The 2024 Barclay Simpson Salary Survey & Recruitment Trends Guide: Cyber Security & Data Privacy
[Chart: main recruitment challenges reported by employers: compensation challenges; insufficient technical / regulatory knowledge; remote working policies; poor cultural fit]
[Chart: main reason for seeking a new role: Remuneration 45%; Work/life balance 19%; Career development 18%; Remote working 12%; Better benefits 1%]
Contract recruitment trends in Cyber Security & Data Privacy
The cyber security and data privacy contract jobs market was relatively subdued in 2023. Widespread cost-cutting has resulted in more employers looking to offshore security activities rather than hire contractors or other temporary resources for additional support.
Some senior roles are resistant to this trend, especially those that require a high level of technical proficiency or stakeholder management skills. There is also ongoing demand for contractors with strong DevSecOps, Application Security and/or cloud migration experience.
Indeed, more than half (54%) of employers sought contract recruitment services for specific projects last year, while 15% sought to leverage subject matter expertise. These figures significantly increased year on year from 37% and 9%, respectively.
Overall, however, it has been a difficult year for contractors.
“Employers have quite high expectations at the moment,” says Jeff Mayger, Principal Consultant at Barclay Simpson.
“So while there are a lot of talented contractors available, organisations are often looking for very specific combinations of skillsets that few candidates possess.”
Lower demand for permanent staff is also having a knock-on effect for the interim market. In 2021 and 2022, an inability to source permanent employees was the second most-cited reason for hiring contractors. Last year, it failed to rank in the top five.
As a result of these and other pressures, contract day rates have slipped over the last year. The most commonly reported day rate in 2023 was £600-699, which is down from £700-799 the previous year.
[Chart: Primary reasons for using interim, contract and co-source staff (2021, 2022, 2023)]
The long-term effects of IR35
It has been nearly three years since reforms to IR35 legislation were introduced in the UK. Through our annual Cyber Security and Data Privacy Salary Guides, we have tracked how these new off-payroll rules have impacted the interim market, and it is clear that some organisations and candidates are still trying to navigate the changes effectively.
For example, nearly half of employers (46%) claim the IR35 reforms have hampered their ability to engage skilled contractors, with 23% of these saying the impact is ‘significant’.
Our data also shows that 54% of organisations are now using fixed-term contracts (FTCs) to access flexible resource. However, these arrangements are often unpopular among candidates – only 3% say accepting an FTC role was their preferred response to IR35 changes.
Instead, most interim workers tell us they are choosing to either consider only ‘outside IR35’ vacancies (39%) or have increased their rates for ‘inside’ roles (31%). Approximately one in 10 contractors have also sought or accepted permanent positions.
“Traditionally, a lot of interim workers wouldn’t consider permanent roles, while many salaried employees weren’t interested in contracting,” says Harry Boorman, Senior Consultant at Barclay Simpson.
“However, current market conditions are encouraging more people to be open-minded about the opportunities available to them.”
Key factors affecting cyber recruitment in 2024
Over the next 12 months, we expect various political, economic and social factors to have an impact on cyber security and data privacy hiring trends.
New regulations
Regulatory change is often a key driver of demand within cyber security and data privacy, and we anticipate that several recently implemented and upcoming regulations will affect hiring within these markets.
For example, financial entities have less than one year left to comply with the Digital Operational Resilience Act (DORA), which will come into force from 17 January, 2025. As a result, we are already seeing increased demand for candidates with strong operational resilience and business continuity experience.
This demand is mostly for permanent candidates currently, but as the DORA deadline looms, we expect more organisations to turn to the contract market to acquire the skillsets they need.
However, organisations that delay their hiring too long may struggle to recruit talented senior professionals, many of whom will already be halfway through DORA implementation projects and reluctant to leave their current role.
More broadly, the FCA, PRA and Bank of England made it clear in their recent CBEST annual report that cyber security is a key priority for the UK’s financial regulators in 2024 and beyond.
This also appears to be true for regulators stateside. The US Securities and Exchange Commission adopted new rules last year that mean CISOs at publicly traded companies can now be held personally liable for their response to and disclosure of cyber security incidents.
It is too early to predict exactly how this increased attention from US and UK regulators will affect hiring or salary trends in the immediate future. At the very least, we predict US CISOs will demand higher salaries to compensate them for taking on more liability, which could shake up the market dramatically both domestically and abroad.
Ongoing demand for technical skills
In last year’s Cyber Security and Data Privacy Salary Guide, we noted that strong technical skills are always in demand and that certain roles are becoming more technical than ever before. This continued to be the case throughout 2023, and there is little evidence this will change over the next 12 months.
GRC candidates, for instance, are typically expected to possess technical security knowledge in areas like cloud security, with increasingly few employers willing to consider professionals with a more traditional governance background alone.
Product security is also receiving considerable focus at the moment. More and more companies want to build security into their products at an earlier stage, shifting left and ensuring they are secure by design.
As such, some organisations have restructured to fully embed security professionals into product areas. There has also been increased demand for candidates from a software engineering background who are now working in product security, application security or software security-focused roles.
56% of employers are struggling to source candidates with sufficient technical or regulatory knowledge
That said, it’s not just technical skills that are important; organisations are keen to find people who also have the soft skills to effectively communicate complex cyber security and data privacy risks to the wider business.
Companies must strike a delicate balance between investing in the security of their systems and mitigating the potential losses associated with a breach or failure. Cyber professionals must therefore not only have the technical expertise to build and maintain robust protections, but also the commercial understanding to respond to risk in a proportionate manner.
Diversity and inclusion
In a 2022 report, the UK Government revealed that diversity within the cyber security profession had steadily improved every year for the last three years.
The figures for ethnic diversity were particularly encouraging, with 25% of all employees and 14% of senior leaders coming from an ethnic minority background. One in 10 cyber staff are also neurodivergent (6% in senior roles).
And while the gender split is overwhelmingly male dominated, the percentage of cyber security professionals who identify as female rose from 15% to 22% between 2020 and 2022.
Sadly, some of this momentum was lost in 2023. According to the government’s latest report, only neurodivergent representation has improved, climbing from 10% to 12%. But the percentage of cyber security roles held by women and people from ethnic minority backgrounds dropped to 17% and 22%, respectively.
Our consultants have reported similar trends. Employers appear to be placing less focus on diversity and inclusion initiatives as they prioritise filling key vacancies in a market with ongoing talent shortages and tighter budgets.
Despite this, nearly three-quarters (73%) of staff agree their organisation has built a diverse and inclusive culture, while 81% of employers believe their recruitment processes are designed to adequately support equal opportunities.
The UK Government’s statistics also show that 40% of businesses that recruit people into cyber roles have taken direct action to either modify their recruitment processes or encourage more people from diverse groups to apply for cyber security jobs.
Post-pandemic attitudes to flexible working
Our annual salary guides and market reports have closely followed flexible working trends over the last 10 years. Suffice to say, both employers and staff have continued to place greater emphasis on the importance of a healthy work-life balance during that time.
More and more professionals have benefited from remote working opportunities with each passing year, but the Covid-19 pandemic was clearly a catalyst that significantly accelerated this trend.
Even industries that were historically slow to adopt flexible working practices, such as financial services and law, moved quickly to create safe and effective remote working conditions for their workforces.
At the peak of the pandemic, many experts predicted that working from home would become the ‘new normal’. Today, nearly four years after the first UK lockdown was announced, is that still the case?
Our data shows that, on the whole, employers remain committed to their post-pandemic flexible working policies, but there are some notable caveats.
99% of employers offer flexible working (unchanged from last year)
For example, despite 87% of organisations claiming they are confident their current hybrid and remote working policies will stay in place over the long term, we are seeing a rise in the number of firms who want people back in the office more.
In 2022, three-quarters of cyber security and data privacy professionals were allowed to work from home at least four days a week. This figure has since fallen to less than two-thirds (65%).
“More organisations are expecting staff to be in the office two or three days a week now,” says Sophie Jdouri, Principal Consultant at Barclay Simpson.
“This is resulting in some pushback from candidates, many of whom feel they performed effectively working from home during the pandemic and are understandably reluctant to have any added flexibility taken away.”
In fact, 81% of candidates admit they are likely to consider changing jobs if they aren’t able to have their preferred hybrid working set-up, up from 72% who said the same in 2022.
Our consultants are also reporting that more interim workers are turning down offers or leaving their current contract because work-from-home policies are becoming stricter.
Employers seem to be aware their approach to flexible working is causing problems when hiring. Over the last 12 months, the percentage of organisations who believe their current hybrid or remote working models are hindering recruitment and retention efforts has risen to 38% (from 29% in 2022).
In a market with much-publicised talent shortages, employers may struggle to source the high-quality candidates they need if their hybrid working policies become increasingly inflexible. This is particularly true now that flexible working is considered a standard benefit across most industries and professions in the aftermath of the pandemic.
[Chart: How many days are you allowed to work remotely?]
Salary and bonus trends
Cyber security and data privacy starting salaries saw almost unprecedented growth across 2021 and early 2022. Last year, salary increases began to plateau as the market cooled, although they remained above historic averages due to ongoing talent shortages.
Employers intend to increase base salaries for existing employees by 8% in 2024
While organisations are undoubtedly tightening their belts in today’s economic climate, it is rarely budget limitations alone that are holding employers back when it comes to hiring. Some are simply reluctant to pay current salary expectations because they do not believe they are getting value for money.
This is perhaps partly due to how quickly junior salaries have risen in particular. As a result, the pay gap has narrowed considerably between those entering the market now and more experienced mid-level professionals who did not switch roles in 2021 or 2022.
“Organisations are looking for candidates who have both deep expertise in particular skillsets and the breadth of knowledge required to cover a range of bases,” says James Lawrence, Principal Consultant at Barclay Simpson.
“Unfortunately, many firms are struggling to find people who tick all the right boxes unless they can be more flexible on salary or manage their expectations with regards to experience.”
Nevertheless, more employers believe current salary ranges are aligned with what they can offer than in previous years. Just 6% say candidates’ demands are ‘not at all’ in line with their salary bandings, compared with 26% in 2022.
In terms of wider remuneration, the average bonus that candidates are receiving jumped from 15% to 21% in 2023. Some employers are also providing one-off cost-of-living payments, although this is usually to offset lower increases in salary and bonus payouts.
Over the next 12 months, 83% of employers intend to offer bonuses to staff, a figure that is almost unchanged from last year’s salary survey.
45% of cyber security and data privacy professionals cited remuneration as their main reason for seeking a new role in 2023
In other news, the UK’s financial regulators formally scrapped the cap on bankers’ bonuses on 31 October. Prior to this, the cap was 100% of a professional’s base salary, or 200% with shareholder approval.
However, even very senior cyber security and data privacy professionals are unlikely to receive bonuses in excess of 100%. Therefore, the vast majority of candidates weren’t affected by the previous cap and are unlikely to benefit from it being removed.
[Chart: How likely is your organisation to offer bonuses in the next 12 months? (2022, 2023, 2024)]
Flexible working: 87%
Annual bonus: 75%
Private healthcare: 53%
Time off for charity work: 49%
Cycle-to-work scheme: 37%
Company stock options: 36%
Training allowance: 36%
Enhanced pension scheme: 34%
Subsidised gym membership: 34%
Car scheme or allowance: 31%
Enhanced maternity / paternity leave: 29%
Enhanced dental coverage: 29%
Childcare vouchers: 19%
Travel allowance: 12%
Unlimited annual leave: 3%
Other: 1%
Cyber security and data privacy salaries
Leadership Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
CISO (Global / EMEA) | £180k+ | £180k+ | £170k+ | £900 – £1,200
Cyber Security Director | £130k – £200k | £130k – £200k | £120k – £180k | £800 – £900 |
Head of IT Risk | £130k – £200k | £130k – £200k | £120k – £180k | £800 – £900 |
Head of GRC (Cyber Risk) | £120k – £150k | £120k – £150k | £90k – £130k | £750 – £850 |
Head of Information Security (dept of 10+) | £150k+ | £150k+ | £130k+ | £800 – £900
Head of Information Security (dept under 10) | £100k – £160k | £100k – £160k | £80k – £140k | £700 – £800
Head of Security Architecture | £130k – £200k | £130k – £200k | £110k – £170k | £900+ |
Head of Security Operations | £80k – £120k | £80k – £120k | £70k – £110k | £900+ |
Head of Incident Response | £90k – £140k | £90k – £140k | £80k – £120k | £900+ |
Governance, Risk & Compliance Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Business Information Security Officer | £90k – £130k | £90k – £130k | £85k – £110k | £600 – £800 |
Information Security Manager (team of 5+) | £95k – £120k | £95k – £120k | £80k – £110k | £600 – £800
Information Security Manager (team under 5) | £80k – £95k | £80k – £95k | £70k – £85k | £600 – £800
Information Security Officer | £80k – £120k | £80k – £120k | £70k – £110k | £600 – £800 |
IT Risk Manager | £85k – £120k | £85k – £120k | £75k – £110k | £600 – £800 |
Third Party Risk Lead | £75k – £100k | £75k – £100k | £65k – £90k | £550 – £750 |
Information Security Analyst, GRC | £60k – £75k | £60k – £75k | £45k – £65k | £500 – £600 |
Information Security Analyst, GRC (under 4 years’ experience) | £50k – £60k | £50k – £60k | £50k – £60k | £400 – £550
Technical Security / Security Architecture & Engineering Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Application Security Architect | £100k – £130k | £100k – £130k | £90k – £120k | £700 – £900 |
Application Security Engineer | £85k – £110k | £85k – £110k | £75k – £100k | £600 – £750 |
DevSecOps Engineer | £85k – £100k | £85k – £100k | £75k – £100k | £600 – £850 |
Information Security Engineer | £70k – £90k | £70k – £90k | £55k – £85k | £550 – £800 |
Cloud Security Architect | £100k – £130k | £100k – £130k | £80k – £100k | £650 – £850 |
Cloud Security Engineer | £80k – £110k | £80k – £110k | £80k – £110k | £700 – £850 |
Enterprise Security Architect | £100k – £140k | £100k – £140k | £90k – £120k | £700 – £900 |
Technical Security / Security Operations & Incident Response Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Deputy Head of Security Operations | £80k – £100k | £75k – £95k | £70k – £90k | £700 – £900 |
Cyber Defence Analyst | £50k – £65k | £50k – £65k | £40k – £55k | £450 – £650 |
Cyber Threat Intelligence Analyst | £50k – £85k | £50k – £85k | £45k – £75k | £550 – £650 |
Incident Response Analyst | £60k – £80k | £55k – £75k | £50k – £75k | £550 – £650 |
Incident Response Manager | £80k – £110k | £80k – £110k | £75k – £95k | £600 – £800 |
Security Operations Analyst | £45k – £60k | £45k – £60k | £35k – £50k | £500 – £600 |
Security Operations Manager | £60k – £85k | £60k – £85k | £50k – £75k | £600 – £800 |
SOC Analyst | £45k – £60k | £45k – £60k | £30k – £45k | £500 – £650 |
Technical Security / Security Operations & Incident Response Salaries (continued)
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Senior SOC Analyst | £60k – £80k | £60k – £80k | £60k – £80k | £550 – £650 |
SOC Manager | £80k – £100k | £80k – £100k | £75k – £95k | £700 – £800 |
Cyber Security Director | £135k – £200k | £120k – £190k | £120k – £190k | £700 – £800 |
Head of Security Operations | £90k – £130k | £90k – £125k | £90k – £125k | £800 – £900+ |
Head of IR | £95k – £140k | £95k – £140k | £95k – £140k | £700 – £800 |
SOC Engineer | £75k – £120k | £75k – £100k | £75k – £100k | £550 – £650 |
Head of SOC Engineering | £100k – £140k | £100k – £140k | £100k – £140k | £750 – £850 |
Business Continuity & Operational Resilience Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Head of BC | £100k – £150k | £90k – £130k | £100k – £125k | £700 – £800 |
Head of Operational Resilience | £100k – £150k | £100k – £130k | £100k – £130k | £700 – £800 |
BC Analyst | £35k – £60k | £30k – £55k | £30k – £55k | £450 – £550 |
BC Specialist | £70k – £90k | £70k – £90k | £70k – £90k | £550 – £650 |
BC Manager | £60k – £85k | £60k – £75k | £60k – £80k | £600 – £700 |
Operational Resilience Analyst | £50k – £60k | £50k – £60k | £50k – £60k | £450 – £550 |
Operational Resilience Manager | £70k – £95k | £65k – £80k | £70k – £90k | £600 – £700 |
Operational Resilience Specialist | £70k – £90k | £70k – £90k | £70k – £90k | £550 – £650 |
Identity & Access Management Salaries
Area | London | South East | Regional | Contract day rate
---|---|---|---|---
Head of IAM | £120k – £140k+ | £120k – £140k+ | £110k – £130k+ | £600 – £850 |
IAM Manager | £90k – £120k | £90k – £120k | £85k – £110k | £500 – £700 |
CIAM/PAM Lead | £95k – £120k | £95k – £120k | £85k – £110k | £500 – £700 |
IAM Product Owner | £95k – £120k | £95k – £120k | £85k – £110k | £500 – £700 |
IAM Architect | £90k – £120k+ | £90k – £120k+ | £80k – £110k+ | £500 – £700 |
IAM Engineer | £75k – £95k | £75k – £95k | £70k – £90k | £400 – £600 |
IAM Analyst | £60k – £85k | £60k – £85k | £55k – £80k | £350 – £500 |
Attract and retain the cyber security and data privacy professionals you need with Barclay Simpson
Barclay Simpson has specialised in the recruitment of cyber security and data privacy professionals since 2001. Our practice covers information security, cyber security, data protection and privacy. Our long-established team has extensive experience of recruiting on a permanent and contract basis for in-house positions in commerce and FS groups, as well as consultancy and systems integration businesses, and security vendors. We can help you create a talent attraction strategy with competitive salary offerings and support you as you build a cyber security or data privacy team that’s future proof. Or we can help you find a role that aligns with your long-term career goals. Arrange a consultation today.
If you are interested in a new cyber security or data privacy position or recruitment services, get in touch today.