IR35's impact on cyber security departments
The IR35 reforms coming into effect this April have become a hot topic. One key reason is that large organisations are deciding either to curtail their use of contractors completely or to force them to work “inside” IR35 - the so-called blanket ban. This article discusses the impact of these blanket bans on already overstretched cyber security departments and suggests three practical solutions CISOs may want to consider.
What’s wrong with blanket bans?
Whilst there are many HMRC- and insurance-related risks to blanket bans, the main impact on cyber security departments stems from cost increases and problems with project delivery. It is helpful here to look at the impact of these reforms on the public sector two years ago, where the use of blanket bans led to a whopping 71% of projects being delayed and 42% of contractors raising their rates to cover the increased tax burden.
In cyber security departments with large change and security improvement programmes these impacts will be particularly acute. Cyber security contractors have extremely specialist skills and are in very high demand. They are highly unlikely to want to shoulder the increased tax burden themselves and will most likely move roles to protect their take-home pay. All of this, of course, has the potential to disrupt both project timelines and budgets.
Are blanket bans appropriate?
The short answer to this is no.
The aim of the IR35 reforms is to prevent disguised employment. As such, it is very hard to understand why specialist project resourcing should be in scope. After all, you wouldn’t hire and fire someone for 12 months purely to deliver a new cyber security technology, so how could hiring a contractor to do the same thing possibly be disguised employment? What this means is that many project-focused cyber security contractors should actually be determined to be outside IR35.
Additionally, HMRC has made it clear that when determining the status of a contractor, 'reasonable care' must be taken by organisations to get that determination correct, something that a broad-ranging blanket approach can never be said to do.
Taking both points into account, it is apparent that when businesses enforce blanket bans they aren’t implementing the IR35 reforms as efficiently as they should, and are in some ways even diverging from HMRC guidance. This should be food for thought!
Despite this, however, well-meaning but under-resourced HR departments are doing exactly that – after all, blanket bans appear to be the easy and risk-free route. What this does, though, is push the problem onto other departments, such as cyber security, which pay the price through increased costs and project delays.
What can you do about a blanket ban?
For CISOs and Heads of IT Security the obvious first path is to lobby HR in order to protect the specialist project resource that is vital to their delivery programmes in 2020. As explained above, there is a strong case for this.
Secondly, it is time to engage with other providers of specialist resource - Big4 consultancies, outsourcers and IT service providers. Many conversations are no doubt already going on in this space.
A third option is to engage with boutique consultancies specialising in cyber security. Boutique firms are extremely responsive to client demands and don’t have the overheads associated with large organisations. In addition, they can often supply highly specialised and experienced consultants who are not interested in working for the Big4 and other IT service providers.
Working through scoped and managed project briefs, they are also fully IR35 compliant.
At Nicolson Bray we provide responsive, on-demand access to cyber security consultants with decades of experience, at a 25% cost saving compared with the Big4 consultancies and IT service providers.