Stott and May
Imagine Agile Expansion
Cyber Security Market Intelligence and Salary Survey
2016

Stott and May London
Eleventh Floor
5 Aldermanbury Square
London, EC2V 7HR
+44 (0) 207 496 3650
info@stottandmay.com
Introduction

Global Leaders In Cyber Security

Over the years we have been privileged to partner with the most ambitious and innovative cyber teams in the world. We have a thirst for offering the most compelling opportunities to the industry elite. Our results are a consequence of a unique mindset which enables more collaborative and strategic outcomes. Whether you are a candidate or a client, our approach is uniform. We start by considering your objectives: what is it you are trying to achieve, and why? Once we have fathomed your motivations we empower you to plan and execute your journey.

The advice that we offer is not always in our best interest. We operate at a level of transparency which has differentiated us from our competition. It has brought us trust and unparalleled loyalty from candidates and clients alike. This is the foundation that will make us an immovable force in this market for many years to come.

The purpose of this market report is to give context to the wider security market. We aim to raise awareness of key hinge points, highlight significant trends and be a trusted guide by which to make informed decisions for your business and career.

The survey has been compiled from information gathered by our team of expert consultants in 2015. We have also carried out external research and visited many of the international conferences. We have consolidated our findings to reinforce our commentary throughout.

Leaders: It is people that determine the future of business. Our industry experts help unearth the leaders of today.
Time: Our targeted and meticulous approach ensures that we safeguard your most precious commodity – Time.
Confidence: Unparalleled market insight is at the heart of everything that we do. We help you make well informed decisions.

Contents
6. Vendors Europe
8. Tech Focus
10. The Numbers
12. The Market
14. Q&A With Charlie Timblin

“If we always look for the same, we are never going to reap the value that diversity offers. Look for difference – you’ll be amazed at what you find.”
Charlie Timblin, WSS
Vendors Europe

The security vendor space is gathering momentum at a staggering pace. New and established vendors are all competing for market share and we are seeing some aggressive expansion campaigns. It seems that significant budget is still available to ensure a multi-layered and robust perimeter is at the heart of every security strategy. Many industry experts are coining the phrase “good hygiene”, which epitomises this notion.

Predictions For 2016-2017

• The skills gap will be offset by the relocation of candidates from other parts of Europe.
• We may see investment into the UK pause suddenly in anticipation of the results of the referendum in June.
• With vendor portfolios increasing we will see greater convergence of skills. This could lead to a more versatile workforce.
• Increased sourcing into vendors from resellers.
Comparison By Region

fig. 1: Salary Survey, Country Comparison (basic salary in thousands)

Country | Vendor Presales Basic GBP (£1000s) | Vendor Presales Basic EUR (€1000s) | Typical Vendor Territory Account Manager Sales Basic GBP (£1000s) | Typical Vendor Territory Account Manager Sales Basic EUR (€1000s)
Eastern Europe | 28 | 35 | 31 | 39
South Africa | 30 | 37 | 33 | 41
Israel | 38 | 48 | 34 | 43
Spain | 44 | 56 | 47 | 60
Italy | 49 | 62 | 47 | 60
France | 50 | 63 | 50 | 63
Netherlands | 56 | 71 | 52 | 66
Sweden | 60 | 76 | 53 | 67
Germany | 66 | 83 | 56 | 71
UK | 71 | 90 | 67 | 85
UAE | 85 | 107 | 69 | 88
Switzerland | 99 | 125 | 73 | 92

Survey taken from 50 employees in each region from Gartner Magic Quadrant vendors.
NORDICS & BENELUX
CEUR is a very steady market. The Netherlands is developing a reputation for versatile talent. The available talent pool has maintained salaries in this region and makes it an attractive option for a regional office. Belgium offers good language options but a limited candidate pool.

DACH
The DACH region maintains a significant appetite for security despite some tricky privacy laws. Germany remains the hub of this region; however, salaries in Switzerland are significantly higher. DACH has a strong hold in the IAM skills market, with many boutique consultancies branching out internationally.

SOUTHERN EUROPE
SEUR is seeing the least growth due to the economic crisis. Language, cultural barriers and tricky employment contracts have an effect.

UK & IRELAND
The UK remains the gateway into the EMEA market, with most vendors choosing this as their strategic base. Basic economics dictate inflated salaries higher than the rest of Europe.

EASTERN EUROPE
Eastern Europe and parts of Africa have seen an injection of investment, with many enterprise organisations outsourcing large parts of their infrastructure into these regions. Despite this, salaries remain the lowest in all of EMEA.

ISRAEL
The Israeli government is offering subsidies and the country has developed into a hotbed for cyber security start-ups. We are seeing a number of these flourishing on a global scale. Israel has many talented security professionals who are very good value for money.

MIDDLE EAST
The Middle East has the largest variation in salaries. Experts from other regions are setting salaries. We are likely to see a significant decrease in salaries in this region once the reliance on imported talent diminishes.
Technology Focus

As the threat surface swells and the sophistication of attacks evolves, innovation is essential. This is our pick of trending technologies, based on market intelligence gathered within our network.
CASB: The emergence of CASB is no surprise, as it helps to resolve a prominent problem within most enterprise environments: enabling organisations to administer policies and to protect cloud-based applications and shadow IT. We have seen the birth of many start-ups helping to address this, and it is likely that most of these will be swallowed up by established vendors, whilst some of those vendors have already begun developing their own capability.

Threat Intelligence & Analytics: Enhanced maturity levels are normally very labour-intensive. We are seeing a lot of innovation in automation and streamlined processes. Threat intelligence, machine learning and UEBA are all integral cogs in this evolution. The military and law enforcement seem to be a hotbed for talent, and we are seeing adaptation of tools, techniques and skills integrating into the private sector.

Deception based technologies: We have started to see different ways of identifying attacks, such as deception-based technologies. Whilst they are by no means a silver bullet, they boast a zero false-positive alert capability, which is compelling in its own right. Watch this space.

PAM: PKI and IAM are still key components. PAM is the evolution of these technologies with integration, and has applications which are relevant to restricting an attacker's mobility. Whilst PAM is not new to the market, it is reaching a level of momentum which needs to be acknowledged.
Emerging Trends

fig. 2: VC Investment in Million $, by Security / Cyber IT Company (bar chart covering Zscaler, Cybereason, Cylance, Team8, Darktrace, Countertack, Ironnet Cybersecurity, Argus Cyber Security, Digital Shadows, Morphick CyberSecurity and E8 Security; the individual bar values are not recoverable from this extraction).

fig. 3: Rising Venture Capital Interest In Cybersecurity Startups

Year | Investments (billions of dollars) | Number of deals
2010 | $0.8 | 108
2011 | $0.8 | 120
2012 | $1.2 | 156
2013 | $1.7 | 201
2014 | $2.5 | 240
2015 | $3.3 | 255

fig. 4: Top 5 VC Investors 2015 (the investors appear as logos and are not recoverable; the deal values shown are $228m, $210m, $202m, $149m and $110m).

Notable VC's
The numbers quoted in Fig. 4 refer to the value of deals that the quoted VC's have been involved in, as opposed to their individual contribution. Source: Crunchbase.com
The Numbers

Qualification Analysis

We have taken a sample of 100 job descriptions, choosing 4 companies from each of 5 Magic Quadrants. The purpose of the analysis is to demonstrate the type of skills which are most in demand. We have highlighted the difference between skills that are required and skills that are desirable.

Fig. 5 highlights the variations in salary relative to technologies. The numbers quoted are taken from a sample of 720 professionals from security vendors based in the UK. We have focused on 4 main areas and taken equal samples for each permutation. The salary sample was taken with consideration to a candidate's skills, as opposed to the technology vendor for whom they work. We have cleaned the data and adjusted it for ease of viewing. The numbers quoted refer to the fixed basic salary.

The Central Europe pre-sales table is an extension of the UK table. We have taken a sample of 720 professionals from 5 countries: France, Germany, Sweden, Spain and the Netherlands.

Figure … shows the variation in salaries relative to role. Numbers quoted are OTE based on a 50/50 split.
Qualification Analysis chart (Required vs Desirable): the skills compared across the 100 job descriptions were SCADA, IAM, GRC, Malware Analysis, HIPS, Endpoint, Forensics, DLP, Pentest / CEH, WAF, Scripting, SIEM, Vulnerability, DDoS, O/S, IPS, Core Networking, Proxy and Firewalls. The Required and Desirable counts for each skill cannot be reliably matched to the skill names in this extraction.

Salary Data

fig. 5: Cyber Security Pre Sales UK (fixed basic salary; column headings as printed: APT SIEM, NETWORK SECURITY, IAM SI & MSSP)

Role | APT / SIEM | Network Security | IAM | SI & MSSP | Typical Basic/Variable Split
Pre Sales Manager | £110-120k | £90-120k | £90-120k | £90-120k | 70/30 or 80/20
Principal Security Engineer | £85-110k | £65-95k | £85-110k | £85-120k | 70/30 or 80/20
Product Manager | £90-110k | £75-90k | £90-110k | - | 90/10
Solution Architect | £80-100k | £65-85k | £90-120k | £65-100k | 70/30
Principal Architect | £95-130k | £65-95k | £90-140k | £90-120k | 80/20
Enterprise Architect | - | - | - | £90-125k | 90/10
Security Engineer (delivery) | £40-65k | £40-65k | £50-75k | £50-75k | 90/10
Support | £30-50k | £30-50k | £30-50k | £30-50k | 95/5
Sales Specialist | £60-80k | £60-80k | £70-90k | £70-90k | 50/50 or 60/40

Cyber Security Pre Sales Central Europe (fixed basic salary, €1000s; same column headings as the UK table)

Role | APT / SIEM | Network Security | IAM | SI & MSSP
Pre Sales Manager | €120-140 | €100-130 | €120-140 | €100-130
Principal Security Engineer | €100-130 | €90-110 | €100-130 | €100-130
Product Manager | €120-140 | €90-110 | €120-140 | -
Solution Architect | €100-140 | €90-130 | €100-140 | €90-130
Principal Architect | €70-100 | €60-90 | €70-100 | €60-90
Enterprise Architect | - | - | - | €100-150
Security Engineer (delivery) | €50-80 | €40-65 | €60-90 | €50-80
Support | €30-60 | €30-60 | €30-60 | €30-60
Sales Specialist | €80-100 | €70-90 | €80-100 | €75-100

Cyber Security Sales UK & Europe (OTE based on a 50/50 split)

Role | UK Salary (OTE 50/50) | Europe Salary (OTE 50/50)
Enterprise Account Manager | £140-160k | €140-160k
Global Account Manager | £180-200k | €180-200k
Territory Account Manager / Regional Sales Manager | £120-140k | €120-140k
Channel Account Manager Tier 1, 2, 3 Reseller | £140-150k | €140-150k
Channel Account Manager MSP/SP | £150-160k | €150-160k
Sales Manager | £200-220k | €200-220k
Sales Director / Country Manager | £220-240k | €220-240k
EMEA Sales Director | £220-280k | €220-280k
VP Sales | £300-350k | €300-350k
Global Security: A Spotlight

The Top Five By Revenues According To Gartner 2015
1. Symantec with $3.69 billion in revenues, 17.2% market share, and a (-1.3%) decline in growth
2. Intel Security with $1.825 billion in revenues, 8.5% market share, and 4.5% growth
3. IBM Security with $1.486 billion in revenues, 6.9% market share, and 17% growth
4. Trend Micro with $1.052 billion in revenues, 4.9% market share, and a (-5.9%) decline in growth
5. EMC (includes its RSA business) with $798 million in revenues, 3.7% market share, and 5% growth
Sources: MicroMarketMonitor, Gartner, Markets and Market, Visiongain

$35.53 billion: estimated value of the Europe cyber market by 2019
26.95%: Europe's share of the global market value
$101 billion: world spend on information security by 2018
$170 billion: estimated cyber security market by 2020
9.8%: global compound annual growth rate 2015-2020
$35.7 billion: revenues the next generation cyber security market will generate in 2016
The chart below shows the breakdown of the top 5 sectors by incidents, which accounted for approximately 75% of all sector-specific incidents. Financial services and govt/wider public sector remain the two highest sectors, while we had no reported incidents occur this quarter in the civil nuclear and legal sectors. Once again, we do not assess these to be a representation of UK cyber health, but rather a reflection of the good communication and information sharing that we see in each sector.

Good communications with the top 5 sectors means they account for 75% of all incidents reported.

fig. 7: Top 5 Sectors By Incident Type, Cert UK Attacks By Sector, June 2015 (stacked bar chart; y-axis: % of Sector Distribution; sectors: Financial Services, Govt/Wider Public Sector, Communications, Managed Services, Professional Services; incident types in the legend: Website - Defacement (Passive); Website - DoS / DDoS; Website - Defacement (Active); Vulnerability - Un-patched; Network - Compromise of infrastructure; Malware - Unknown/Unidentified; Malware - Known/Identified; Email - Suspicious/SPAM/Phishing; Email - Spear-Phishing; Data - Exfiltration; Abuse - Unsecured infrastructure; Abuse - Credentials; Abuse - Attacker infrastructure. The bar values are not recoverable from this extraction.)

fig. 8: Banking Malware Attacks, countries by percentage of users targeted

Country | % of users targeted
Singapore | 11.6
Switzerland | 10.6
Australia | 10.1
Brazil | 9.8
Hong Kong | 9.0
South Africa | 8.2
Spain | 5.4
UK | 5.1
Italy | 5.0
Germany | 3.8
US | 3.2
France | 2.9
Japan | 2.5
Russia | 2.0
Q&A 60 SEC's: Charlie Timblin
WSS (Women's Security Society) Co-Founder

Q&A With Charlie Timblin

What can be done to combat the inequality that still exists in security?

I suppose my answer covers not only the gender equality issue, but also the lack of diversity as a whole within the profession. We need to translate words to action. Security leaders who are recruiting should not be fearful of mixing things up a little! Diversity is needed not only from a gender perspective but from a background, competency and skillset perspective, and that means looking for different talent pipelines and wording job specifications differently – avoid ‘techno-babble’ and a proliferation of sometimes unpronounceable certs for entry level positions! Apprentice schemes are out there, but they are few and far between and often written in a way that either discounts individuals without a degree in computer science or encourages individuals to discount themselves. I’d like to see more apprenticeship schemes which provide entry level opportunities that consider alternates to the traditional graduate pipeline. If there aren’t enough graduates (irrespective of gender) we need to recognise skill sets and competencies that can be developed and find a way to advertise entry level roles to target individuals that possess key competencies, transferable skills, drive, passion, a willingness to commit to be trained, mentored, developed, evolved. Lift up the stones and see what’s beneath, invest time in approaching things differently, don’t simply define talent as a standard package at entry level. If we always look for the same, we are never going to reap the value that diversity offers. Look for difference – you’ll be amazed at what you find.

Is this an issue that needs to be addressed at Graduate level?
I’m inclined to suggest focusing purely on the graduate
pipeline could limit diversity. We know from data
available that representation at UK Universities by
individuals from low income families and minority
backgrounds is low, too low. Hence, recruiting only from
a grad talent pipeline potentially limits diversity and fails
to recognise untapped talent that just hasn’t had an
opportunity to realise their potential yet! I’d suggest a
common set of agreed upon job titles, with an overview
of tasks and responsibilities is developed by a global
professional body and organisations commit to use this
as a common body of knowledge (CBOK). This should
be supported with guidance on access via the graduate
and non-graduate routes. Grads should be provided
careers advice together with advice as to how they can
embrace current approaches to networking and job
hunting. They should be mentored on how to craft a
LinkedIn profile, on LinkedIn ‘protocols’, how to leverage
LinkedIn groups, how to search for roles, find events/
forums to attend and how to network (virtually and
physically), with confidence. I’d like to see universities
actively marketing their grads.
Is enough being done to entice women pursuing
a career in security?
No, I don’t believe enough is being done to entice
women (or individuals from diverse backgrounds) into
security. Returning to work mothers, for example, are a
wealth of untapped talent. Many have transferable skill
sets or past technology experience – most, if not all, are
unaware of the new ‘cyber world’ and how they could
potentially add value. We all see the stats regarding the
low volumes of females opting for STEM subjects. So,
if you want to entice women into security and there
aren’t sufficient numbers available from the grad route,
actively consider and search for different potential from
other professions. I don’t have a degree in computer
science (yet... the future - maybe). I read voraciously, I’m
analytical, I apply critical thinking, I learn, I collaborate,
ask questions and seek answers (constantly), engage
with SMEs and learn from them. I have sought
professional certs after understanding which ones are
right for my role. I’m not from the ‘traditional’ IT risk
background and I like that. I work in IT Risk because
someone [a leader] saw passion and competencies in
me that he knew could be enhanced and built upon. He
gave me an opportunity.
What is the WSS doing to break the mould?
What I believe sets the WSS apart is we recognise the
word ‘security’ has many facets and that individuals
operating within security really need to be multi-
dimensional hence, we try to make our events attractive
to individuals from multiple professions. Despite our
name, the drive for diversity isn’t solely focused on
gender. All our events are free, we don’t charge at all for
attendance. Solely due to the generosity of our sponsors.
We ask our speakers to remain at events and to actively
network with individuals, to be available, to connect. The
WSS board has full time jobs, and families – delivering
events for the WSS sometimes has an adverse impact
on our spare time (and stress levels!) But we don’t mind
about that, because we want to make a difference, we
want to help make the security profession a great place
to be or to interact with.
Are there particular certifications you would
encourage graduates / women to pursue?
Certifications are role specific. Often you see people
being guided by marketing material. I’d encourage
individuals to research roles. Then, once they have
an idea on the type of role they wish to perform, to
research certifications, not with training providers but by
networking with individuals who are performing those
roles.
What topics are being neglected/missed at
board level?
I think board discussions on talent should be
encouraged (wherever practicable). I’m a great believer
in talking positively to others about talent. When you
see someone with potential, speak out. The sharing of a
name, does wonders for the exposure of that individual.
It’s a low effort, high return way of sponsoring an
individual that has potential.
Your views on the subject of equality in security
– Are there challenges/opportunities or is it a
genuine skills gap?
The topic is out there and that introduces great
opportunity. There are some fab bloggers and advocates
(Jane Frankland being a fantastic front runner here).
Discussion and debate eventually prompts action and
change. When hiring managers recruiting entry level or
junior positions opt for the pre-packaged candidate as
opposed to an individual they can develop, the skills and
gender gap situation is propagated.
Information Security UK Only Salary Survey Numbers

The information in Fig 9 has been collected from a sample of over 5000 security professionals in the UK. The values stated are basic fixed salary.

fig. 9: UK information security salaries by sector

Role | FS / Banking | Consulting / Professional Services | Telco | Legal | Public Sector
CISO | £140-180k | £120-140k | £130-150k | £130-150k | £130-150k
CIO | £150-200k | £130-150k | £150-180k | £140-160k | £140-150k
IT Security Manager | £65-75k | £55-65k | £65-75k | £60-70k | £65-75k
Information Security Manager | £60-80k | £60-70k | £60-80k | £65-75k | £50-80k
PCI DSS Specialist | £50-65k | £45-55k | £50-65k | £50-55k | £50-65k
QSA | £70-80k | £60-70k | £70-80k | £60-80k | £50-80k
CLAS Consultant (CCP) | n/a | n/a | £70-90k | n/a | £70-90k
Information Security Consultant | £50-60k | £45-50k | £50-60k | £50-60k | £50-60k
IT Security Analyst | £45-50k | £40-50k | £40-50k | £45-50k | £45-50k
Security Architect | £75-90k | £65-80k | £70-90k | £70-80k | £70-80k
Application Security Specialist | £80-100k | £70-90k | £75-85k | £70-90k | £85-95k
Network Security Specialist | £45-55k | £40-50k | £40-55k | £40-55k | £45-55k
Cyber Security Director | £130-170k | £110-120k | £110-130k | £120-130k | £120-130k
Penetration Tester | £70-85k | £60-80k | £70-90k | £50-80k | £65-85k
Data Protection | £45-55k | £40-50k | £45-55k | £45-50k | £45-55k
CSO | £150-200k | £130-150k | £40-180k | £140-150k | £140-160k
Technology Risk Consultant/Manager | £60-80k | £50-65k | £65-75k | £70-75k | £70-75k
Head of IT Risk | £90-120k | £80-1000k | £80-1100k | £90-100k | £90-100k
CHECK Team Leader | £70-90k | £60-75k | £70-90k | £70-80k | £70-80k
Business Continuity Manager | £55-70k | £50-60k | £40-50k | £50-60k | £55-65k
Incident Response Specialist | £50-65k | £45-60k | £50-60k | £50-50k | £50-60k
Head of Information Security | £90-120k | £80-100k | £90-110k | £90-100k | £90-100k
SOC Tier 1 Analyst | £30-45k | £30-45k | £30-35k | £35-40k | £30-35k
SOC Tier 2 Analyst | £35-50k | £35-50k | £35-45k | £40-50k | £35-45k
IA Consultant | £50-65k | £50-65k | £50-60k | £50-65k | £40-55k
Government Security Consultant | N/A | N/A | N/A | N/A | £50-80k

The Most Prestigious

http://www.forbes.com/sites/susanadams/2015/09/03/the-most-prestigious-consulting-firms-2/#4578a63d7382
SEP 3, 2015

Vault.com, the career website, has released a ranking of the most prestigious consulting firms.

A little like the Oscars, which turns to the movie industry to tally its votes, Vault’s list comes from a survey of consultants who are asked to rank their peers and competitors. Vault ran its survey for six weeks in March and April and gathered votes from 9,000 consultants at 65 North American firms.

For the prestige ranking, consultants were not allowed to vote for their own firms, and they were asked only to rate firms with which they were familiar. They rated each firm on a scale of 1 (least prestigious) to 10.

Vault has been running the survey for 14 years, and every year McKinsey has come out on top. In fact, the top four are unchanged from last year: McKinsey, Boston Consulting Group, Bain and Deloitte Consulting.

Why is prestige important in the consulting business? For job seekers, having McKinsey or Boston Consulting on a résumé can open up opportunities, as The New York Times or The Wall Street Journal would on a journalist’s CV. Also people simply care about prestige. “For many people, their career defines them,” says Stott. “They want to work for the most prestigious firms because of that.”

The list is dominated by huge firms with workforces in the thousands and multiple worldwide offices. An exception: the Bridgespan Group, located on Boston’s Copley Place. The firm has 158 employees and its focus is the nonprofit sector. It spun off from Bain in 1999 but kept its ties to the firm. Bain consultants can take a leave and work six to 12 months at Bridgespan.

The Top 10 Most Prestigious Firms According To Vault
1. McKinsey & Company
2. The Boston Consulting Group
3. Bain & Company
4. Deloitte Consulting
5. Booz Allen Hamilton
6. PricewaterhouseCoopers
7. EY LLP Consulting Practice
8. Accenture
9. KPMG LLP (Consulting Practice)
10. IBM Global Business Services
Q&A With Paul Wood

• The Chief Risk and Compliance Officer at Bloomberg.
• 35 years’ experience in the cyber security risk space – a wide spectrum of experience at the highest level across a variety of industries, both public and private, in government and notably within financial services.
• MBE for services to the government (MoD).
• Board of advisors / steering committee for a number of organisations, including the Global Cyber Alliance & SINET.
• Member of KPMG’s 1-4 initiative.
• Industry speaker known for his pragmatic and no-nonsense approach – known to challenge the status quo.
What are common cyber security concerns in the
boardroom right now?
How effective is their cyber security controlled
environment and how can they get a good
understanding of the right things to tackle. Is the money
being placed in the right areas to gain the right level of
assurance? Have they got the right cyber security strategy
in place, appointed the right people, the right resources and
made the right investment in tools? How can we get a
measure of how successful that is? How do I know my
CISO is doing the right thing?
Is there a way of quantifying ROI in cyber security?
Difficult to put real metrics generically across all
industries. You need to understand the risk to your
business and consider 4 main dimensions - Prevention,
Detection, Response and Resilience/Recovery when
facing a threat – Start to build metrics around how these
business processes are improved. Has the tech you have
invested in resolved a problem without increasing work
load? It is often hard to really quantify ROI but look for
business process improvements.
Is a risk based approach to cyber security the only way?
A risk based approach is the correct way of deciding on your
investment. You need to evaluate the threats you face,
understand totally what they are and understand the
attack vectors you need to defend yourself against. Not
all organisations would be susceptible to the same
attacks. Then you take a risk based approach across the
dimensions of detection, response and recovery and decide
how you are to align your efforts to address those threats.
It seems like we are seeing a lot more threat
intelligence and analytics being introduced?
There is a big gap in this technology space. We go
through phases where new technologies come to
life trying to be the next great answer. Normally they
emerge with no business case and there is no surprise
that they often can’t deliver what they say “on the box”.
Big Data and Analytics have not seen a clear winner.
You must be conscious that vendors will try and sell
you something but is it really going to achieve what
they claim it will? You should consider if it has been
fully embedded and there are implemented solutions
to reinforce their claims. One area we need to improve
is to understand the threat profile of an organisation.
Greater consideration needs to be given to the strategic
purpose, nature and capabilities of emerging threats.
Some intelligence tools are useful but you need to do
your own profiling – then find other intelligence sources
to help you establish the threat vectors you face.
Many think that in order to understand threats you
need to enquire internally first, do you agree?
The organisation needs to decide what it’s concerned
about. What are our critical assets and what are the
threats to these assets that could cause you to fail.
Consideration should be given to who are the people
who are likely to come after these assets. It is equally as
important to determine the nature of your insider threat.
They already have access to your systems, some will
really control the keys to all your data. Boards don’t really
consider this as much as they should.
What topics are being neglected at board level?
The regulated industries seem to have greater awareness
but in general there is a basic understanding of what
cyber security really means at board level. In fact, many
organisations seem to have a false sense of security. Just
because there’s a CISO and infrastructure in place they
have to rely on their judgement that their investment
is being used in the right way. In general, boards do not
understand the real threat and more importantly the
real cost of a breach to their business. More needs to be
done to understand where the threats are coming from
and how they are protecting themselves. They will not
succeed if they do not have systems in place to react
and respond when things go wrong.
Is it fair to be accountable if you are restricted by
budget restraints?
There’s not a never ending pot of gold for these
problems, that’s why a risk based approach has to be
applied. You have to understand your threats and utilise
your resources within your budget constraints. In a lot
of cases, education, training, awareness and process
improvement don’t need budget. You can control risk
by stopping people having access to things they don’t
need access to and removing access when they leave
the company. Budget is an issue but it shouldn’t be a full
constraint. You have to a take a holistic view on security
and manage your investment in tech, process and
people accordingly.
What’s been the most significant change in the cyber
landscape and why?
Sophistication and the nature of the evolving threat
landscape is the single biggest change. We are seeing
more aggressive attacks for things we wouldn’t have
expected and many of these are attributable to host
nation attacks – Sony and Ashley Madison are great
examples of this. The exposure of embarrassing emails
had a huge effect on the organisation. Adversaries seem
to always remain one step ahead. There is a lack of good
technology to manage and understand the behaviour
that takes place on networks. A number of technologies
are emerging but this is still in its infancy.
Equality in security – is there a genuine skills gap?
I think it’s a genuine skills gap but I also think that
the projections of numbers of people in cyber skills
mean that we will be short of the number needed. We
haven’t really been selling cyber sec as a profession or
career path for new graduates. On top of that we have
a problem with attracting females. We have females
in government awareness policy space but not in the
technical aspects of cyber sec. Hacking, architecture
there aren’t enough. It’s not something females have
been attracted to. Females bring a new dynamic to the
team – any team that has a diverse group of people from
all walks of life and a mix of males and females gives
a more diverse view on how to tackle problems. We
need to make it a more attractive industry to graduates
and women and people from diverse backgrounds by
showing it’s a really interesting industry to work in.
Any advice on the reporting line?
There is no one straight answer, as each organisation
needs to be considered objectively. What is clear is
that it should be independent of the technology team.
Reporting line has to have sufficient impact in the
organisation to be able to hold and gain credibility and
have a line of communication to management that’s
influential to making things happen. The only reason
why I’m reluctant to see info sec embedded with
technology is because there can be a clash between
what the technologist is trying to deliver to make
business work, and what the security dimension of that
technology might be. The technology team make the
ultimate decisions at the top of the tree and security
often is given the push to not happen and that’s why you
have to operate independent of tech but in a reporting
chain that’s meaningful to the organisation and has
significant impact and clout to be recognised.
What’s been your key to success? What advice would you give to current CISOs or aspiring ones?
My key advice is to understand your business and the dynamics of the strategy of the organisation, and to align your security strategy to answer and allude to the strategy of the organisation. Be pragmatic about what you are trying to achieve. Don’t be the deliverer of doom and gloom – pick something from the business strategy and hook to it something that aligns to the security approach you are trying to take. Your job isn’t always to say no – it’s about how you can enable the business to do things in a secure way.
What’s the best way to get board-level buy-in?
You can’t go into a board room with scare tactics. Talk to them in the language they are used to – be pragmatic and open about challenges but be honest. They are employing you to make sure that what you say is meaningful and will protect the organisation. You need to speak the business language and understand the real risks and threats and explain them in plain English.
Q&A With Paul Wood MBE
Meet The Team
Cyber Security
Simon Kouttis
Manager, Cyber Security
As Manager of Stott and May’s Cyber Security recruitment division, Simon
Kouttis is in charge of maintaining the team’s industry-leading reputation.
Simon specialises in permanent placements with a global footprint, and senior
executive appointments across the IT sector. Simon is currently heading up
Stott and May’s Cyber Security Centre of Excellence, a one-of-a-kind training
facility designed to produce recruitment specialists with unparalleled industry
knowledge. A University of Reading graduate, Simon’s interests include golf,
football, gourmet food and travel.
Oliver Kuehne
Manager, Cyber Security
An essential member of Stott and May’s world-leading Cyber Security recruitment division, Oliver’s vast network of highly experienced candidates enables him to place the best IT security sales professionals on the market. An expert at working with security vendors and resellers, he recruits at all levels of sales: Account Managers, VPs, Channel Specialists, and beyond. In his spare time, Oliver enjoys water sports in Brighton while spending time with his family and friends.
Andrew Gee
Executive Vice President, USA
Executive Vice President and Director Andrew joined the company in April 2011, after seven years working in International Business Development. He currently heads up the company’s New York Office. In his spare time, Andrew is an active sportsman and has won several awards for tennis, football and table tennis. Alongside his aid work in Sri Lanka, post-tsunami, Andrew rates completing the London Marathon as one of his greatest achievements.
Stephen Stott
CEO & Founder
Prior to founding Stott and May, CEO Stephen Stott co-founded Huntress Search, a technology recruitment company. During this period, he established and took sole responsibility for EMEA and Asia operations, added £60 million to company revenues, rose to Managing Director, and oversaw a $105 million first-tier PE MBO by a first-tier investment bank. Seeking a new challenge, Stephen launched Stott and May in December 2009, and in the years since, the company has firmly established itself as a leading executive recruitment business and grown to over £30m in revenue.