Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey
Stott and May
Imagine Agile Expansion
Cyber Security
Market Intelligence
and Salary Survey
2016
Stott and May London
Eleventh Floor
5 Aldermanbury Square
London, EC2V 7HR
+44 (0) 207 496 3650
info@stottandmay.com
us trust and unparalleled loyalty from candidates and
clients alike. This is the foundation that will make us an
immovable force in this market for many years to come.
The purpose of this market report is to give context to
the wider security market. We aim to raise awareness
of key hinge points, highlight significant trends and be
a trusted guide by which to make informed decisions
for your business and career.
The survey has been comprehensively compiled from
information gathered by our team of expert consultants
in 2015. We have also carried out external research and
visited many of the international conferences. We have
consolidated our findings to reinforce our commentary
throughout.
Introduction
Contents
Leaders
It is people that determine the
future of business. Our industry
experts help unearth the leaders
of today.
Time
Our targeted and meticulous
approach ensures that we
safeguard your most precious
commodity – Time.
Confidence
Unparalleled market insight is
at the heart of everything that
we do. We help you make well
informed decisions.
Global Leaders In
Cyber Security
Over the years we have been privileged to partner
up with the most ambitious and innovative cyber
teams in the world. We have a thirst for offering the
most compelling opportunities to the industry elite.
Our results are a consequence of a unique mindset
which enables more collaborative and strategic
outcomes. Whether you are a candidate or a client, our
approach is uniform. We start by considering your
objectives. What is it you are trying to achieve, and why?
Once we have fathomed your motivations we empower
you to plan and execute your journey.
The advice that we offer is often not in our best interest.
We operate at a level of transparency which has
differentiated us from our competition. It has bought
Vendors Europe
Tech Focus
The Numbers
The Market
Q&A With Charlie Timblin
“If we always look for
the same, we are never
going to reap the value
that diversity offers. Look
for difference – you’ll be
amazed at what you find.”
Charlie Timblin
WSS
The security vendor space is gathering momentum
at a staggering pace. New and established vendors
are all competing for market share and we are seeing
some aggressive expansion campaigns. It seems that
significant budget is still available to ensure a multi-layered
and robust perimeter is at the heart of every
security strategy. Many industry experts are coining the
phrase “good hygiene” which epitomises this notion.
PREDICTIONS
FOR 2016-2017
•	The skills gaps will be subsidized by the relocation
of candidates from other parts of Europe.
•	We may see that investment into the UK will
pause suddenly in anticipation of the results of the
referendum in June.
•	With vendor portfolios increasing we will see
greater convergence of skills. This could lead to a
more versatile workforce.
•	Increased sourcing into vendors from resellers.
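Comparison By Region
Salary Survey Country Comparison (fig. 1)

| Country | Vendor Presales Basic Salary (GBP £1000s) | Vendor Presales Basic Salary (EURO €1000s) | Typical Vendor Territory Account Manager Sales Basic (GBP £1000s) | Typical Vendor Territory Account Manager Sales Basic (EURO €1000s) |
|---|---|---|---|---|
| Eastern Europe | 28 | 35 | 31 | 39 |
| South Africa | 30 | 37 | 33 | 41 |
| Israel | 38 | 48 | 34 | 43 |
| Spain | 44 | 56 | 47 | 60 |
| Italy | 49 | 62 | 47 | 60 |
| France | 50 | 63 | 50 | 63 |
| Netherlands | 56 | 71 | 52 | 66 |
| Sweden | 60 | 76 | 53 | 67 |
| Germany | 66 | 83 | 56 | 71 |
| UK | 71 | 90 | 67 | 85 |
| UAE | 85 | 107 | 69 | 88 |
| Switzerland | 99 | 125 | 73 | 92 |

Survey taken from 50 employees in each region from Gartner
magic quadrant vendors.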
CEUR is a very steady market.
The Netherlands are developing
a reputation for versatile talent.
The available talent pool has
maintained salaries in this region
and makes it an attractive option
for a regional office. Belgium
offers good language options
but a limited candidate pool.
The DACH region maintains a
significant appetite for security
despite some tricky privacy laws.
Germany remains the hub of
this region, however, salaries
in Switzerland are significantly
higher. DACH has a strong hold
in the IAM skills market with
many boutique consultancies
branching out internationally.
SEUR is seeing the least
growth due to economic crisis.
Language, cultural barriers
and tricky employment
contracts have an effect.
The UK remains the gateway
into the EMEA market with most
vendors choosing this as their
strategic base. Basic economics
dictate inflated salaries higher
than the rest of Europe.
[Map of regions: Nordics & Benelux, Eastern Europe, Middle East, Southern Europe, DACH, Israel, UK & Ireland]
Eastern Europe and parts of
Africa have seen an injection
in investment with many
enterprise organisations
outsourcing large parts of their
infrastructure into these regions.
Despite this, salaries remain the
lowest in all of EMEA.
The Israeli government is
offering subsidies and the country has
developed into a hotbed for cyber
security start-ups. We are seeing
a number of these flourishing on
a global scale. Israel has many
talented security professionals,
and they are very good value for
money.
The Middle East has the largest
variation in salaries. Experts
from other parts are inflating
salaries. We are likely to see a
significant decrease in salaries
in this region once the reliance
on imported talent diminishes.
As the threat surface swells
and the sophistication of attacks
evolves, innovation is
essential. This is our pick of
trending technologies based
on market intelligence
gathered within our
network.
Technology
Focus
CASB
The emergence of Cloud Access Security Brokering
(CASB) is no surprise, as it helps to resolve a prominent
problem within most enterprise environments: enabling
organisations to administer policies and protect cloud-based
applications and shadow IT. We have seen the birth of many
start-ups helping to address this, and it is likely that most of
these will be swallowed up by established vendors, whilst some
of those vendors have already begun developing their own capability.
Threat Intelligence & Analytics
Enhanced maturity levels
are normally very expensive in terms of labour. We are seeing a lot of
innovation in automation and streamlined processes. Threat
intelligence, machine learning and UEBA are all integral cogs
in this evolution. The military and law enforcement seem to
be a hotbed for talent, and we are seeing tools,
techniques and skills being adapted and integrated into the private sector.
Deception-based technologies
We have started to see
different ways of identifying attacks, such as deception-based
technologies. Whilst they are by no means a silver bullet, they
boast a zero false-positive alert capability, which is compelling
in its own right. Watch this space.
PAM
PKI and IAM are still key components. PAM is the
evolution of these technologies with integration, and has
applications which are relevant to restricting an attacker's
mobility. Whilst Privileged Access Management is not new to
the market, it is reaching a level of momentum which needs
to be acknowledged.
Emerging Trends

[fig. 2: bar chart of VC investment in million $ by security / cyber IT company. Companies shown: Zscaler, Cybereason, Cylance, Team8, Darktrace, Countertack, Ironnet Cybersecurity, Argus Cyber Security, Digital Shadows, Morphick Cyber Security, E8 Security]

fig. 3: Rising Venture Capital Interest In Cybersecurity Startups

| Year | Investments, in billions of dollars | Number of deals |
|---|---|---|
| 2010 | $0.8 | 108 |
| 2011 | $0.8 | 120 |
| 2012 | $1.2 | 156 |
| 2013 | $1.7 | 201 |
| 2014 | $2.5 | 240 |
| 2015 | $3.3 | 255 |

fig. 4: Top 5 VC Investors 2015 (Notable VC’s)
[Chart of the top 5 VC investors, ranked 1 to 5. Deal values shown: $228m, $210m, $149m, $202m, $110m]
The numbers quoted in Fig. 4 refer to the
value of deals that the quoted VC’s have been
involved in as opposed to their individual
contribution. Source Crunchbase.com
Qualification
Analysis
We have taken a sample of 100 job descriptions, chosen
from 4 companies within 5 magic quadrants. The
purpose of the analysis is to demonstrate the type of skills
which are most in demand. We have highlighted the
difference between skills required and desirable.
Fig. 5 highlights the variations in salary relative to
technologies. Numbers quoted are taken from a sample of 720
professionals from security vendors based in the UK. We
have focused on 4 main areas and taken equal samples
for each permutation. The salary sample was taken with
consideration to a candidate's skills as opposed to the
technology vendor for whom they work. We have
cleaned the data and adjusted it for ease of viewing. The
numbers quoted refer to the fixed basic salary.
The table is an extension of the table above. We have
taken a sample of 720 professionals from 5 countries
including France, Germany, Sweden, Spain and the
Netherlands.
Figure … shows the variation in salaries relative to role.
Numbers quoted are OTE based on a 50/50 split.
[Chart: number of sampled job descriptions listing each skill as Required or Desirable. Skills shown: SCADA, IAM, GRC, Malware Analysis, HIPS, Endpoint, Forensics, DLP, Pentest / CEH, WAF, Scripting, SIEM, Vulnerability, DDoS, O/S, IPS, Core Networking, Proxy, Firewalls]
APT SIEM NETWORK SECURITY IAM SI & MSSP Typical Basic/Variable Split
Pre Sales Manager £110-120k £90-120k £90-120k £90-120k 70/30 | 80/20
Principal Security Engineer £85-110k £65-95k £85-110k £85-120k 70/30 | 80/20
Product Manager £90-110k £75/90k £90-110k - 90/10
Solution Architect £80-100k £65-85k £90-120k £65-100k 70/30
Principal Architect £95-130k £65-95k £90-140k £90-120k 80/20
Enterprise Architect - - - £90-125k 90/10
Security Engineer (delivery) £40-65k £40-65k £50-75k £50-75k 90/10
Support £30-50k £30-50k £30-50k £30-50k 95/5
Sales Specialist £60-80k £60-80k £70-90k £70-90k 50/50 | 60/40
APT SIEM NETWORK SECURITY IAM SI & MSSP
Pre Sales Manager €120-140 €100-130 €120-140 €100-130
Principal Security Engineer €100-130 €90-110 €100-130 €100-130
Product Manager €120-140 €90-110€ €120-140 -
Solution Architect €100-140 €90-130 €100-140 €90-130
Principal Architect €70-100 €60-90 €70-100 €60-90
Enterprise Architect - - - €100-150
Security Engineer (delivery) €50-80 €40-65 €60-90 €50-80
Support €30-60 €30-60 €30-60 €30-60
Sales Specialist €80-100 €70-90 €80-100 €75-100
Salary Data
Cyber Security
Pre Sales UK
Cyber Security Sales
UK & Europe
Cyber Security
Pre Sales Central Europe
| Role | UK Salary (OTE 50/50) | Europe Salary (OTE 50/50) |
|---|---|---|
| Enterprise Account Manager | £140-£160k | €140-£160k |
| Global Account Manager | £180-£200k | €180-£200k |
| Territory Account Manager / Regional Sales Manager | £120-£140k | €120-£140k |
| Channel Account Manager Tier 1, 2, 3 Reseller | £140-£150k | €140-£150k |
| Channel Account Manager MSP/SP | £150-£160k | €150-£160k |
| Sales Manager | £200-£220k | €200-£220k |
| Sales Director / Country Manager | £220-£240k | €220-£240k |
| EMEA Sales Director | £220-£280k | €220-£280k |
| VP Sales | £300-£350k | €300-£350k |
Global Security: A Spotlight
The Top Five By Revenues According To Gartner 2015
1. Symantec with $3.69 billion in revenues, 17.2% market share, and a (- 1.3%) decline in growth
2. Intel Security with $1.825 billion in revenues, 8.5% market share, and 4.5% growth
3. IBM Security with $1.486 billion in revenues, 6.9% market share, and 17% growth
4. Trend Micro with $1.052 billion in revenues, 4.9% market share, and a (-5.9%) decline in growth
5. EMC (includes its RSA business) with $798 million in revenues, 3.7% market share, and 5% growth
Sources: MicroMarketMonitor, Gartner, Markets and Market, Visiongain
•	$35.53 billion: Estimated value of Europe Cyber Market by 2019
•	Europe Makes Up 26.95% Of The Global Market Value
•	$101 billion: The World Spend on information security by 2018
•	$170 billion: Estimated Cyber security market by 2020
•	9.8%: Global Compound Annual Growth Rate 2015-2020
•	Next Generation Cyber Security Market Will Generate Revenues Of $35.7 Billion In 2016
The chart below shows the breakdown of the top 5 sectors by incidents
which accounted for approximately 75% of all sector-specific incidents.
Financial services and govt/wider public sector remain the two highest
sectors while we had no reported incidents occur this quarter in the
civil nuclear and legal sectors. Once again, we do not assess these to be
a representation of UK cyber health, but rather a reflection of the good
communication and information sharing that we see in each sector.
Good communications with the
top 5 sectors means they account
for 75% of all incidents reported

[fig. 7: Cert UK Attacks By Sector, June 2015. Top 5 Sectors By Incident Type, shown as % of sector distribution. Sectors: Financial Services, Govt/Wider Public Sector, Communications, Managed Services, Professional Services. Incident types: Website - Defacement (Passive); Website - DoS / DDoS; Website - Defacement (Active); Vulnerability - Un-patched; Network - Compromise of infrastructure; Malware - Unknown/Unidentified; Malware - Known/Identified; Email - Suspicious/SPAM/Phishing; Email - Spear-Phishing; Data - Exfiltration; Abuse - Unsecured infrastructure; Abuse - Credentials; Abuse - Attacker infrastructure]

fig. 8: Banking Malware Attacks. Countries by percentage of users targeted.

| Country | % of users targeted |
|---|---|
| Singapore | 11.6 |
| Switzerland | 10.6 |
| Australia | 10.1 |
| Brazil | 9.8 |
| Hong Kong | 9.0 |
| South Africa | 8.2 |
| Spain | 5.4 |
| UK | 5.1 |
| Italy | 5.0 |
| Germany | 3.8 |
| US | 3.2 |
| France | 2.9 |
| Japan | 2.5 |
| Russia | 2.0 |
What can be done to combat the inequality that
still exists in security?
I suppose my answer covers not only the gender
equality issue, but also the lack of diversity as a
whole within the profession. We need to translate
words to action. Security leaders who are recruiting
should not be fearful of mixing things up a little!
Diversity is needed not only from a gender perspective
but from a background, competency and skillset
perspective and that means looking for different
talent pipelines and wording job specifications
differently – avoid ‘techno-babble’ and a proliferation
of sometimes unpronounceable certs for entry level
positions! Apprentice schemes are out there, but they
are few and far between and often written in a way
that either discounts individuals without a degree in
computer science or encourages individuals to discount
themselves. I’d like to see more apprenticeship schemes
which provide entry level opportunities that consider
alternates to the traditional graduate pipeline. If there
aren’t enough graduates (irrespective of gender) we
need to recognise skill sets and competencies that can
be developed and find a way to advertise entry level
roles to target individuals that possess key competencies,
transferrable skills, drive, passion, a willingness to
commit to be trained, mentored, developed, evolved.
Lift up the stones and see what’s beneath, invest time in
approaching things differently, don’t simply define talent
as a standard package at entry level. If we always look
for the same, we are never going to reap the value that
diversity offers. Look for difference – you’ll be amazed at
what you find.
Q&A 60 SEC’s
CHARLIE TIMBLIN
WSS (Women’s Security Society)
Co-Founder
Q&A With Charlie Timblin
Is this an issue that needs to be addressed at
Graduate level?
I’m inclined to suggest focusing purely on the graduate
pipeline could limit diversity. We know from data
available that representation at UK Universities by
individuals from low income families and minority
backgrounds is low, too low. Hence, recruiting only from
a grad talent pipeline potentially limits diversity and fails
to recognise untapped talent that just hasn’t had an
opportunity to realise their potential yet! I’d suggest a
common set of agreed upon job titles, with an overview
of tasks and responsibilities is developed by a global
professional body and organisations commit to use this
as a common body of knowledge (CBOK). This should
be supported with guidance on access via the graduate
and non-graduate routes. Grads should be provided
careers advice together with advice as to how they can
embrace current approaches to networking and job
hunting. They should be mentored on how to craft a
LinkedIn profile, on LinkedIn ‘protocols’, how to leverage
LinkedIn groups, how to search for roles, find events/
forums to attend and how to network (virtually and
physically), with confidence. I’d like to see universities
actively marketing their grads.
“recruiting only from
a grad talent pipeline
potentially limits
diversity & fails to
recognise untapped
talent that just hasn’t
had an opportunity to
realise their potential”
Is enough being done to entice women pursuing
a career in security?
No, I don’t believe enough is being done to entice
women (or individuals from diverse backgrounds) into
security. Returning to work mothers, for example, a
wealth of untapped talent. Many have transferrable skill
sets or past technology experience – most, if not all, are
unaware of the new ‘cyber world’ and how they could
potentially add value. We all see the stats regarding the
low volumes of females opting for STEM subjects. So,
if you want to entice women into security and there
aren’t sufficient numbers available from the grad route,
actively consider and search for different potential from
other professions. I don’t have a degree in computer
science (yet... the future - maybe). I read voraciously, I’m
analytical, I apply critical thinking, I learn, I collaborate,
ask questions and seek answers (constantly), engage
with SMEs and learn from them. I have sought
professional certs after understanding which ones are
right for my role. I’m not from the ‘traditional’ IT risk
background and I like that. I work in IT Risk because
someone [a leader] saw passion and competencies in
me that he knew could be enhanced and built upon. He
gave me an opportunity.
What is the WSS doing to break the mould?
What I believe sets the WSS apart is we recognise the
word ‘security’ has many facets and that individuals
operating within security really need to be multi-
dimensional hence, we try to make our events attractive
to individuals from multiple professions. Despite our
name, the drive for diversity isn’t solely focused on
gender. All our events are free, we don’t charge at all for
attendance. Solely due to the generosity of our sponsors.
We ask our speakers to remain at events and to actively
network with individuals, to be available, to connect. The
WSS board has full time jobs, and families – delivering
events for the WSS sometimes has an adverse impact
on our spare time (and stress levels!) But we don’t mind
about that, because we want to make a difference, we
want to help make the security profession a great place
to be or to interact with.
Are there particular certifications you would
encourage graduates / women to pursue?
Certifications are role specific. Often you see people
being guided by marketing material. I’d encourage
individuals to research roles. Then, once they have
an idea on the type of role they wish to perform, to
research certifications, not with training providers but by
networking with individuals who are performing those
roles.
What topics are being neglected/missed at
board level?
I think board discussions on talent should be
encouraged (wherever practicable). I’m a great believer
in talking positively to others about talent. When you
see someone with potential, speak out. The sharing of a
name, does wonders for the exposure of that individual.
It’s a low effort, high return way of sponsoring an
individual that has potential.
Your views on the subject of equality in security
– Are there challenges/opportunities or is it a
genuine skills gap?
The topic is out there and that introduces great
opportunity. There are some fab bloggers and advocates
(Jane Frankland being a fantastic front runner here).
Discussion and debate eventually prompts action and
change. When hiring managers recruiting entry level or
junior positions opt for the pre-packaged candidate as
opposed to an individual they can develop, the skills and
gender gap situation is propagated.
| UK | FS / BANKING | CONSULTING / PROFESSIONAL SERVICES | TELCO | LEGAL | PUBLIC SECTOR |
|---|---|---|---|---|---|
| CISO | £140 - 180k | £120 - 140k | £130 - 150k | £130 - 150k | £130 - 150k |
| CIO | £150 - 200k | £130 - 150k | £150 - 180k | £140 - 160k | £140 - 150k |
| IT Security Manager | £65 - 75k | £55 - 65k | £65 - 75k | £60 - 70k | £65 - 75k |
| Information Security Manager | £60 - 80k | £60 - 70k | £60 - 80k | £65 - 75k | £50 - 80k |
| PCI DSS Specialist | £50-65k | £45 - 55k | £50 - 65k | £50 - 55k | £50 - 65k |
| QSA | £70 - 80k | £60 - 70k | £70 - 80k | £60 - 80k | £50 - 80k |
| CLAS Consultant (CCP) | n/a | n/a | £70 - 90k | n/a | £70 - 90k |
| Information Security Consultant | £50-60k | £45-50k | £50 - 60k | £50 - 60k | £50 - 60k |
| IT Security Analyst | £45-50k | £40-50k | £40-50k | £45-50k | £45-50k |
| Security Architect | £75-90k | £65-80k | £70 - 90k | £70 - 80k | £70 - 80k |
| Application Security Specialist | £80 - 100k | £70 - 90k | £75 - 85k | £70 - 90k | £85 - 95k |
| Network Security Specialist | £45 - 55k | £40 - 50k | £40 - 55k | £40 - 55k | £45 - 55k |
| Cyber Security Director | £130 - 170k | £110 - 120k | £110 - 130k | £120 - 130k | £120 - 130k |
| Penetration Tester | £70k - 85k | £60 - 80k | £70 - 90k | £50 - 80k | £65 - 85k |
| Data Protection | £45 - 55k | £40k - 50k | £45k - 55k | £45k - 50k | £45k - 55k |
| CSO | £150 - 200k | £130 - 150k | £40 - 180k | £140 - 150k | £140 - 160k |
| Technology Risk Consultant/Manager | £60 - 80k | £50 - 65k | £65 - 75k | £70 - 75k | £70 - 75k |
| Head of IT Risk | £90 - 120k | £80 - 1000k | £80 - 1100k | £90 - 100k | £90 - 100k |
| CHECK Team Leader | £70 - 90k | £60 - 75k | £70 - 90k | £70 - 80k | £70 - 80k |
| Business Continuity Manager | £55 - 70k | £50 - 60k | £40 - 50k | £50 - 60k | £55 - 65k |
| Incident Response Specialist | £50 - 65k | £45 - 60k | £50 - 60k | £50 - 50k | £50 - 60k |
| Head of Information Security | £90 - 120k | £80 - 100k | £90 - 110k | £90 - 100k | £90 - 100k |
| SOC Tier 1 Analyst | £30 - 45k | £30 - 45k | £30 - 35k | £35 - 40k | £30 - 35k |
| SOC Tier 2 Analyst | £35 - 50k | £35 - 50k | £35 - 45k | £40 - 50k | £35 - 45k |
| IA Consultant | £50 - 65k | £50 - 65k | £50 - 60k | £50 - 65k | £40 - 55k |
| Government Security Consultant | N/A | N/A | N/A | N/A | £50 - 80k |
http://www.forbes.com/sites/susanadams/2015/09/03/the-most-prestigious-consulting-firms-2/#4578a63d7382
Vault.com, the career website, has released a ranking of the most
prestigious consulting firms.
A little like the Oscars, which turns to the movie industry to tally its votes,
Vault’s list comes from a survey of consultants who are asked to rank their
peers and competitors. Vault ran its survey for six weeks in March and
April and gathered votes from 9,000 consultants at 65 North American
firms.
For the prestige ranking, consultants were not allowed to vote for their
own firms, and they were asked only to rate firms with which they were
familiar. They rated each firm on a scale of 1 (least prestigious) to 10.
Vault has been running the survey for 14 years, and every year McKinsey
has come out on top. In fact, the top four are unchanged from last year:
McKinsey, Boston Consulting Group, Bain and Deloitte Consulting.
Why is prestige important in the consulting business? For job seekers,
having McKinsey or Boston Consulting on a résumé can open up
opportunities, as The New York Times or The Wall Street Journal would on
a journalist’s CV. Also people simply care about prestige. For many people,
their career defines them. They want to work for the most prestigious
firms because of that.
The list is dominated by huge firms with workforces in the thousands and
multiple worldwide offices. An exception: the Bridgespan Group, located
on Boston’s Copley Place. The firm has 158 employees and its focus is the
nonprofit sector. It spun off from Bain in 1999 but kept its ties to the firm.
Bain consultants can take a leave and work six to 12 months at Bridgespan.
SEP 3, 2015
The information in Fig 9 has been collected from a sample
of over 5000 security professionals in the UK. The values
stated are basic fixed salary.
Information
Security UK Only
Salary Survey
Numbers
The Most
Prestigious
The Top 10 Most Prestigious
Firms According To Vault
The Top 10
1. McKinsey & Company
2. The Boston Consulting Group
3. Bain & Company
4. Deloitte Consulting
5. Booz Allen Hamilton
6. PricewaterhouseCoopers
7. EY LLP Consulting Practice
8. Accenture
9. KPMG LLP (Consulting Practice)
10. IBM Global Business Services
APT hunting /
CERT” and point
it at SOC Analyst
Tier 2
fig. 9
had a huge effect on the organisation. Adversaries seem
to always remain one step ahead. There is a lack of good
technology to manage and understand the behaviour
that takes place on networks. A number of technologies
are emerging but this is still in its infancy.
Equality in security – is there a genuine skills gap?
I think it’s a genuine skills gap but I also think that the
projections of numbers of people in cyber skills mean
that we will be short of the number needed. We haven’t
really been selling cyber security as a profession or
career path for new graduates. On top of that we have
a problem with attracting females. We have females
in government awareness policy space but not in the
technical aspects of cyber security. Hacking, architecture
there aren’t enough. It’s not something females have
been attracted to. Females bring a new dynamic to the
team – any team that has a diverse group of people from
all walks of life and a mix of males and females gives
a more diverse view on how to tackle problems. We
need to make it a more attractive industry to graduates
and women and people from diverse backgrounds by
showing it’s a really interesting industry to work in.
Any advice on the reporting line?
There is no one straight answer, as each organisation
needs to be considered objectively. What is clear is
that it should be independent of the technology team.
Reporting line has to have sufficient impact in the
organisation to be able to hold and gain credibility
and have a line of communication to management
that’s influential to making things happen. The only
reason why I’m reluctant to see infosec embedded with
technology is because there can be a clash between
what the technologist is trying to deliver to make
business work, and what the security dimension of that
technology might be. The technology team make the
ultimate decisions at the top of the tree and security
often is given the push to not happen and that’s why you
have to operate independent of tech but in a reporting
chain that’s meaningful to the organisation and has
significant impact and clout to be recognised.
What’s been your key to success? What advice would
you give to current CISOs or aspiring ones?
My key advice is understanding your business, the
dynamics of the strategy of the organisation and align
your security strategy to answer and allude to the
strategy of the organisation. Be pragmatic about what
you are trying to achieve. Don’t be the deliverer of doom
and gloom – pick something from the business strategy
and hook to it something that aligns to the security
approach you are trying to take. Your job isn’t always to
say no – it’s about how you can enable the business to
do things in a secure way.
What’s the best way to get board level buy in?
You can’t go into a board room with scare tactics. Talk
to them in the language they are used to – be pragmatic
and open about challenges but be honest. They are
employing you to make sure that what you say is
meaningful and will protect the organisation. You need
to speak the business language and understand the real
risks and threats and explain them in plain English.
Q&A With Paul Wood
•	The Chief Risk and Compliance Officer at Bloomberg.
•	35 years’ experience in cyber sec risk space – Wide
spectrum of experience at the highest level across
a variety of industries – both public and private in
government and notably within financial services.
•	MBE for services to the government (MoD).
•	Board of advisors /steering committee for a number of
organisations including, Global Cyber Alliance & SINET.
•	Member of KPMG’s 1-4 initiative.
•	Industry speaker known for his pragmatic and no-nonsense
approach – known to challenge the status quo.
What are common cyber security concerns in the
boardroom right now?
How effective is their cyber security controlled
environment and how can they get a good
understanding of the right things to tackle. Is the money
being placed in the right areas to gain the right level of
assurance? Have they got the right cyber security strategy
in place, appointed the right people, right resources and
made the right investment in tools? How can we get a
measure of how successful that is? How do I know my
CISO is doing the right thing?
Is there a way of quantifying ROI in cyber security?
Difficult to put real metrics generically across all
industries. You need to understand the risk to your
business and consider 4 main dimensions - Prevention,
Detection, Response and Resilience/Recovery when
facing a threat – Start to build metrics around how these
business processes are improved - Has your tech you have
invested in resolved a problem without increasing work
load? It is often hard to really quantify ROI but look for
business process improvements.
Is a risk based approach to cyber security the only way?
A risk based approach is the correct way of deciding on
your investment. You need to evaluate the threats you
face, understand totally what they are and understand
the attack vectors you need to defend yourself against.
Not all organisations would be susceptible to the same
attacks. Then you take a risk based approach across the
dimensions of detection, response and recover and decide
how you are to align your efforts to address those threats.
It seems like we are seeing a lot more threat
intelligence and analytics being introduced?
There is a big gap in this technology space. We go
through phases where new technologies come to
life trying to be the next great answer. Normally they
emerge with no business case and there is no surprise
that they often can’t deliver what they say “on the box”.
Big Data and Analytics have not seen a clear winner.
You must be conscious that vendors will try and sell
you something but is it really going to achieve what
they claim it will? You should consider if it has been
fully embedded and there are implemented solutions
to reinforce their claims. One area we need to improve
is to understand the threat profile of an organisation.
Greater consideration needs to be given to the strategic
purpose, nature and capabilities of emerging threats.
Some intelligence tools are useful but you need to do
your own profiling – then find other intelligence sources
to help you establish the threat vectors you face.
Many think that in order to understand threats you
need to enquire internally first, do you agree?
The organisation needs to decide what it’s concerned
about. What are our critical assets and what are the
threats to these assets that could cause you to fail.
Consideration should be given to who are the people
who are likely to come after these assets. It is equally as
important to determine the nature of your insider threat.
They already have access to your systems, some will
really control the keys to all your data. Boards don’t really
consider this as much as they should.
What topics are being neglected at board level?
The regulated industries seem to have greater awareness
but in general there is a basic understanding of what
cyber security really means at board level. In fact, many
organisations seem to have a false sense of security. Just
because there’s a CISO and infrastructure in place they
have to rely on their judgement that their investment
is being used in the right way. In general board do not
understand the real threat and more importantly the
real cost of a breach to their business. More needs to be
done to understand where the threats are coming from
and how they are protecting themselves. They will not
succeed if they do not have systems in place to react
and respond when things go wrong.
“More needs to be
done to understand
where the threats are
coming from and how
they are protecting
themselves. ”Is it fair to be accountable if you are restricted by
budget restraints?
There’s not a never ending pot of gold for these
problems, that’s why a risk based approach has to be
applied. You have to understand your threats and utilise
your resources within your budget constraints. In a lot
of cases, education, training, awareness and process
improvement don’t need budget. You can control risk
by stopping people having access to things they don’t
need access to and removing access when they leave
the company. Budget is an issue but it shouldn’t be a full
constraint. You have to a take a holistic view on security
and manage your investment in tech, process and
people accordingly.
What’s been the most significant change in the cyber
landscape and why?
Sophistication and the nature of the evolving threat
landscape is the single biggest change. We are seeing
more aggressive attacks for things we wouldn’t have
expected and many of these are attributable to host
nation attacks – Sony and Ashley Maddison are great
examples of this. The exposure of embarrassing emails
“Q&A With
Paul Wood”MBE
Meet The Team
Cyber Security

Simon Kouttis
Manager, Cyber Security
As Manager of Stott and May’s Cyber Security recruitment division, Simon
Kouttis is in charge of maintaining the team’s industry-leading reputation.
Simon specialises in permanent placements with a global footprint, and senior
executive appointments across the IT sector. Simon is currently heading up
Stott and May’s Cyber Security Centre of Excellence, a one-of-a-kind training
facility designed to produce recruitment specialists with unparalleled industry
knowledge. A University of Reading graduate, Simon’s interests include golf,
football, gourmet food and travel.

Oliver Kuehne
Manager, Cyber Security
An essential member of Stott and May’s world-leading Cyber Security recruitment
division, Oliver’s vast network of highly experienced candidates enables him to
place the best IT security sales professionals on the market. An expert at working
with security vendors and re-sellers, he recruits at all levels of sales: Account
Managers, VPs, Channel Specialists, and beyond. In his spare time, Oliver enjoys
water sports in Brighton while spending time with his family and friends.

Andrew Gee
Executive Vice President, USA
Executive Vice President and Director, Andrew joined the company in April
2011, after seven years working in International Business Development. He
currently heads up the company’s New York Office. In his spare time, Andrew
is an active sportsman and has won several awards for tennis, football and
table tennis. Alongside his aid work in Sri Lanka, post-Tsunami, Andrew rates
completing the London Marathon as one of his greatest achievements.

Stephen Stott
CEO & Founder
Prior to founding Stott and May, CEO Stephen Stott co-founded Huntress
Search, a technology recruitment company. During this period, he established
and took sole responsibility for EMEA and Asia operations, adding £60 million
to company revenues, rose to Managing Director, and oversaw a $105 million
1st tier PE MBO by a 1st tier Investment Bank. Seeking a new challenge,
Stephen launched Stott and May in December 2009, and in the years since,
the company has firmly established itself as a leading executive recruitment
business and grown to over £30m in revenue.

Stott & May - Report

  • 1. Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey Vendor | 3 Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey 2016 Stott and May London Eleventh Floor 5 Aldermanbury Square London, EC2V 7HR +44 (0) 207 496 3650 info@stottandmay.com
  • 2. us trust and unparalleled loyalty from candidates and clients alike. This is the foundation that will make us an immovable force in this market for many years to come. The purpose of this market report is to give context to the wider security market. We aim to raise awareness of key hinge points, highlight significant trends and be a trusted guide by which to make informed decisions for you business and career. The survey has been comprehensively deduced from information gathered by our team of expert consultants in 2015. We have also carried out external research, visited many of the international conferences. We have consolidated our findings to reinforce our commentary through-out. Introduction Contents LeadersIt is people that determine the future of business. Our industry experts help unearth the leaders of today. TimeOur targeted and meticulous approach ensures that we safeguard your most precious commodity – Time. ConfidenceUnparalleled market insight is at the heart of everything that we do. We help you make well informed decisions. Global Leaders In Cyber Security Over the years we have been privileged to partner up with the most ambitious and innovative cyber teams in the world. We have a thirst for offering the most compelling opportunities to the industry elite. Our results are a consequence of a unique mindset which enables more collaborative and strategic out- comes. Whether you are a candidate or a client our approach is uniform. We start by considering your objectives. What is it you are trying to achieve and why. Once we have fathomed your motivations we empower you to plan and execute your journey. The advice that we offer is often not in our best interest. We operate at a level of transparency which has differentiated us from our competition. It has bought 6.Vendors Europe 10.The Numbers 8.Tech Focus 12.The Market 14.Q&A With Charlie Timblin “If we always look for the same, we are never going to reap the value that diversity offers. 
Look for difference – you’ll be amazed at what you find.” Charlie Timblin WSS Cyber Security Market Intelligence and Salary Survey | 5
  • 3. Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey Vendor | 7 The security vendor space is gathering momentum at a staggering pace. New and established vendors are all competing for market share and we are seeing some aggressive expansion campaigns. It seems that significant budget is still available to ensure a multi- layered and robust perimeter is at the heart of every security strategy. Many industry experts are coining the phrase “good hygiene” which epitomises this notion. PREDICTIONS FOR 2016-2017 • The skills gaps will be subsidized by the relocation of candidates from other parts of Europe. • We may see that investment into the UK will pause suddenly in anticipation of the results of the referendum in June. • With vendor portfolios increasing we will see greater convergence of skills. This could lead to a more versatile workforce. • Increased sourcing into vendors from resellers. Comparison By Region Salary Survey Country Comparison Vendor Presales Basic Salary Typical Vendor Territory Account Manager Sales Basic GBP £1000s EURO €1000s GBP £1000s EURO €1000s Eastern Europe 28 35 31 39 South Africa 30 37 33 41 Israel 38 48 34 43 Spain 44 56 47 60 Italy 49 62 47 60 France 50 63 50 63 Netherlands 56 71 52 66 Sweden 60 76 53 67 Germany 66 83 56 71 UK 71 90 67 85 UAE 85 107 69 88 Switzerland 99 125 73 92 Survey taken from 50 employees in each region from Gartner magic quadrant vendors. fig. 1 CEUR is a very steady market. The Netherlands are developing a reputation for versatile talent. The available talent pool has maintained salaries in this region and makes it an attractive option for a regional office. Belgium offers good language options but a limited candidate pool. The DACH region maintains a signifiant appetite for security despite some tricky privacy laws. Germany remains the hub of this region, however, salaries in Switzerland are significantly higher. 
DACH has a strong hold in the IAM skills market with many boutique consultancies branching out internationally. SEUR is seeing the least growth due to economic crisis. Language, cultural barriers and tricky employment contracts have an effect. The UK remains the gateway into the EMEA market with most vendors choosing this as their strategic base. Basic economics dictate inflated salaries higher than the rest of Europe. NORDICS & BENELUX EASTERN EUROPE MIDDLE EAST SOUTHERN EUROPE DACH ISRAEL UK & IRELAND Eastern Europe and parts of Africa have seen an injection in investment with many enterprise organisations outsourcing large parts of their infrastructure into these regions. Despite this, salaries remain the lowest in all of EMEA. The Israel government is offering subsidies and has developed into hot bed for cyber security start-ups. We are seeing a number of these flourishing on a global scale. Israel has many talented security professionals and are very good value for money. The Middle East has the largest variation in salaries. Experts from other parts are inflating salaries. We are likely to see a significant decrease in salaries in this region once the reliance on imported talent diminishes.
  • 4. Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey Vendor | 9 As the threat surfaces swells and sophistication of attacks evolves, innovation is essential. This is our pick of trending technologies based on market intelligence gathered within our network. Technology Focus CASB The emergence of Cloud Access Security Brokering (CASB) is of no surprise as this helps to resolve a prominent problem within most enterprise environments. Enabling organisation to administer policies and protect and cloud based applications and shadow IT. We have seen the birth of many start-ups helping to address this and it is likely that most of these will be swallowed up by established vendors whilst some of them have already began developing their own capability. Threat Intelligence & Analytics Enhanced maturity levels are normally very labor expensive. We are seeing a lot of innovation in automation and streamlined processes. Threat Intelligence, machine learning and UEAB are all integral cogs to this evolution. The military and law enforcement seem to be a hot bed for talent and we are seeing adaptation of tools, techniques and skills integrating into the private sector. Deception based technologies We have started to see different ways of identifying attacks such as deception-based technologies. Whilst they are by no means a silver bullet they boast a zero false-positive alert capability which is compelling in its own right. Watch this space. PAM PKI and IAM are still a key component. PAM is the evolution of these technologies with integration and has applications which are relevant to restricting an attackers mobility. Whilst Privilege Access Management is not new to the market, it is reaching a level of momentum which needs to be acknowledged. 
Emerging Trends 100 80 60 40 20 0 9.82640.542 102232.532.94184110 VCInvestmentinMillion$ Security / Cyber IT Company Zscaler Cybereason Cylance Team8 Darktrace Countertack Ironnet Cybersecurity ArgusCyber Security Digital Shadows Morphick CyberSecurity E8Security Rising Venture Capital Interest In Cybersecurity Startups 2010 2012 20142011 2013 2015 $0.8 108 $1.2 156 $2.5 240 $0.8 120 $1.7 201 $3.3 255 Investments, in billions of dollars Number of deals $228m $210m 1 2 3 4 5 $149m$202m $110m Notable VC’s The numbers quoted in Fig. 4 refer to the value of deals that the quoted VC’s have been involved in as opposed to their individual contribution. Source Crunchbase.com Top 5 VC Investors 2015 fig. 2 fig. 3 fig. 4
  • 5. Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey Vendor | 11 Qualification Analysis We have taken a sample of 100 job descriptions, chosen from 4 companies within 5 magic quadrants. The purpose of the analysis is demonstrate the type of skills which are most in demand. We have highlighted the difference between skills required and desirable. Fig. 5 highlight the variations in salary relative to technologies. Numbers quoted taken from a sample 720 professionals from security vendors based in the UK. We have focused on 4 main areas and taken equal samples for each permutation. The salary sample was taken with consideration to a candidates skills as opposed to the technology vendor for whom they work for. We have cleaned the data and adjusted it for ease of viewing. The numbers quoted refer to the fixed basic salary. The table is an extension of the table above. We have taken a sample of 720 professionals from 5 countries including France, Germany, Sweden, Spain and the Netherlands. Figure … shows the variation in salaries relative to role. Numbers quoted are OTE based on a 50/50 split. 
SCADA IAM GRC MALWARE ANALYSIS HIPS ENDPOINT FORENSICS DLP PENTEST / CEH WAF SCRIPTING SIEM VULNERABILITY DDOS O/S IPS CORE NETWORKING PROXY FIREWALLS Required 40 45 42 38 37 32 30 32 31 23 11 19 13 17 16 21 14 126 7 7 8 9 5 14 10 11 17 18 26 25 30 34 38 3 3 2 1 APT SIEM NETWORK SECURITY IAM SI & MSSP Typical Basic/ Variable Split Pre Sales Manager £110-120k £90-120k £90-120k £90-120k 70/30 | 80/20 Principal Security Engineer £85-110k £65-95k £85-110k £85-120k 70/30 | 80/20 Product Manager £90-110k £75/90k £90-110k - 90/10 Solution Architect £80-100k £65-85k £90-120k £65-100k 70/30 Principal Architect £95-130k £65-95k £90-140k £90-120k 80/20 Enterprise Architect - - - £90-125k 90/10 Security Engineer (delivery) £40-65k £40-65k £50-75k £50-75k 90/10 Support £30-50k £30-50k £30-50k £30-50k 95/5 Sales Specialist £60-80k £60-80k £70-90k £70-90k 50/50 | 60/40 APT SIEM NETWORK SECURITY IAM SI & MSSP Pre Sales Manager €120-140 €100-130 €120-140 €100-130 Principal Security Engineer €100-130 €90-110 €100-130 €100-130 Product Manager €120-140 €90-110€ €120-140 - Solution Architect €100-140 €90-130 €100-140 €90-130 Principal Architect €70-100 €60-90 €70-100 €60-90 Enterprise Architect - - - €100-150 Security Engineer (delivery) €50-80 €40-65 €60-90 €50-80 Support €30-60 €30-60 €30-60 €30-60 Sales Specialist €80-100 €70-90 €80-100 €75-100 Salary Data Cyber Security Pre Sales UK Cyber Security Sales UK & Europe Cyber Security Pre Sales Central Europe UK Salary (OTE 50/50) Europe Salary (OTE 50/50) Enterprise Account Manager £140-£160k €140-£160k Global Account Manager £180-£200k €180-£200k Territory Account Manager / Regional Sales Manager £120-£140k €120-£140k Channel Account Manager Tier 1, 2, 3 Reseller £140-£150k €140-£150k Channel Account Manager MSP/SP £150-£160k €150-£160k Sales Manager £200-£220k €200-£220k Sales Director / Country Manager £220-£240k €220-£240k EMEA Sales Director £220-£280k €220-£280k VP Sales £300-£350k €300-£350k Desirable fig. 5 fig. 7 fig. 8 fig. 6
  • 6. Cyber Security Market Intelligence and Salary Survey Information Security | 13Stott and May Imagine Agile Expansion Global Security A Spotlight The Top Five By Revenues According To Gartner 2015 Symantec with $3.69 billion in revenues, 17.2% market share, and a (- 1.3%) decline in growth Intel Security with $1.825 billion in revenues, 8.5% market share, and 4.5% growth IBM Security with $1.486 billion in revenues, 6.9% market share, and 17% growth Trend Micro with $1.052 billion in revenues, 4.9% market share, and a (-5.9%) decline in growth EMC (includes its RSA business) with $798 million in revenues, 3.7% market share, and 5% growth 1. 2. 3. 4. 5. Sources: MicroMarketMonitor, Gartner, Markets and Market, Visiongain $35.53 billion Estimated value of Europe Cyber Market by 2019 Europe Makes Up 26.95% Of The Global Market Value $101 billion The World Spend on information security by 2018 $170 billion Estimated Cyber security market by 2020 9.8% Global Compound Annual Growth Rate 2015-2020 Next Generation Cyber Security Market Will Generate Revenues Of $35.7 Billion In 2016 The chart below shows the breakdown of the top 5 sectors by incidents which accounted for approximately 75% of all sector- specific incidents. Financial services and govt/wider public sector remain the two highest sectors while we had no reported incidents occur this quarter in the civil nuclear and legal sectors. Once again, we do not assess these to be a representation of UK cyber health, but rather a reflection of the good communication and information sharing that we see in each sector. Countries by percentage of users targeted. 
Good communications with the top 5 sectors means they account for 75% of all incidents reported %ofSectorDistribution 100 90 80 70 60 50 40 30 20 10 0 Financial Services Govt/Wider PubicSector Communications Managed Services Professional Services Top 5 Sectors By Incident Type Cert UK Attacks By Sector June 2015 Banking Malware Attacks Singapore Switzerland Australia Brazil Hong Kong South Africa Spain UK Italy Germany US France Japan Russia 11.6 10.6 10.1 9.8 9.0 8.2 5.4 5.1 5.0 3.8 3.2 2.9 2.5 2.0 Website - Defacement (Passive) Website - DoS / DDoS Website - Defacement (Active) Vulnerability - Un-patched Network - Compromise of infrastructure Malware - Unknown/Unidentified Malware - Known/Identified Email - Suspicious/SPAM/Phishing Email - Spear-Phishing Data - Exfiltration Abuse - Unsecured infrastructure Abuse - Credentials Abuse - Attacker infrastructure fig. 7 fig. 8
  • 7. Stott and May Imagine Agile Expansion Cyber Security Market Intelligence and Salary Survey | 15 What can be done to combat the inequality that still exists in security? I suppose my answer covers not only the gender equality issue, but also the lack of diversity as a whole within the profession. We need to translate words to action. Security leaders who are recruiting should not be fearful of mixing things up a little! Diversity is needed not only from a gender perspective but from a background, competency and skillset perspective and that means looking for different talent pipelines and wording job specifications differently – avoid ‘techno-babble’ and a proliferation of sometimes unpronounceable certs for entry level positions! Apprentice schemes are out there, but they are few and far between and often written in a way that either discounts individuals without a degree in computer science or encourages individuals to discount themselves. I’d like to see more apprenticeship schemes which provide entry level opportunities that consider alternates to the traditional graduate pipeline. If there aren’t enough graduates (irrespective of gender) we need to recognise skill sets and competencies that can be developed and find a way to advertise entry level roles to target individuals that possess key competencies, transferrable skills, drive, passion, a willingness to commit to be trained, mentored, developed, evolved. Lift up the stones and see what’s beneath, invest time in approaching things differently, don’t simply define talent as a standard package at entry level. If we always look for the same, we are never going to reap the value that diversity offers. Look for difference – you’ll be amazed at what you find. Q&A 60 SEC’s CHARLIE TIMBLIN WSS(Womens Security Society) Co-Founder Q&A With Charlie Timblin Is this an issue that needs to be addressed at Graduate level? I’m inclined to suggest focusing purely on the graduate pipeline could limit diversity. 
We know from data available that representation at UK Universities by individuals from low income families and minority backgrounds is low, too low. Hence, recruiting only from a grad talent pipeline potentially limits diversity and fails to recognise untapped talent that just hasn’t had an opportunity to realise their potential yet! I’d suggest a common set of agreed upon job titles, with an overview of tasks and responsibilities is developed by a global professional body and organisations commit to use this as a common body of knowledge (CBOK). This should be supported with guidance on access via the graduate and non-graduate routes. Grads should be provided careers advice together with advice as to how they can embrace current approaches to networking and job hunting. They should be mentored on how to craft a LinkedIn profile, on LinkedIn ‘protocols’, how to leverage LinkedIn groups, how to search for roles, find events/forums to attend and how to network (virtually and physically), with confidence. I’d like to see universities actively marketing their grads.

Is enough being done to entice women pursuing a career in security?
No, I don’t believe enough is being done to entice women (or individuals from diverse backgrounds) into security. Returning to work mothers, for example, a wealth of untapped talent. Many have transferrable skill sets or past technology experience – most, if not all, are unaware of the new ‘cyber world’ and how they could potentially add value. We all see the stats regarding the low volumes of females opting for STEM subjects. So, if you want to entice women into security and there aren’t sufficient numbers available from the grad route, actively consider and search for different potential from other professions. I don’t have a degree in computer science (yet... the future - maybe). I read voraciously, I’m analytical, I apply critical thinking, I learn, I collaborate, ask questions and seek answers (constantly), engage with SMEs and learn from them. I have sought professional certs after understanding which ones are right for my role. I’m not from the ‘traditional’ IT risk background and I like that. I work in IT Risk because someone [a leader] saw passion and competencies in me that he knew could be enhanced and built upon. He gave me an opportunity.

What is the WSS doing to break the mould?
What I believe sets the WSS apart is we recognise the word ‘security’ has many facets and that individuals operating within security really need to be multi-dimensional; hence, we try to make our events attractive to individuals from multiple professions. Despite our name, the drive for diversity isn’t solely focused on gender. All our events are free, we don’t charge at all for attendance. Solely due to the generosity of our sponsors. We ask our speakers to remain at events and to actively network with individuals, to be available, to connect. The WSS board has full time jobs, and families – delivering events for the WSS sometimes has an adverse impact on our spare time (and stress levels!) But we don’t mind about that, because we want to make a difference, we want to help make the security profession a great place to be or to interact with.

Are there particular certifications you would encourage graduates / women to pursue?
Certifications are role specific. Often you see people being guided by marketing material. I’d encourage individuals to research roles. Then, once they have an idea on the type of role they wish to perform, to research certifications, not with training providers but by networking with individuals who are performing those roles.

What topics are being neglected/missed at board level?
I think board discussions on talent should be encouraged (wherever practicable).
I’m a great believer in talking positively to others about talent. When you see someone with potential, speak out. The sharing of a name does wonders for the exposure of that individual. It’s a low effort, high return way of sponsoring an individual that has potential.

Your views on the subject of equality in security – Are there challenges/opportunities or is it a genuine skills gap?
The topic is out there and that introduces great opportunity. There are some fab bloggers and advocates (Jane Frankland being a fantastic front runner here). Discussion and debate eventually prompt action and change. When hiring managers recruiting entry level or junior positions opt for the pre-packaged candidate as opposed to an individual they can develop, the skills and gender gap situation is propagated.
  • 8. Information Security: UK Only Salary Survey Numbers

Fig. 9

| UK | FS / BANKING | CONSULTING / PROFESSIONAL SERVICES | TELCO | LEGAL | PUBLIC SECTOR |
|---|---|---|---|---|---|
| CISO | £140 - 180k | £120 - 140k | £130 - 150k | £130 - 150k | £130 - 150k |
| CIO | £150 - 200k | £130 - 150k | £150 - 180k | £140 - 160k | £140 - 150k |
| IT Security Manager | £65 - 75k | £55 - 65k | £65 - 75k | £60 - 70k | £65 - 75k |
| Information Security Manager | £60 - 80k | £60 - 70k | £60 - 80k | £65 - 75k | £50 - 80k |
| PCI DSS Specialist | £50 - 65k | £45 - 55k | £50 - 65k | £50 - 55k | £50 - 65k |
| QSA | £70 - 80k | £60 - 70k | £70 - 80k | £60 - 80k | £50 - 80k |
| CLAS Consultant (CCP) | n/a | n/a | £70 - 90k | n/a | £70 - 90k |
| Information Security Consultant | £50 - 60k | £45 - 50k | £50 - 60k | £50 - 60k | £50 - 60k |
| IT Security Analyst | £45 - 50k | £40 - 50k | £40 - 50k | £45 - 50k | £45 - 50k |
| Security Architect | £75 - 90k | £65 - 80k | £70 - 90k | £70 - 80k | £70 - 80k |
| Application Security Specialist | £80 - 100k | £70 - 90k | £75 - 85k | £70 - 90k | £85 - 95k |
| Network Security Specialist | £45 - 55k | £40 - 50k | £40 - 55k | £40 - 55k | £45 - 55k |
| Cyber Security Director | £130 - 170k | £110 - 120k | £110 - 130k | £120 - 130k | £120 - 130k |
| Penetration Tester | £70k - 85k | £60 - 80k | £70 - 90k | £50 - 80k | £65 - 85k |
| Data Protection | £45 - 55k | £40k - 50k | £45k - 55k | £45k - 50k | £45k - 55k |
| CSO | £150 - 200k | £130 - 150k | £40 - 180k | £140 - 150k | £140 - 160k |
| Technology Risk Consultant/Manager | £60 - 80k | £50 - 65k | £65 - 75k | £70 - 75k | £70 - 75k |
| Head of IT Risk | £90 - 120k | £80 - 1000k | £80 - 1100k | £90 - 100k | £90 - 100k |
| CHECK Team Leader | £70 - 90k | £60 - 75k | £70 - 90k | £70 - 80k | £70 - 80k |
| Business Continuity Manager | £55 - 70k | £50 - 60k | £40 - 50k | £50 - 60k | £55 - 65k |
| Incident Response Specialist | £50 - 65k | £45 - 60k | £50 - 60k | £50 - 50k | £50 - 60k |
| Head of Information Security | £90 - 120k | £80 - 100k | £90 - 110k | £90 - 100k | £90 - 100k |
| SOC Tier 1 Analyst | £30 - 45k | £30 - 45k | £30 - 35k | £35 - 40k | £30 - 35k |
| SOC Tier 2 Analyst | £35 - 50k | £35 - 50k | £35 - 45k | £40 - 50k | £35 - 45k |
| IA Consultant | £50 - 65k | £50 - 65k | £50 - 60k | £50 - 65k | £40 - 55k |
| Government Security Consultant | N/A | N/A | N/A | N/A | £50 - 80k |

APT hunting / CERT” and point it at SOC Analyst Tier 2

The information in Fig. 9 has been collected from a sample of over 5000 security professionals in the UK. The values stated are basic fixed salary.

The Most Prestigious: The Top 10 Most Prestigious Firms According To Vault

http://www.forbes.com/sites/susanadams/2015/09/03/the-most-prestigious-consulting-firms-2/#4578a63d7382
SEP 3, 2015

Vault.com, the career website, has released a ranking of the most prestigious consulting firms. A little like the Oscars, which turns to the movie industry to tally its votes, Vault’s list comes from a survey of consultants who are asked to rank their peers and competitors. Vault ran its survey for six weeks in March and April and gathered votes from 9,000 consultants at 65 North American firms. For the prestige ranking, consultants were not allowed to vote for their own firms, and they were asked only to rate firms with which they were familiar. They rated each firm on a scale of 1 (least prestigious) to 10. Vault has been running the survey for 14 years, and every year McKinsey has come out on top. In fact, the top four are unchanged from last year: McKinsey, Boston Consulting Group, Bain and Deloitte Consulting.

Why is prestige important in the consulting business? For job seekers, having McKinsey or Boston Consulting on a résumé can open up opportunities, as The New York Times or The Wall Street Journal would on a journalist’s CV. Also people simply care about prestige. For many people, their career defines them. They want to work for the most prestigious firms because of that.

The list is dominated by huge firms with workforces in the thousands and multiple worldwide offices. An exception: the Bridgespan Group, located on Boston’s Copley Place. The firm has 158 employees and its focus is the nonprofit sector. It spun off from Bain in 1999 but kept its ties to the firm. Bain consultants can take a leave and work six to 12 months at Bridgespan.

The Top 10
1. McKinsey & Company
2. The Boston Consulting Group
3. Bain & Company
4. Deloitte Consulting
5. Booz Allen Hamilton
6. PricewaterhouseCoopers
7. EY LLP Consulting Practice
8. Accenture
9. KPMG LLP (Consulting Practice)
10. IBM Global Business Services
  • 9. Q&A With Paul Wood MBE

• The Chief Risk and Compliance Officer at Bloomberg.
• 35 years’ experience in cyber sec risk space – Wide spectrum of experience at the highest level across a variety of industries – both public and private in government and notably within financial services.
• MBE for services to the government (MoD).
• Board of advisors / steering committee for a number of organisations including Global Cyber Alliance & SINET.
• Member of KPMG’s 1-4 initiative.
• Industry speaker known for his pragmatic and no-nonsense approach – known to challenge the status quo.

What are common cyber security concerns in the boardroom right now?
How effective is their cyber security controlled environment and how can they get a good understanding of the right things to tackle. Is the money being placed in the right areas to gain the right level of assurance? Have they got the right cyber security strategy in place, appointed the right people, right resources and made the right investment in tools? How can we get a measure of how successful that is? How do I know my CISO is doing the right thing?

Is there a way of quantifying ROI in cyber security?
Difficult to put real metrics generically across all industries. You need to understand the risk to your business and consider 4 main dimensions - Prevention, Detection, Response and Resilience/Recovery when facing a threat. Start to build metrics around how these business processes are improved. Has your tech you have invested in resolved a problem without increasing work load? It is often hard to really quantify ROI but look for business process improvements.

Is a risk based approach to cyber security the only way?
A risk based approach is the correct way of deciding on your investment. You need to evaluate the threats you face, understand totally what they are and understand the attack vectors you need to defend yourself against. Not all organisations would be susceptible to the same attacks. Then you take a risk based approach across the dimensions of detection, response and recover and decide how you are to align your efforts to address those threats.

It seems like we are seeing a lot more threat intelligence and analytics being introduced?
There is a big gap in this technology space. We go through phases where new technologies come to life trying to be the next great answer. Normally they emerge with no business case and there is no surprise that they often can’t deliver what they say “on the box”. Big Data and Analytics have not seen a clear winner. You must be conscious that vendors will try and sell you something but is it really going to achieve what they claim it will? You should consider if it has been fully embedded and there are implemented solutions to reinforce their claims. One area we need to improve is to understand the threat profile of an organisation. Greater consideration needs to be given to the strategic purpose, nature and capabilities of emerging threats. Some intelligence tools are useful but you need to do your own profiling – then find other intelligence sources to help you establish the threat vectors you face.

Many think that in order to understand threats you need to enquire internally first, do you agree?
The organisation needs to decide what it’s concerned about. What are our critical assets and what are the threats to these assets that could cause you to fail. Consideration should be given to who are the people who are likely to come after these assets. It is equally as important to determine the nature of your insider threat. They already have access to your systems, some will really control the keys to all your data. Boards don’t really consider this as much as they should.

What topics are being neglected at board level?
The regulated industries seem to have greater awareness but in general there is a basic understanding of what cyber security really means at board level. In fact, many organisations seem to have a false sense of security. Just because there’s a CISO and infrastructure in place they have to rely on their judgement that their investment is being used in the right way. In general boards do not understand the real threat and more importantly the real cost of a breach to their business. More needs to be done to understand where the threats are coming from and how they are protecting themselves. They will not succeed if they do not have systems in place to react and respond when things go wrong.

Is it fair to be accountable if you are restricted by budget restraints?
There’s not a never ending pot of gold for these problems, that’s why a risk based approach has to be applied. You have to understand your threats and utilise your resources within your budget constraints. In a lot of cases, education, training, awareness and process improvement don’t need budget. You can control risk by stopping people having access to things they don’t need access to and removing access when they leave the company. Budget is an issue but it shouldn’t be a full constraint. You have to take a holistic view on security and manage your investment in tech, process and people accordingly.

What’s been the most significant change in the cyber landscape and why?
Sophistication and the nature of the evolving threat landscape is the single biggest change. We are seeing more aggressive attacks for things we wouldn’t have expected and many of these are attributable to host nation attacks – Sony and Ashley Madison are great examples of this. The exposure of embarrassing emails had a huge effect on the organisation. Adversaries seem to always remain one step ahead. There is a lack of good technology to manage and understand the behaviour that takes place on networks. A number of technologies are emerging but this is still in its infancy.

Equality in security – is there a genuine skills gap?
I think it’s a genuine skills gap but I also think that the projections of numbers of people in cyber skills mean that we will be short of the number needed. We haven’t really been selling cyber security as a profession or career path for new graduates. On top of that we have a problem with attracting females. We have females in government awareness policy space but not in the technical aspects of cyber security. Hacking, architecture there aren’t enough. It’s not something females have been attracted to. Females bring a new dynamic to the team – any team that has a diverse group of people from all walks of life and a mix of males and females gives a more diverse view on how to tackle problems. We need to make it a more attractive industry to graduates and women and people from diverse backgrounds by showing it’s a really interesting industry to work in.

Any advice on the reporting line?
There is no one straight answer as each organisation needs to be considered objectively. What is clear is that it should be independent of the technology team. Reporting line has to have sufficient impact in the organisation to be able to hold and gain credibility and have a line of communication to management that’s influential to making things happen. The only reason why I’m reluctant to see infosec embedded with technology is because there can be a clash between what the technologist is trying to deliver to make business work, and what the security dimension of that technology might be. The technology team make the ultimate decisions at the top of the tree and security often is given the push to not happen and that’s why you have to operate independent of tech but in a reporting chain that’s meaningful to the organisation and has significant impact and clout to be recognised.

What’s been your key to success? What advice would you give to current CISOs or aspiring ones?
My key advice is understanding your business, the dynamics of the strategy of the organisation and align your security strategy to answer and allude to the strategy of the organisation. Be pragmatic about what you are trying to achieve. Don’t be the deliverer of doom and gloom – pick something from the business strategy and hook to it something that aligns to the security approach you are trying to take. Your job isn’t always to say no – it’s about how you can enable the business to do things in a secure way.

What’s the best way to get board level buy in?
You can’t go into a board room with scare tactics. Talk to them in the language they are used to – be pragmatic and open about challenges but be honest. They are employing you to make sure that what you say is meaningful and will protect the organisation. You need to speak the business language and understand the real risks and threats and explain them in plain English.
  • 10. Meet The Team: Cyber Security

Simon Kouttis, Manager, Cyber Security
As Manager of Stott and May’s Cyber Security recruitment division, Simon Kouttis is in charge of maintaining the team’s industry-leading reputation. Simon specialises in permanent placements with a global footprint, and senior executive appointments across the IT sector. Simon is currently heading up Stott and May’s Cyber Security Centre of Excellence, a one-of-a-kind training facility designed to produce recruitment specialists with unparalleled industry knowledge. A University of Reading graduate, Simon’s interests include golf, football, gourmet food and travel.

Oliver Kuehne, Manager, Cyber Security
An essential member of Stott and May’s world-leading Cyber Security recruitment division, Oliver’s vast network of highly experienced candidates enables him to place the best IT security sales professionals on the market. An expert at working with security vendors and re-sellers, he recruits at all levels of sales: Account Managers, VPs, Channel Specialists, and beyond. In his spare time, Oliver enjoys water sports in Brighton while spending time with his family and friends.

Andrew Gee, Executive Vice President, USA
Executive Vice President and Director Andrew joined the company in April 2011, after seven years working in International Business Development. He currently heads up the company’s New York Office. In his spare time, Andrew is an active sportsman and has won several awards for tennis, football and table tennis. Alongside his aid work in Sri Lanka, post-Tsunami, Andrew rates completing the London Marathon as one of his greatest achievements.

Stephen Stott, CEO & Founder
Prior to founding Stott and May, CEO Stephen Stott co-founded Huntress Search, a technology recruitment company. During this period, he established and took sole responsibility for EMEA and Asia operations, adding £60 million to company revenues, rose to Managing Director, and oversaw a $105 million 1st tier PE MBO by a 1st tier Investment Bank. Seeking a new challenge, Stephen launched Stott and May in December 2009, and in the years since, the company has firmly established itself as a leading executive recruitment business and grown to over £30m in revenue.