A CISO we spoke with thought the average was “about right” for large enterprises, especially those in regulated markets. However, he thought the figure was not reflective of smaller organizations where a leader may be tasked with security responsibilities, but may not hold the designated title of CISO.
That CISO works for a sizable managed services provider serving a sensitive vertical market. He requested his comments remain anonymous.
Overall, his reaction was less about whether $273,000 was the right figure than about the value a CISO delivers, which he sees as the driver behind rising salaries. It’s “not whether it’s the correct amount in relation to the responsibility, it’s the value you receive from a CISO that is going to really understand this space, drive compliance measures and help align and balance risks, in conjunction with the board [of directors],” he said. He likened the role of the CISO to other leaders in the C-suite: they all have responsibilities that extend into other areas of the business and that are not typically well understood.
"You need a trusted advisor and business leader," he said. A CISO provides subject matter expertise that helps enterprises mitigate risk and "minimize bad outcomes." He was careful to underscore the leadership aspects of a CISO as well. He noted that supporting staff are still necessary to execute on security recommendations.
"That makes more sense when you see that spending in risk mitigation should be some factor of that potential loss exposure. Organizations that hire a $273K CISO and then starve security spending thinking that’s the key are not getting the bigger picture."
Benchmarking: 3 Additional Security Salary Surveys
While just 74 CISOs took the Security Current survey, nearly half of the respondents (46%) said they were the first person to hold the CISO title in their organization. This suggests that industry benchmarks for the role, its responsibilities and its compensation are still emerging. Even so, we also reviewed three other salary surveys to identify ranges or other salary benchmarks that might prove useful to a CISO.
1) 2017 Salary Outlook by Mondo. Citing the 2017 Salary Outlook by the talent agency Mondo, Ann Bednarz of Network World reported: “CISO ranks third in Mondo’s salary guide, with a salary range of $145,000 at the low end and $250,000 at the high end.” “It’s one of two security jobs with a salary range that tops $200,000,” she noted in her piece titled, 13 tech jobs that pay $200k salaries. “The other is application security engineer, which commands between $125,000 and $210,000.”
The Mondo guide did not provide an average or median salary as a point of comparison.
2) SilverBull on CISO Salaries, Cities and Issues. The second benchmark we looked at was from the staffing agency SilverBull. This recruiting agency has published several surveys like this that have been widely reported. The most recent survey we spotted was published in May of 2016 and put the median salary for CISO at $224,000 with a range between $137,000 and $346,000. An infographic visualizing the SilverBull data lists six cities, all notable tech hubs, where CISO jobs are most in demand. These cities are Boston, New York, Washington, Atlanta, Chicago and San Francisco.
It also lists 10 top issues facing CISOs including advanced persistent threats (APTs), cloud security, bring-your-own-device (BYOD), network transformation, and malware or spyware.
3) The median for a CISO by Salary.com. The third and final source we reviewed was an assessment provided by Salary.com. The website said, “The median annual Chief Information Security Officer salary is $198,226, as of January 30, 2017, with a range usually between $166,662-$239,680.” The website provides a caveat noting the range “can vary widely depending on a variety of factors.”
CISOs May Earn More than CIOs
“In some cases, CISOs may now make more than CIOs,” according to CIO Dive, citing the 2017 Technology & IT Salary Guide by the recruiting and staffing firm Robert Half Technology in a comparison with the Security Current survey. That guide estimates salaries for chief information officers will range between $175,000 and $279,000 – a 3.1% gain year-over-year. While the Robert Half guide doesn’t list the title of CISO, it does estimate a compensation bracket for the comparable title of Chief Security Officer (CSO) at between $145,250 and $236,750. Those salaries will rise at a slightly higher rate – 5.3% – over the previous year.
CISO Reporting to the CEO
It’s not just that CISOs might earn more money than CIOs; they might, in fact, be on their way to becoming peers. In a column for Forbes, Steve Morgan, the founder of Cybersecurity Ventures, cited research from IDC predicting that three-quarters of CSOs and CISOs will “report directly to the CEO, not the CIO” by 2018. That makes sense when the responsibilities of these professionals are considered in context. For example, in a commentary published on LinkedIn about CISO salaries and recruiting, Bruce A. Brody, a CISO with PricewaterhouseCoopers, noted, “the average breach now costs almost $4 million according to the Ponemon Institute.”
Mr. Brody’s commentary is now older, but still quite relevant. Newer data only seems to substantiate his assessment. For example, as we noted earlier, reports stemming from the 2016/2017 Global Fraud and Risk Report by Kroll detailed the cost of cyber incidents (as opposed to breaches) as a percentage of revenue.
A majority of respondents (57%) said such incidents cost enterprises 1-3% of revenue; another 10% put the cost at 4-6% of revenue, and 3% put it between 7-10% of revenue. About one-third (30%) put the cost at less than 1% of revenue.
The Human Problem in CISO Demand
The market for CISOs is likely to remain highly competitive as demand continues to outpace supply. More importantly, some CISOs seem open to jumping ship. About half of all respondents (51%) to the Security Current survey “said they would be open to accepting a new position in 2017.” While about the same number (47%) cited the chance to earn more money as a motivation for a job change, “other influencing factors included more visibility to the board and executive leadership team as well as an equity stake.”
To that end, it’s not just money or even demand that makes recruiting the CISO role so challenging, as New York University Professor Nasir Memon explained to the New York Law Journal.
"Security is not just a technical problem," he said in an interview for a piece titled, FBI Official: Feds Can't Compete With Top Tech Companies for Cybersecurity Analysts. "It's a legal problem. It's a policy problem. It's a human behavior problem."
* * *
What do you think? Are you addressing the legal, policy and behavior challenges related to security? Are your security challenges being starved of appropriate funding?
If you enjoyed this post, you might also like:
Cyberthreat Evolution Shifts Emphasis to Proactive Detection and Prevention
Photo credit: Pixabay (CC0 1.0)