Harvey Nash UK & IRE Cyber Security Survey 2016

HARVEY NASH & PGI
CYBERSECURITY
SURVEY2016

Please note: For the purposes of the survey, cyber security is defined as an umbrella term encompassing information
security and information assurance.
CONTENTS
Executive summary 3
Findings infogram 4
The findings 6
Conclusion 9
About Harvey Nash and PGI 11
#HNCyberSurvey

EXECUTIVE SUMMARY
POSITIVE SIGNS THAT INFORMATION
SECURITY CAREERS ARE MORE STRATEGIC
Chief information security officers (CISOs) and their
colleagues are working hard to ensure that their senior
executives and their boards are aware of information
security risk. Almost one in five senior information
security professionals (18 per cent) now report to the
CEO, lending them strategic influence. This also has
a beneficial impact on the earning potential for these
senior information security professionals, who can
make up to 17 per cent more than colleagues who have
less strategic reporting lines.
INCREASED DEMAND FOR INFORMATION
SECURITY TALENT
Most respondents have solid confidence in their
information security skills; over half (54 per
cent) rated themselves ‘very strong’. Demand for
information security skills also remains robust,
with half of all hiring managers looking for security
architecture skills, up 6 per cent from last year.
LACK OF SECURITY-AWARE CULTURE IS A
REALITY FOR HALF OF ORGANISATIONS
Cultivating a security-aware culture is a critical
component of successful information security,
as confirmed by almost three-quarters of senior
information security professionals (73 per cent).
Unfortunately this is lacking for almost half (49 per
cent) of organisations and it appears that more lip
service is being employed than actual experts on
the ground who can deliver information security
cultural change.
SENIOR EXECUTIVES MUST DO MORE TO
EDUCATE THEMSELVES ON INFORMATION
SECURITY RISK
Senior technology leaders like the CIO (54 per cent)
and the CTO (48 per cent) are rated highest by senior
information security professionals as being ‘very
well informed’ of risk. This compares with only 27
per cent of CEOs and 25 per cent of COOs. Faith in the
CMO’s and CFO’s knowledge of information security
risk is even lower, with only 20 per cent of senior
information security leaders rating the CMO, and
19 per cent the CFO, as ‘very well informed’. And
despite boards apparently accepting responsibility
for information security risk, they are also rated
lowest for their risk awareness, at 17 per cent.
CYBER RISKS ARE NOT BEING INSURED
AGAINST
Only 19 per cent of senior information security
professionals at small firms (£50m or less revenue)
currently have cyber insurance, and at larger firms
(£500m+ revenue) the proportion is only 24 per
cent. In addition, almost half of senior information
security professionals (46 per cent) say they do not
expect to purchase cyber insurance in future. Boards
must demand a vigorous approach from their
executive team on cyber insurance that is equal to
the focus they give employer liability or fire and theft.
Boards must also demand more effective solutions
from insurers that cover notification costs, growing
regulatory costs, and costs associated with recovering
systems after a cyber breach, even if reputational costs
are more difficult to define and cover.
IMPROVEMENTS ARE BEING MADE BUT MORE
TALENT AND GREATER PACE ARE REQUIRED
We hope this report clearly defines both the
challenges and the opportunities facing senior
information security professionals, senior business
leaders and boards in the year ahead. Opportunities
certainly exist for effective senior information
security professionals to lead a cultural change,
moving their organisation toward a more security-
aware state and a proactive attitude to preparedness
and response. Businesses will quickly realise that
such talent remains scarce and is highly valuable.
Welcome to the second annual Harvey Nash and PGI Cyber Security Survey. We are indebted to almost
200 senior information security professionals who took the time to complete the survey and provide their
expert insight.
Stephanie Crates
Head of London Information Security Practice,
Harvey Nash
Brian Lord
Managing Director, PGI Cyber

Security architecture
Security training and awareness
Senior information security leaders
SOC analyst
Security engineering
Senior-level buy-in
Security-aware culture
Understanding true risk
42+58+T42%
50+50+T50%
87+13+T87%
73+27+T73%
58+42+T58%
34+66+T34%
39+61+T39%
33+67+T33%
Fastest-growing information security skill:
security architecture, up 6% in 12 months
HARVEY NASH & PGI CYBER SECU
Average
salary in industry
£99,141
INFORMATION
SECURITYSKILLS:
most in demand by
hiring managers
CISO
£125,962
Head of information security
£90,714
Informationsecuritymanager
£71,538 CRITICAL TO INFORMATION SECURITY SUCCESS

INCIDENT RESPONSE PROCESS TESTED
INVESTING IN CYBER INSURANCE
Monthly
Quarterly
Half yearly
Yearly
Less often
CIO
CTO
CEO
COO
CMO
CFO
Board
11+89+T11%
14+86+T14%
23+77+T23%
27+73+T27%
24+76+T24%
48+52+T48%
54+46+T54%
20+80+T20%
27+73+T27%
19+81+T19%
25+75+T25%
17+83+T17%
URITY SURVEY 2016 KEY FINDINGS
Smallcompanies
(£50m or less revenue)
Mid-sized
(£50m–£500mrevenue)
Large
(£500m+ revenue)
48%ofallseniorinformation
securityprofessionalshave
noplanstoinvestincyber
insurancein2016
MOST INFORMED ABOUT INFORMATION SECURITY
19+81+T19%
29+71+T29%
24+76+T24%

HARVEY NASH & PGI CYBER SECURITY SURVEY 2016
6
ABOUT THE RESPONDENTS
The survey audience of almost 200 senior information security professionals provides a wealth of experience
and insight. Approximately four in ten respondents are C-level executives with responsibility for information
security, 16 per cent are CISOs and 9 per cent are CIOs. A further 13 per cent are heads of information security,
while 15 per cent have management responsibility for information security.
Almost one in five (18 per cent) of the survey respondents report to the CEO, while a quarter (23 per cent) report
to the CIO. Ten per cent report to the CTO and 9 per cent report to the COO. Overall, 74 per cent of respondents
report directly to a C-level executive, indicating that in the majority of organisations information security
issues are taken seriously and business leaders are aware of their responsibility.
Majority of information security professionals report to a C-level executive
Chart 1.Who do you report to?
The information security sector remains male dominated: 89 per cent of respondents are men. This is in line
with the wider IT industry, although ongoing efforts are needed to encourage more women to consider careers
in IT and information security.
The survey population represents the full spectrum of businesses. Approximately one-third (36 per cent)
work for smaller organisations with less than £50m turnover, four in ten (39 per cent) work for mid-sized
organisations (£50m–£500m), and 25 per cent work for large organisations (£500m+).

INFORMATION SECURITY SKILLS
Most respondents have confidence in their information security skills: over half (54 per cent) rated themselves
‘very strong’, another four in ten (42 per cent) rated their ability ‘quite strong’ while only 4 per cent rated
themselves ‘not strong’. The information security skills most in demand in 2015 are ‘security architecture’.
Half of all hiring managers (50 per cent) are looking for these skills, up 6 per cent from last year. Over four in
ten (42 per cent) of respondents are in need of security training and awareness skills, while 39 per cent are also
looking to add senior information security leaders to their team.
Skills most in demand in 2015 compared with 2014
2015 2014
Security architecture 50% 44%
Security training and awareness 42% N/A
Senior information security leaders 39% 44%
SOC analyst 34% 41%
Security engineering 33% 34%
Governance, risk and compliance 31% 37%
Penetration testing 21% N/A
18+9+4+1+10+23+35+A
n CEO
n COO
n CRO
n CFO
n CTO
n CIO
n Other (Non C-Level)
18%
9%
4%
1%10%
23%
36%

7
Demand for security architects has been the fastest-growing information security skill during the past 12
months, with demand up 6 per cent compared with last year. However, demand for senior information
security leaders has fallen by 5 per cent during the same period. Given that both of these skills were in demand
by 44 per cent of hiring managers in 2014, it is likely that information security teams continue to be built
around the leaders hired last year. SOC analysts and compliance skills are both down 7 per cent this year,
suggesting that security architects have been under-represented in information security teams to date.
Shift in demand for skills in past year will benefit security architecture in 2016
What skills do you feel you are lacking?

INFORMATION SECURITY SKILLS: ACCREDITATION
For three in ten hiring managers (29 per cent) information security accreditation is an essential component
of the hiring process. For a larger proportion (57 per cent) a candidate with accreditation would be preferable,
although hiring managers will sometimes hire without it.
Most hiring managers prefer information security candidates with accreditation
When hiring people,how important is it for them to have some kind of accreditation?
However, when it comes to the range of information security accreditation offered there appear to be limited
options for candidates or employers to choose from. The vast majority of respondents identify CISSP as the top
accreditation, although there appears to be relatively limited choice.
CISSP dominates most valued accreditation
What accreditation do you value most?
-7%700=
-7%700=
-5%500=
-1%100=
600=6%
SOCAnalyst
Governance,riskandcompliance
SeniorCyberLeaders
SecurityEngineering
SecurityArchitecture
29+57+14+A
n Very important
n Quite important
n Not important
14%
29%
57%

8
INFORMATION SECURITY STATUS
A majority of senior information security professionals (81 per cent) believe a clear owner of information
security risk is identified within their organisation; this is unchanged from 2014. However, this also means
no progress has been made for approximately one in five organisations (19 per cent), threatening their ability
to prepare for, prevent, or respond to a cyber breach. For most organisations it is the IT function that retains
most responsibility for information security risk, although it is encouraging to see that over half (54 per cent) of
respondents state that their board has accepted responsibility for information security risk oversight.
Senior IT leaders and boards share responsibility for information security risk
Where does the responsibility for information security sit within your organisation?
Over half of senior information security professionals (56 per cent) are concerned at the lack of an effective
budget for information security, and 37 per cent said a lack of budget threatens information security
preparedness. Three-quarters (73 per cent) of senior information security professionals rate a lack of security-
aware culture as most critical to information security success. Unfortunately this is lacking for almost half
(49 per cent) of organisations. While almost nine in ten senior information security professionals (87 per cent)
identify senior-level and board buy-in to information security responsibility as key to success, fortunately only
28 per cent of respondents said this buy-in was currently lacking in their organisation.
Creating security-aware culture most critical (yet lacking) action
What are the top factors in ensuring a successful information security strategy within your organisation?
Senior technology leaders like the CIO (54 per cent) and the CTO (48 per cent) are rated highest by senior
information security professionals as being ‘very well informed’ of risk, compared with only 27 per cent of CEOs
and 25 per cent of COOs. Faith in the CMO’s knowledge of information security risk is even lower, with only 20 per
cent of senior information security leaders rating the CMO as ‘very well informed’. And despite boards accepting
responsibility for information security risk (see above) they are rated lowest for their risk awareness, at 17 per cent.
Only CIOs score above 50% for knowledge of information security risk
In your opinion how well informed on information security risk do you feel your senior leadership team are? Very well informed
IT
Board
ComplianceTeam
RiskManagers
1000=56%
960=54%
640=36%
600=34%
560=56%
370=37%
490=49%
730=73%
430=43%
580=58%
380=38%
310=31%
280=28%
870=87%
250=25%
50=5%
Effectivebudgetforcyber
Securityawareculture
Understandingtruerisk
Internalcyberskills
Seniorlevelbuyin
Externalsecurityservices
50=Lackingintheorganisation
50=KeytoSuccess
CIO
CTO
CEO
COO
CMO
CFO
Board
1000=54%
900=48%
540=27%
500=25%
400=20%
380=19%
340=17%

9
Despite lingering concerns regarding the thoroughness of senior executives’ awareness and understanding of
information security risk, all senior executive leaders are rated higher this year compared with last year. The only
group that has not shown progress in grasping the threat of information security risk is the board, possibly due to
their lack of exposure to the daily operations of the business. Most progress is being made by the CMO (up 15 per
cent in the past 24 months), probably as a result of increased investment in digital marketing and the associated
responsibility for managing greater volumes of data that is generated by online customer interactions.
CMOs show most improvement in information security risk awareness
2014 -2015 increase in leaders who are Very Well Informed of information security risk.

OUTSOURCING AND PARTNERING
Outsourcing partners are being relied on to deliver a wide range of information security services. Penetration
testing is, by far, the most likely information security service to be delivered by external partners; 78 per cent
of senior information security professionals currently outsource this, while 36 per cent outsource ‘monitoring’.
Fewer than one in ten senior information security professionals (9 per cent) currently externalise incident
management, and even fewer rely on outside talent to develop security strategy (3 per cent).
Penetration testing is the most outsourced information security service
Have you outsourced any element of information security? If yes,which ones?
Half of senior information security professionals (50 per cent) will outsource services because they can guarantee
subject matter expertise, while four in ten (41 per cent) use external partners due to a lack of in-house skills. Only one
in five respondents (22 per cent) outsource information security services as part of a wider managed service contract.
Most outsourcing decisions are based on acquiring valuable skills and expertise
To guarantee subject matter expertise 50%
Lack of in-house information security skills 41%
Not part of your core business 31%
To achieve cost savings 29%
As part of a wider managed service contract 22%
To meet legal or regulatory requirements 22%
Reasons for outsourcing information security
CMO
CIO
CEO
COO
CFO
CTO
Board
1000=15%
600=9%
470=7%
470=7%
267=4%
199=3%
0=0%
Penetrationtesting
Monitoring
Forensics
ThreatAssessments
NetworkSecurity
PhysicalSecurity
TrainingandAwareness
IncidentManagement
SecurityStrategy
780=78%
360=36%
320=32%
240=24%
230=23%
210=21%
130=13%
90=9%
30=3%

10
More than seven in ten senior information security professionals require conditions to be met by suppliers
that enhance the security of their technology infrastructure. Cloud technology providers are under the most
scrutiny; 79 per cent of respondents will include security requirements in any procurement, up 6 per cent this
year. Operational technology, hardware and software vendors are expected to provide security assurances by
more than 70 per cent of senior information security professionals.
Cloud technology providers under greater scrutiny to provide security assurances
What information security credentials do you ask for when selecting key suppliers and partners?
Information security considerations are playing a more central role in wider procurement decision-making.
Almost two-thirds of senior information security professionals (65 per cent) said security considerations
changed a procurement decision, up 11 per cent on the previous year. With high-profile security breaches
prominent in the media, it is clear that information security concerns are reaching far beyond IT.
Significant increase in security concerns changing procurement decisions
Have security considerations ever changed a procurement decision?

YOUR APPROACH TO INFORMATION SECURITY
There is little change in the proportion of senior information security professionals who think they have a
robust risk assessment process in place for their organisation. Three-quarters (76 per cent) are confident that
their risk assessment is strong, compared with 75 per cent who thought the same last year. More than eight in
ten senior information security professionals (81 per cent) are also confident that they know which assets need
most protection in their organisation, in line with 83 per cent last year.
With a majority of senior information security professionals apparently content with their approach to
information security processes, and no real plans to change, one might think that complacency risks becoming
a concern. This opinion is reinforced when it comes to the issue of cyber insurance.
Onlyaquarter(24percent)havecyberinsurance Almost half (46 per cent) have no plans to buy

Does your organisation have cyber insurance? Are you considering securing cyber insurance in the next 12 months?
790=79%
730=73%
760=76%
780=78%
720=72%
710=71%
Effectivebudgetforcyber
Securityawareculture
Understandingtruerisk
50=2015
50=2014
650=65%
540=54%
130=13%
310=31%
Yes
No
50=2015
50=2014
24+50+26+A
n Yes
n No
n Don't Know
26% 24%
50%
26+46+28+A
n Yes
n No
n Don't Know
28% 26%
46%

11
Only one in four senior information security professionals (24 per cent) are aware that their organisation
has secured cyber insurance. This is a surprisingly low proportion, especially when respondents have been
so adamant previously in this report regarding their robust operational preparedness and board oversight.
In addition, almost half of senior information security professionals (46 per cent) say they do not expect to
purchase cyber insurance in the next 12 months.
Only 19 per cent of senior information security professionals at small firms (£50m or less revenue) currently
have cyber insurance; this increases to 29 per cent at mid-sized firms (£50m–£500m revenue), and at larger firms
(£500m+ revenues) the proportion falls again, to 24 per cent.
Perhaps the cyber insurance products currently on offer are not mature enough to provide the coverage that
respondents are seeking, or perhaps senior information security professionals believe their colleagues in the
finance function should be primarily responsible for insurance coverage.
Whatever the reason, it is clear that with rising information security threat levels and growing regulatory
burdens that include compensation for customers affected by cyber breaches the market for insurance needs to
adapt to support these changes.
IS0 27001 is the most common regulatory compliance standard, used by 81 per cent of senior information
security professionals to mitigate information security risk, compared with 53 per cent who adhere to PCIDSS.
A similar proportion of senior information security professionals (79 per cent) are confident that they have
processes in place to identify vulnerabilities, up 4 per cent compared with last year.
Only slightly more senior information security professionals would describe their operational security
as proactive (54 per cent) compared with reactive (46 per cent). There is anecdotal evidence that more
organisations are insourcing their operational security to be more proactive – deploying hunting teams to find
possible risks. Yet it would appear that almost half of senior information security professionals remain content
to let the threats come to them rather than go out looking for trouble!
Almost half of respondents define approach to operational security as reactive
How would you describe your operational security?
Growing confidence that systems in place to identify new security vulnerabilities
Do you have systems in place to identify new security vulnerabilities in your technology?

2015
2014
790=97%
750=75%
54+46+A n Proactive
n Reactive54%
46%

12
ARE HUMANS THE WEAKEST LINK?
An overwhelming 89 per cent of senior information security professionals say their organisation is committed to
developing and maintaining an information security-aware culture. This is notable because almost half (49 per
cent) of respondents have already confirmed (earlier in this report) that this culture is lacking in their organisation.
Therefore, significant attention and investment must still be needed if this objective is to be achieved.
Ambition outpaces actuality in developing security-aware culture
Is your organisation committed to developing and maintaining an information security-aware culture?
Another healthy majority (72 per cent) of senior information security professionals report having a well-
defined incident response process that is communicated throughout the business. However, when asked how
often this process is tested, less than half admit to testing more than once a year, and a quarter (24 per cent)
disclose it has rarely – if ever – been tested.
Incident response process tested yearly or less frequently by 51 per cent
How often is this tested?
These responses indicate that humans certainly could be the weakest link in any information security process.
While everyone wants a robust incident response process in place, less than half are prepared to test and
improve it regularly. And while every senior information security professional would like a security-aware
culture at their organisation, earlier evidence suggests that other operational priorities are distracting senior
leaders from investing in training and development to achieve this cultural ambition.
Over a third of senior information security professionals (36 per cent) suffered a ‘business-affecting information
security incident’ this year, up from 33 per cent last year. Most senior information security professionals (73 per
cent) report that phishing or social engineering were the form of attack, while 53 per cent reported a virus or
malware outbreak. Almost a quarter experienced a DOS or DDOS attack.
89+7+4+A
n Yes
n No
n Don't Know
7%
4%
89%
Monthly
Quarterly
Halfyearly
Yearly
Lessoften
350=11%
850=23%
460=14%
1000=27%
880=25%

13
Most information security incidents include phishing, malware or DDOS
What business-affecting information securityincident occurred?
The implications of these incidents are serious for business operations and brand reputation. In more than
half of cases (56 per cent) the incident results in a loss of revenue or profit, and in 35 per cent a loss of customer
confidence inflicts less tangible – but equally serious – damage.
Information security investment plans appear to be aligned to the biggest threats; 50 per cent of senior
information security professionals will invest in penetration testing to prevent phishing and malware virus
attacks. However, over half (53 per cent) of senior information security professionals think regulatory bodies
are doing too little to provide useful guidance to help manage risk.
Less than four in ten believe regulatory bodies provide useful guidance
Do you feel the regulatorybodies that govern your organisation provide useful guidance to help you manage information securityrisk?
More needs to be done to support senior information security professionals to develop robust strategies and
processes. Yet there are worrying signs that while regulatory accreditation, board understanding, and proactive
planning are improving, the speed of improvement is not fast enough.
38+53+9+A
n Yes
n No
n Don't Know
53%
9%
38%
Phishing/socialengineering
Virus/Malwareoutbreak
DOS/DDOS
Serviceinterruption
Datalossincident
730=73%
530=53%
240=24%
200=20%
180=18%

14
INFORMATION SECURITY SALARIES
The average base salary for a senior information security professional is very slightly under £100k per year, at
£99,141. The growing importance of information security to organisational growth and stability, as well as a
growing awareness by senior business leaders and boards as to the value of exceptional information security
talent, is helping to define a positive opportunity for information security skills remuneration in the market.
Information security salaries by job title
Average base salary
CISO £125,962
Head of Information Security £90,714
Information Security Manager £71,538
What is your annual basic salary?
There is a clear salary advancement for senior information security professionals as they develop their career,
with the average information security manager earning over £70k per year in base salary, while a chief
information security officer can anticipate an average of £125k+ per year in base salary.
Information security salaries by reporting line
Average base salary
CEO £108,214
CIO £89,595
What is your annual basic salary? Byreporting line
In organisations that prioritise information security as a responsibility that rests with the CEO, there is an
opportunity to enhance salary for top information security professionals. Those who report directly to the CEO
often have the opportunity to operate strategically, but also enhance earnings by up to 17 per cent.
Information security salaries by gender
What is your annual basic salary?
Average base salary
Male £97,619
Female £115,714
In a positive finding for women in technology, female senior information security professionals report being
paid a higher average base salary than their male counterparts. With fewer women candidates available in
the talent pool, combined with a growing demand for diverse IT and leadership teams, female information
security professionals can expect to command a salary premium, especially for senior roles.

15

16
Harvey Nash Information Security Practice
Our Information Security practice is the newest of our specialist vertical teams,
and is run by consultants dedicated to this increasingly vital function. Over the
last 18 months, we’ve seen demand for information security related skill sets
increase by 70 per cent across the UK alone. This is a clear response to the ever-
changing threat landscape and the challenges our industry faces in keeping
data, information and assets secure. Our extensive global network and talent
pool means our team can provide tailored resourcing strategies to meet this
demand. Our Information Security team offer a complete end-to-end recruitment
service. We deliver both contract and permanent staff for technical, governance,
risk and strategic security skill sets. We have a successful track record of placing
professionals at global Chief Information Security Officer level through to Security
Operation Analysts. Our team are also heavily involved in thought leadership
and advisory services, and have contributed to articles written by Computing and
Bloomberg.
Stephanie Crates
Head of Information Security Practice, London
E: stephanie.crates@harveynash.com
T: 020 7333 1854
M: 07568 116387
James Walsh
Head of Information Security Practice, Birmingham
E: james.walsh@harveynash.com
T: 0121 717 1946
M: 07896 019475

17
PGI
PGI’s mission is to provide high quality, expert and proportionate services, including
raising security awareness and providing related certified education.
Whether you are a small company or large organisation, PGI can help make your
business as secure as it needs to be. Our team of world class cyber experts are some
of the best qualified in the country, allowing you to rest easy that you are in safe
hands with us.
We were also the first company in Europe to open its own cyber academy, a
building that gives us the opportunity to provide first class education and cyber
security training. PGI operates on a global scale and truly believes our motto,
‘making the world a safer place to do business’.
Whether you need intelligence, risk mitigation or physical security services, PGI is an
organisation you can trust to keep your organisation as secure as you need it to be.
www.pgitl.com

18

Harvey Nash UK & IRE Cyber Security Survey 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (6)

Similar to Harvey Nash UK & IRE Cyber Security Survey 2016

Similar to Harvey Nash UK & IRE Cyber Security Survey 2016 (20)

Recently uploaded

Recently uploaded (20)

Harvey Nash UK & IRE Cyber Security Survey 2016