In the 2018 BeecherMadden salary survey, obtaining a pay increase was the top reason for moving jobs within cyber security. For the past 5 years, career progression had been listed as the top reason for moving roles.
Cyber security has been growing rapidly as an industry, and in the consciousness of the organisation. It is inevitable that people in the industry saw this as a good opportunity to get ahead, especially after so many years of being under-resourced and underfinanced. During this time, we saw salaries increase year on year, as companies fought to attract talent to their teams and organisations invested heavily in building their security functions. We also saw individuals being promoted ahead of their experience level; there were many who became CISOs with just a few years’ security or risk experience. It is highly possible that as the industry reaches a level of maturity, getting ahead is no longer as important as being paid an attractive wage. An increase in inflation and effective wage stagnation countrywide may also be having an effect on this. With Brexit on the horizon, there is slightly less certainty in our economic and financial position, and this may be weighing more heavily on people’s minds in general.
79% of those surveyed by BeecherMadden expect to move roles within the next year. This is a scary number for organisations who often expect attrition closer to 20%. Recruiters often target “passive candidates”: those who are not specifically looking for a new role but are open to a move. They have long been considered the best candidates to target; however, it is considered “easier” for companies to attract talent by targeting those who are actively engaged in a job search. A better work-life balance also scored highly as a reason for moving roles, followed closely by an increase in flexible working. Many companies have recognised that the market demands some flexibility and offer this in roles that traditionally were more office based. Flexible working and working from home is now a more widely offered benefit and candidates are more comfortable asking for this upfront. Over 50% of candidates have flexible working as a current benefit in their role.
Up until 2016, salaries within cyber security had been increasing at a rapid pace, with candidates achieving increases of up to 30% just for moving roles. However, over the past two years, organisations have become wiser to what they are looking for from individuals. Teams are now more mature and hiring the right people, with the right skills, at the right cost has become more important than building a team. Organisations are prepared to wait longer to hire someone, rather than hiring an under-qualified individual. As organisations have built better security leadership capability, they also have knowledgeable individuals in charge of these decisions, as opposed to previous years when they may have been learning as they evolved. We have seen organisations offering much smaller pay increases, and at times no pay increase, as they refuse to fight against market forces and look to achieve fair wage growth across the organisation.
Some roles have bucked that trend, generally roles that are highly specialist. Security architects are now achieving salaries of up to £120,000. Two years ago, very few were paid above £90,000, with some organisations paying their security architects as low as £65,000. Roles in incident response have also been in line for large increases. If you consider the maturity of cyber security teams, this makes sense. More organisations have built SOCs in-house and require more individuals who are experienced in managing incidents and effectively mitigating risk. As always, individuals who are technically skilled and can communicate these issues to the business are the most in-demand and the most highly paid.
Unsurprisingly, the other area that has experienced high salary increases is data protection. With the introduction of GDPR, organisations paid high daily rates to individuals to help them get their processes in place. Many data protection contractors were being paid in excess of £1200 per day. When roles became permanent, organisations have been paying over £100,000 and often closer to £150,000 for individuals with strong experience in data privacy. In turn, the large increases for architects and data protection professionals have spurred an increase in wages for CISOs. While the CISO salary bracket is large, there are more individuals than ever being paid over £300,000 for taking on this role. The most common salary bracket at a CISO level is £150,000 to £180,000, but it is now rare to find true CISO roles paying less than £130,000. Many individuals do not want to take on the huge responsibility for less than they are paying some of their team. They are also very aware of the value of what they protect, as well as the potential outcomes if organisations under-invest. Not paying your CISO enough is a strong signal that investment for necessary security functions will not be forthcoming.
- Have realistic expectations. Make sure that the salary you are looking to achieve is actually likely for the roles you are qualified to do. Having expectations that cannot be met will mean that it takes you far longer to secure a new role.
- Benchmark their experience. Talk to your recruiter to understand how your experience and salary compares to others in the market.
- Consider adding to their skills. If getting ahead in your career is the motivator, then try and take on additional projects or training that will help you achieve that sooner.
- Make sure they are paying a fair salary for the role. Under-paying will mean that you are not able to recruit for your role; the role will sit vacant for a long time, and not recruiting someone will likely cost the organisation more.
- Consider their leadership team. Having a well-respected security leader can help you attract and retain individuals who will be excited to work for, and learn from, someone recognised by the industry.
- Consider the requirements of the role. Making sure that the role contains requirements that are truly necessary will help you get to the best person quicker. Often we see job descriptions that contain requirements not truly relevant and this can be off-putting to candidates who assume that the company does not know what they want.
- Move quickly. Taking too long to move through the hiring process guarantees you will lose candidates to competitors who are able to interview and offer candidates sooner.
Karla Reffold is the MD and Founder of BeecherMadden. Karla has over 12 years’ recruitment experience, building teams in cybersecurity up to C-level. Founded in 2010, BeecherMadden are a leading recruitment company for the cybersecurity industry, with offices in London, New York, Singapore and Zurich. Leveraging our long-held relationships, industry knowledge and data-driven approach, we help companies and candidates make better hiring decisions.