The average wage paid by the UK's top cybersecurity providers now tops £60,000, a figure that is up nearly 10 per cent on an annual comparison.
That's one of the headline findings of CRN's 2018 Cybersecurity Provider Report, which gives an in-depth view of the UK's top boutique cybersecurity providers and the trends that will shape their businesses in 2018.
According to our recent Staff and Salaries study, average wages across the UK's top 250 resellers, MSPs and consultancies in their last reported financial years rose by an inflation-equalling 2.2 per cent to £46,140.
Those specialising in cybersecurity, however, have had to increase salaries far above that level to retain and attract staff, with average (mean) wages among those who disclosed the relevant data ballooning 9.74 per cent to £60,709 in their last reported financial years.
That mirrors a wider 10 per cent annual spike in UK cybersecurity salaries recorded by recruitment firm Hayes last November. It fingered the cybersecurity skills shortage as the cause.
NTT Security, which is among the top providers featured in the report, said retention bonuses and increased guaranteed commissions it paid out in its fiscal 2017 added £3m to its UK wage bill.
Speaking to us for the Cybersecurity Provider Report, Guy Golan, CEO of South Africa-based cybersecurity provider Performanta, which has a 38-employee UK operation, admitted that providers are under as much pressure as end users are when it comes to the war for talent.
He said this had prompted Performanta to form a cybersecurity skills academy.
"The market is feeling the pressure - there is no question about that," he said.
"We don't want to get into that rat race of head hunting people and - even worse - getting people who aren't worth it whose salaries have doubled in a very short period of time. So we have ‘bred' 38 people in a period of nine months and these people have in nine months the equivalent of three years' experience. Historically, when you finish [cybersecurity training] you're sucked into a vendor discussion. But when we breed these people we are looking at security holistically, which alleviates a lot of the pressure that some others in the market are under. We haven't head hunted for three years."
At 2.6 per cent, average margins among the UK's leading cybersecurity providers are the lowest of all five specialist sectors CRN is analysing in a series of mini-reports available to CRN Essential subscribers over the coming months.
Leading providers we spoke to complained that the prices they can charge for their services are not necessarily rising in line with wages.
"For contracts we negotiated three years ago, we are still charging the customer a similar amount today, and are probably doing between 30 and 40 per cent more work in those environments," said Tom Millar, CEO of ITC Secure Networking.
"There's a point at which we all need to face up to the fact that delivering good security operations is expensive, and is getting more so."
Millar said ITC's goal now is to do more things with big data and analytics and less with humans, which he said would help to restore parity in the battle against rising wages, and boost service levels.
"We are going to see much more investment from MSSPs into more analytics- and big data-driven security, rather than traditional SIEM-type security, to minimise the risk some of this very sophisticated malware can deliver," he said.
"We will also charge more for the services that we deliver. A lot of companies have chopped and chopped and chopped, and security operations have been hit by cheaper providers coming into the market. But I think the market will right itself - the people who are doing it properly will rise to the top and the people messing around will either disappear or have to change their business models."
David Lannin, director of technology at Sapphire, argued that those providing managed services around commodity items such as firewalls have been hardest hit by margin pressure.
"The offerings we put out tend to be much more specialist, so we're not having to compete in a race to the bottom to offer these really tight margins to win business," he said. "The average day rate for a security consultant is probably £1,000 or £1,500. If you start selling that on a CISO-as-a service basis, you can double or treble that quite easily, so it's being able to pick what you are selling."
A full breakdown of what is happening to wages, headcount, profits and revenues across the UK's leading boutique cybersecurity providers can be found in our Cybersecurity Provider Report, which is available only to subscribers of CRN Essential.
CRN Essential subscribers will also unlock access to our Staff and Salaries study and profiles and analysis of the UKs Top 250 resellers, as well as regular monthly and quarterly round-ups of the main news and trends affecting the UK channel, a free taster of which can be viewed here.
Struggling security titan makes three board appointments after investor took 5.8 per cent stake last month
Commvault ousted its CEO in May and has since undergone a radical refocus
As employees demand more flexible working environments, CRN asks how the channel is adapting to the changing working landscape
Wall Street less than impressed with Oracle's growth as cloud numbers remain hidden