Psst! Infosec bigwigs: Wanna be head of security at HM Treasury for £50k?

Given the importance of the Treasury department’s function to Britain, Reg readers might expect the Head of Cyber Security vacancy currently being advertised would come with a salary that reflects its criticality.

They’d be sorely disappointed: the starting salary for the right candidate is £50,550 (c. $62,500), which many infosec hounds in the private sector may balk at.

The job, listed on LinkedIn – where CVs go to die – is a permanent post that could be either full or part time, and flexible working hours can be accommodated, working from London, Darlington or Norwich.

“We’re looking for a Head of Cyber Security to join the team and provide advice to seniors on cyber risks across our services and systems,” the posting reads. “This is an exciting and meaningful opportunity to work on cyber security at the heart of Government in a time of momentous change.”

HM Treasury says it is seeking a candidate who has “a consistent track record of managing cyber risk management services and people,” and the ability to “empower, lead and drive a team providing critical services to the organization” will also be key.

Oh, and money mustn’t be that important to you. After all, who cares about paying the bills at a time of the highest inflation hike for decades?

The Head of Cyber Security is only regarded as being a “Mid-Senior level” role, according to the Treasury. Perhaps that is why the salary the government is offering is in the range of £50,550 to £57,500, while a quick glance at a few job sites shows that the going rate for a Head of IT Security in London is more like £85,000 to £100,000.

This is the government’s economic and finance ministry we are talking about here – the department with overall control of public spending and setting the direction of the UK’s economic policy – so you would think that being in overall charge of IT security would be a pretty demanding role.

In fact, the job ad says the Head of Cyber Security will be responsible for service delivery, people and service management, budget and supplier relationship management, security governance, monitoring and assurance. The winning candidate will also have oversight of “specialist security processes” and the provisioning of device security throughout the organization.

That sounds like quite a demanding job to us – especially as it is in an organization where a security breach could cause serious damage.

Some in the security industry itself are even more critical. Tom Lysemose Hansen, CTO and co-founder of Norwegian cybersecurity outfit Promon, claimed that comparable jobs in the private sector are worth five to seven times the salary on offer.

“Such a startlingly low salary for a position as strategically important as this should concern UK taxpayers. If you pay peanuts, you get monkeys,” he said.

“Frankly, this gives the impression that the British government isn’t taking its cyber security seriously. If cyber security firms can see it, then you can bet that malicious actors can too.”

Such a senior cyber position comes with inherent stresses – especially as it is at such a financially and economically important institution – Hansen added, and so it is crucial the UK public sector pay a competitive salary to attract high caliber candidates well suited to the role.

“Otherwise, from a national security perspective, the UK is flirting with disaster and just waiting for the next major cyber attack or data breach.”

The government should recognize this – especially as the foreword to last year’s National Cyber Strategy states that “basic cyber security remains central to our efforts as we toughen up our response to those who attack the UK and our citizens. Our focus is also on making the public sector more resilient.”

Still, at least the successful candidate will have access to a cycle-to-work salary sacrifice scheme and season ticket advances. ®