The UK’s HM Treasury is looking to hire an “experienced” head of cybersecurity, but condemnation of the proposed salary suggests the role may be hard to fill.

The UK’s HM Treasury is looking to hire an “experienced” head of cybersecurity to lead a team and protect it from a “wide range of cyber and technical” threats. The successful candidate will work closely with the UK National Cyber Security Centre (NCSC) and central government cyber authorities to identify and protect against emerging threats in cyberspace, according to a job posting on the UK government website.

The permanent role is described as an “exciting and significant opportunity” to work at the heart of government in a time of momentous change, offering flexible working patterns (part-time, job-share, condensed hours). However, significant criticism has been levied over the proposed salary of £50,550 – £57,500, which HM Treasury confirmed and which is in line with the UK Grade 7 civil service pay categorisation. UK cybersecurity, IT, and tech professionals claim it is far below what the compensatory pay should be for such a role based on the advertised responsibilities and requirements.

Last year, the UK Cabinet Office advertised that it was recruiting a new director of cybersecurity to support the government in delivering its National Cyber Strategy. The full-time position offered a far more competitive salary of between £150,000 and £160,000 per year.

Head of cybersecurity will “identify and mitigate” HM Treasury’s cyber risks

HM Treasury sits at the centre of UK government, collaborating with other departments to ensure public money is spent well and to drive strong and sustainable economic growth. The head of cybersecurity will work to identify and mitigate the cyber-related risks HM Treasury faces, providing risk or service owners with advice to help them make well-informed, risk-based decisions, it said.
A successful candidate must have a consistent track record of managing cyber risk management services and people, along with the ability to empower, lead, and drive a team providing critical services to the organisation. “As a member of HMG’s security profession, you will continually refresh and develop your professional skills, maintaining a current understanding of the latest thinking in security and its impact on existing security practices,” the job spec reads. “You will have a role in participating in workshops and forums across government, providing practical insight to aid and influence the improvement of security practices.” The role also includes working collaboratively with the wider cyber community.

The key responsibilities of the HM Treasury’s head of cybersecurity include:

- Leading monitoring, response, and vulnerability management operations for HM Treasury corporate IT systems working with suppliers, HM Treasury teams and other partners
- Leading collaboration with the NCSC, cyber/IT security colleagues, and suppliers to develop requirements and high-level designs for security controls
- Management of two cybersecurity apprentices, developing their knowledge and expertise within government cybersecurity and to support their progress throughout their external degree apprenticeship
- Acting as service owner for new security operations tooling and/or services

The government said candidates would be at a significant advantage if they hold one or more of the following information security qualifications:

- BCS Certificate in Information Security Management (CISM)
- Certified Information Systems Security Professional (CISSP)
- NCSC CCP SIRA

The closing date for applications is April 16, 2023.

Twitter users criticise “horrific” salary, say role won’t be adequately filled

The advertisement has drawn condemnation on Twitter with a raft of cybersecurity, IT, and tech professionals voicing disapproval of the salary range being offered. “It’s horrific.
If people want to know one of the reasons why there’s a cyber skills shortage, that’s it right there,” wrote one Twitter user. “The depressing bit is that’s a story replicated across the public sector and a side-effect of how specialist jobs are banded. No-one will take it and we’ll end up paying for a consultancy at market rate plus margin, rather than employing directly at market rate,” wrote another.

Others argued that the position will never be filled by anyone suitably qualified and that it’s unlikely any successful candidate would have anywhere near the budget to properly protect the HM Treasury based on the advertised salary.

Salary does not fit role or required experience

“It’s quite surprising to see HM Treasury advertising the critical role of head of cybersecurity with a salary cap that appears to be just £57k, which seems relatively low considering the immense responsibility and importance attached to the position,” says Javvad Malik, lead cybersecurity awareness advocate at KnowBe4. “While the role is undoubtedly crucial, offering a salary below the industry standards might lead to attracting unsuitable candidates who may not possess the experience, skills, or knowledge necessary to fortify the Treasury’s cyber defences effectively.” A more competitive compensation package would go a long way in ensuring this crucial position is filled with an experienced professional, Malik adds.

The salary for this role matches neither the job title nor the listed responsibilities for the role, and is between £50-70k per year light of what an experienced candidate would expect, argues Joe Honey, talent manager, Searchlight Cyber.
“For example, an experienced SOC analyst, with no management or leadership experience, is likely to be earning £40-60k or more, which demonstrates how much this role is in need of a review.” An experienced candidate, holding a CISSP, and with a history of managing teams is probably earning at least £80k at the moment, and likely significantly more, Honey says. “Additionally, the job description is quite unclear. Is this a role to build a security function, or to manage an existing SOC and the associated monitoring and incident response capability? There are significantly different skill sets involved in building that kind of infrastructure from scratch and will ultimately affect the type of candidate the Treasury needs.”

The headline pay for the head of cybersecurity at the HM Treasury is paltry compared to equivalent roles in the private sector. However, nobody joins the civil service for money, Brad Freeman, director of technology at SenseOn, tells CSO. “It’s easy to jump on the ‘pay peanuts get monkeys’ bandwagon.
With an opaque ‘ICT allowance’ to bump up the salary, employer pension contributions of 27%, annual holiday entitlement rising to 30 days, and a real sense of mission outside of making money, in the private sector, it will appeal to many.”