Information security salaries; governance, risk and compliance

Are you looking to grow your governance, risk and compliance (GRC) teams but unsure what each skill set is worth? From information security officers and managers to data protection officers, what salaries can you expect to pay?

When a company says they’re looking to expand their cyber security team, nine times out of ten people will picture a techie, sat in a dark room with multiple screens and a hoodie on – of course there’s a hoodie!

Yes, the technical team represent a large percentage of a cyber security team (and no, they don’t all wear hoodies!) however there’s another group of employees that help to compliment these skills; the governance, risk and compliance teams. Usually sitting alongside technical teams, they conduct audits against the infrastructure, assess and improve existing policies and implement new procedures to ensure the company is compliant against industry accreditations and practices.

While you could talk about multiple roles and skill sets within GRC let’s focus on a few core areas that the majority of companies in the UK recruit for; ISO 27001 implementers, information security officers, data protection officers and information security managers.

Just like technical security teams that include SOC analysts and security engineers, there’s competition for GRC candidates. There’s a shortage across the industry so how much do you need to pay for good quality GRC focused individuals, and what potential skill sets can you find within the market?

ISO 27001 Implementers/Auditors

Focused around helping organisations comply to the ISO 27001 accreditation, they act as a bridge between the stakeholder strategy and technical teams; ensuring that all projects, systems, policies and staff adhere to the ISO 27001 framework.

Junior – £30,000 – £45,000
Mid – £45,000 – £60,000
Senior – £60,000+ (but to be honest, to get the best you’re probably going to be looking at contract rates rather than perm)

Information Security Officers

More of an all-round skill set within GRC rather than just focusing on ISO27001, information security officers will be conducting audits across all areas of the organisation, implementing a variety of policies and ensuring compliance throughout.

Junior – £25,000 – £40,000
Mid – £40,000 – £55,000
Senior – £55,000+

Data Protection Officers

Focused around protected data within a business, data protection officers (DPOs) represent a small section within the GRC teams, but they’re a vital cog that gets intertwined within most projects and are typically found within larger organisations.

Junior – £30,000 – £45,000
Mid – £45,000 – £60,000
Senior – £60,000+

Information Security Managers

Typically, information security managers would have responsibility (direct management) of the above skill sets/roles, so expect to be paying a decent wage for someone with this experience; you’ll want them to be knowledgeable in all GRC areas whilst also being able to lead teams. With that in mind, expect to be paying around £70,000 – £80,000+ for someone with this background.

Staying in touch with the latest information security salary information is essential for employers, whether you’re looking to bring in new hires or just check what the competition are paying their staff in equivalent roles to retain your current GRC teams.

There are lots of things to consider when figuring out information security salaries for your GRC team so hopefully these points give you something to think about.

If you have any questions about what to pay your GRC team or need some informal advice, then please feel free to get in touch.