Demand for security specialists has skyrocketed in recent years as organisations react to a steady stream of high-profile security incidents. Add new legislation such as the GDPR to on-going digital transformation projects, and many companies have started to rethink their approach to security.
As such, we have observed a steady increase in the volume of security job postings over the last few years, particularly for professionals who can improve and manage awareness of security risks. Organisations appear to be learning from large company breaches such as TalkTalk, where the hackers have recently been brought to justice, that there is a keen need to invest more in security personnel, improve processes and raise user awareness across the wider organisation.
However, it has quickly become apparent that there are not nearly enough experienced practitioners available to meet this unprecedented demand. Competition among companies seeking cyber experts, particularly senior professionals and specialists, is increasingly fierce. Inevitably, one of the biggest impacts has been a sharp increase in salaries across the field.
This was made very apparent in our most recent annual survey, which analysed 56 different key cyber security positions in the UK to determine typical salaries. We found that average salaries in the security sector have risen 6.3 per cent compared to 2017 levels, more than double the average UK wage growth of 2.9 per cent.
How demand for awareness is dwarfing other security roles
Even within the impressive salary growth across the security industry, Security Awareness Managers saw a truly exceptional increase. This role, responsible for overseeing security awareness and managing user awareness programmes within an organisation, saw its average salary rise by 20 per cent in just 12 months. Annual salaries for Awareness Managers now sit between £60k and £90k on average.
By comparison, the salary for Security Analysts, a role which encompasses much of the daily frontline security activity essential for protecting an organisation, saw an increase of 13 per cent. While these industry stalwarts still received an impressive rise, it is clear that many organisations are willing to pay much more to improve their user awareness levels.
Looking at the threats arrayed against organisations both externally and internally, it is easy to see why awareness-related roles have seen such a spike in value. Most cybercriminals will target staff in the first instance, counting on a lack of security-savvy employees to bypass the other technology and processes the organisation has put in place.
For example, malicious emails using social engineering techniques such as Business Email Compromise are the favourite approach for criminals trying to trick targets into sharing sensitive data, transferring funds or downloading malware. A single click by an employee can easily result in critical systems being compromised, so the level of cyber awareness within an organisation can make all the difference to its ability to defend against these attacks. Having a workforce that has been educated about the various threats and trained in the proper policies and procedures is increasingly seen as just as important as having the right tools and security personnel in place.
Why are awareness managers valued so highly?
A high level of user awareness in identifying and responding to cyber threats can go a long way in mitigating the damage of most cyber-attacks. While companies have commonly added awareness activity to the duties of relevant roles such as risk officers, an increasing number are now establishing a standalone awareness role as they realise the difference a well-informed workforce can make.
While the huge jump in salary may seem unusually high compared to more technically orientated roles, it is important to remember that awareness managers require a very particular set of skills and experience. Just because an individual is an expert on security issues does not necessarily mean that they are good at explaining them to others.
An Awareness Manager must not only have in-depth security knowledge but also be able to create campaigns that effectively explain issues to users who will often be laypeople with minimal technical experience. They will also be charged with overseeing awareness efforts across the organisation, including planning training sessions and other internal communications campaigns.
This combination of technical know-how and good communication and people management skills is a rare one, and as a result there are relatively few qualified individuals in the market. With the sharp increase in demand, experienced awareness managers can command very lucrative salaries for their expertise.
The rise of the DPO
Alongside the Awareness Manager, another of the fastest growing roles in the industry is the Data Protection Officer (DPO). These individuals are responsible for ensuring the company meets its regulatory obligations around protecting personal data belonging to customers and employees.
While the role is an increasingly important one in its own right, the GDPR made the DPO a mandatory requirement for many organisations, and most will remember the laborious discovery and transformation phase needed to bring the business into line before the May 2018 deadline. All public authorities or bodies (with the exception of courts) are required to appoint a DPO, as are any businesses whose core activities involve the large-scale and systematic monitoring of individuals, or the large-scale processing of certain categories of sensitive data.
A DPO is required to be an expert in both the legal and technical aspects of data protection, and must also be able to operate independently of the company and carry out their role impartially. The level of proficiency required, combined with the need for an independent expert, means that qualified individuals are in short supply. As such, we saw average DPO salaries increase by 15 per cent in both the public and private sector, to command between £75k and £95k per year.
This is where education, as a core element of a cyber security strategy, makes the awareness programme more significant still. The Security Awareness Manager fulfils part of the DPO's GDPR remit by running awareness programmes that reduce the risk of employees causing personal data breaches.
Going beyond salaries
With salaries for Awareness Managers and other coveted experts increasing at an unsustainable rate, we would advise organisations to look beyond trying to attract security professionals with money alone. Public sector organisations, for example, while historically struggling to compete on salary, have increasingly developed successful approaches based on upskilling graduates and apprentices internally rather than hiring more experienced professionals directly. Likewise, we have seen some strong examples of building loyalty among personnel with benefits such as flexible working and a high degree of career mobility.
The public sector approach also often has an advantage in looking at overall departmental capability, focusing on the skills available rather than on specific roles. Being able to call on several multi-skilled individuals within a department can be a major advantage when it comes to budgeting and coping with staff departures.
With intense competition likely to push security salaries ever higher, private sector organisations should take note of these strategies and look to adopt similar approaches. Rather than trying to outbid the competition with ever higher pay, companies can create more attractive opportunities to draw professionals in from a fiercely competitive market. This will become more important as we wait for current efforts in education and training to produce the much-needed security practitioners of the future.
Simon Hember, Group Business Development Director, Acumin Consulting
Image Credit: Wright Studio / Shutterstock