Compensation and Market Trends Interim Report 2014 Security
  • Compensation and Market Trends

    Interim Report 2014 Security

  • Welcome to Barclay Simpson's 2014 Security Compensation and Market Trends Interim Report

    Barclay Simpson has been producing corporate governance market reports since 1990. This year, as we did last year, we are using our Mid-Year 2014 report as an opportunity to focus primarily on compensation. This report seeks to provide insight and guidance into compensation within security. It is supported by a comprehensive survey of security practitioners registered with Barclay Simpson in June 2014. Comparable reports exist for all other areas of corporate governance. They can be accessed in section 6 of this report (About Barclay Simpson) or at www.barclaysimpson.com.

    We place great value on the professional reaction to our reports and would appreciate your comments and any requests for further clarification or information.


    CONTENTS

    01/ EXECUTIVE SUMMARY
    02/ MARKET ANALYSIS
    03/ MARKET COMMENTARY
    04/ SECTOR ANALYSIS
    05/ SALARY GUIDE & COMPENSATION REPORT
    06/ ABOUT BARCLAY SIMPSON

    Offices: London, Edinburgh, New York, Dubai, Hong Kong, Singapore

    Disciplines: Internal Audit, Risk, Compliance, Information Security, Business Continuity, Legal, Treasury

  • 01/ EXECUTIVE SUMMARY

    Security recruitment market strengthening

    This time last year, we reported that companies were coming to the recruitment market in increasing numbers and following through recruitment processes with realistic offers. Since then, an additional 800,000 people have been employed in the UK and the economy is forecast to grow by 3% in 2014. In this context, high profile cyber-attacks are provoking both corporate and public fear just as business investment is expanding at its fastest rate in six years. The security recruitment market is unlikely to ever have a more favourable backdrop than it currently enjoys.

    Availability of workers falling

    Real earnings, having fallen by 10% over the last six years, are finally turning around. Regardless of developments in the security recruitment market, across the economy the availability of workers to fill vacancies is falling at its fastest rate in fifteen years. Recruiting security professionals with the right skills is a significant challenge, particularly experienced practitioners who can make an immediate impact. This is leading CIOs to reshape roles and working arrangements, as well as having to adjust their recruitment expectations.

    Salary increases currently under control

    Whilst average wages in the UK economy have fallen, we are confident that security practitioners have done better. Although there are still a significant number of security practitioners who report no increase in their salaries, the average increase reported for the last two years has been 4%. Given the rebound in the economy stretching back to last year, we are surprised that the results of this year's Survey did not report a higher average. However, this average, like others we have analysed in detail, hides a wide range of experiences. For example, after a number of years when real earnings grew faster in the public sector, it now seems to be the private sector's turn to play catch up.

    Other benefits, that are not included in an assessment of average salaries, such as bonuses and pension contributions, are also used to reward security practitioners. At approximately 30% of total earnings, these other benefits have seemingly increased more readily than base salaries. They potentially represent a less public way of rewarding high value staff.

    Salary is far from everything

    Whilst the focus of this report is on compensation, we should not forget that it remains only one factor, albeit an important one, in the employment equation. Less than 30% of security practitioners cite salary as the primary reason they have sought another job. Any company employing, and wishing to retain, security practitioners should reflect how important career development prospects and work/life balance are to security practitioners. It is something we believe many employers increasingly appreciate.

    Strong demand anticipated to continue

    Given a strengthening economy, rising investment and the constantly evolving threat from cyber-attacks, we currently anticipate strong demand for security practitioners for the remainder of 2014.


  • 02/ MARKET ANALYSIS

    VACANCIES

    Vacancies still increasing

    At the start of 2014, our employer survey identified pent up pressure to expand security teams and recruit. In that survey, 77% of security managers reported they had insufficient resources to carry out their responsibilities. As a consequence, the number of vacancies generated in the security recruitment market (having seemingly peaked in 2013) has further increased in 2014. The increasing frequency and high profile nature of cyber-attacks in 2014 is helping provide security departments with higher budgets and many vacancies are for new positions. Sectors where recruitment is currently high include telecoms, manufacturing, retail and retail banking. Whilst in the past the manufacturing sector has not contributed greatly to the aggregate demand for security practitioners, intellectual property theft has become a concern and is driving recruitment. Companies are particularly seeking candidates who can quickly deliver improvements and make an immediate impact. As a result, vacancies are more likely to be at the mid to senior level and there is less interest in training and developing more junior practitioners. It begs the question, where will more experienced practitioners come from? Rising demand and a finite number of experienced practitioners will require solutions to be found.

    RATE OF PLACEMENTS

    Slowed by the availability of candidates

    The graph demonstrates the willingness of companies to recruit during the period rather than simply registering vacancies and arranging interviews. It reflects the rate at which candidates are being offered and are accepting jobs. The rate of placements marginally declined in the second half of 2013 and in 2014 has yet to recover. Given the improved economic backdrop and current level of demand, this might be surprising. The explanation is the lack of availability of, and competition for, the type of security practitioners companies wish to recruit. Companies have become more sensitive about retaining staff and are more likely to address their concerns. Many security practitioners are benefiting from enhanced career prospects and a better work/life balance with their existing employer, which are two of the key reasons many enter the recruitment market. In spite of the very real prospect of increasing their salary through a job move, many security practitioners are choosing to stay with their existing employer. Where companies are prepared to move aggressively to fill vacancies, for example by offering a benchmark beating salary, they are more likely to be successful. In recognition, the salary budgets that companies are coming to the recruitment market with are regularly being upwardly adjusted. However, the results from our Survey are yet to indicate any across the board increases in salaries. Salary increases achieved in the recruitment market so far in 2014 remain consistent with 2013.

    [Graphs: new vacancies and outstanding vacancies; placement rate]

  • 03/ MARKET COMMENTARY

    Experienced practitioners in demand

    Whilst the security recruitment market has clearly swung in favour of candidates and away from employers, our Survey found that 5% of respondents were redundant and 9% of those who had changed job did so for defensive reasons. Both these results are low for the security recruitment market when compared to any recent period. However, they are high when compared to other areas of corporate governance.

    Evidently, no matter how strong the recruitment market, employers remain selective and security skills and experiences that were once in demand can become out of date. Equally, particularly amongst consultancies and systems integrators, corporate fortunes can be uncertain and job security less dependable. It is also a reminder that security has changed to the extent that what was once characterised as simply a technical discipline has developed into a mainstream corporate function. As a matter of course, practitioners are required to communicate and, more importantly, influence. In the face of resurgent demand, this need for strong communication skills is restricting the number of candidates who can realistically expect to navigate corporate recruitment processes.

    Demand no longer led by financial services

    Demand is currently broadly based and is no longer being led by the financial services sector. It encompasses industry and commerce and the consultancy sector, where utilisation rates are high and most consultancies and systems integrators are recruiting. This year, unlike last year when the financial services sector dominated demand, each vacancy is more likely to have its own specific requirements. This is providing a much wider range of potential opportunities.

    However, demand remains focused on experienced practitioners. This again questions where the necessary expertise will be nurtured to support the expanding number of security practitioners that are required now and almost certainly in the future. Clearly companies (and this is an area for which the government is showing support) will have to increase their commitment to training. Links between universities, training institutions and commerce are strengthening. As the cost of successful cyber-attacks becomes easier to quantify, investing in defense for the longer term becomes easier to justify.

    Growth in second line functions

    Within financial services, demand from group or second line functions has grown in 2014 and has been a feature of the recruitment market. Their historic purpose, usually on tiny budgets, has been to keep divisional information security functions talking to each other. Maybe they offered a few group-wide initiatives or possibly a unified approach to awareness and training. Regulation is changing this. Banks are putting group functions in place to complete a wide range of risk assessments. The three lines of defense structure is being put in place. This expansion, at the 2nd line, is having an impact on the recruitment market. Despite responding to the same regulation, second line functions vary. Some have a generalist non-technical focus providing a governance focused risk assessment service. Others have groups of subject matter experts delving deep into the work of the first line and supporting it with consultancy services.

    What is uniform throughout the financial services sector is that the division between 1st and 2nd line information security functions is much more defined and 2nd line functions are growing. Some are achieving this through external recruitment and others by restructuring existing departments.

    The joined up security model?

    We have yet to see evidence in the recruitment market of the emergence of a converged security model where physical and IT/cyber security practitioners are integrated. This model is rare, even where there is a shared functional lead. Challenges ranging from cyber-attacks to the basic physical threat of unauthorised personnel fitting keyloggers to IT systems would be more efficiently addressed with a joined up approach.

    Why do so few companies operate a joined up security model when executive management is becoming increasingly aware and concerned about security? There would seem to be a lack of practitioners at all levels with a good understanding and appreciation of both areas. Whilst there is an increase in the take up of industry standard qualifications, such as the CISSP amongst physical security practitioners, it remains rare for IT/cyber security practitioners to take physical security qualifications, such as the globally recognised CPP. As threats continue to evolve, security functions will develop and practitioners at more senior levels who take a holistic view of security are likely to emerge. We await developments.

  • 04/ SECTOR ANALYSIS

    FINANCIAL SERVICES

    Given the potentially catastrophic nature of security failures in financial services earlier this year, the Bank of England, the Treasury and the Financial Conduct Authority were keen to assess the results of Waking Shark 2, an exercise designed to assess the ability of the UK's core financial services providers to withstand cyber-attacks. Amongst the findings was the need for better co-ordination in response to attacks and a need to quickly inform law enforcement agencies and the appropriate regulator(s) with their response. It was suggested that the British Bankers' Association (BBA) take a central co-ordinating role to manage communication across the sector.

    In response, there has been strong demand. Notably, most of the major retail banks continue to have multiple vacancies. A common theme is the seniority of the vacancies, which are consistently at the £50-80,000 experienced practitioner level. Practitioners at this level are regularly receiving multiple offers. Demand is particularly high from group 2nd line functions, for IT risk and information risk focused roles. The cross-over with operational risk has never been so strong. Logical access management has also been a priority with several roles requiring expertise either at 2nd line review or first line implementation.

    COMMERCE

    Security within commerce has already made the headlines this year with high profile breaches occurring at eBay and Target in the USA, the latter resulting in the resignation of the CEO. These events simply increase the pressure on executive management to ensure that security is adequately addressed and have contributed to the increased demand from the commercial sector. Energy companies, in particular, have seen an increase in their security needs as their lack of defence has, in some instances, resulted in their being unable to obtain insurance against a cyber-attack.

    Whilst the relatively small size of commercial company security departments usually results in broad skill sets being required, they are becoming more technical. Vacancies remain top heavy, with high numbers of senior positions in an already competitive market. As a result, companies have frequently needed to review their original budgets. This is likely to feed through to higher salaries.

    CONSULTANCIES AND SYSTEMS INTEGRATORS

    At the start of the year, as corporate security budgets grew and the pressure to adopt new standards increased, we anticipated that demand from consultancies and systems integrators was likely to be strong in 2014. We envisaged competition for staff within the sector to be a feature of the recruitment market in 2014. This has proven to be the case.

    Many consultancies and SIs have multiple vacancies and security practitioners with the required skills will invariably have more than one offer to select from. Whilst demand is biased towards security consultants with a mix of delivery and business development experience, there has been a notable increase in demand for specialists in the areas of SIEM, PCI DSS and Identity and Access Management. Additionally, there is a surge in boutique consultancies expanding their services and aggressively recruiting. This is most likely the result of the drive by Government departments and businesses in the private sector to use more SMEs. The consulting sector is responding to both the demand for their services and candidate shortages by streamlining their recruitment processes and competing more aggressively to attract talent.

    CONTRACT

    Information and cyber security is now high on the corporate agenda. CIOs and CISOs are better able to demonstrate the value of bringing in specialist resources to put the necessary controls in place at the start of projects. Our Survey indicates a broadly confident market, with contractors reporting increasing demand for their skills and rising contract rates.

    As a result of ongoing high profile intellectual property theft, contractors with experience of advising against Advanced Persistent Threats (APT) are currently in high demand. The demand for this skill set was further validated by the FBI's high profile fight against suspected Chinese military hackers.

    A clear trend is the increase in permanent security practitioners expressing an interest in developing their career in the contract market. Common reasons are a better work life balance, less stress, better rates of pay and the opportunity to focus on areas of interest. The contract market will always be an attractive proposition for candidates in the security market. However, it should be approached with caution, particularly before resigning from a permanent position.

  • Our Mid-Year Report provides an in-depth section on salaries and compensation, designed to provide a much fuller picture of overall remuneration packages.

    Most security practitioners are keen to know their market worth. This is not always easy to address. Two otherwise similar security practitioners may enter the recruitment market and accept materially different salaries. We provide this caveat because we are aware that the security recruitment market is sufficiently diverse that it defies simple categorisation. However, security practitioners and their employers want guidance and this is what we attempt to provide.

    As recruitment consultants, we are involved in the negotiations that take place between employers and prospective employees. We are aware that whilst salary is usually the most important consideration, a number of other factors go to make up total remuneration. In addition to the data we gather from the placements we make and the recruitment work we do, including contact with security and human resources departments about salaries and other benefits, we have also conducted a Compensation Survey to provide specific detail on all different types of remuneration within security.

    The Survey was of security practitioners registered with Barclay Simpson and was conducted in June 2014. It generated several hundred responses.

    Covers both permanent and contract markets

    We also conducted an Interim Compensation Survey covering the contract market. We have incorporated the key findings into this report to make it as easy as possible to understand the full picture for security.

    We hope that you find the results interesting. This report provides the key highlights of the Survey. If you would like more detail about your specific sector or role, please call Mark Ampleford on 020 7936 2601.

    This section is broken down into 4 parts:

    1. Key conclusions: Key conclusions from Security Compensation Survey

    2. Overview: Commentary on the major trends in salaries and other benefits paid to security practitioners

    3. Compensation Survey: Results of Compensation Survey completed by security practitioners

    4. Salary Guide: Guide to salaries for specific security roles and positions

    05/ SALARY GUIDE AND COMPENSATION SURVEY 2014: SECURITY

  • 1 Key Conclusions

    The results from Barclay Simpson's Security Compensation Survey are encouraging and confirm an active and confident security recruitment market where demand is rising but costs and salaries remain broadly under control.

    Mature recruitment market

    - 90% of security practitioners surveyed have worked in security for over 5 years
    - 62% have worked in security for over 10 years
    - Security practitioners are more likely to be men (95%) than women (5%)

    More security practitioners moving jobs

    - 38% of security practitioners surveyed have changed job in the last 12 months, against 34% in 2013
    - 38% of security practitioners moved primarily for career development reasons, 29% primarily to increase their salary and 24% for a better work/life balance
    - 5% of security practitioners surveyed reported they were not working (more than any other area of corporate governance)

    Salary increases up on 2013

    - Average salary increase of 17% achieved by security practitioners who changed job in the last year, against 14% in 2013
    - 4% salary increase for security practitioners who stayed with their existing employer

    Value of other benefits increasing

    Bonuses

    - 72% of companies paid bonuses in the last year
    - Average bonus equivalent to 23% of basic salary

    Pensions

    - 80% of security practitioners benefit from employer pension contributions
    - Average employer pension contributions remain at equivalent to 9% of basic salary

    Long term incentive plans

    - 17% of security practitioners benefit from long term incentive plans

    Other allowances

    - 60% of security practitioners benefit from other allowances
    - Average value of other benefits equivalent to £4,100

    Satisfaction with remuneration rises when moving job

    - Overall, 57% of security practitioners satisfied with current remuneration
    - Rises to 75% for security practitioners who have moved in the last year against 45% for those who have not moved
    - 81% benefit from flexible working. Percentage rises to 85% for those who have moved in the past year
    - Average holiday entitlement remains at 26 days

    Satisfaction amongst contractors who are working

    - 69% of contractors content with current contract
    - 61% believe they are adequately compensated

  • 2 Overview

    The UK economy is currently experiencing a robust recovery and benefiting from increased investment. Whilst security practitioners are in high demand, the results of our Survey indicate that companies have continued to control costs. Salary increases available to security practitioners staying with their employer remain consistent with 2013.

    Motivation for entering the recruitment market

    This analysis looks at what motivated security practitioners to change employer in the last 12 months. In spite of 22% of security practitioners reporting they did not receive a salary increase, salary was the primary motivation for only 29% of security practitioners entering the recruitment market, down from 36% in 2013. Whilst career development was the most common reason, security practitioners' answers to this question differed from our Surveys across other areas of corporate governance. The 9% who gave job security as a reason was higher, possibly indicating a more endemic uncertainty that pervades the wider technology sector. 24% of security practitioners are also seeking a better work / life balance, again higher than other areas of corporate governance. This is surprising, as it is more usually a key driver for women. However, women made up only 5% of respondents to the Survey. The number of women employed in security is significantly lower than in other areas of corporate governance. For example, the comparable percentage in internal auditing is 23%.

    Motivation for entering the recruitment market

    Career development           38%
    Salary                       29%
    Better work / life balance   24%
    Job security                  9%

    Whilst salary is not the primary motive for information security practitioners seeking another job, they will almost invariably use the opportunity to better their salary and our Survey indicated that 75% of security practitioners who had changed employer in the last 12 months were now content with their salary, against only 45% who had not changed employer.

    Salary increases achieved by security practitioners who stayed with their employer

    According to our Survey, the average increase for security practitioners who stayed with their existing employer is unchanged at 4%, the same increase as internal auditors but lower than other areas of corporate governance such as risk managers and compliance professionals. Whilst the headline rate is perhaps unsurprising, averages can be misleading. For example, a number of the people who stayed with their employer will have benefited from promotions.

    What best describes your salary increase in the last year?

    Increase     2014   2013
    The same     22%    36%
    0 - 2.5%     23%    14%
    2.5 - 5%     33%    23%
    5 - 10%       9%    11%
    10 - 15%      5%     9%
    Over 15%      8%     7%

    Analysing the average increase tells a different story, particularly when compared to 2013. Last year, 36% of security practitioners reported that they received no increase in their base salary against only 22% this year. Given the rebound in the economy, it is surprising that so many security practitioners continue to report that they received no salary increase. We can only assume that the question is backward rather than forward looking and will produce a more positive result next year. Also, last year, 16% of respondents reported a salary increase in excess of 10% against only 13% in 2014.

    Salary increases achieved by changing employer

    The Survey indicates that the average salary increase achieved by security practitioners moving job is 17%, up from 14% in 2013. Security practitioners have been in a stronger bargaining position since 2013 when companies found it was becoming more difficult to recruit.

    June 2011   14%
    June 2012   11%
    June 2013   14%
    June 2014   17%

    There is a significant difference between the 17% increase in salary achieved by changing job and the 4% average achieved by staying with an existing employer. However, breaking down the average, as we did last year, reveals a wide range of outcomes. It is particularly instructive that whilst 17% may be taken as the average, only 24% of security practitioners accepted a salary increase between 10% and 20%.

    What best describes your salary increase in the last year?

    Increase           2014   2013
    Less or the same   28%    25%
    0 - 5%              6%     8%
    5 - 10%             8%    14%
    10 - 15%           13%    10%
    15 - 20%           11%    13%
    20 - 30%           13%    11%
    Over 30%           21%    19%

    Compared to 2013, the breakdown in 2014, unlike other areas of corporate governance, is similar. It is perhaps a little surprising that 28% of the moves involved either a reduction or similar salary. Equally, in spite of an economy now growing more strongly, the percentage of candidates achieving salary gains of over 20% was only 34% in 2014, against 30% in 2013.

    It might seem curious that even 28% of security practitioners would move for the same or less salary. For some, however, they accept a similar salary as the result of relocation, for example a move away from London (and in the case of increases a move to London) or perhaps the opportunity to work in a new sector. Others are prepared to accept a better work life balance which is clearly a key driver in the security market. Further, the number of moves prompted by the threat of redundancy is higher in security than other areas of corporate governance. Whilst base salary is the most compelling element of any offer, there are other benefits such as pensions, bonuses and holiday entitlement.

    The security recruitment market is a diverse place in terms of the salary increases practitioners command by changing employer. There is clearly a huge difference in what companies are prepared to pay for security practitioners with in demand skill sets, particularly for those who combine them with commercial savvy and effective communication skills.

    Offers rejected as deemed too low

    An insightful statistic is the number of offers that are rejected for being too low. That is the percentage of security practitioners who have rejected an offer they would have otherwise accepted simply on the basis of salary. It represents the propensity of prospective employers to make realistic offers rather than simply opportunistic ones. It also provides some insight into how security professionals view their bargaining power.

    Offers rejected as deemed too low

    2011   31%
    2012   42%
    2013   34%
    2014   28%

    In 2012, when the eurozone crisis was badly affecting confidence, many companies made opportunistic offers. Since then the percentage has steadily fallen. Companies recognise the shortage of the security practitioners they wish to employ and candidates have become more confident and assertive. Most candidates are going to move only if they expect it to be financially beneficial. Companies are currently more likely to make realistic offers in response to their need to recruit.

    Salary v Remuneration

    Whilst base salaries always catch the headlines, offers of employment invariably include other benefits. On average, these additional benefits make up over 30% of total remuneration. Here is an overview of the other benefits that security practitioners might expect to receive.

    Bonuses

    Bonus payments marginally increased from 22% in 2013 to 23% of base salaries in 2014. However, the percentage of security practitioners reporting that their employer paid a bonus rose from 61% to 72%. This percentage is still lower than in other areas of corporate governance, but is a result of the higher percentage of security practitioners working in the public and consultancy sectors where traditionally bonuses are less likely to be paid.

    Of those who received a bonus, 34% reported an increase, with only 9% reporting a reduction. Bonuses, whilst potentially a good way of retaining and motivating staff, are rarely an efficient way of attracting them. Bonuses are often non contractual, often discretionary and may be paid on the basis of corporate or personal performance or a combination of the two. There can also be a qualifying period.

    An issue with bonuses is that whilst a security practitioner entering the recruitment market who has benefited from a bonus may add it to their base salary, they are more inclined to discount bonuses when discussing expected salary. This goes some way to explaining what can otherwise be relatively high increases in the base salaries achieved by security practitioners moving between employers. Bonuses can vary considerably. However, 68% of security practitioners received a bonus less than 20% of their base salary and only 11% benefited from bonuses in excess of 30%.

    subscription. Other benefits may include season ticket loans in London, gym membership, subsidised dental care, personal and accident insurance and staff discounts. These are generally low value benefits.

    Flexible benefits

    This refers to schemes where employees are offered limited core benefits in addition to their base salary. This addition can either be taken as salary or employees can choose to buy from a menu of additional benefits. These schemes became popular 10 years ago, particularly in the accounting profession, but have not been universally adopted.

    Holiday entitlement

    48% of security practitioners surveyed receive 25 days holiday, with 60% reporting between 25 to 28 days holiday. The average number of days holiday survey-wide is 26 days. Holiday entitlement, regardless of sector, is more likely to be enhanced by the number of years worked rather than seniority. As a strategy, it represents a good way of rewarding loyalty and retaining staff but a poor way of attracting new employees. An increasingly popular benefit is to provide employees with the opportunity to buy additional holidays. This is usually limited to an additional 5 days that would be purchased through salary sacrifice.

    Flexible working Flexible working is popular. 81% of security practitioners report that they benefit from flexible working. it is most common in consultancy and least common in banking and financial services. Given that 24% of security practitioners cite achieving a better work / life balance as their prime motivation for changing jobs, flexible working appears to be something they are prepared to negotiate on when moving jobs. Our Survey indicates that security practitioners who have changed job in the last 12 months are more likely to benefit from flexible working than those who have not, with 95% of women reporting that they benefit from flexible working, against 77% of men.

    Employers are ultimately more concerned with output rather than simply attendance. Flexible working is an effective means of retaining staff and few employees once they have benefited from it would be prepared to give it up. We anticipate that this will ultimately become a universal benefit.

    Pensions For new recruits, final salary pensions no longer exist in the private sector. For those who still benefit from such schemes there is a full appreciation of their value and that the cost of giving it up to join a new employer would be prohibitively expensive.

    80% of security practitioners benefit from employer pension contributions, low by the standards of other areas of corporate governance. It is probably the result of consultancies being less likely to make pension contributions. The typical employer pension contribution is in the range of 5-10% and, at 9%, the average pension contribution remained the same as in 2013.

    Pension schemes in the private sector are invariably money purchase where the company commits to making a contribution based on a percentage of salary. Whilst there is often a short qualifying period before contributions commence, a period in excess of six months would be considered unusual.

    Most arrangements require the employer to make a contribution based upon a fixed percentage of base salary. The employee may or may not be required to match it. Frequently, employers will be prepared to match additional contributions made by the employee up to a fixed percentage. The percentage may increase with the age of the employee, their years of service and their level of seniority.

    Other benefits60% of security practitioners reported they received other benefits in 2014. the average value of those benefits rose from 3,700 in 2013 to 4,100 in 2014. Cars or car allowances have become a less common benefit. They can still be expected where a role requires significant travel and also for senior hires. In terms of overall remuneration, a car allowance is frequently offered in lieu of a car and is often considered as non pensionable salary when evaluating overall remuneration. A more common benefit for those working in London is a location allowance. This is a supplement for those working in London to cover the increased cost of either living in or commuting to London. The most valuable other benefit is Critical Illness Cover which is expensive to provide and is usually restricted to senior roles. However, Private Health Insurance is common and is often extended to all immediate family members.

    Life Assurance, usually linked to a pension scheme, is normal, as is payment of at least one professional

    9

  • 3 General Results

    General results

    Market made up of highly experienced practitioners

    - 90% of security practitioners surveyed have worked in security for over 5 years (89% in 2013)

    - 62% have worked in security for over 10 years (61% in 2013)

    - 57% of security practitioners report they have management responsibility

    How long have you worked in security?

    Do you have management responsibility?

    Security practitioners becoming more active

    - 38% of the security practitioners surveyed reported they had changed job in the last 12 months (34% in 2013)

    - Security practitioners at senior consultant / AVP level most active

    - Security practitioners working in the public sector and consultancy were most likely to have moved whilst those working in financial services were least likely

    - IT security managers were most likely to have moved, against business continuity managers who were least likely

    - Security practitioners on lower salaries more likely to have moved, although no difference between managers and non managers

    Have you changed job in the last 12 months?

    Bonuses

    Bonuses up on 2013

    - 72% of employers paid a bonus in 2014 (61% in 2013)

    - Average bonus equivalent to 23% of basic salary (22% in 2013)

    - 34% reporting a higher bonus in 2014

    - 68% of security practitioners received a bonus of less than 20%

    How does your bonus compare to last year?

    Which of these as a percentage of your salary best describes your last bonus?

    Please note that the figures in this report cannot be extrapolated across everyone who works in security, as the sample consists of people registered with Barclay Simpson. However, the figures do substantiate our experience of the market and the year on year comparisons are clearly representative.

  • Bonus payments mainly paid in cash

    - 82% of bonuses paid in cash (72% in 2013)

    - 5% of bonus was deferred (9% in 2013)

    - 17% of security practitioners benefit from long term incentive plans (31% of managers against 10% of non managers)

    Do you benefit from any long term incentive plan?

    What percentage of your bonus was paid in cash?

    Pensions

    Pensions an important part of remuneration

    - 80% of security practitioners surveyed benefit from employer pension contributions (71% in 2013)

    - Average value of pension contributions remains at 9%

    - Typical pension contribution in the 5-10% range

    Does your employer provide you with any pension benefits?

    Salary % contribution to pension from your employer

    Other benefits

    Value of other benefits significant and continuing to rise

    - 60% of security practitioners surveyed received other benefits (57% in 2013)

    - Average value of other benefits to those who received them up to 4,100 (3,700 in 2013)

    What is the approximate monetary value of other benefits?

    - Managers more likely to receive other benefits and for them to be of higher value than for non managers

    - Value of other benefits increases with years of service

    - Other benefits more common and valuable in banking and financial services than in other sectors

    Holiday entitlement

    Average holiday entitlement remains at 26 days

    - For 48% of respondents 25 days remains the most common entitlement

    - 60% of respondents have between 25-28 days

    - Only 15% of respondents have less than 25 days holiday

    - Average holiday entitlement remains at 26 days

    What is your holiday entitlement in days?

    - Most generous holiday entitlement given to security practitioners in public sector with 36% getting at least 30 days, least generous in consultancy sector

    - Number of days holiday is consistent between size of company and management, although rises with number of years of experience

  • Flexible working

    Majority of security practitioners benefit from flexible working

    - Overall, flexible working is up from 67% in 2013 to 81% in 2014

    - Flexible work most likely in medium sized companies

    - Flexible working more prevalent amongst managers and the higher paid

    Does your employer provide you with the opportunity to work flexibly?

    - 95% of women report they work flexibly against 77% of men

    - 85% of security practitioners who have changed employer in the last year allowed to work flexibly, against 71% who have not

    - Flexible working most common in consulting and least common in banking and financial services

    Content with compensation?

    Majority content with compensation

    - Overall, 57% believe they are adequately compensated (55% in 2013)

    - Higher levels of contentment from those working in smaller companies

    - Contentment improves as salary level increases

    Overall do you think you are adequately compensated?

    - 75% of security practitioners who have changed job in the last 12 months are content, against only 45% who have not

    - 71% of security practitioners working in the public sector are content, significantly higher than any other sectors. At 45%, lowest in banking and financial services

    - Managers more content than non managers and men are more content than women

    Interim Compensation Survey

    Contractors in work

    Clear majority believe demand for their skills improving

    - 74% of contractors in work believe market for their skills is improving (58% in 2013)

    - Clear difference with contractors who are in work and those who are not

    Do you think the market for your skills is improving or deteriorating?

    - 58% of contractors started a new contract within one month (82% in 2013)

    - No contractors have taken over 12 months to find a contract (2% in 2013)

    How quickly were you able to secure your current contract?

  • Rates firm and generally rising

    - More security contractors reporting an increase than in 2013 (45%)

    - Fewer contractors reporting a decrease than in 2013 (36%)

    - Majority believe they are adequately compensated

    - 61% satisfaction for contractors is comparable to 57% for permanent

    Do you believe you are adequately compensated?

    Which best describes how your current rate compares with your previous?

    - Type of work remains most important factor

    - Length of contract more important than rates of pay

    - High level of satisfaction with existing roles

    - However, experienced contractors who are not will have already moved

    Are you satisfied with your current contract?

    When considering a new contract what is the most important consideration?

    Rate of pay surprisingly low priority

    Contracts seemingly shorter than in 2013

    - Only 26% of contracts have lasted at least 12 months (56% in 2013)

    - Contracts run for longer in financial services than other sectors

    - Only 21% of contracts less than 3 months

    - Contracts generally run for longer than anticipated

    What is the anticipated length of your current contract?

    How long have you been in your existing contract?

    Contractors looking for work

    Picture less positive than for contractors currently working

    - 23% of contractors looking for longer than 3 months (16% in 2013)

    - 46% finding it more difficult (50% in 2013)

    Are you finding securing a contract more or less difficult than anticipated?

    How long have you been seeking a contract?

    Do you think the market for your skills is improving or deteriorating?

  • SALARY GUIDANCE

    4 Salary Guide

    The figures below are what we believe to be the most likely salary ranges available to a cross section of security practitioners. We also provide a more generic end user guide. This is split between banking, financial services non banking and commercial end users which have been divided between larger FTSE 100 or equivalent groups and smaller FTSE 250 or equivalent groups. We then go on to provide a generic guide for those in consultancies and SIs. This is split into Big 4, SIs, large consultancies and boutique consultancies.

    The salary ranges quoted are for good rather than exceptional individuals and take no account of other benefits in addition to salary, such as bonuses, profit sharing arrangements and pension benefits.

    SELECTED PROFILES - PERMANENT (London / Rest of UK)

    Senior Data Protection Analyst
    Team member in a small DP department for a large mobile telecommunications group. Proven experience in a similar role and ISEB qualified.
    London: 46 - 53,000; Rest of UK: 38 - 45,000

    Security Analyst
    Generic information and IT security consulting and project delivery in a large retail financial services group. 4 years experience.
    London: 48 - 60,000; Rest of UK: 40 - 50,000

    Senior Business Continuity Consultant
    Working for a large consultancy firm, delivering and managing consulting engagements and in some cases managing junior staff. Some sales and business development responsibility.
    London: 63 - 69,000; Rest of UK: 56 - 62,000

    Security and Compliance Manager
    Security Manager responsible for the business meeting compliance standards such as ISO27001 and PCI.
    London: 65 - 75,000; Rest of UK: 55 - 65,000

    Security Presales Engineer
    Security Presales Engineer within a security vendor. Technology focus on network security.
    London: 65 - 80,000; Rest of UK: 55 - 70,000

    PCI QSA
    Practicing QSA working with external clients and managing their entire PCI compliance programme.
    London: 67 - 78,000; Rest of UK: 57 - 67,000

    Security Manager
    Security background in a small financial services company. 3 years management experience. No permanent reports. Will utilise consulting firms and contractors on an ad-hoc basis.
    London: 78 - 86,000; Rest of UK: 65 - 71,000

    Network Security Team Leader
    Working in a FTSE 100 group leading a team of 6-8 network security specialists, reporting directly to the Head of Security. 10 years experience.
    London: 84 - 89,000; Rest of UK: 70 - 76,000

    Head of Business Continuity
    Major financial services group, a large team to manage/supervise. Established career history within BCM.
    London: 112 - 125,000; Rest of UK: 96 - 105,000

    Head of Security
    Managing a team of 8 security practitioners in a financial services company, assisted by 2 more junior managers. 10 years management experience and 17 years security experience.
    London: 118 - 132,000; Rest of UK: 90 - 98,000

  • SELECTED PROFILES - PERMANENT (London / Rest of UK)

    SIEM Consultant
    Technical specialist with strong skills with a leading SIEM solution such as ArcSight or RSA envision. Design, implementation and integration experience. Client facing consultative role.
    London: 65 - 80,000; Rest of UK: 55 - 70,000

    Identity & Access Management Consultant
    Solid skills in identity and access management design and architecture. Background of working in consultancy, with good client-facing skills and bid work experience.
    London: 65 - 75,000; Rest of UK: 57 - 67,000

    Senior Security Consultant
    Working for an SI, undertaking security consultancy and delivering on security projects for a large-scale client. Senior person also involved in bid / proposal work and mentoring team members.
    London: 67 - 84,000; Rest of UK: 59 - 70,000

    CLAS Consultant/CCP
    Senior level in a security practice of a large consultancy or SI. Skills in security architecture, security policy formulation and review, and risk assessment. Also undertakes business development activities.
    London: 67 - 85,000; Rest of UK: 62 - 70,000

    CHECK Team Leader
    Working in a penetration testing practice within a consultancy. Responsibility for some client management and mentoring less experienced penetration testers.
    London: 71 - 82,000; Rest of UK: 67 - 73,000

    EMEA Manager of Data Protection
    Medium to large insurance group. No direct reports. EU Data Privacy legislation experience.
    London: 79 - 89,000; Rest of UK: 67 - 73,000

    SELECTED PROFILES - CONTRACT (London / Rest of UK)

    Data Privacy Analyst
    Experience of DPA 98 and EU Privacy Directive 95/46/EC, required to provide specialist privacy knowledge and support.
    London: 400 - 500 per day; Rest of UK: 350 - 450 per day

    Security Monitoring Analyst
    Analyst using various security solutions deployed within the IT environment, providing active monitoring, identification, notification and response to internal and external threats and recommendation for the mitigation of risks.
    London: 450 per day; Rest of UK: 400 per day

    Security Consultant
    Providing security advice across the business, ranging from policy review and development, to information risk reviews. Holds CISSP or CISM.
    London: 450 - 550 per day; Rest of UK: 400 - 500 per day

    Business Continuity Consultant
    Managing a team of 8 security practitioners in a financial services company, assisted by 2 more junior.
    London: 500 per day; Rest of UK: 400 per day

    Penetration Tester
    SME in application security, code reviews and vulnerabilities, attacks and countermeasures with a deep knowledge of hacking and penetration testing techniques, methodologies and tools across web application and infrastructure.
    London: 500 - 600 per day; Rest of UK: 450 - 550 per day

    SIEM Consultant
    Technical Specialist with strong skills with leading SIEM solution such as ArcSight or RSA envision. Design, implementation and integration experience.
    London: 550 per day; Rest of UK: 500 per day

    Technology Risk Consultant
    Good technical understanding with the ability to identify, assess, manage and report risk. Working with different projects within the organisation on varying technologies.
    London: 550 - 600 per day; Rest of UK: 500 - 550 per day

    Application Security Consultant
    Consultant will need to identify appropriate security controls, as well as carry out code reviews of J2EE enterprise applications, penetration tests, tracking new requirements and recommending improvements.
    London: 570 per day; Rest of UK: 525 per day

    PCI Consultant
    PCI consultant who can work with the client to ensure compliance to the PCI-DSS standards.
    London: 625 per day; Rest of UK: 575 per day

  • SALARY CHART - END USERS

    Role | Banking | Non Banking FS | Commercial FTSE 100 equivalent | Commercial FTSE 250 or smaller
    Info Security Analyst 2 yrs | 32 - 39,000 | 31 - 36,000 | 30 - 32,000 | 27 - 30,000
    Data Protection Analyst 2 yrs+ | 36 - 42,000 | 36 - 42,000 | 36 - 42,000 | 35 - 40,000
    Business Continuity Analyst 2 yrs + | 37 - 46,000 | 37 - 46,000 | 36 - 42,000 | 31 - 40,000
    Info Security Analyst 3 yrs | 39 - 48,000 | 38 - 46,000 | 36 - 42,000 | 30 - 34,000
    Business Continuity Manager (4 yrs + no team) | 45 - 80,000 | 50 - 85,000 | 50 - 75,000 | 45 - 68,000
    Info Security Analyst 4 yrs + | 55 - 65,000 | 50 - 56,000 | 43 - 52,000 | 38 - 44,000
    Data Protection Manager (5 yrs + no team) | 65 - 90,000 | 58 - 80,000 | 55 - 85,000 | 55 - 80,000
    Info Security Manager (team under 5) | 80 - 105,000 | 73 - 95,000 | 70 - 90,000 | 68 - 90,000
    Info Security Manager (team 5+) | 90 - 125,000 | 88 - 120,000 | 85 - 110,000 | 77 - 100,000
    Head of Info Security (dept under 10) | 118 - 140,000 | 115 - 135,000 | 100 - 126,000 | 90 - 126,000
    Head of Info Security (dept 10+) | 160,000+ | 140,000+ | 150,000+ | N/A

    SALARY CHART - CONSULTANCIES AND SIS

    Role | Big 4 | Systems Integrator | Large Consultancy | Boutique Consultancy
    Penetration Tester (under 4 years exp) | 28 - 46,000 | 30 - 48,000 | 30 - 48,000 | 32 - 50,000
    Consultant | 32 - 46,000 | 35 - 49,000 | 35 - 49,000 | 37 - 52,000
    CHECK Team Member | 40 - 50,000 | 40 - 55,000 | 40 - 60,000 | 40 - 60,000
    Senior Consultant | 43 - 52,000 | 45 - 60,000 | 45 - 60,000 | 47 - 64,000
    Manager (Principal Consultant) | 56 - 75,000 | 62 - 78,000 | 62 - 78,000 | 62 - 80,000
    CHECK Team Leader | 58 - 90,000 | 60 - 85,000 | 60 - 85,000 | 65 - 90,000
    Senior Manager (Managing Consultant) | 72 - 105,000 | 70 - 87,000 | 70 - 87,000 | 70 - 90,000
    Director (Practice Lead) | 100 - 148,000 | 90 - 110,000 | 95 - 120,000 | 95 - 120,000

  • ABOUT BARCLAY SIMPSON 06

    Barclay Simpson
    Bridewell Gate, 9 Bridewell Place
    London EC4V 6AW
    Tel: 44 (0)20 7936 2601
    Email: [email protected]

    If you would like to discuss any aspect of the reports please contact the following divisional heads:

    Corporate Governance Adrian Simpson [email protected] & IT Audit Daniel Flynn [email protected] Matt Brown [email protected] Tom Boulderstone [email protected] Mark Ampleford [email protected] Jane Fry [email protected]

    To discuss our regional and international services please contact:

    Scotland Liam Hughes [email protected] Tim Sandwell [email protected] East Matt Crocombe [email protected] Pacific Russell Bunker [email protected]

    North America Daniel Close [email protected]

    Barclay Simpson is an international corporate governance recruitment consultancy specialising in internal audit, risk, compliance, security, business continuity, legal and treasury appointments. Established in 1989, Barclay Simpson works with clients in all sectors throughout the UK, Europe, Middle East, North America and Asia-Pacific from our offices in London, Edinburgh, New York, Dubai, Hong Kong and Singapore.

    We add value by using our unique focus on corporate governance, our highly experienced specialist consultants and access to both the local and international pools of corporate governance talent. Our strength lies in our ability to understand client and candidate needs and then to use this insight to ensure our candidates are introduced to positions they want and our clients to the candidates they wish to recruit.

    For more in-depth coverage, comprehensive reports and compensation guides exist for the Internal Audit, Risk, Compliance, Security and Legal recruitment markets. These can be accessed from the links below.

    We also produce other specialist reports, each of which can be accessed for free on our website: www.barclaysimpson.com

    www.barclaysimpson.com/2014interimreport/audit
    www.barclaysimpson.com/2014interimreport/risk
    www.barclaysimpson.com/2014interimreport/compliance
    www.barclaysimpson.com/2014interimreport/security
    www.barclaysimpson.com/2014interimreport/legal