
Page 1: INFORMATION SECURITY · Source: M-Trends Beyond The Breach: 2014 Threat Report There has been much speculation about what 2014 might hold for the field of information security. With

INFORMATION SECURITY RECRUITMENT & INDUSTRY INSIGHTS 2014

Page 2

Contents

The Biggest Change in 2013 – 4
The 2014 Approach – 5
Permanent Salary Benchmarking – 6-7
Contract Pay Benchmarking – 8
Exciting Technology & Biggest Challenges – 9-10
Interview: Context Information Security – 11
Interview: Cisco – 12
Interview: Celestix Networks – 13
If you had a Magic Wand – 14
Skills Shortages – 15
What do InfoSec Professionals want? – 16
Summary & Conclusions – 17
About ARM – 18

Page 3

Executive Summary

ARM Information Security & Communications is a niche recruitment consultancy for the information security market and an operating division of ARM Ltd. Our specialist recruitment consultants are in daily contact with leading companies in the information security market, which has enabled us to seek their expert opinions on the future pressure points for the industry, where growth is expected and what this means for the recruitment market. In addition to this qualitative information, our report includes a permanent salary survey, contract rate benchmarking data, plus information on the skills most in demand for 2014.

Following the success of ARM’s inaugural Technology Market Outlook Report in January, we are further honing our research to address the needs of the specialist niche recruitment markets in which we operate. The following report for the information security sector is the first in the new series and it is our hope that this report will provide you with insight into where skills will be required and the critical influences driving demand.

2014’s main focus point is candidate attraction and ARM can help shape and successfully deliver your recruitment solutions, as a trusted partner who understands your business and market place.

Foreword

A warm welcome to ARM’s 2014 Information Security Insights report. Having operated in this market since 1998, I’ve witnessed many changes in the threat landscape and in the people who seek to innovate and mitigate threats.

Companies are only now beginning to consider that cyber attacks are no longer a matter of if, but when. As hackers’ tactics and motivations broaden they become more tenacious, increasingly attacking the vulnerabilities offered by the prevalence of social media, worker mobility, cloud computing uptake and online profiles. Big Data analytics will be of increasing importance in understanding “Was I attacked, who is trying to attack me and what can I do to mitigate future risk?”

Our panel of interviewees cited the disciplines that excite them for the year ahead:

• Penetration testing will continue to probe and discover new vulnerabilities to mitigate

• Compliant regulation topped a number of people’s priorities, with the caveat that throwing yourself into the regulatory minefield should only happen once a business understands what they have got and how to mitigate the risks

• Cloud computing continues to dominate the thoughts and minds of both the press and technology leaders.

Never has the information security market been so dynamic. Our thanks to everyone who participated and we hope you find our report interesting.

Damian Hicklin
Business Sector Director
ARM Information Security & Communications

Page 4

The Biggest Change in 2013

2013 was the year of the giant slayers as hackers played David and brought some of the biggest household names to their knees. As hackers sought out bigger and better targets to add to their portfolios, companies began to register that threats were a certainty, risk plans were required and that they were already very much on the back foot.

“It became less about using technology to plug holes in a dam and more about effecting real change in culture, behaviour, consultancy and strategic products.” – Grant Taylor, VP, Security Matterz

“Compliance requirements such as PCI and SOX drove the security agenda at the executive level. This was compounded by well-publicised cyber security attacks and their associated impacts.” – Guy Barratt, Information Security Manager, Galatea Compliance

“The news was full of stories of big names getting compromised and this raised information security higher up the company agenda.” – Peter Groom, Managing Consultant, Network Knowledge

“More stories were being published by big news companies, which seem to have opened people’s eyes to what hackers are capable of and what they do with the information that they steal. Companies are now taking their security more seriously and that’s a good thing.” – Neil Fryer, Technical Security Director, IT Security Geeks

“For companies, the focus shifted from APT to 0-day malware and organisations were being told that AV wasn’t working and that they needed to do something new to protect themselves against more complex threats. From first-hand experience, it was clear that most organisations struggled with basics – such as patching and vulnerability management – so I believe trying to create accurate risk models was a big challenge.” – Lawrence Munro, Head of Consulting Services, Nebulas

“Companies started to fall behind in trying to keep up with the ever-changing threat environment. Trying to juggle that with under-pressure budgets and fewer resources/skills resulted in many organisations falling behind the curve.” – Ajay Shah, Business Development Director, TDI Security

DDoS – on the up

• Attack volume increased 32%

• DrDoS emerged as a popular method

• Mobile devices & apps began participating

Source: Prolexic Q4 2013 Global DDoS Attack Report

Security Breaches Affect SMEs

• 87% had a security breach in 2013 – up by 76% YoY

• £35k-£65k – average cost of the worst breaches

• 57% suffered staff-related breaches – up by 45% YoY

Source: PwC 2013 Information Security Breaches Survey

Page 5

The 2014 Approach

There has been much speculation about what 2014 might hold for the field of information security. With 24% of companies reporting that they’ve been a victim of cybercrime¹ and the as yet unknown reach and impact of the Heartbleed bug, it’s no surprise that the issue is racing up the corporate agenda. When hackers attack, it isn’t only data that’s stolen: reputations and relationships suffer, as does a company’s bottom line.

“With companies like FireEye and Bromium creating newer and better sandboxing technology, I can see the market becoming further commoditised and consumers being increasingly confused by advances in technology and how to spend their security budgets. I believe that more companies will start moving towards internal (or outsourced) SOCs to gain better visibility of their attack surfaces. Internal (or outsourced) capability will grow around incident response, as organisations become more comfortable with the acceptance of a breach (and changes in government legislation).” – Lawrence Munro, Head of Consulting Services, Nebulas

“I’d like to believe that more emphasis will be placed on security at the beginning of projects, rather than towards the end. Also, proper security budgets will be allocated within organisations and their respective projects.” – Neil Fryer, Technical Security Director, IT Security Geeks

“Constant press reports will drive concerns into businesses ... As the economy and confidence improves, this will enable resources to ensure that the company is not in the “low hanging fruit” group.” – Guy Barratt, Information Security Manager, Galatea Compliance

“Information security will continue to rise up the corporate agenda together with renewed focus on PCI compliance following v3.” – Peter Groom, Managing Consultant, Network Knowledge

“Pressure on budgets and resource will only get greater, so companies will have to approach information security in a smarter way. That could mean a number of things; from using the right agile partners to looking at SAAS type solutions rather than infrastructure investment or increasing the exposure of risk higher up the organisation to highlight any gaps. This will require smarter information security practitioners.” – Ajay Shah, Business Development Director, TDI Security

“It is hard to overstate how quickly cyber security has gone from a niche IT issue to a consumer issue and boardroom priority.”

• Only 33% of victims discovered breaches themselves

• 67% were notified by an external entity

Source: M-Trends Beyond The Breach: 2014 Threat Report

49% of CEOs are concerned about cyber threats to their company.

Source: PwC 17th Annual Global CEO Survey

¹ Source: PwC 2014 Global Economic Crime Survey

Page 6

Permanent Benchmarking: Base Salaries

Sector groups on this page (rotated column labels recovered from the page layout): DPP, IAM & Encryption; Threat and Vulnerability Management; Consultancy.

Skill Set/Role Type | London | Rest of UK
DLP Consultant | £55-£70,000 | £50-£65,000
PKI Engineer | £50-£65,000 | £45-£55,000
PKI Consultant | £50-£70,000 | £50-£65,000
PKI Architect | £65-£85,000 | £65-£80,000
Identity Management Consultant | £50-£70,000 | £50-£60,000
2FA Consultant | £50-£70,000 | £50-£65,000
Pre-Sales Consultant | £55-£70,000 | £50-£60,000
Security Solution Architect | £65-£85,000 | £65-£75,000
Application Security Consultant | £65-£90,000 | £55-£75,000
CHECK Team Member/CREST CRT | £38-£50,000 | £32-£45,000
CHECK Team Leader/CREST CCT ACE & CCT ICE | £65-£85,000 | £50-£75,000
Malware Reverse Engineer | £40-£60,000 | £35-£50,000
Cyber Incident Response Consultant | £43-£80,000 | £40-£70,000
Security Researcher | £55-£70,000 | £50-£60,000
SIEM Engineer | £45-£65,000 | £40-£50,000
SIEM Consultant | £55-£75,000 | £50-£65,000
Associate | £28-£35,000 | £25-£35,000
Consultant | £35-£45,000 | £30-£40,000
Manager | £50-£65,000 | £45-£65,000
Senior Manager | £65-£90,000 | £60-£85,000
Director | £90,000+ | £80,000+

Source: ARM internal data, March 2014.

Page 7

Permanent Benchmarking: Base Salaries (continued)

Sector groups on this page (rotated column labels recovered from the page layout): Governance, Risk & Compliance; Outsourced or Managed Services; Infrastructure.

Skill Set/Role Type | London | Rest of UK
ISO 27001 Lead Auditor | £50-£70,000 | £45-£65,000
SOX Auditor | £50-£70,000 | £50-£60,000
PCI QSA | £60-£75,000 | £55-£65,000
CLAS Consultant | £60-£75,000 | £55-£70,000
IDS/IPS Engineer | £35-£45,000 | £30-£40,000
IDS/IPS Consultant | £50-£65,000 | £45-£55,000
Lead Network Intrusion Analyst | £50-£60,000 | £40-£50,000
Network Security Engineer | £45-£55,000 | £40-£50,000
Network Security Consultant | £50-£65,000 | £50-£55,000
Network Security Architect | £65-£85,000 | £65-£75,000
SOC Engineer | £40-£50,000 | £35-£45,000
Firewall Engineer | £40-£50,000 | £35-£45,000
Firewall Consultant | £55-£65,000 | £50-£60,000
Virtualisation Consultant | £50-£65,000 | £45-£60,000
Virtualisation Architect | £65-£80,000 | £60-£75,000
Pre Sales Consultant | £55-£70,000 | £50-£60,000
Data Centre Security Consultant | £50-£70,000 | £50-£65,000
Cloud Infrastructure Engineer | £50-£60,000 | £45-£55,000
Cloud Infrastructure Architect | £60-£75,000 | £55-£70,000
Cloud Solutions Architect | £65-£90,000 | £60-£80,000
Cloud Pre Sales Consultant | £55-£70,000 | £50-£65,000

Source: ARM internal data, March 2014.

Page 8

Contract Benchmarking

Sector groups on this page (rotated column labels recovered from the page layout): Threat and Vulnerability Management; Governance, Risk & Compliance; DPP / IAM / Encryption; Project & Programme Management; Infrastructure. Rates are daily rates.

Skill Set/Role Type | Low | High | Average
Websense DLP | £500 | £550 | £525
Symantec DLP | £400 | £450 | £425
RSA DLP | £450 | £500 | £475
MS DRM | £450 | £500 | £475
Liquid Machines | £500 | £550 | £525
PKI Architect/Consultant | £500 | £600 | £550
Imperva Consultant | £500 | £550 | £525
Identity Management Consultant | £500 | £700 | £600
Monitoring Technician | £500 | £600 | £550
CLAS Consultant | £500 | £650 | £575
Accreditation, Defence & Security Consultant | £450 | £550 | £500
Security Consultant - RMADS | £450 | £550 | £500
Risk Manager | £425 | £550 | £488
Auditor | £350 | £450 | £400
SOX Auditor | £400 | £500 | £450
Security Officer | £600 | £800 | £700
CISM | £500 | £600 | £550
SIEM Specialist | £500 | £700 | £600
SIEM Consultant | £450 | £500 | £475
Penetration Tester | £400 | £600 | £500
Ethical Hacker | £450 | £550 | £500
Vulnerability & Threat Manager | £450 | £550 | £500
Patching & Vulnerability Consultant | £450 | £550 | £500
CHECK/CREST accredited Consultant | £500 | £700 | £600
Endpoint Consultant | £500 | £600 | £550
IDS/IPS Consultant | £450 | £550 | £500
Perimeter Security Engineer | £500 | £575 | £538
Perimeter Security Consultant | £525 | £600 | £563
Network Security Engineer | £350 | £425 | £388
Network Security Consultant | £450 | £550 | £500
Network Security Manager | £500 | £550 | £525
Network Security Architect | £500 | £550 | £525
Firewall Engineer | £300 | £450 | £375
Firewall Consultant | £425 | £475 | £450
Firewall Support | £300 | £350 | £325
Virtualisation Engineer | £300 | £350 | £325
Virtualisation Consultant | £325 | £375 | £350
Virtualisation Architect | £400 | £475 | £438
Security Solution Architect | £500 | £550 | £525
Security Architect | £500 | £550 | £525
Infrastructure Project Manager | £450 | £550 | £500
Security Project Manager | £500 | £600 | £550
Security Programme Manager | £600 | £700 | £650

Source: ARM internal data, March 2014.

Page 9

Exciting Technology & Biggest Challenges

Which emerging technology holds the most opportunity?

“Bromium, Dambala, Zimperium.” – Lawrence Munro, Head of Consulting Services, Nebulas

“Bromium will change the way that security teams function, giving control back to the operational security teams. NetClean protects organisations from the risks, brand damage and liabilities if staff, partners or customers misuse IT assets to view illegal material.” – Ajay Shah, Business Development Director, TDI Security

“The security vendors are starting to share attacker information anonymously across their installation base.” – Peter Groom, Managing Consultant, Network Knowledge

“Honeypots installed across internal networks, to attract any insider hacking activity.” – Guy Barratt, Information Security Manager, Galatea Compliance

“The increased effectiveness of SIEM and SOC type solutions is both interesting and helpful given the need to monitor environments and detect the unusual.” – Mark Raeburn, CEO, Context Information Security

“Behavioural user authentication... we may soon be authenticated based on our everyday behaviour, which means making ourselves the tokens that we once carried on our key chains.” – Tim Ager, Managing Director – EMEA & APAC, Celestix Networks

“Big Data analytics are extremely promising. The ability to look into the past, the present and the future is one of the major potential benefits. However, there’s still a very long way to go to make these systems robust and useful.” – Richard Gold, Cloud Web Security, Cisco, and Martin Lee, Threat Research, Analysis & Communication (TRAC), Cisco

What field of Information Security excites you most?

When asked to identify the most exciting field of information security, risk management was the clear winner, followed by data protection and penetration testing.

Communicating risk to C/D level executives and Board members is seen as both a challenge and an opportunity. Our panel stated that they were increasingly being asked to talk at a technical and commercial level about risk management – helping executives to understand how risks can and should be managed.

There is an increasing focus on data protection requirements, which could prove lucrative for those with the appropriate skills in the contract market.

Penetration testing presents lots of challenges, which allow for creative thinking and planning. Our panel was also excited about the opportunities offered by SCADA and Cyber Risk and Industrial Control Systems.

“I get particularly excited about low-complexity hacks that have a huge impact, such as logical programming errors in operating systems or applications.” – Lawrence Munro, Head of Consulting Services, Nebulas

Page 10

What will be your Biggest Security Challenge this year?

The biggest security challenges facing our panel revolve around staying abreast of the latest information and best practice, plus communication and influence.

Thanks to a multitude of high profile hacking attacks, senior executives are increasingly aware of cyber security threats and their impacts. However, convincing them of the risks to their particular businesses – and to take action against the threats now – remains a challenge.

“Keeping up with all the activity in the security area... Currently it’s getting PCI compliance for a client.” – Guy Barratt, Information Security Manager, Galatea Compliance

“Keeping up-to-date with the latest information around threats and countermeasures. It’s about being flexible enough to meet changing demand and maintaining key skill sets within the organisation in order to address increasingly complex issues.” – Lawrence Munro, Head of Consulting Services, Nebulas

“Getting Boards to understand the security risks they’re implicitly accepting, so that they can consciously decide which risks to mitigate and how.” – Peter Groom, Managing Consultant, Network Knowledge

“We need end users to understand that simply spending money isn’t the answer without a long term plan in place.” – Grant Taylor, VP, Security Matterz

“Choosing the right solutions and opportunities from the many available, which customers will want and get value from. Working with customers who value partnership with key defined metrics to measure and drive the success of their security programmes (rather than old-school supplier-customer relationships).” – Ajay Shah, Business Development Director, TDI Security

“Companies must realise that just because they haven’t been hacked yet, it doesn’t mean that it isn’t a risk to their organisations.” – Neil Fryer, Technical Security Director, IT Security Geeks

78% of CIOs see IT security as a key concern for the next 3 - 5 years

Source: CSC 2013 CIO Barometer Survey

Top Six Security Threats 2014

1. BYOD trends in the workplace

2. Data privacy in the cloud

3. Reputational damage

4. Privacy and regulation

5. Cyber crime

6. The Internet of Things

Source: Information Security Forum (ISF)

Page 11

Interview: Context Information Security

Context Information Security is an independently operated cyber security consultancy, founded in 1998 and with offices in the UK, Germany and Australia. Context provides highly skilled consultants to help organisations with their information security challenges – working with some of the world’s most high-profile blue chip companies and government organisations.

The identification of new security issues is what excites me most. They arise from the plethora of new ways of working and I’m excited by the challenge of developing methods to detect and remediate these risks. The increase in the effectiveness of SIEM and SOC type solutions is both interesting and helpful given the need to monitor environments and detect the unusual; the more technologies available to do this competently the better.

In my experience the biggest change to the security landscape in 2013 was the improved understanding of the threat posed by foreign intelligence services and high-end organised crime. Although both are now openly discussed, much more debate is needed to identify the most effective mechanism for control.

Following slow acceptance that all organisations have a level of information insecurity (very little is truly secure) more effort should be placed on monitoring, detection and response with less reliance on overhyped products that claim to find and/or fix all problems. If I had a magic wand, I’d ensure everyone understood the problems and real challenges of information security as well as recognising that you may often need more than just a product. Although there wouldn’t be enough security experts to help fix things if suddenly everyone understood the challenges.

In my job, the challenge is the exponential increase in technology. Developments such as the ‘Internet of Things’ bring greater challenges around understanding where your data is – this is getting increasingly harder, which generates more and more challenges for a security consultancy.

There’s always been a shortage in experienced security professionals in this industry. Much work has been done by universities to offer more vocational courses but the number going through such schemes still isn’t enough. More work is needed to encourage smart people into the security industry and we actively work with universities and regularly present at lectures educating students on career options within information security. To provide individual experience, we offer the opportunity to intern at Context. Developing people with good generalist IT backgrounds and overlaying the security expertise is a very valuable approach; we encourage interested IT professionals to consider this change.

As a technical consultancy we only sell skills, so a skill shortage has a significant effect on our ability to grow. There is some great work being done by the government, universities and trade bodies (such as CREST) but there is still a significant shortfall. If I could use my magic wand to hire people, the skill set is simple: substantial knowledge of all things IT and security with the ability to communicate effectively in both ‘technical speak’ and ‘business speak,’ which is rare. High-end technical security knowledge only comes with significant experience and there’s no easy way to short circuit that.

Mark Raeburn, CEO
Context Information Security

“More work is needed to encourage smart people into the security industry.”

Page 12

Interview: Cisco

Cisco, founded in 1984, is the world’s largest vendor of network equipment. It focuses on solving customers’ problems with an intelligent network architecture based on an integrated platform of products, software and services. Cisco plays a critical role in evaluating threats, given the prevalence of its solutions and the breadth of its security intelligence.

Network visibility is really exciting; how we extract actionable intelligence from a sea of data. The increase of network devices means that the number of network events available to security professionals is higher than ever before and making sense of this data is critical. This area has the greatest potential to change how we understand and manage our networks but it also carries the greatest risk. If we don’t make progress, we are in danger of falling behind the attackers.

The biggest change to how companies approached security in 2013 was the move towards integrated SIEM and the rise of Big Data. Hardware to process large amounts of data became more affordable and the associated software matured, so it became progressively more feasible for organisations to integrate all of their network event data in one platform. It then became natural to run analytics on this pool of data to gain deep insight into the state of the network.

The weakest link in the security chain remains, to date, the human element. From weak passwords, to spear-phishing, to social engineering attacks – all rely on the human element and the manipulation of trust. If we had a magic wand, we’d create a more effectively trained user base, which would help to increase the security posture of an organisation.

A key trend for 2014 is sharing data from disparate sources across a variety of industries. The word “coopetition” perfectly captures the tension between competing entities understanding the need to co-operate to deal effectively with threats. There is more information available than ever before, so translating data feeds into useful products that drive security-focused efforts remains a significant challenge.

Our biggest challenge for 2014 is the marked increase in the amount and changing types of available data. Geo-political reports and technology outlooks have joined network events to drive risk assessment in organisations. Managing data complexity will be one of the most difficult challenges to overcome. Big data analytics are an extremely promising emerging technology. The ability to look into the past, the present and the future is one of the major potential benefits. However, there is still a very long way to go to make these systems robust and useful for daily use.

It’s concerning that there is a lack of young people joining the profession – mostly because there’s very little awareness of information security as a career option¹ and some students study overly-specific options such as digital forensics. We’d like to see more people studying statistics, which would give them a solid theoretical basis for data analytics. In conjunction with that, we’d encourage any prospective information security practitioners to understand the fundamentals by playing around with free, open source security tools to get as much hands-on experience as possible.

Richard Gold, Cloud Web Security
Martin Lee, Threat Research, Analysis and Communication (TRAC)
Cisco

“Coopetition perfectly captures the tension between competing entities understanding the need to co-operate to deal effectively with threats.”

¹ Cisco 2014 Annual Security Report

Page 13

Interview: Celestix Networks

Celestix Networks Inc. is a trusted brand in the delivery of managed security appliances and security solutions. Founded in 1999, Celestix has delivered over 25,000 security appliances worldwide and currently offers support to over 5,000 customers. Celestix is Microsoft’s largest cloud OS integrator and is on the cutting edge of enabling Anywhere Access from the cloud.

I’m most excited by the erosion of the traditional network, as organisations continue to embrace hybrid cloud models. The flexibility and cost savings offered by the cloud are tangible but it changes the way we perceive our data. The concept of securing data in a cloud environment is a field in which we’ll see huge development.

The continued trend towards cloud computing has driven companies to consider threats that were less prevalent in the on-premise world. Of particular note is the location of corporate data stored in the cloud and companies have had to review data storage from a legal as well as a security perspective. The impact of state surveillance, as highlighted by numerous stories relating to the NSA, has also been a concern. Closer to home, companies have had to assess the capabilities of their service providers to secure their data in a stable, always on environment.

I think there are two trends that will develop in 2014. First of all there is the rise in demand for cyber insurance. I’m concerned that the ability to insure against IT threats will create complacency towards security. In effect it becomes a victimless crime, which couldn’t be further from reality. In addition, I think companies will continue to focus on the security essentials. Fears over state funded terror, surveillance and targeted attacks will continue but most companies understand that the biggest threat to their business is their corporate users.

Our biggest security challenge is going to be educating the SME community about the risks to their businesses and trying to change the “we’re too small to be at risk” mentality. Initiatives such as the government’s Cyber Streetwise Campaign should help change the perceptions of companies of all sizes.

Behavioural user authentication is a very exciting development. The possibility that we may soon be authenticated based on our everyday behaviour, making ourselves the token we once used to carry on our keychain.

Given a magic wand, the one thing I’d change about the security business is complexity. Technology that is overly complex will ultimately exclude companies without the skills to use it. As security professionals we aim to secure everyone so we must avoid over-complicating products and pricing. If I could use the wand to hire staff, I’d hire people with the ability to sell technology in a consultative and technical manner.

Tim Ager, Managing Director, EMEA & APAC
Celestix Networks

“I predict two trends for 2014: the rise in demand for cyber insurance and the continued focus on the security essentials.”

Page 14

If you had a Magic Wand...What would you change about the security business? Which skills would you hire?“I’d get communications staff into the security function and use them to build awareness across the business.”Guy Barratt, Information Security Manager, Galatea Compliance

“I’d change the fact that people look for “certified” professionals (CISSP, CISM). There are so many qualified people out there that could wipe the floor with some of the CISSP types, but they don’t get a chance because they don’t have the certification on their CVs.”Neil Fryer, Technical Security Director, IT Security Geeks

“Getting the various security vendors to work together and share information.”Peter Groom, Managing Consultant, Network Knowledge

“Less focus on tools and tech, more focus on getting the correct people into key roles. Education is a key factor in security and everyone should understand that it’s their responsibility to build in security from the start.”Lawrence Munro, Head of Consulting Services, Nebulas

“Get security baked into the business, whereby every employee, department and project has security and risk management included in every thought process.”Ajay Shah, Business Development Director, TDI Security

The key message that came through from our panel was that commercial and business acumen are both important and seemingly hard to come by in the information security sector. Market forces will drive higher salaries for staff with the most scarce skills but, despite this, if candidates don’t possess commercial acumen, employers have challenging hiring decisions to make. 2014 will be an interesting contest between employers and candidates, as expectations and salary/rate levels are on the move.

Skills the panel said they would hire:
• “Compliance Across Finance”
• “Completer/Finishers”
• “Business Acumen”
• “Incident Response And Forensics”
• “Commercial Acumen”
• “Security Forensics”
• “Consultative Sales Skills”

Skills Shortages

The panel felt that necessity is the mother of invention, as skills shortages drive them to develop service-led solutions. They are deploying solutions that comprise technology, people and processes, contracting services abroad, playing to their niche strengths and purchasing market-leading products (with a built-in pool of expertise).

According to ESG Research, 25%² of enterprise and mid-market companies claim they have a problematic shortage of IT security skills and, of those planning to add IT headcount this year, 42% say they’ll hire IT security professionals. With the Ponemon Institute expecting a 40% gap in the IT security jobs market in 2014, competition to secure the top talent will continue to be fierce.

The state of play

When it comes to hiring new staff, candidates are often under-skilled and employers may lack sufficient budget to successfully on-board upper quartile talent. This is compounded by competitors counter-offering their staff and bringing in special skills and/or retention bonuses to retain their staff.

According to our research, if people are seriously looking to move jobs, it is for a number of reasons beyond pure financial motivations (see page 16 for details).

Counter-offers are counterproductive

After accepting counter-offers, many individuals return to the jobs market within 3-6 months. Employers may wish to consider introducing a sign-on bonus for new starters in their organisations – a golden handshake that doesn’t affect basic guaranteed salary and that may result in a quality hire that benefits the organisation’s performance in a reduced time scale.

Encouraging new blood

Universities and the government have made a strong push for courses and degrees within cyber security. Recently HP announced its offer of $250,000 in scholarships to women studying IT security around the world via its SWSIS programme, which more than 60 universities have signed up to. Highly commendable, but it will be years before the industry feels the positive impact, so these initiatives won’t address the immediate skills shortage.

Currently, if your business requires staff with a rare skill set, there will be a price to pay and many employers are employing contract staff to fix specific problems whilst they continue their search for permanent security specialists.

“While the online world has grown exponentially, cyber security skills and capability are not increasing at a comparable rate. Our ability to defend ourselves in cyberspace depends upon a strong skills and knowledge base and the government has a long term aim to build these and develop a skilled workforce, starting now.”
Source: Chloe Smith, Minister for Political and Constitutional Reform – Cyber Security Summit, November 2012

52% say skills shortages have contributed to the incidence of breaches in their organisations.
Source: The 2013 (ISC)2 Global Information Security Workforce Study – Frost & Sullivan, 2013

“What’s the unemployment rate for a good cybersecurity person? Zero.”
Source: Mark Weatherford, Department of Homeland Security deputy undersecretary for cybersecurity – RSA Conference, February 2013

² Source: 2014 IT Spending Intentions Survey – Enterprise Strategy Group

What do InfoSec Professionals want?

What would motivate you to move job? What do you seek from a new employer?

• Values & culture
• Work/Life balance opportunities
• Communication style
• Proximity to your home
• Career progression
• Challenging work
• Leading technology
• L&D/training
• Salary & benefits

We asked candidates in the information security market place to state their number one motivator for moving jobs.

We asked information security candidates what the single most important factor was for their prospective employer company to possess.

Source: based on a telephone survey of ARM candidates

In a market with high demand and low supply, it’s imperative that the recruitment process runs smoothly. Some simple steps to ensure this are as follows:

1. Skills: identify the exact skills required for the role. If you’re replacing a leaver, they may have up-skilled whilst in the business, so identifying the skills currently needed is crucial.

2. Spend: is budget available to use a specialist consultancy? Establishing your budget and who will ultimately sign it off (and their availability to do so) is key.

3. Speed: with high demand for particular skill sets, it’s often the case that the companies who interview quickest are more successful than those who interview best.

Give feedback on CVs quickly and arrange telephone or face-to-face interviews ASAP to keep applicants engaged.

4. Shell out: a business that haggles over £2,000-£3,000 during salary negotiations can cause a candidate to walk away and accept another offer. Balance their demands with the cost implications of restarting your whole recruitment process.

If you’re looking to recruit information security professionals or are looking for your next career move, talk to the ARM Information Security & Communications team. We place high calibre contract/interim and permanent professionals into a range of businesses – from the vendors that develop and sell products and solutions, to the consultancies that provide integration and value added services, plus the end users that seek protection, assurance and compliance.

During the latter half of 2012, the balance shifted and there were no longer more jobs than available talent; the much hyped war on talent was lost with the talent (arguably) emerging victorious.

ARM’s Simplicity Report supports this notion, with 46% of respondents applying for more than five jobs before making a decision. The same research found that 51% require a new role to offer a pay increase of 5% or more. To this end, ARM canvassed our candidate and contractor base, to ask for their top priorities when moving jobs.


38% of candidates voted recruitment agencies as the best source of finding jobs.

Source: ARM Permanent Hiring Simplicity Report, February 2014


Summary & Conclusions

Skills Shortages

One of the key messages that came through from our panel of experts was that commercial and business acumen are both important and seemingly hard to come by. Couple this with Chloe Smith’s speech at the Cyber Security Summit⁶, which stated that the number of cyber security professionals in the UK has not increased in line with the growth of the internet, and it presents a worrying landscape: one that will fail to meet the government’s number one cyber security objective⁷, to make the UK one of the most secure places in the world to do business.

Market Forces

Simple economics will create a higher price for the right skills but our panel suggests that, despite this, if the talent doesn’t have commercial acumen, employers have a challenging hiring decision to make. The coming 12 months promise to be an interesting battlefield, with expectations and salary/rate levels on the move.

Candidate Attraction

And what about the talent that’s increasingly in short supply? Employers need to consider their Employee Value Proposition (EVP). What is it that makes them unique, current and compelling to potential staff? Our survey suggests that, above all else, people want to work for a company with strong values and an appealing culture. Three quarters of people want to know where their career is going and that they’ll be working with leading technology and solutions. Pay this scant consideration at your peril.

Threat Awareness

Our experts stated that education and current awareness of the threat landscape are among the biggest challenges in 2014. Knowing what the risks are and ensuring that users are aware of them is crucial. If a business doesn’t know that it has security challenges, it won’t hire the necessary staff until late in the process, which contributes to the skills shortage. Last year the IET⁸ surveyed 250 SMEs and only 14% of those questioned said cyber security threats were a priority but believed they already had sufficient skills and resources in place to manage the threat.

Collaboration

Collaboration was a common theme with our industry experts. They all agreed that unless people acknowledge, talk and collaborate at all levels, the cyber security war will fail. From board to user level, from vendors and partners to the government, everyone is responsible for ensuring that security is at the core of everything they do.

Hiring

If your business requires top information security talent, talk to our team today. The ARM Information Security & Communications team are experts in their niche specialisms within the market, placing best of breed professionals into roles with employers in the UK, Europe and beyond. Call us on 02392 228 282 or email [email protected] to learn more.

Key Findings
• Education and current awareness of the threat landscape is a huge challenge
• Data sharing and collaboration are crucial for proactively fighting threats
• Communication skills are key for professionals in influencing board level decision makers
• Growth in information security skilled staff continues to lag behind demand
• Commercial and business acumen are increasingly important in staff

⁶ Source: www.gov.uk/government/speeches/chloe-smith-speaks-at-cyber-security-summit
⁷ Source: The UK cyber security strategy: Landscape review – National Audit Office, February 2013
⁸ Source: Cyber Skills Alliance – IET, 2013


About Advanced Resource Managers

Advanced Resource Managers (ARM) is a specialist technical recruitment consultancy providing IT, Engineering and Business Solutions jobs for contract and permanent staff in the UK and internationally.

What makes ARM different?

We are committed to matching the right people to the organisations that need their skills. Our focus on niche specialisms and our commitment to providing a high-quality service sets us apart from other recruiters.

Our operating divisions include:

About ARM Information Security & Communications

ARM Information Security & Communications is an operating division of ARM Ltd. We have a proven track record of delivering best of breed professionals to clients in the UK, Europe and beyond. Our specialist consultants are trained to ensure that they fully understand our clients’ needs, requirements and strategy.

We place high calibre contract, interim and permanent professionals into a range of businesses – from the vendors that develop and sell products and solutions, to the consultancies that provide integration and value added services, plus the end users that seek protection, assurance and compliance.

Feedback

We hope that you have found our report useful. Contact [email protected] with your suggestions or follow us on Twitter @ARMofficial (#InfosecOutlook). Let us know if you have any comments or if you would like to contribute to future editions.

Learn more at www.arm.co.uk

CONTACTS

Damian Hicklin
Business Sector Director
T. +44 (0) 2392 228 214
M. +44 (0) 7818 592 752
E. [email protected]
@ARM_DamianH
W. www.arm.co.uk/isc

Ryan King
Senior Contract Lead
T. +44 (0) 2392 228 215
E. [email protected]

Lee Anderson
T&VM, Cyber Incident Response, PenTest and GRC
T. +44 (0) 2036 978 434
E. [email protected]

Jamie Deane
Cloud Security
T. +44 (0) 2036 978 434
E. [email protected]

Tom Hickling
Network and Infrastructure Security
T. +44 (0) 2392 228 237
E. [email protected]

David Bennett
IAM, DLP, 2FA and Encryption
T. +44 (0) 2392 228 294
E. [email protected]

ARM London: 2nd Floor, Norfolk House, 13 Southampton Place, London, WC1A 2AL

ARM Bristol: 1 Friary, Temple Quay, Bristol, BS1 6EA

ARM Coventry: Unit 24, Business Innovation Centre, Binley Business Park, Harry Weston Road, Coventry, CV3 2TX

ARM Havant (HQ): Langstone Technology Park, Langstone Road, Havant, Hampshire, PO9 1SA

ARM Aberdeen: 1 Berry Street, Aberdeen, AB25 1HF

www.arm.co.uk/isc