Acumin - Salary Index - 2016-2017

Information Security Salary Index 2016

Author: Ryan Farmer, Candidate Development Manager

Posted: 06-Apr-2017

Introduction

For those of you familiar with previous iterations of Acumin’s annual Security Salary Index, you may notice things look a little different. This time we have decided to show only the data that relates directly to the most recent year. The reason for this is twofold: firstly, it’s the most relevant to you (you want to know what you should be earning now), and secondly, role titles and definitions, just like everything else in our industry, change and develop. The descriptions for the roles we covered when we began the index back in 2008 are not all valid today, and of course over the last 18-24 months we have seen the emergence to prominence of several new disciplines for which there is little or no historical data.

So we have taken the opportunity to use this year as a fresh start for a new format and a more analytical approach, detailing the context of the changes we’ve seen. We hope that it may be of some help to you not just in ascertaining what you should be paid, but also in guiding you on what is required to attract the right people to your organisation amidst a competitive market. With that in mind we have taken the decision to align the release of this report with the new financial year for 2016/2017.

2015 – Looking Back

It seemed like no one was safe. They weren’t. Figures published for the percentage of UK companies to suffer a security breach last year range disparately. A government study conducted by PwC found that 90% of enterprises recorded a breach while only 74% of SMEs did likewise [1]. Are smaller companies less attractive as a target, or is it more likely that organisations aren’t detecting, or aren’t disclosing? Either way, the truth remains that cyber security incidents are mainstream news now. Anyone is vulnerable to an attack at any time, and boardrooms across the country have finally accepted they need to do something about it. As such we have experienced unprecedented levels of demand for security professionals over the last 12 months.

Greenfield & SMEs

One of the main growth areas has been within SMEs. This is good news for the industry, not just because these are typically immature or greenfield sites offering up interesting improvement work, but rather because it’s an indicator of broader and better awareness of an organisation’s need to manage security risks. It’s not always the large, obvious targets that are the most lucrative. Cybercriminals, much like your average user, will always gravitate towards the path of least resistance.

Development of the SME market is good news for the industry all-round, growing its surface area and increasing its value. There is far greater market maturity to be had in more organisations allocating security spend than in driving up budgets within established functions. As a consequence, we have seen substantial demand for security professionals, particularly contractors, to either transform greenfield sites or move previously outsourced services back in-house.

[1] HM Government: 2015 Information Security Breaches Survey. Available online at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf

Security Start Ups

Then there are the solutions themselves. Key technologies we’ve seen capture the market’s attention last year include privileged access management, threat intelligence, and security analytics. This only tells half the story, though, of 2015 in the world of security vendors. There has been a real buzz around cyber security start-ups, with VC funds investing heavily, and even the emergence of funds that are only concerned with technology in our industry. In fact, entire events have arisen which showcase the latest cyber innovations and bleeding edge products.

There is an air of inevitability that the pace will slow around this investment, but over the last 12 months it has served to fill the vacuum caused by the extensive merger and acquisition action we saw in 2014, as the household names bought up the missing pieces to provide end-to-end solutions and services. Again we see a marketplace that is bristling with innovation, and a number of disruptive technologies have emerged, particularly around security analytics, threat intelligence, and the move away from traditional signature-based anti-malware. This has led to some very interesting opportunities within high-growth and start-up organisations, but it has also led to the development of new opportunities within consultancies (developing the internal service around the solution) and end users (implementation, operational, and improvement work).

Your Bottom Line

So what does this mean for your earning potential?

There have been no actual decreases at the top end of security salary ranges. If anything there has been some widening of the goalposts, in that the bottom ends have been decreased to represent relaxed requirements brought about by skills shortages; companies are saying you don’t have to be the finished article, we’re willing to invest in you. This can only be a good thing, and if we are to tackle the issue of the great cyber security skills gap, then more approaches like this are going to be needed. There has always been a reluctance to overspend on training staff for fear of loss of investment, or there has been a general requirement for someone to ‘hit the ground running’. This is not a sustainable model for a high growth industry, or such a close-knit one, as organisations will simply cannibalise each other’s staff until salaries and demand are driven up to unsustainable levels; we saw this starting to occur across 2013-2014. This is not a responsible way to solve our collective problems as an industry. Fingers crossed we have now turned the corner.

De-regionalisation

On the subject of new approaches, we finally seem to be moving away from “London” and “not-London” packages, with discrepancies between regions closing; in fact many employers we work with are now operating a flat track that is unaffected by location. This is particularly true with systems integrators, where business rates are not affected by regionalisation, and increasingly within end users, where we are seeing greater flexibility for home-working.

2016/2017 - Predictions

Investment

Being at the end of the 2015/2016 payroll year allows us to make more insightful observations and predictions about what we will see over the remainder of the calendar year, as well as the upcoming 12 months for the fiscal year 2016/2017. The growth of the industry will continue, somewhat unabated. We can certainly expect to see something of a downturn in VC investment by this point: the major players have gone through some fairly ambitious investment rounds into start-up vendors over the last 12 months or so, and there has to be a natural break point to this. Those who have received funding will look to execute on strategy, and while we expect to see some further investment into additional vendors, this year will probably be more about consolidation of established vendors and market entry of those newer ones.


Privacy Concerns

The issue of user and customer privacy will continue to dominate when it comes to media coverage of our industry. This is due in part to the Snowden revelations, which opened the eyes of the public to the fact that much of what is done and said online is recorded by someone somewhere… even if it’s only at a metadata level. Then of course, in the majority of instances where a breach has occurred, those impacted most are the customers whose data is ultimately the target of many malicious attacks. Post-incident many organisations offer free access to credit monitoring services, and while this is a decent gesture and a responsible move, the delays around discovery and disclosure often leave a window of opportunity for cybercriminals.

Legislating Incident Disclosure

So then at an organisational level, three of the more impactful changes we might expect to see are likely to be around legislating for post-incident disclosure (or perhaps a standardised response process); the cyber insurance market either going big or crumbling like castles made of sand (there’s still a lack of definition, an air of mysticism, and general immaturity of offerings); and board-level buy-in and investment in security steadily continuing to increase.

Law Enforcement & Cyber Crime

Law enforcement will finally start to catch up with the commercial sector, hopefully. Cybercrimes need to be reported to specialists, not local constabularies or Action Fraud. Due to the complexities and subtleties of such attacks, and the increased movement of crime from the physical to the digital world, the police need to act to address these knowledge and capability gaps. The police frequently report on falling crime levels across the UK [2], yet in reality they simply haven’t been factoring cybercrime into these numbers; when they eventually did, crime levels “increased” 107% [3]. Their call to arms for volunteer cyber security specialists should and probably will go largely unanswered. Professionals in our industry are already under strain with the day job, maintaining certifications, attending industry events, and current voluntary gigs. There are a limited number, therefore, for whom this would even be possible, let alone desirable, to offer their expertise for free.

Of course one of the greater challenges presented to the police around cybercrime is that it is not a geographically fixed industry; perpetrators will often not be in the same location as victims. If a British citizen is defrauded online by someone in Asia, is it a matter for the UK’s law enforcement agencies? If so, how can they investigate a crime that has occurred outside their jurisdiction? Is one nation more responsible for handling the crime than the other, or should we encourage collaboration? The latter would seem the most logical, yet an issue around case management will quickly arise, as there will inevitably be multiple and disparate active relationships to enable lines of investigation. One further obstacle comes around differences in international laws (perhaps not relevant to most cases), whereby a crime committed in the victim’s location is not illegal in the perpetrator’s, or even vice versa. Do we establish an international set of cyber laws and an enforcement agency to execute on them, or do we rely on ad hoc international collaborations?

Government Support

Government has set something of a mandate for the country when it comes to security, despite misgivings around the Draft Investigatory Powers Bill and its general disdain for encryption. There was of course the very public exercise of former PR man David Cameron taking some of the UK’s top cyber start-ups on somewhat of a showcase. On top of this, Chancellor George Osborne assigned a significant amount of investment for cyber security, £1.9bn, which would include 1900 new hires across its various agencies. What will this mean at the coalface, assuming you aren’t going to be directly working for central government, that is?

There are a number of challenges to that industry (to be discussed in the next section) which require government support and investment to overcome. The measures implemented by Messrs Cameron and Osborne are a step in the right direction (for the most part), but perhaps typically are diluted versions of the true doctrine change that is required if we are to overcome skills shortages any time soon.

[2] http://www.theguardian.com/uk-news/2015/apr/23/crime-rate-ons-lowest-level-england-wales-police

[3] http://www.telegraph.co.uk/news/uknews/crime/11932670/Cyber-crime-fuels-70-jump-in-crime-levels.html


General Industry Challenges

Skills Shortage

This won’t come as a surprise to those of you who read the trade press or are connected to a recruiter on LinkedIn: there is a skills shortage in our industry. A number of figures have been bandied around in the press, but (ISC)² in their Global Information Security Workforce Study are forecasting global shortages of over one million professionals in the very near future [4]. It’s probably my job to reinforce this point, for it is certainly valid, but let’s not concern ourselves with sensationalism.

Regardless of the exact number, the point is that there is a significant gap between what is required to secure industry and where we are currently at. We must simply acknowledge that it is there, it is considerable, and things will only get worse if demand continues to outstrip uptake. In the short term the limited candidate pool has led to increased competition to attract new personnel to an organisation, driven up salaries and day rates, and meant delays to projects and programmes as appropriate skills are sought. The effects aren’t just insular: almost half of security professionals believed their organisation had been breached as a result of the skills shortage [5].

Quite simply, this can’t be allowed to become a long-term issue. It’s understandable, for ours is a market that is experiencing rapid growth whilst still being relatively immature, but we have to draw on all the disparate backgrounds that security professionals can come from to overcome the hurdle. Those who are already working within security are growing wise to the lack of depth in their peer groups, and as such we have seen a significant shift to contract working among mid and senior manager levels. This has led to difficulties hiring certain roles, particularly around enterprise and security solutions architecture, information security managers, and technical-risk hybrids to provide assurance alongside multiple projects.

[4] https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-%28ISC%29%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf

[5] http://www.scmagazineuk.com/cyber-security-pros-blame-breaches-on-skills-gap/article/409393/

Salary Auctions

One initial consequence of the skills shortage was an increase not necessarily in the packages available for roles, but in the offers made to candidates. This was particularly true around application security, where there is a further microclimate of scarcity, resulting in unsustainable bidding wars. So determined was one client to deter competition around a secure development specialist that they doubled the candidate’s salary from £45k to £90k (N.B. we would not advise this approach; incentivise professionals rather than hire mercenaries). It is this mentality that led to CSO Online claiming software security architects are earning more than CISOs [6]. In isolation this may be true, but broadly speaking it most certainly is not; and so it brings us on to something else we’ve been seeing for some time…

CISO or “CISO”?

What is a CISO? It must surely mean a ‘Head of’ security function who sits at board level and is considered part of an organisation’s executive management team: someone with a clear mandate for security and who is positioned to effect the change required to achieve this. It is practically implausible to operate effectively as a CISO without such an arrangement. Yet there remain within the market some elements of confusion about what constitutes a CISO. The worst offences of these include “CISOs” within organisations of c.200 employees who report into IT, specifically the CIO (who themselves sit on the board); or then there is the Network Security Engineer who has spent the entirety of their 5 years in industry working for a reseller and is now convinced they’re ready to lead a global enterprise security function.

Many of the conversations we have around career aspirations seem to come around to the position of CISO as the ultimate end goal. This in itself is problematic for several reasons. There simply do not exist enough CISO roles, or organisations with suitably sized functions to require one, compared to the level of aspiration in the market. It is admirable to aim for the top of the food chain, but this demonstrates some naivety around understandings of what a CISO is – a politician, evangelist, and a PR guru first and foremost. Fundamentally CISOs are not security practitioners; through the very nature and demands of their role, they are removed from the coal face.

[6] http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html

This isn’t to take away from the experience or skills required of and acquired by a CISO; there is a reason some American firms are willing to pay packages of $0.5-1 million after all [7]. Merely it is a suggestion that if you wish to drive change and build secure functions at ground level, you are better to specialise somewhat and lead a function within the security department. A metaphor we can draw around the ‘CISO vs security leader’ career tracks is of Apple founders Steve Wozniak and Steve Jobs. Both were technical pioneers who drove product innovation, yet one would go on to act as a strategist and spokesman, whereas the other became an evangelist and continued to work on and develop new products.

Location, Location, Location

One way to minimise the impact of the skills shortage is to ensure that your business is located within geographies that have sufficiently sized talent pools. When we think of these, areas such as London, the Thames Valley, Gloucester, the East Midlands, and Manchester come to mind; these are areas with a good number of businesses, are well represented through a variety of organisations (vendors, end users, integrators, and consultancies), have active industry communities, and as such are mature markets from which to hire information security professionals. Yes, some organisations have seemed undeterred by the common challenges we see in the market at present, and will select isolated locales to set up new offices or security operations centres. One client we were engaged with asked us to help them source some 20+ individuals for a new security operations centre, at first look an exciting opportunity. However, after briefing by the hiring manager and recruitment team, we quickly learned of the proposed new SOC’s location, an obstacle sufficiently large as to render the mandate untenable. In the search for preferential business rates, this US-based company had selected an area that found only one other SOC within a 100-mile radius, and so in the absence of a full team move from their nearest neighbour, they had created for themselves insurmountable scarcity (or a small fortune in relocation payments).

Contractors

One candidate pool that has seen some substantial growth over the last 12 months has been contractors. Upon reaching a certain point in one’s security career, the opportunity to exponentially increase earning potential through contracting becomes apparent. There is a mentality that many of the services provided by consultancies can be performed by an individual for a significant cost reduction, and as such we see contractors undercutting consultancies by 50% or even more. Not only does this present an attractive commercial proposition through cost saving, but the consultant delivering the work is also earning substantially more for themselves than if they were on a permanent payroll.

Contracting is not for everyone, as you have to operate and market yourself as a business, but the benefits can be very appealing; typically offering a better work-life balance, increased earnings, greater flexibility, and the opportunity to work on interesting projects.

Bleeding Edge Deployments

For a business, contractors represent an excellent flexible resource, particularly around implementations or improvement projects. While hiring a contractor will be substantially more expensive than a permanent full-time employee on a pro rata basis, it offers speed of execution and enables the security function to align its staff to its current workload. Often end users opt to go to market to hire contractors to deliver their implementation rather than pay for what can be expensive professional services. This is perfectly logical in most instances, but there have been a number of occasions recently where an over-reliance on this model has created delays to projects. Some clients have approached us to provide them with implementation leads and architects with experience of particular products, so far all reasonable, but the issue comes when these requests are for bleeding edge products. Hiring a contractor to deploy a solution when that technology is currently in situ in only a handful of UK-based organisations is a significant challenge, especially when you consider these would most likely have been delivered by the vendor or through their partner network. Alongside this we often find that more than one end user requires such expertise simultaneously. Pilot projects and proofs of concept will be detailed during the due diligence process involved in purchasing a solution; consider not only the success and technical validity of these but also what challenges there may be in terms of finding a professional to deliver a similar deployment.

[7] http://blogs.wsj.com/cio/2015/01/23/as-cyber-threats-soar-so-do-ciso-salaries/

Page 12: Acumin - Salary Index - 2016-2017

Market Specific Challenges

Within the vendor space the drive of new solutions was of course

accompanied by increased demand for senior sales leaders and enterprise sales

professionals to bring the technology to market. Acumin have been helping vendors

enter European markets for a number of years now but the space is more competitive

than ever. And it’s not just the West coast of the US that’s driving the innovation, we’re

seeing the emergence of some very exciting UK technology firms. Indeed, Prime

Minister David Cameron took a dozen of the UK’s emerging security vendors to the US

with him as part of the UKTI Cyber Security Trade Mission; historically we would have

considered this to be the other way round.

Acumin’s vendor specialist, Matthew Smith, has met and engaged with some very disruptive security vendors over the last couple of years. Despite this he believes the UK security technology scene is blooming and offers some great long-term incentives to sales leaders:

“Typically the UK start-up scene isn’t able to pay the same cash component as their US counterparts, but therefore offer greater wealth creation and equity opportunities instead.”

Matthew Smith, Principal Consultant, Vendor

Undoubtedly this opens the door to some very exciting roles within high-growth and well-funded firms, not just for sales professionals but also technical personnel. Increasingly we are seeing end user security professionals making the jump to the other side of the fence, bringing their expertise to bear on solving the problems that troubled them most. Bringing a new solution to market is about building credibility, traditionally through those hard-to-come-by early PoCs; we’re seeing a shift from FUD and ‘Feel, Felt, Found’ to a model built on empathy and a sense of addressing the issues they themselves had once sought to overcome. While the charge of trying to sell silver bullet solutions can be levelled at some, we must also remember equally to pour scorn on those who seek to buy them.


It’s not just the challenge of jumping the first sales hurdle; vendors entering the market must hire tech-savvy presales and implementation staff, often a challenge in bleeding edge technology markets. Of course no one can go it alone, and perhaps the most important aspect of getting a market entry right is selecting and growing the right partner network to help position and deliver solutions, and add value with services.

For those looking to live and work at the security technology frontier, significant due diligence is required before joining a start-up, no matter how compelling it may be on paper; Matt Smith suggests speaking with technical peers about the solution, researching comparable products and their USPs, and understanding what the organisation wants to achieve and where it is in that cycle:

“Whilst it’s fantastic when vendors receive funding, as this is normally used for expansion, significant/further rounds of funding often mean that the stock is diluted, which will reduce the opportunity for wealth creation.”

Matthew Smith, Principal Consultant, Vendor

One of the dominant factors at play in the end user market in 2015 has been the rise of security as a priority in SMEs. This is not only generally good news but also represents some very interesting pieces of work. We have seen some great opportunities for Information/IT Security Managers, particularly those with oversight of technical controls alongside security management, to join an organisation and effect real cultural change. Not only have these roles provided increased control and executive buy-in (generally reporting into C level with a dotted line to IT), but they also have elevated packages to reflect the increased responsibility and value of the role. Perhaps contrary to what has gone before, then, we find Security Managers within SMEs now earning more than their enterprise counterparts.

“Due to the increased awareness of cyber security risks and cybercrime in the broader market, we have seen an increase in demand from SMEs either looking to develop their cyber security capabilities from scratch, or to significantly enhance their existing capabilities. These opportunities are particularly attractive due to their broad nature and the level of autonomy they afford to candidates leading these functions, as compared to roles within larger organisations, which can be narrower in their scope.”

Scott West, Managing Consultant, End User


This is reflective of what we have seen broadly across the business landscape: investment in security, driving real transformation to mature existing functions or significantly develop greenfield sites. Of course greater awareness is a factor in this, but so is a desire to move from reactive to more proactive security models, to achieve some sense of ownership of information risk. There has been a real interest in utilising security analytics and threat intelligence more effectively, creating some really interesting ‘security scientist’ roles around research and analysis. This rapid rise has predictably been met with a shortage of what is a very niche skillset, one traditionally more likely to be seen within central government and the MoD. Financial services were there first, around a year or two ago, pillaging the public sector for some of its brightest analysts and tempting them away with the comparable riches they can offer.

“Intelligence-led cyber security is definitely a hot topic right now; this has led to a rethinking from organisations as to how they develop their cyber security capabilities and, in turn, the backgrounds of people they may not have traditionally looked at in the past to fulfil these roles.”

Scott West, Managing Consultant

This pattern of niche roles with limited talent pools is not something that’s going to go away any time soon; our industry is too immature and the pace of change too fast. There is a general shortage of security professionals, but within this we find silos of even greater obscurity that compound the problems experienced by our industry at large. Likewise, security operations has been an area of significant focus across industry; we have seen various organisations continue to develop their in-house SOC and cyber security functions.

One of the primary challenges we have seen end user organisations experience in recent times, and still fairly broadly in the last 12 months, has been pushing appropriate salaries through the business to attract applicants. There has been a long-fought battle in educating recruitment/HR about the nuanced differences between specialist security roles and more generalist technical positions. In some organisations this has unfortunately not happened, and so hiring managers in security functions are not being enabled to achieve success. Such unnecessary obstacles often coincide with difficult locales or specific role requirements that leave the positions unfilled for long periods and frustrate all involved. Much of the reason we produce the salary index is to empower those in such situations to challenge the restrictions placed upon them through organisational ignorance; it is a tool through which to effect tangible cultural change.


Systems Integrators & Consultancies

One effect of increased awareness and buy-in at board level is the increased maturity within the industry. Companies have finally started to accept their responsibilities for information risk and customer data, have taken ownership of their function, and invested heavily to develop their capability. While this will have pushed some new customers towards managed security services, particularly around security operations, analytics, and threat intelligence, there has also been a move away from this model by more mature organisations, who have been insourcing such elements of their security.

Services around security analytics (behavioural and monitoring) and intelligence have emerged as highly sought offerings and have really added value to end user organisations. These aspects of security can be quite resource heavy to operate and must be performed by deep specialists in what is a fairly limited talent pool. As such there have been some real, material increases in the number of these roles as well as the packages available for them.

So then there comes a point of maturity where an end user will want to take ownership of an outsourced service, but conversely they have reached that juncture through the development that their MSSP has provided.

There has finally been a realignment of security consultancy practices to reflect greater regional focus. We have moved away from a model of pan-European teams into much more geographically focused offices and client bases. This has overcome the main challenges consultancies and systems integrators experience in attracting the best professionals, offering a far better work-life balance and reducing the travel aspects of roles. There is of course also the added bonus that keeping people within their local areas as much as possible also reduces consultancy overheads around travel and accommodation costs.

“We are seeing increasing competition for cyber security professionals, particularly among small- and medium-sized consultancies, largely due to the shortfall of professionally accredited practitioners and sustained inflation in both contract rates and permanent salaries. As a result, some companies are starting to de-regionalise their operations by investing in strategic locations like the South East, North West and the Midlands rather than UK or Europe as a whole.”

Daniel Beresford, Senior Consultant


A particular issue that has arisen over the last few years when reaching offer stage in consultancy recruitment processes has been the flat structure of salary bandings. This is of course understandable: it’s difficult to justify to teams and workforces larger than your security consultancy arm that their work is, at some level, not worth as much as their colleagues’. Ultimately though there has been a shift, brought about in part by the significant commercial opportunity around security, as well as the difficulty in attracting top level professionals with proven track records of delivering appropriate programmes of work.

Consultancies have made invaluable contributions to the industry at large, as they are often the most willing to take on inexperienced or entry level consultants and bring them through internal and third party training and education. Although there is some impact in terms of initial utilisation, there is much to be said for saving costs through hiring at lower level salaries and then investing in the person to develop them into a more capable security practitioner. If these organisations can couple this approach with good levels of staff retention they are not only able to save costs, but scale up the size of their security workforce more efficiently.

Security Recruitment Market

Due Diligence

There has been much written on social media in recent months about the conduct of those in the recruitment industry, particularly those supplying information security personnel. Much of what’s been said, though negative in nature, is sadly true.

The barriers to entry in recruitment are typically low, requiring at most a degree of some form, and conversely the pressures on individuals to succeed are high. The majority of agencies expect completed deals in the first 3 months; for someone who knows their trade and market this is reasonable, but not so for someone new to the job. Inevitably then corners are cut by many, not only in the training provided to new starters but also in the processes they are encouraged to follow.


One of the biggest offences those in recruitment can commit is submitting an application to a client without first seeking the candidate’s permission, i.e. being granted the right to represent. This is not just against data privacy laws, it is in direct violation of the REC’s code of conduct, and it damages the brand of the candidate, who has potentially been submitted against roles or organisations to which they are not suited, in which they have no interest, or with which they have previously dealt.

We would hope only to see this behaviour from a few ‘bad apples’, but from the one-person information security team within a larger generalist agency to specialists, it is a far more common occurrence than it should be. Whether you are the candidate or the client, the recruitment agency is your supplier and as such should be held to the same levels of due diligence as any other service provider. Not only do you want to ensure your team and company are represented properly in the market, but ultimately whoever you decide to hire will be working on your security systems.

If you aren’t sure who should be engaged as a trusted advisor, canvass your network, question your peers, and seek recommendations from those who have had good experiences.

The LinkedIn Sting

Without delving into unnecessary detail, we saw a concerted social engineering campaign on LinkedIn in the summer, as phishers posing as security recruiters (“____Talent Scout”) connected indiscriminately to as many in the industry as possible. There was clearly something not right about these profiles, most of which appeared under the same unknown employer. The photos were borrowed from legitimate sources and flipped so as to try and avoid reverse image searches, and all of them had supposedly gone from jobs with fast food chains or retailers to suddenly becoming specialist security recruiters or indeed self-starting recruitment entrepreneurs. This occurred not too long after a series of social engineering attacks launched via the job site CareerBuilder.

In general, there is much to be said for using LinkedIn to reinforce and validate genuine real-world connections. Ultimately it comes down to a question of purpose: do you wish to use the site as a network of trusted peers, or a loosely connected list of those who probably (or at least claim to) work in your industry?


So why target security professionals? Access. If you’re going to try and storm the gate, you want to know as much as possible not just about those guarding it, but what tools they might have at their disposal.

This is something we will see far more of over the coming year. Typically, CVs can hold a lot of semi-sensitive information; this, coupled with some carefully selected social engineering efforts, allows cybercriminals to start developing a fuller picture. Consider some of the details the average CV holds, and then add the practice of over-sharing: we soon start to acquire addresses (including second homes), email addresses, phone numbers, dates of birth, spouse and children’s names (and often ages), hobbies, schools, National Insurance numbers, and employers’ technology toolsets. Just as you would in your day job, consider what data needs to be shared; perhaps even have a minimalistic CV for first contact or job boards, and a more detailed one for trusted partners and direct applications.

Who Should Screen?

Having a member of the internal recruitment team conduct first stage screening seems perfectly logical. It is also entirely unnecessary if you’re working with a proper recruitment consultancy, i.e. one that considers it their job to screen unsuitable applicants on your behalf. Of course this may be easier said than done, particularly if having to work through various tiers of PSL suppliers. The problem here though is that niche applicants being screened by a layperson effectively amounts to keyword matching; for an industry that can’t even agree on its own name, semantics are very important. Specialists, by contrast, are able to read beyond the words on the page and understand the context or comparable terms which may be present. If you have a strong relationship with your recruiter and have briefed them effectively, you should be able to trust them to present to you pre-screened candidates that represent a short- rather than a long-list.

Retaining Staff

There’s a skills shortage in the market and although you may be concerned about your team being headhunted into new roles through some promise of greener pastures, you must invest in them. The only way to maintain a fully stocked and highly skilled team is to incentivise and develop those within it. The worst offence a security department can make is to not provide opportunities for ongoing training of its personnel; it’s not just essential for keeping them abreast of the latest developments in the industry, but also for ensuring loyalty and retaining their services. Turnover of staff is inevitable in the current climate, but the ability to limit that attrition rate is well within the control of every team leader and department head.

Offering opportunities to progress internally is of course always desirable, but not always possible in smaller or limited functions. In such instances it is about ensuring the individual can see a clear path of personal professional development, and working closely with them as a mentor to put together a training plan with a clear set of end goals.

Paint the ‘Big Picture’

The attraction of new staff to a security team can’t just be about the package on offer. With so many companies hiring across a multitude of roles at present, it is about ensuring the attractiveness of the overall proposition. One of the key elements in any decision-making process for candidates around job offers is how well defined the role is. There are some clients who either have such restricted resources that they are unable, or simply feel they don’t need, to put together a job specification. While there is little merit in generic specifications filled with the same copy-pasted corporate spiel, if a jobseeker finds themselves in a competitive situation between propositions, then a clearly outlined mandate can be the most compelling motivator; it helps the applicant to visualise the daily ins and outs of the role and thus themselves within it. Too often information security job specs are used as a wishlist for departmental capability, and so, depending on which aspects of this the applicant matches, the role itself is subject to change. While there is merit in defining a role around an individual and really putting them at the focus of the process, an ill-defined opening suggests a bit-part role or an immature function.

Company culture is important, but also remember how niche and close-knit our industry can be. As such the security department should be sold to the candidate as its own brand under the umbrella of the organisation at large. Other useful information to provide will come around levels of management buy-in and investment in the function, as well as outlining the broad roadmap for the next few years. Ideally a candidate should not just have a feel for what week one in the role might look like, but also some sense of what day 101 might be.


Conclusions

In a market driven by scarcity, a proactive and measured approach should be taken to recruitment. This extends to all facets of the process, as ultimately it should be seen as a sales cycle. From the moment of inception and definition of the role and job specification, it is important to understand how this will be viewed by potential applicants and what can be done to ensure the best and most suitable talent is engaged by the opportunity.

Ultimately, you want to be able to choose from the most suitable candidate pool, and so any obstacles which may deter those applicants from reaching the final stages of the process should be removed. The challenge of hiring information security professionals in the current market is already substantial enough without organisations creating additional obstacles for themselves which may put them at a competitive disadvantage.

Once an employee has joined the team, the process of engagement and career development should never stop. The industry moves at too fast a pace for education not to be an ongoing process. Failing to incentivise, engage with, and invest in your security team will see them attracted to organisations which will.

For those working in the industry, it’s certainly a positive time from a financial perspective, as we have seen incremental increases across all areas, and some more substantial ones around particularly niche skills. That’s not all though: given the pace of change there are some great opportunities for professionals to deepen their skills and knowledge, and really be at the fore in driving their own career forwards. Understand what your career end game might look like, and then work with peers and mentors to define the steps that will take you on that path. This should always be incremental, looking at stages in your development and ascertaining where you would like to be in one, five, and ten years’ time. Understand your own strengths, where the market might be going, and remember not everyone can or should aspire to be a CISO.


Risk Management 21
Regulatory 22
Intelligence 23
Technical Security 24
Detection/Investigation 25
Sales Engineering 26
Sales & Marketing 27
Executive Management 28

Key: salaries are given in £1k; contract day rates are given separately. Markets: V = vendor, EU = end user, SI = systems integrator.


Risk Management

Information Security Officer: £46-£62k
Contributes towards and implements information security and risk management systems, including standards, policies, procedures, and controls guidelines.

Security Project Management: £70-£90k
Coordinates project teams, manages budget, and allocates resources across all security initiatives and any projects throughout the business where security is a concern.

Security & Risk Consultant: £55-£85k
A broad, business-facing role with internal stakeholder engagement. Conducts assessments around security and risk to identify gaps and makes recommendations for remediation.

Security Analyst: £42-£66k
Focused around the operational use of information and/or technical security controls that support the execution of the ISMS.

Information Security & Risk Manager: £65-£85k
Within a small organisation often the leader for security, setting strategy and implementing it. As part of an enterprise team, owns the ISMS and often the security risk register.

Contract day rates and markets for the five roles above, as listed: £325-£400/day, £500-£650/day, £500-£625/day, £350-£500/day, £500-£700/day; SI, EU, SI, EU, EU, EU, SI, EU.

Awareness Manager: £50-£65k; EU; contract £325-£550/day
Separated as a role in organisations with large user bases only. Responsible for designing and rolling out a security education/user awareness programme and materials.


Regulatory

Accreditor/Auditor: £46-£63k
Typically focused around conducting audits and gap analysis to ensure the as-is state aligns with frameworks, standards, policies, and procedures.

Governance & Compliance Manager: £60-£78k
Responsible for ensuring the ongoing compliance and effectiveness of the business in regards to information security and risk management.

Security & Policy Assurance: £60-£82k
Provides consultancy to internal projects and stakeholders across the business to identify, mitigate, and accept information security risks, and embed security controls as appropriate.

PCI-QSA: £55-£78k
Accredited by the Payments Security Council to assess and advise an organisation on the effectiveness of their handling of credit card data against 12 key control requirements.

Contract day rates and markets for the four roles above, as listed: £450-£510/day, £500-£625/day, £450-£625/day; SI, EU, EU, EU, SI.

ISO27001 Lead Auditor: £60-£72k; SI, EU; contract £420-£575/day
Conducts audits of an ISMS against the requirements for compliance or certification towards ISO 27001. Coverage will include risk assessments, business continuity, and effectiveness of continuous improvement plans.

Data Protection Manager: £55-£70k; EU; contract £420-£520/day
Ensures compliance to data protection and data privacy regulations.

Page 24: Acumin - Salary Index - 2016-2017

Intelligence

CLAS Advisor/CESG Certified Professional (£60-£90k): SC or DV cleared individual who assesses public sector bodies against the requirements of government accreditations. Work can range from RMADS to ISMS to high-level security architecture.

Infrastructure Penetration Tester (£35-£80k): Conducts ethical hacking against an organisation in order to identify weaknesses in network security infrastructure and will often put forward recommendations for improvement.

Application Penetration Tester (£40-£85k): Performs ethical hacks against applications and associated architecture (e.g. web app servers) to identify gaps in security measures. Also concerned with secure coding practices.

CHECK Team Member (£50-£65k): Security-cleared and certified hands-on penetration and vulnerability tester within a CHECK Scheme organisation.

CHECK Team Leader (£65-£82k): Senior-level penetration tester who will act as a manager and mentor of CHECK Team Members. Employment of a CTM is essential to maintain CHECK Scheme Green Light status.

Security Operations Analyst (£47-£80k): Sits within a SOC focusing on monitoring systems for intrusion detection and prevention; will often act as the first line of incident response/escalation.

Employer types marked for these roles: SI, EU, V. Contract day rates listed for this section: £400-£650/day (EU), £400-£650/day, £450-£700/day, £325-£800/day (EU).

Page 25: Acumin - Salary Index - 2016-2017

Technical Security

Incident Response Analyst (£50-£75k): Expert incident handler who will manage the technical response to a security breach. Some input into intrusion response procedures.

SOC / Security Operations Manager (£75-£110k): Oversight of a technical intrusion monitoring and response team. Technical background with some risk/assurance oversight; will input into strategy and solutions, as well as mentoring colleagues within security operations.

Threat & Vulnerability Manager (£65-£95k): Technical and analytical management role responsible for overseeing the company’s threat research and intelligence, inputting into service design, and ensuring timely vulnerability detection and mitigation.

Security Analytics / Data Scientist (£65-£90k): Close analysis of data generated by analytics technology such as SIEM and IDS solutions. Will apply multiple principles such as packet capture, behavioural analysis, and threat research to identify trends and technical risks.

Security Administrator (£30-£45k): Broad role offering operational support to the security function, performing duties like user access management, change requests, and patching.

Security Engineer (£55-£82k): Some involvement in developing technical standards and solutions, with the focus of the role being to implement the technical controls required to enforce the ISMS.

Employer types marked for these roles: SI, EU, V. Contract day rates listed for this section: £425-£550/day, £450-£625/day (EU), £230-£350/day (EU), £400-£550/day (EU).

Page 26: Acumin - Salary Index - 2016-2017

Detection/Investigation

Security Architect (£75-£115k): Technical role with something of a management overview; will focus predominantly on High Level Design, looking at the workflow and broad controls. Will translate security policy into technical specifications.

Security Solutions Architect (£75-£110k): Senior yet hands-on role which encompasses developing technical solutions, identifying security controls, and creating design documentation. Will help embed security into projects throughout the business.

Enterprise Security Architect (£85-£125k): Proven track record of developing security architectures and acting as technical design authority across enterprise-scale infrastructures. Ability to understand deep technical topics from a top-down and management perspective.

Application Security Specialist (£65-£125k): Responsible for architecting security controls around all aspects of the application environment, from secure development to server stacks and web app firewalls.

Security Investigator (£60-£75k): Some overlap with forensics professionals but more likely to take ownership of the investigation and evidence collection. Concerned with the extent and cost of the breach as opposed to the who and how.

Digital Forensics (£38-£65k): Technical role focused on identifying exactly what has occurred during a breach. This will include identifying the point of entry, any vulnerabilities, and the potential identity of the attacker.

Employer types marked for these roles: SI, EU, V. Contract day rates listed for this section: £500-£750/day, £550-£800/day (EU), £500-£650/day (EU), £500-£725/day, £450-£625/day, £350-£625/day (EU).

Page 27: Acumin - Salary Index - 2016-2017

Sales Engineering

Pre-Sales Consultant / Sales Engineer (£75-£105k): Supports the sales function through the delivery of technical presentations, responses to bids/tenders, and developing proof of concept installations. Works closely between the client, and product management and support teams. OTE shown (typically 80:20 split).

Senior Pre-Sales Consultant / Sales Engineer (£105-£140k): Supports the sales function through the delivery of technical presentations, responses to bids/tenders, and developing proof of concept installations. Works closely between the client, and product management and support teams. OTE shown (typically 80:20 split).

Product Manager (£65-£95k): Review of technologies to input into their ongoing development as stand-alone products and as part of broader solutions. Works closely with sales and marketing, responsible for channel communications, and acts as an escalation point on large-scale deployments.

Product Director (£95-£120k): Responsible for architecting security controls around all aspects of the application environment, from secure development to server stacks and web app firewalls.

Security Evangelist (£75-£150k): A champion for all things security, driving cultural improvement. The face of an organisation’s security posture, focused on best practice above all else.

Employer types marked for these roles: SI, V. No contract day rates are listed for this section.

Page 28: Acumin - Salary Index - 2016-2017

Sales & Marketing

New Business Sales – SME (£110-£150k): Responsible for winning new clients within the SME market. OTE shown.

New Business Sales – Enterprise (£140-£200k): Direct sales role focused around mid-corporate and enterprise-level organisations. OTE shown.

Business Development Manager (£120-£170k): Generates leads and prospects, supports the production of collateral and marketing literature, and inputs into product/service development. OTE shown.

Major Account Manager (£150-£200k): Responsible for working closely with several large existing high-value customers to deliver a consultative and focused client experience. OTE shown.

Channel & Alliance Sales (£120-£190k): Selecting, recruiting, managing, and supporting a partner network consisting of VARs, systems integrators, and MSSPs. OTE shown.

Marketing Executive (£35-£55k): Responsible for the operational execution of the market strategy through the use of digital and print media, events, and enabling the sales function.

Employer types marked for these roles: SI, V. No contract day rates are listed for this section.

Page 29: Acumin - Salary Index - 2016-2017

Executive Management

Marketing Manager (£55-£80k): Will work closely with senior sales colleagues to set regional direct and channel marketing strategies, and lead implementation activities.

Operations Director / General Manager (£125-£200k): Responsible for overseeing process, compliance, corporate governance, international operations, and support divisions for the entirety of the business.

Regional Lead (£100-£175k): A broad-reaching senior role which has operational management oversight as well as overall commercial P&L responsibility. Base only shown.

Sales Director / EVP (£220-£275k): Commercial business leader with management responsibility across sales, marketing, and operations. Base salary shown. OTE shown.

VP EMEA (£250-£350k): Regional business lead with responsibility for strategy and execution of sales, marketing, and operations. Will have some input into product/service development. OTE shown.

Marketing Director / CMO (£120-£160k): Develops international marketing strategies whilst overseeing the marketing activities across the organisation.

Employer types marked for these roles: SI, V. No contract day rates are listed for this section.

Page 30: Acumin - Salary Index - 2016-2017

Executive Management (continued)

Chief Technology Officer (£130-£210k): Board-level technical role concerned with the ongoing development of software- and hardware-based products, services, and solutions. Will be familiar with aspects of IP law.

Security Director / Head of Information Security (£80-£125k): Overarching responsibility for all information security and risk concerns in a mid-level corporate.

CISO (£125-£400k): Global leader for information security and risk. Board-level role.

Employer types marked for these roles: SI, EU, V. Contract day rate listed for this section: £800-£1000/day (EU).

Information Security Salary Index 2016

Contact: acumin.co.uk
T +44 (0)203 119 3333 E [email protected]
Octavia House, 50 Banner Street
London EC1Y 8ST