds such as 2nd and 3rd line
support to transfer into IT security and with so many
transferable skills, like problem solving, attention to
detail and crisis management, it is a relevant career
path for these individuals to take.”
Jonathan Martin
Cyber Security and Cloud Department Manager
6. TOP IN DEMAND ROLES
JOB TITLE AND SALARY ANALYSIS
Job Title | Permanent (London) | Permanent (Regional) | Contract per day (London) | Contract per day (Regional)
Head of Security | £125-152k | £95-110k | £700-900 | £600+
Penetration Tester | £45-85k | £40-75k | £500-575 | £450-550
Security Architect | £75-90k | £45-70k | £650-725 | £600-705
Risk Governance Manager | £70-95k | £45-70k | £350-600 | £250-550
Network Security Engineer | £35-60k | £30-50k | £300-550 | £250-525
SOC Analyst | £40-65k | £35-50k | £400-650 | £250-500
QUALIFICATIONS
TOP 5 IN DEMAND QUALIFICATIONS AND CERTIFICATIONS
1. CISSP/CISM
2. Cisco certifications
3. CEH (Certified Ethical Hacker)
4. ISO/27001 practitioner
5. Juniper Certifications
Pay for both permanent and contract security positions is high and increasing due to the skills
shortage. For those looking to enter the security market, it is worth being aware of the current
skillsets in demand such as CISSP, CEH and ISO27000/1, and to seek positions or training that
will give you knowledge of these.
Jonathan Martin
Cyber Security and Cloud Department Manager
Job title, salary and qualifications analysis
7. UK cyber security demand/talent pool heat map
POPULAR UNIVERSITIES FOR FUTURE TALENT POOLS
TOP 10 UK CYBER SECURITY DEGREE COURSES APPROVED
BY THE GOVERNMENT COMMUNICATIONS HEADQUARTERS
(GCHQ)
1. Edinburgh Napier University MSc in Advanced Security and Digital Forensics
2. Lancaster University MSc in Cyber Security
3. University of Oxford MSc in Software and Systems Security
4. Royal Holloway MSc in Information Security
5. University of York MSc in Cyber Security
6. Cranfield University Cyber Defence and Information Assurance MSc/PgCert/PgDip
7. University of Birmingham MSc in Cyber Security
8. University of Southampton MSc Cyber Security
9. University of Surrey MSc in Information Security
10. University of Warwick MSc in Cyber Security and Management
[Map: UK cyber security demand/talent pool heat map. Key to map: demand/talent pool for cybersecurity professionals by size; university with approved GCHQ degree course. Universities labelled on the map: Edinburgh Napier University, Lancaster University, University of Birmingham, University of Oxford, University of York, Royal Holloway University, University of Surrey, University of Southampton.]
8. ATTRACTING AND RETAINING TALENT
Attracting and retaining skilled cyber security professionals is becoming increasingly
difficult for any organisation because demand is outstripping
supply. Through our Voice of the Workforce research, a study of over 1,600 technology
professionals, we have identified four recommendations to help improve attraction and
retention of cyber security talent.
Good pay and benefits
In such a competitive, skills-short market, good pay and benefits are essential in both
attracting and retaining cyber security professionals. In our research findings, good pay
and benefits were seen as the most attractive attribute of a new employer by technology
professionals and, equally, non-competitive pay and benefits came at the top of the list of
reasons to leave an employer. Therefore we recommend offering pay that’s higher than, or at least
competitive with, other organisations in order to attract the most skilled cyber security talent.
Promote a positive culture
IT professionals place a negative company culture high on the list of reasons for leaving an
organisation. As such, we recommend displaying positive information about
your organisation in the job description that conveys a positive culture. For example, recent
systems upgrades that show adaptation to technology change, empowerment opportunities, or
even mentioning recent team building activities that show the organisation is a fun and exciting
place to work.
“Due to the skills shortage, it’s essential to provide
competitive pay and benefits otherwise cyber security
professionals will seek employment elsewhere”.
Jonathan Martin
Cyber Security and Cloud Department Manager
Display your projects
When deciding whether to join an organisation, the second most influential factor in an IT
professional’s thought process is whether they’ll be taking on interesting and meaningful work.
Therefore, we recommend highlighting your key projects clearly in the job descriptions so that
cyber security professionals can see the exciting opportunities they’ll be involved in if they decide
to work for you.
Foster up-skilling and skills transfer internally
Our research identified that the majority of IT professionals would transfer their skillset to IT
Security if given the chance, with the opportunity to learn new skills being the main driver
behind their decision to transfer. As a result, we recommend fostering internal skills transfer and
up-skilling from those positions mentioned in the transferable skills section of this report. This
will not only reduce the cost of hires, but will also increase the motivation and loyalty of your
existing IT workforce, as good career prospects are the third most popular reason to stay with an
organisation, as cited in our research.
Non-competitive pay and benefits and a negative culture are the most influential factors in deciding to leave an employer.
Negative culture is the number one reason boomers (aged 50-59) would leave an employer.
For millennials (aged 22-34), poor career prospects is more of an influencing factor.
IT professionals are open to changing skillset sectors.
When considering transferring skillset, the opportunity to learn is seen as more important than a higher salary.
Over half would consider transferring to a different skill set, with the skill set of choice for IT professionals being IT security.
Believe gender diversity is improving: 54%
63% of men and women received a pay increase in the last year
9. Contact us
Simon Clements
Business Development Director
t: 0207 010 0414
e: simon.clements@gattacaplc.com
www.gattacaplc.com
Jonathan Martin
Cyber security and Cloud Department Manager
t: 01489 898886
e: jonathan.Martin@networkerstechnology.com
www.networkerstechnology.com