Information security recruitment freezes as security staffs sit tight

By Ron Condon, U.K. Bureau Chief 05 Jun 2009 | SearchSecurity.co.uk

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

A global survey by (ISC)² Inc., the training and certification body, found that when managers have vacancies to fill, they struggle to find candidates with the right skills at a rate they are prepared to pay.

Many senior people, including CISOs and senior consultants have been made redundant, and they are the ones who are struggling to find an equivalent post elsewhere Chris Batten managing director,  Acumin

(ISC)² polled more than 2,800 professionals worldwide, of whom 775 had hiring responsibilities. The survey found that more than 80% of them were experiencing difficulties in finding the right applicants. Respondents cited a lack of desired skills or available professionals within a local area, poor cultural fit, and salary demands that were too high for available budgets, particularly from people who had previously worked in financial services.

The view was backed up by U.K. recruiters. "Vacancies are down 70% from what they were 18 months ago," said Mark Ampleford, associate director at information security recruitment company Barclay Simpson. "Those people that are not facing redundancy are tending not to enter the job market because they don't think they'll get a big pay rise. They prefer to stick with the devil they know."

He added that where companies have vacancies, they are struggling to find applicants because they are offering lower salaries. "Employers want a lot for their money. The jobs get filled eventually, but it takes a while," he said.

Chris Batten, managing director at recruitment firm Acumin Consulting Ltd., said many companies are trying to save money by avoiding agency commissions. "Line managers are trying to find these skills on their own or through networking, or referral. That takes longer, if they can find the skills at all," he said.

While security departments have been less severely hit by job losses than other parts of business, Batten said senior staff has been affected. "Many senior people, including CISOs and senior consultants have been made redundant, and they are the ones who are struggling to find an equivalent post elsewhere," he said. "Others lower down the scale tend to be OK."

But permanent staff members have to pay a high price for job security, with many of them being made to work harder. "We are getting calls from people asking us to find them other work because they are being pushed too hard. They are under a lot of pressure to achieve by themselves what two people should be doing," said Batten. "Three or four months ago, we didn't get those calls because people were hanging on to their jobs for fear of redundancy. That has changed, and now we hear they are working so hard, they want to find somewhere else to move to that doesn't push them quite as hard."

Higher up the scale, he said, companies are trying to force down pay. "There is downward pressure on salaries at the middle and top end of the range," he said. "Senior people are now prepared to settle for less money to get a job. That will be their unique selling point that will get them a job over the competition."

Has the economic downturn increased insider risk? An Infosecurity Europe survey of 600 London commuters revealed that many employees would give up their precious company's data for the right price.

Professionals with penetration testing skills are still in strong demand, Batten said, as are applications security architects and application security testers.

Both Batten and Ampleford agreed that the main driving force for new business is in government and public sector work. "In the consultancies, anyone with good business development skills who can talk to clients at a high level will be in demand. But that will be focused on the government sector," said Batten. "I can't remember the last time we were asked for a commercially-focused consultant. Almost all the effort of the consultancies is going into chasing government business."

Consultants with the CESG Listed Adviser Scheme (CLAS) certification, a combination of information assurance knowledge of CESG and expertise of the private sector, are also doing well, said Ampleford, although he warned that "every man and his dog" is trying to get CLAS certification at the moment, which may eventually increase supply and drive down rates.

While times are tough now, though, the clear-out of top staff could be good news for those waiting to fill their shoes once the economy recovers. "There is a new raft of CISOs on the way. When the market picks up again, we're going to find some new names at the head of departments," said Ampleford.

Tags: IT Security Jobs, Careers and Certification Training,  Data Breach Incident Management and Recovery,  Security Policies and User Awareness,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IT Security Jobs, Careers and Certification Training Information security salaries start to rise, recruitment rebounds Upsurge in infosec jobs for 2010 Salary research shows upturn for those who know how to sell security M86 buys Web security gateway vendor Finjan How to prepare for an information security job interview Some IT security certifications are overvalued, analyst says Information security salaries hit the buffers Information security skills must include communication, says Dorey Poll: Information security salaries remain steady despite recession Social hacking: The easy way to breach network security Data Breach Incident Management and Recovery Make PCI DSS compliance easier by reducing scope, outsourcing data Full disk encryption: Safer and easier than file and folder encryption PCI DSS requirements: Get ready for stricter enforcement, fines Data breach costs continue to rise in 2009, Ponemon study finds Data Protection Act breach could cost companies 500,000 pounds Jericho Forum to provide customers with good security questions to ask Verizon report goes deep inside data breach investigations Insider threat detection still a challenge for employers Layoffs prompt insider threat fears, cybersecurity survey finds ArcSight boosts system log management capabilities Security Policies and User Awareness Cloud-based services require stalwart business continuity plans Preventing phishing attacks: Enterprise best practices CISOs take measured steps to reduce social media risks Increasing information security awareness in the enterprise How to develop a culture of security in the enterprise Creating and enforcing a clear-desk policy Physical security threats: Don't gift your data away Cut down on calls to help desk with cybersecurity awareness training Layoffs prompt insider threat fears, cybersecurity survey finds How to write an information security policy

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary IISP (Institute of Information Security Professionals)  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary