Are public sector cyber security salaries enough to attract best-in-class talent?
Rarely has a job ad generated such an adverse reaction. HM Treasury’s recent move to hire a head of cyber security at a salary of between £50,500 and £57,500 attracted disbelief and ridicule. Whether it attracted a range of top candidates is less clear.
The government was mocked on social media for offering what was perceived as a comparatively low level of remuneration for such an important role and mainstream media also entered the fray. Metro lambasted a “measly salary” and LBC spoke of a “pay storm”.
Neither the Treasury nor the Cabinet Office responded to TechInformed’s request for comment. But many within the cyber security industry were happy to share their opinions on pay and the implications of not properly rewarding professionals occupying key, high stakes roles.
“There is no plausible way that the UK Government would be able to fulfil this requirement effectively with anywhere near that salary,” says Charlee Ryman, director of recruitment at cyber security recruitment specialist Trident Search.
“We’re seeing junior-level employees with 1-2 years of experience achieving offers above £60K, so to ask a head of cyber, with all the responsibility that entails, to accept this level is just unrealistic,” he adds.
According to Ryman, the story has generated a lot of traction because – given the pace of industry change and the cyber threat level companies are facing – experienced high performers are needed in senior roles and must have the skills to prevent, mitigate and resolve damaging cyber-attacks.
To put it into perspective, he elaborates, equivalent positions in the private sector are being advertised with salaries of £150K-plus.
Public vs private
There is, though, a disparity between public and private sector pay. Sam Hameed, co-founder and managing director of SPG Resourcing, a technology talent advisory business with offices in Leeds and Newcastle, says that the public sector typically pays around 30% below the current market rate for technology roles, and that cyber security roles command a premium over the rest of the sector.
“For example, security engineers and architects see salaries range between £68,000 to £72,000 in the public sector, where a similar role with a large private company will easily demand six figures,” says Hameed.
“While it’s true the public sector offers better benefits, these are less likely to appeal to someone at the start of their career with high earnings potential.”
However, public sector organisations must deliver data-rich government services, which means they need to recruit, train and retain IT professionals with the skills and personal qualities to make that happen.
Achieving those ambitious goals means offering pay to match the high skillset required. Without those specialist skills, public sector organisations leave themselves vulnerable to increasingly sophisticated potential attacks and more determined threat actors.
Last year, the cyber-attack on the NHS was another unfortunate reminder of the damage that can be done in the public sector. The attack disabled services used by the NHS 111 medical advice helpline, leaving health workers reliant on pen and paper to coordinate services.
Sascha Giese, head geek at IT security and service management provider SolarWinds says: “While there are a lot of things at play when it comes to such intricate attacks – and I believe that there is more that can be done in terms of public-private sector collaboration when it comes to thwarting attacks – the UK government simply cannot afford to be at risk due to a skills shortage. Paying enough for the right skills is crucial.”
Universal pay gap
The public/private sector pay gap is by no means unique to the UK.
The 2021 Rand Report, Comparison of Public and Private Sector Cybersecurity and IT Workforces, indicated a mean salary for information security analysts in the US public sector within the $80K-90K range, compared to the US private sector, where the mean salary for the same skill set was in the $110K-120K range.
Another report by Axios indicated that in 2022, the average annual private sector cyber salary in the US was $100K – a 14% premium over the average in the public sector.
Overall, Ryman notes, UK salaries tend to be far lower than the US, where companies pay an average of 30% more. Across EMEA there isn’t really a noticeable difference, however.
There has also been a slowdown in cyber security salary growth, which Guy Golan, CEO of cybersecurity firm Performanta, attributes to pay limits reaching their peak.
“You now have young, entry-level workers earning a base salary of £5,000 a month, for example. To put this into perspective, this is more than a medical doctor earns at the start of their career. I envisage that salaries may stay this way, with a chance that they may even drop slightly.”
Higher pay, higher defences?
While salary information is fairly easy to track down, it’s much harder to unearth data on the link between investment in cyber security staff and the robustness of an organisation’s defences.
“There are a lot of stats published about how much is being spent on cyber security and a lot published about the growth in cyber-attacks and how much they cost organisations that have been attacked, but not so much on the relationship between spending on cyber and its effect on successfully defending organisations,” says Andy Williams, co-founder of Transatlantic Cybersecurity Business Network.
“This is because the organisations that spend most on cyber security also tend to be those that are attacked most, and by the most sophisticated attackers, because they have the most valuable information assets to protect, such as Financial Services or Government.”
The European Network for Cyber Security, a Netherlands-based organisation that develops training and shares cyber threat information, joined an EU-funded initiative in September to train cyber security experts to better protect power grids.
Managing director, Anjos Nijk, says that while investing capital into staff hires may seem the obvious fix, it is not necessarily the silver bullet organisations would like.
Hiring is just one part of closing the skills gap. To get it right, Nijk argues, first you need to know what the skills gap is in your organisation.
It starts with a risk assessment to understand the risks that you need to protect your organisation against and to identify the measures and controls needed for risk mitigation.
From there you can derive what is required in terms of roles, responsibilities and processes and the required security knowledge and skills levels in the various managerial and operational roles.
Comparing this with your actual staffing will give you the full picture of what needs to happen to fill the gap, a prerequisite for building resilience.
Actions required may involve, for example, outsourcing skill sets you will be unable to maintain in your own organisation, converting security from a staff responsibility into a line responsibility, hiring staff for entirely new roles in legal/procurement, and more.
“If you hire technical staff without providing the right organisational environment and empowerment and if you are unable to bring in the right knowledge and skills, you may introduce new risk and bring down your organisational resilience,” says Nijk.
There is some divergence of views as to whether UK government/public sector contracts (rather than full time salaried positions) are competitively priced.
Ryman says that contrary to popular belief, government contracts are quite competitive and can be lucrative for skilled professionals going down this route. The struggle is finding the right people for these opportunities.
By contrast, Golan takes the view that such contracts are often not competitively priced, the main issues being the limitations on day rates and length of engagements.
“This forces the public sector to engage with long-term projects that incorporate contract work, defeating the purpose of quick, swift engagements. To use an analogy, this is just like someone buying a car, which is a large investment, only to drive once from point A to point B.”
Another concerning emerging trend Golan has observed is entry level technical resources being tasked with dealing with major, high-stakes issues, “with companies taking a view that if the client doesn’t pay well, they’ll be given junior resources. As would be expected, the result can be disastrous.”
Whichever way you slice it, underpayment is a recipe for trouble.