HM Treasury is advertising for a Head of Cyber Security, with a salary band of £50,550 - £57,500.
The salary has triggered a fresh outcry among security professionals about the widening gap between the public and private sectors, where triple that salary would not be unusual in many industry verticals.
Of over 600 senior government officials on the most recent Cabinet Office spreadsheet of civil servants earning over £150,000, just one has “cyber” in their title – and a quick check by The Stack shows that they were a contractor and have now left their role for a job in the private sector as a CIO in an insurance company.
(The list also includes two CISOs and six CIOs.)
The advert comes after another HMG agency advertised a Chief Digital and Information Officer (CDIO) role with a £54k-£62k salary band earlier this year; around a quarter of what an equivalent private sector position can command, where many comfortably achieve over £200,000 depending on the industry and company scale.
HM Treasury Head of Cyber Security role
HM Treasury Head of Cyber Security’s responsibilities will include “leading monitoring, response and vulnerability management operations for HM Treasury corporate IT systems” and embedding “secure principles to protect HM Treasury information” among other critical tasks that come amid heightened threats.
Despite the responsibilities (including “design and governance of red-teaming and threat-hunting activity”), HM Treasury appears to tacitly acknowledge that the role is a capabilities-building one for a civil servant taking a step up, with direct management of “two cyber security apprentices” rather than a large internal team.
Joe Honey, Talent Manager, Searchlight Cyber, said in an emailed comment: "An experienced SOC Analyst, with no management or leadership experience, is likely to be earning £40-60k or more, which demonstrates how much this role is in need of a review. Additionally, the job description is quite unclear. Is this a role to build a security function, or to manage an existing SOC and the associated monitoring and incident response capability?
"This may seem like a slight distinction; however, there are significantly different skill sets involved in building that kind of infrastructure from scratch, and it will ultimately affect the type of candidate the Treasury needs."
The National Cyber Security Centre (NCSC)’s CEO Lindy Cameron has described ransomware as the most acute threat facing the country and cybersecurity incidents have triggered the majority of recent British government “Cobra” crisis management meetings. A ransomware attack every three weeks (18 incidents in 12 months) meanwhile “required a nationally coordinated response” last year, according to the NCSC’s annual report.
Owanate Bestman, director of specialist cybersecurity talent network Bestman Solutions, told The Stack: "The equivalent in the private sector is likely to be £120-£140k. Of course we would need to take into account aspects such as industry sector, reporting lines, maturity of the function and the typical profile they will consider.
"Whilst the remuneration on offer for this role is woefully out of touch with the market, it’s not unusual to see the public sector failing to adequately benchmark security roles. This is for several reasons.
- The perceived prestige of working for the government (this depends on the division though) can be seen as compensation for the salary not hitting the mark. (Outdated perspective in my opinion)
- Public sector offers greater flexibility and attractive benefits, namely pension
- Cyber roles are often grouped with generalist IT roles, which betrays a lack of awareness of sought-after security skills."
Stephen Murdoch, Professor of Security Engineering, Royal Society, commenting earlier on Twitter about a senior intelligence professional departing for the private sector, said that “while I’m sure money isn’t the main consideration for such a role it is ridiculous that the technical lead for such an important high-tech organisation gets less than £150k. Government might not be able to match private sector salaries and can make up for some difference in other ways, but there gets to be a point where the mismatch isn’t tenable.”
He added: “They seem to have recognised this for management roles (£250k+ is not uncommon) but not for technical. If the UK wants to be a high tech powerhouse there must be a cultural change where technical expertise is valued just as much as business knowledge. It’s as important in the public sector as in the private.”
An HM Treasury spokesperson said: “Pay must be affordable and fair so that it delivers value for the taxpayer while recognising the importance of talent. The wider remuneration package for this role contains a generous public sector pension entitlement, a substantial potential allowance and access to other benefits.”
That allowance is understood to include up to £10k for personal ICT equipment.