Stott & May - Report


Upload: james-campbell-clause

Post on 22-Jan-2018


Page 1: Stott & May - Report

Stott and May: Imagine Agile Expansion

Cyber Security Market Intelligence and Salary Survey 2016

Stott and May London
Eleventh Floor, 5 Aldermanbury Square, London, EC2V 7HR
+44 (0) 207 496 3650
[email protected]

Page 2: Stott & May - Report

Introduction

Global Leaders In Cyber Security

Over the years we have been privileged to partner with the most ambitious and innovative cyber teams in the world. We have a thirst for offering the most compelling opportunities to the industry elite.

Our results are a consequence of a unique mindset which enables more collaborative and strategic outcomes. Whether you are a candidate or a client, our approach is uniform. We start by considering your objectives: what is it you are trying to achieve, and why? Once we have fathomed your motivations we empower you to plan and execute your journey.

The advice that we offer is often not in our best interest. We operate at a level of transparency which has differentiated us from our competition. It has brought us trust and unparalleled loyalty from candidates and clients alike. This is the foundation that will make us an immovable force in this market for many years to come.

The purpose of this market report is to give context to the wider security market. We aim to raise awareness of key hinge points, highlight significant trends and be a trusted guide by which to make informed decisions for your business and career.

The survey has been comprehensively deduced from information gathered by our team of expert consultants in 2015. We have also carried out external research and visited many of the international conferences. We have consolidated our findings to reinforce our commentary throughout.

Leaders: It is people that determine the future of business. Our industry experts help unearth the leaders of today.

Time: Our targeted and meticulous approach ensures that we safeguard your most precious commodity – time.

Confidence: Unparalleled market insight is at the heart of everything that we do. We help you make well informed decisions.

Contents

6. Vendors Europe
8. Tech Focus
10. The Numbers
12. The Market
14. Q&A With Charlie Timblin

“If we always look for the same, we are never going to reap the value that diversity offers. Look for difference – you’ll be amazed at what you find.” Charlie Timblin, WSS

Page 3: Stott & May - Report


The security vendor space is gathering momentum at a staggering pace. New and established vendors are all competing for market share and we are seeing some aggressive expansion campaigns. It seems that significant budget is still available to ensure a multi-layered and robust perimeter is at the heart of every security strategy. Many industry experts are coining the phrase “good hygiene” which epitomises this notion.

PREDICTIONS FOR 2016-2017

• The skills gaps will be subsidized by the relocation of candidates from other parts of Europe.
• We may see that investment into the UK will pause suddenly in anticipation of the results of the referendum in June.
• With vendor portfolios increasing we will see greater convergence of skills. This could lead to a more versatile workforce.
• Increased sourcing into vendors from resellers.

Salary Survey: Country Comparison (fig. 1)

Vendor Presales Basic Salary and Typical Vendor Territory Account Manager Sales Basic, in thousands (GBP £1000s / EUR €1000s):

Region         | Presales GBP | Presales EUR | Territory AM GBP | Territory AM EUR
Eastern Europe | 28 | 35  | 31 | 39
South Africa   | 30 | 37  | 33 | 41
Israel         | 38 | 48  | 34 | 43
Spain          | 44 | 56  | 47 | 60
Italy          | 49 | 62  | 47 | 60
France         | 50 | 63  | 50 | 63
Netherlands    | 56 | 71  | 52 | 66
Sweden         | 60 | 76  | 53 | 67
Germany        | 66 | 83  | 56 | 71
UK             | 71 | 90  | 67 | 85
UAE            | 85 | 107 | 69 | 88
Switzerland    | 99 | 125 | 73 | 92

Survey taken from 50 employees in each region from Gartner magic quadrant vendors.

CEUR is a very steady market. The Netherlands are developing a reputation for versatile talent. The available talent pool has maintained salaries in this region and makes it an attractive option for a regional office. Belgium offers good language options but a limited candidate pool.

The DACH region maintains a significant appetite for security despite some tricky privacy laws. Germany remains the hub of this region; however, salaries in Switzerland are significantly higher. DACH has a strong hold in the IAM skills market, with many boutique consultancies branching out internationally.

SEUR is seeing the least growth due to the economic crisis. Language, cultural barriers and tricky employment contracts also have an effect.

The UK remains the gateway into the EMEA market, with most vendors choosing this as their strategic base. Basic economics dictate salaries inflated higher than the rest of Europe.

Regions shown on the map: Nordics & Benelux, Eastern Europe, Middle East, Southern Europe, DACH, Israel, UK & Ireland.

Eastern Europe and parts of Africa have seen an injection of investment, with many enterprise organisations outsourcing large parts of their infrastructure into these regions. Despite this, salaries remain the lowest in all of EMEA.

The Israeli government is offering subsidies, and the country has developed into a hot bed for cyber security start-ups. We are seeing a number of these flourishing on a global scale. Israel has many talented security professionals, who are very good value for money.

The Middle East has the largest variation in salaries. Experts from other parts of the world are inflating salaries. We are likely to see a significant decrease in salaries in this region once the reliance on imported talent diminishes.

Page 4: Stott & May - Report


Technology Focus

As the threat surface swells and the sophistication of attacks evolves, innovation is essential. This is our pick of trending technologies based on market intelligence gathered within our network.

CASB
The emergence of Cloud Access Security Brokering (CASB) is of no surprise, as it helps to resolve a prominent problem within most enterprise environments: enabling organisations to administer policies and to protect cloud-based applications and shadow IT. We have seen the birth of many start-ups helping to address this, and it is likely that most of these will be swallowed up by established vendors, whilst some of those vendors have already begun developing their own capability.

Threat Intelligence & Analytics
Enhanced maturity levels are normally very labor expensive. We are seeing a lot of innovation in automation and streamlined processes. Threat Intelligence, machine learning and UEBA are all integral cogs in this evolution. The military and law enforcement seem to be a hot bed for talent, and we are seeing tools, techniques and skills adapted and integrated into the private sector.

Deception based technologies
We have started to see different ways of identifying attacks, such as deception-based technologies. Whilst they are by no means a silver bullet, they boast a zero false-positive alert capability which is compelling in its own right. Watch this space.

PAM
PKI and IAM are still key components. PAM is the evolution of these technologies through integration and has applications which are relevant to restricting an attacker's mobility. Whilst Privileged Access Management is not new to the market, it is reaching a level of momentum which needs to be acknowledged.

Emerging Trends (fig. 2)

VC investment in million $ by security / cyber IT company, for: Zscaler, Cybereason, Cylance, Team8, Darktrace, Countertack, Ironnet Cybersecurity, Argus Cyber Security, Digital Shadows, Morphick Cyber Security, E8 Security (bar values not legible in this copy).

Rising Venture Capital Interest In Cybersecurity Startups (fig. 3)

Year | Investments, in billions of dollars | Number of deals
2010 | $0.8 | 108
2011 | $0.8 | 120
2012 | $1.2 | 156
2013 | $1.7 | 201
2014 | $2.5 | 240
2015 | $3.3 | 255

Top 5 VC Investors 2015 – Notable VC’s (fig. 4)

Deal values shown: $228m, $210m, $149m, $202m, $110m (investor names not legible in this copy).

The numbers quoted in Fig. 4 refer to the value of deals that the quoted VC’s have been involved in, as opposed to their individual contribution. Source: Crunchbase.com

Page 5: Stott & May - Report


Qualification Analysis

We have taken a sample of 100 job descriptions, chosen from 4 companies within 5 magic quadrants. The purpose of the analysis is to demonstrate the type of skills which are most in demand. We have highlighted the difference between skills required and skills desirable.

Fig. 5 highlights the variations in salary relative to technologies. Numbers quoted are taken from a sample of 720 professionals from security vendors based in the UK. We have focused on 4 main areas and taken equal samples for each permutation. The salary sample was taken with consideration to a candidate's skills as opposed to the technology vendor for whom they work. We have cleaned the data and adjusted it for ease of viewing. The numbers quoted refer to the fixed basic salary.

The next table is an extension of the table above. We have taken a sample of 720 professionals from 5 countries: France, Germany, Sweden, Spain and the Netherlands.

Figure … shows the variation in salaries relative to role. Numbers quoted are OTE based on a 50/50 split.

Qualification Analysis chart – skills marked Required vs Desirable across the sampled job descriptions: SCADA, IAM, GRC, Malware Analysis, HIPS, Endpoint, Forensics, DLP, Pentest / CEH, WAF, Scripting, SIEM, Vulnerability, DDoS, O/S, IPS, Core Networking, Proxy, Firewalls (bar values not legible in this copy).

Salary Data: Cyber Security Pre Sales UK (typical fixed basic salary; fig. 5)

Role | APT | SIEM | Network Security | IAM | SI & MSSP | Typical Basic/Variable Split
Pre Sales Manager | £110-120k | £90-120k | £90-120k | £90-120k | 70/30 or 80/20
Principal Security Engineer | £85-110k | £65-95k | £85-110k | £85-120k | 70/30 or 80/20
Product Manager | £90-110k | £75-90k | £90-110k | - | 90/10
Solution Architect | £80-100k | £65-85k | £90-120k | £65-100k | 70/30
Principal Architect | £95-130k | £65-95k | £90-140k | £90-120k | 80/20
Enterprise Architect | - | - | - | £90-125k | 90/10
Security Engineer (delivery) | £40-65k | £40-65k | £50-75k | £50-75k | 90/10
Support | £30-50k | £30-50k | £30-50k | £30-50k | 95/5
Sales Specialist | £60-80k | £60-80k | £70-90k | £70-90k | 50/50 or 60/40

Cyber Security Pre Sales Central Europe (€1000s, fixed basic salary)

Role | APT | SIEM | Network Security | IAM | SI & MSSP
Pre Sales Manager | €120-140 | €100-130 | €120-140 | €100-130
Principal Security Engineer | €100-130 | €90-110 | €100-130 | €100-130
Product Manager | €120-140 | €90-110 | €120-140 | -
Solution Architect | €100-140 | €90-130 | €100-140 | €90-130
Principal Architect | €70-100 | €60-90 | €70-100 | €60-90
Enterprise Architect | - | - | - | €100-150
Security Engineer (delivery) | €50-80 | €40-65 | €60-90 | €50-80
Support | €30-60 | €30-60 | €30-60 | €30-60
Sales Specialist | €80-100 | €70-90 | €80-100 | €75-100

Cyber Security Sales UK & Europe (OTE, 50/50 split)

Role | UK Salary (OTE 50/50) | Europe Salary (OTE 50/50)
Enterprise Account Manager | £140-160k | €140-160k
Global Account Manager | £180-200k | €180-200k
Territory Account Manager / Regional Sales Manager | £120-140k | €120-140k
Channel Account Manager Tier 1, 2, 3 Reseller | £140-150k | €140-150k
Channel Account Manager MSP/SP | £150-160k | €150-160k
Sales Manager | £200-220k | €200-220k
Sales Director / Country Manager | £220-240k | €220-240k
EMEA Sales Director | £220-280k | €220-280k
VP Sales | £300-350k | €300-350k

Page 6: Stott & May - Report

Information Security

Global Security: A Spotlight

The Top Five By Revenues According To Gartner 2015

1. Symantec with $3.69 billion in revenues, 17.2% market share, and a (-1.3%) decline in growth
2. Intel Security with $1.825 billion in revenues, 8.5% market share, and 4.5% growth
3. IBM Security with $1.486 billion in revenues, 6.9% market share, and 17% growth
4. Trend Micro with $1.052 billion in revenues, 4.9% market share, and a (-5.9%) decline in growth
5. EMC (includes its RSA business) with $798 million in revenues, 3.7% market share, and 5% growth

Sources: MicroMarketMonitor, Gartner, Markets and Market, Visiongain

$35.53 billion: estimated value of the Europe cyber market by 2019
Europe makes up 26.95% of the global market value
$101 billion: the world spend on information security by 2018
$170 billion: estimated cyber security market by 2020
9.8% global compound annual growth rate 2015-2020
Next generation cyber security market will generate revenues of $35.7 billion in 2016

The chart below shows the breakdown of the top 5 sectors by incidents, which accounted for approximately 75% of all sector-specific incidents. Financial services and govt/wider public sector remain the two highest sectors, while we had no reported incidents this quarter in the civil nuclear and legal sectors. Once again, we do not assess these to be a representation of UK cyber health, but rather a reflection of the good communication and information sharing that we see in each sector.

Good communications with the top 5 sectors means they account for 75% of all incidents reported.

Top 5 Sectors By Incident Type – CERT-UK Attacks By Sector, June 2015 (fig. 7)

Sectors shown (y-axis: % of sector distribution, 0-100): Financial Services, Govt/Wider Public Sector, Communications, Managed Services, Professional Services (bar values not legible in this copy).

Incident types in the legend: Website - Defacement (Passive); Website - DoS / DDoS; Website - Defacement (Active); Vulnerability - Un-patched; Network - Compromise of infrastructure; Malware - Unknown/Unidentified; Malware - Known/Identified; Email - Suspicious/SPAM/Phishing; Email - Spear-Phishing; Data - Exfiltration; Abuse - Unsecured infrastructure; Abuse - Credentials; Abuse - Attacker infrastructure.

Banking Malware Attacks – countries by percentage of users targeted (fig. 8)

Singapore 11.6
Switzerland 10.6
Australia 10.1
Brazil 9.8
Hong Kong 9.0
South Africa 8.2
Spain 5.4
UK 5.1
Italy 5.0
Germany 3.8
US 3.2
France 2.9
Japan 2.5
Russia 2.0

Page 7: Stott & May - Report


Q&A With Charlie Timblin

Q&A 60 Secs: Charlie Timblin, WSS (Women’s Security Society) Co-Founder

What can be done to combat the inequality that still exists in security?
I suppose my answer covers not only the gender equality issue, but also the lack of diversity as a whole within the profession. We need to translate words to action. Security leaders who are recruiting should not be fearful of mixing things up a little! Diversity is needed not only from a gender perspective but from a background, competency and skillset perspective, and that means looking for different talent pipelines and wording job specifications differently – avoid ‘techno-babble’ and a proliferation of sometimes unpronounceable certs for entry level positions! Apprentice schemes are out there, but they are few and far between and often written in a way that either discounts individuals without a degree in computer science or encourages individuals to discount themselves. I’d like to see more apprenticeship schemes which provide entry level opportunities that consider alternates to the traditional graduate pipeline. If there aren’t enough graduates (irrespective of gender) we need to recognise skill sets and competencies that can be developed and find a way to advertise entry level roles to target individuals that possess key competencies, transferable skills, drive, passion, a willingness to commit to be trained, mentored, developed, evolved. Lift up the stones and see what’s beneath, invest time in approaching things differently, don’t simply define talent as a standard package at entry level. If we always look for the same, we are never going to reap the value that diversity offers. Look for difference – you’ll be amazed at what you find.

Is this an issue that needs to be addressed at Graduate level?
I’m inclined to suggest focusing purely on the graduate pipeline could limit diversity. We know from data available that representation at UK Universities by individuals from low income families and minority backgrounds is low, too low. Hence, recruiting only from a grad talent pipeline potentially limits diversity and fails to recognise untapped talent that just hasn’t had an opportunity to realise their potential yet! I’d suggest a common set of agreed upon job titles, with an overview of tasks and responsibilities, is developed by a global professional body and organisations commit to use this as a common body of knowledge (CBOK). This should be supported with guidance on access via the graduate and non-graduate routes. Grads should be provided careers advice together with advice as to how they can embrace current approaches to networking and job hunting. They should be mentored on how to craft a LinkedIn profile, on LinkedIn ‘protocols’, how to leverage LinkedIn groups, how to search for roles, find events/forums to attend and how to network (virtually and physically), with confidence. I’d like to see universities actively marketing their grads.

“recruiting only from a grad talent pipeline potentially limits diversity & fails to recognise untapped talent that just hasn’t had an opportunity to realise their potential”

Is enough being done to entice women pursuing a career in security?
No, I don’t believe enough is being done to entice women (or individuals from diverse backgrounds) into security. Returning-to-work mothers, for example, are a wealth of untapped talent. Many have transferable skill sets or past technology experience – most, if not all, are unaware of the new ‘cyber world’ and how they could potentially add value. We all see the stats regarding the low volumes of females opting for STEM subjects. So, if you want to entice women into security and there aren’t sufficient numbers available from the grad route, actively consider and search for different potential from other professions. I don’t have a degree in computer science (yet... the future - maybe). I read voraciously, I’m analytical, I apply critical thinking, I learn, I collaborate, ask questions and seek answers (constantly), engage with SMEs and learn from them. I have sought professional certs after understanding which ones are right for my role. I’m not from the ‘traditional’ IT risk background and I like that. I work in IT Risk because someone [a leader] saw passion and competencies in me that he knew could be enhanced and built upon. He gave me an opportunity.

What is the WSS doing to break the mould?
What I believe sets the WSS apart is we recognise the word ‘security’ has many facets and that individuals operating within security really need to be multi-dimensional; hence, we try to make our events attractive to individuals from multiple professions. Despite our name, the drive for diversity isn’t solely focused on gender. All our events are free; we don’t charge at all for attendance, solely due to the generosity of our sponsors. We ask our speakers to remain at events and to actively network with individuals, to be available, to connect. The WSS board has full-time jobs, and families – delivering events for the WSS sometimes has an adverse impact on our spare time (and stress levels!). But we don’t mind about that, because we want to make a difference; we want to help make the security profession a great place to be or to interact with.

Are there particular certifications you would encourage graduates / women to pursue?
Certifications are role specific. Often you see people being guided by marketing material. I’d encourage individuals to research roles. Then, once they have an idea on the type of role they wish to perform, to research certifications, not with training providers but by networking with individuals who are performing those roles.

What topics are being neglected/missed at board level?
I think board discussions on talent should be encouraged (wherever practicable). I’m a great believer in talking positively to others about talent. When you see someone with potential, speak out. The sharing of a name does wonders for the exposure of that individual. It’s a low effort, high return way of sponsoring an individual that has potential.

Your views on the subject of equality in security – are there challenges/opportunities, or is it a genuine skills gap?
The topic is out there and that introduces great opportunity. There are some fab bloggers and advocates (Jane Frankland being a fantastic front runner here). Discussion and debate eventually prompts action and change. When hiring managers recruiting entry level or junior positions opt for the pre-packaged candidate as opposed to an individual they can develop, the skills and gender gap situation is propagated.

Page 8: Stott & May - Report

Information Security

UK information security salaries by sector (basic fixed salary; fig. 9)

Role | UK FS / Banking | Consulting / Professional Services | Telco | Legal | Public Sector
CISO | £140-180k | £120-140k | £130-150k | £130-150k | £130-150k
CIO | £150-200k | £130-150k | £150-180k | £140-160k | £140-150k
IT Security Manager | £65-75k | £55-65k | £65-75k | £60-70k | £65-75k
Information Security Manager | £60-80k | £60-70k | £60-80k | £65-75k | £50-80k
PCI DSS Specialist | £50-65k | £45-55k | £50-65k | £50-55k | £50-65k
QSA | £70-80k | £60-70k | £70-80k | £60-80k | £50-80k
CLAS Consultant (CCP) | n/a | n/a | £70-90k | n/a | £70-90k
Information Security Consultant | £50-60k | £45-50k | £50-60k | £50-60k | £50-60k
IT Security Analyst | £45-50k | £40-50k | £40-50k | £45-50k | £45-50k
Security Architect | £75-90k | £65-80k | £70-90k | £70-80k | £70-80k
Application Security Specialist | £80-100k | £70-90k | £75-85k | £70-90k | £85-95k
Network Security Specialist | £45-55k | £40-50k | £40-55k | £40-55k | £45-55k
Cyber Security Director | £130-170k | £110-120k | £110-130k | £120-130k | £120-130k
Penetration Tester | £70-85k | £60-80k | £70-90k | £50-80k | £65-85k
Data Protection | £45-55k | £40-50k | £45-55k | £45-50k | £45-55k
CSO | £150-200k | £130-150k | £40-180k | £140-150k | £140-160k
Technology Risk Consultant/Manager | £60-80k | £50-65k | £65-75k | £70-75k | £70-75k
Head of IT Risk | £90-120k | £80-100k | £80-110k | £90-100k | £90-100k
CHECK Team Leader | £70-90k | £60-75k | £70-90k | £70-80k | £70-80k
Business Continuity Manager | £55-70k | £50-60k | £40-50k | £50-60k | £55-65k
Incident Response Specialist | £50-65k | £45-60k | £50-60k | £50-50k | £50-60k
Head of Information Security | £90-120k | £80-100k | £90-110k | £90-100k | £90-100k
SOC Tier 1 Analyst | £30-45k | £30-45k | £30-35k | £35-40k | £30-35k
SOC Tier 2 Analyst | £35-50k | £35-50k | £35-45k | £40-50k | £35-45k
IA Consultant | £50-65k | £50-65k | £50-60k | £50-65k | £40-55k
Government Security Consultant | n/a | n/a | n/a | n/a | £50-80k

http://www.forbes.com/sites/susanadams/2015/09/03/the-most-prestigious-consulting-firms-2/#4578a63d7382

Vault.com, the career website, has released a ranking of the most prestigious consulting firms.

A little like the Oscars, which turns to the movie industry to tally its votes, Vault’s list comes from a survey of consultants who are asked to rank their peers and competitors. Vault ran its survey for six weeks in March and April and gathered votes from 9,000 consultants at 65 North American firms.

For the prestige ranking, consultants were not allowed to vote for their own firms, and they were asked only to rate firms with which they were familiar. They rated each firm on a scale of 1 (least prestigious) to 10. Vault has been running the survey for 14 years, and every year McKinsey has come out on top. In fact, the top four are unchanged from last year: McKinsey, Boston Consulting Group, Bain and Deloitte Consulting.

Why is prestige important in the consulting business? For job seekers, having McKinsey or Boston Consulting on a résumé can open up opportunities, as The New York Times or The Wall Street Journal would on a journalist’s CV. Also people simply care about prestige. For many people, their career defines them. They want to work for the most prestigious firms because of that.

The list is dominated by huge firms with workforces in the thousands and multiple worldwide offices. An exception: the Bridgespan Group, located on Boston’s Copley Place. The firm has 158 employees and its focus is the nonprofit sector. It spun off from Bain in 1999 but kept its ties to the firm. Bain consultants can take a leave and work six to 12 months at Bridgespan.

SEP 3, 2015

The information in Fig. 9 has been collected from a sample of over 5000 security professionals in the UK. The values stated are basic fixed salary.

Information Security, UK Only: Salary Survey Numbers

The Most Prestigious: The Top 10 Most Prestigious Firms According To Vault

1. McKinsey & Company
2. The Boston Consulting Group
3. Bain & Company
4. Deloitte Consulting
5. Booz Allen Hamilton
6. PricewaterhouseCoopers
7. EY LLP Consulting Practice
8. Accenture
9. KPMG LLP (Consulting Practice)
10. IBM Global Business Services


fig. 9

Page 9: Stott & May - Report


had a huge effect on the organisation. Adversaries seem to always remain one step ahead. There is a lack of good technology to manage and understand the behaviour that takes place on networks. A number of technologies are emerging but this is still in its infancy.

Equality in security – is there a genuine skills gap? I think it’s a genuine skills gap but I also think that the projections of numbers of people in cyber skills mean that we will be short of the number needed. We haven’t really been selling cyber security as a profession or career path for new graduates. On top of that we have a problem with attracting females. We have females in government awareness policy space but not in the technical aspects of cyber security. Hacking, architecture there aren’t enough. It’s not something females have been attracted to. Females bring a new dynamic to the team – any team that has a diverse group of people from all walks of life and a mix of males and females gives a more diverse view on how to tackle problems. We need to make it a more attractive industry to graduates and women and people from diverse backgrounds by showing it’s a really interesting industry to work in.

Any advice on the reporting line? There is no one straight answer as it each organisations needs to be considered objectively. What is clear is that it should be independent of the technology team. Reporting line has to have sufficient impact in the organisation to be able to hold and gain credibility and have a line of communication to management that’s influential to making things happen. The only reason why I’m reluctant to see infosec embedded with technology is because there can be a clash between what the technologist is trying to deliver to make business work, and what the security dimension of that technology might be. The technology team make the ultimate decisions at the top of the tree and security often is given the push to not happen and that’s why you have to operate independent of tech but in a reporting chain that’s meaningful to the organisation and has significant impact and clout to be recognised.

What’s been your key to success? What advice would you give to current CISOs or aspiring ones? My key advice is understanding your business, the dynamics of the strategy of the organisation and align your security strategy to answer and allude to the strategy of the organisation. Be pragmatic about what you are trying to achieve. Don’t be the deliverer of doom and gloom – pick something from the business strategy and hook to it something that aligns to the security approach you are trying to take. Your job isn’t always to say no – it’s about how you can enable the business to do things in a secure way.

What’s the best way to get board level buy in?You can’t go into a board room with scare tactics. Talk to them in the language they are used to – be pragmatic and open about challenges but be honest. They are employing you to make sure that what you say is meaningful and will protect the organisation. You need to speak the business language and understand the real risks and threats and explain them in plain English.

Q&A With Paul Wood

•The Chief Risk and Compliance Officer at Bloomberg.•35 years’ experience in cyber sec risk space – Wide

spectrum of experience at the highest level across a variety of industries – both public and private in government and notably within financial services.

•MBE for services to the government (MoD).•Board of advisors /steering committee for a number of

organisations including, Global Cyber Alliance & SINET.•Member of KPMG’s 1-4 initative.• Industry speaker known for his pragmatic and no non-

sense approach – known to challenge the status quo.

What are common cyber security concerns in the boardroom right now?How effective is their cyber security controlled environment and how can they get a good understanding of the right things to tackle. Is the money being placed in the right areas to gain the right level of assurance? Have they’ve got right cyber security strategy in place, appointed the right people, right resources and made the right investment in tools? How can we get a measure of how successful that is? How do I know my CISO is doing the right thing?

Is there a way of quantifying ROI in cyber security?Difficult to put real metrics generically across all industries. You need to understand the risk to your business and consider 4 main dimensions - Prevention, Detection, Response and Resilience/Recovery when facing a threat – Start to build metrics around how these business process are improved - Has your tech you have invested in resolved a problem without increasing work load? It is often hard to really quantify ROI but look for business process improvements.

Is a risk based approach to cyber security the only way?A risk based approach is the correct way of deciding on your investment. You need to evaluate the threats you face, understand totally what they are and understand the attack vectors you need to defend yourself against. Not all organisations would be susceptible to the same attacks. Then you take a risk based approach across the dimensions of detection, response and recover and decide how you are to align your efforts to address those threats.

It seems like we are seeing a lot more threat intelligence and analytics being introduced?There is a big gap in this technology space. We go through phases where new technologies come to life trying to be the next great answer. Normally they emerge with no business case and there is no surprise that they often can’t deliver what they say “on the box”. Big Data and Analytics have not seen a clear winner. You must be conscious that vendors will try and sell you something but is it really going to achieve what they claim it will? You should consider if it has been a fully embedded and there are implemented solutions to reinforce their claims. One area we need to improve is to understand the threat profile of an organisation. Greater consideration needs to be given to the strategic purpose, nature and capabilities of emerging threats. Some intelligence tools are useful but you need to do your own profiling – then find other intelligence sources to help you establish the threat vectors you face.

Q: Many think that in order to understand threats you need to enquire internally first. Do you agree?
A: The organisation needs to decide what it's concerned about. What are our critical assets, and what are the threats to these assets that could cause you to fail? Consideration should be given to who the people are that are likely to come after these assets. It is equally important to determine the nature of your insider threat. They already have access to your systems; some will really control the keys to all your data. Boards don't really consider this as much as they should.

Q: What topics are being neglected at board level?
A: The regulated industries seem to have greater awareness, but in general there is only a basic understanding of what cyber security really means at board level. In fact, many organisations seem to have a false sense of security. Just because there's a CISO and infrastructure in place, they have to rely on their judgement that their investment is being used in the right way. In general boards do not understand the real threat and, more importantly, the real cost of a breach to their business. More needs to be done to understand where the threats are coming from and how they are protecting themselves. They will not succeed if they do not have systems in place to react and respond when things go wrong.

"More needs to be done to understand where the threats are coming from and how they are protecting themselves."

Q: Is it fair to be accountable if you are restricted by budget constraints?
A: There's not a never-ending pot of gold for these problems; that's why a risk based approach has to be applied. You have to understand your threats and utilise your resources within your budget constraints. In a lot of cases, education, training, awareness and process improvement don't need budget. You can control risk by stopping people having access to things they don't need access to and removing access when they leave the company. Budget is an issue, but it shouldn't be a full constraint. You have to take a holistic view on security and manage your investment in tech, process and people accordingly.

Q: What's been the most significant change in the cyber landscape and why?
A: Sophistication and the nature of the evolving threat landscape is the single biggest change. We are seeing more aggressive attacks for things we wouldn't have expected, and many of these are attributable to host nation attacks; Sony and Ashley Madison are great examples of this. The exposure of embarrassing emails

Q&A with Paul Wood MBE


Information Security


Meet The Team: Cyber Security

Simon Kouttis, Manager, Cyber Security
As Manager of Stott and May's Cyber Security recruitment division, Simon Kouttis is in charge of maintaining the team's industry-leading reputation. Simon specialises in permanent placements with a global footprint, and senior executive appointments across the IT sector. Simon is currently heading up Stott and May's Cyber Security Centre of Excellence, a one-of-a-kind training facility designed to produce recruitment specialists with unparalleled industry knowledge. A University of Reading graduate, Simon's interests include golf, football, gourmet food and travel.

Oliver Kuehne, Manager, Cyber Security
An essential member of Stott and May's world-leading Cyber Security recruitment division, Oliver's vast network of highly experienced candidates enables him to place the best IT security sales professionals on the market. An expert at working with security vendors and resellers, he recruits at all levels of sales: Account Managers, VPs, Channel Specialists, and beyond. In his spare time, Oliver enjoys water sports in Brighton while spending time with his family and friends.

Andrew Gee, Executive Vice President, USA
Executive Vice President and Director Andrew joined the company in April 2011, after seven years working in International Business Development. He currently heads up the company's New York office. In his spare time, Andrew is an active sportsman and has won several awards for tennis, football and table tennis. Alongside his aid work in Sri Lanka post-tsunami, Andrew rates completing the London Marathon as one of his greatest achievements.

Stephen Stott, CEO & Founder
Prior to founding Stott and May, CEO Stephen Stott co-founded Huntress Search, a technology recruitment company. During this period, he established and took sole responsibility for EMEA and Asia operations, adding £60 million to company revenues, rose to Managing Director, and oversaw a $105 million 1st tier PE MBO by a 1st tier Investment Bank. Seeking a new challenge, Stephen launched Stott and May in December 2009, and in the years since, the company has firmly established itself as a leading executive recruitment business and grown to over £30m in revenue.