Penetration testing has been an area that in recent years has boomed. Generally there has been consistent demand primarily from the consultancies that offer this service and also from some end-users who directly employ penetration testers. However, there has been a slow down as the bulk of employers of pen testers, boutique as well as global consultancies, have become more cautious. Also many security practitioners have a fear (though most often perceived as opposed to real) about moving jobs during a recession. As a result less penetration testers are leaving their positions, resulting in fewer roles to backfill.

Managed Security Services (MSS) and Security as a Service (SaaS) are market areas which are less likely to be negatively affected by the recession. While companies do not wish to spend IT budgets on new technologies and implementing, integrating, configurating and managing those technologies in-house, it makes financial sense to outsource. There has been more recruitment in these areas in the last year, and we expect it to continue at all levels from senior management though to hands-on operational roles.


Other areas of growth for 2009 include companies looking to recruit their first Information Security Officer, usually a stand alone post with no direct reports, reporting into the COO, Head of Risk or CIO. Such roles have been created due to PCI compliance, FSA regulation and to counter the reputational risk of data leakages. Also following data leakages, the Hannigan Report which highlighted improvements such as increased encryption, penetration testing and a raised awareness of information security across government departments, should create more roles in the public sector. In addition the private sector has responded to this by investing in privacy personnel and aligning with ISO 27001 which is also likely to create new business critical positions. The contract security market, although previously experiencing a slowdown has begun to pick up and is likely to continue to do so, particularly in the public sector.

Overall 2009 will see a decline in the creation of new vacancies and as such the pool of redundant information security practitioners will increase. However as information security is essential to business many positions are secure and back filling of certain open roles will need to occur. Whilst information security will not be as badly affected as other areas, any upturn in recruitment generally does not occur until a recession is over. It is hard therefore to predict how long the market will remain subdued.