December 17, 2020 – In an environment where chief information security officers are increasingly part of the C-suite, and are viewed as business risk executives, time is scarce, and accurate, real-time aggregated benchmarking data is difficult to find, according to a new report by cybersecurity practice leaders at Caldwell and security research firm IANS Research.
The CISO study focuses on compensation for the role, security program budgeting and overall job satisfaction. As first-movers in the cybersecurity recruiting space, Matt Comyns and Steve Martano of Caldwell’s cyber practice have had a seat on the ground floor of the information security leadership revolution. Focused on recruiting CISOs and CISO direct reports for Fortune 500 companies, they have helped bring aboard security leaders for some of the world’s best known brands and companies. As security has moved to the forefront of private equity and venture capital groups, they continue to do more and more for private companies looking to build a program from the ground up.
Caldwell and IANS partnered on this CISO report to bridge the information gap between practitioners, breaking down barriers to benchmarking, and understanding where a program stands related to a peer group. Beyond compensation and program budget benchmarking, the research also looked at the main drivers of CISO satisfaction to better understand the calculus behind a CISO’s openness to a job change.
Amidst an incredibly complex threat environment, security program stability and CISO engagement have never been more important. With the average cost of a breach in the $4 million range (according to IBM’s 2019 Cost of a Data Breach Report), and over 82 percent of companies reporting a shortage of cyber skills within their organization (2019 CSIS Survey), security leadership and stability are paramount.
“Beyond the financial costs of a breach, security leaders are entrusted with leading programs and the teams that are integral to business continuity and enablement,” said Mr. Martano. Unveiling some of the data behind compensation and program budgeting breeds an environment of transparency, he noted. “In a function where regulatory and compliance pressure is constantly changing and evolving, stability, continuity, and multi-year security roadmaps are essential to long-term program success.”
Matt Comyns is managing partner of Caldwell’s cybersecurity practice and a member of the firm’s Stamford, Conn. office. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cybersecurity consultants for leading professional services firms and top executives for cybersecurity technology companies. Mr. Comyns also serves as a strategic advisor for ClearSky, a venture capital/growth equity firm.
Similar to other functions, the cost of retaining a CISO is generally less expensive than the cost of recruiting a new executive, said Mr. Comyns. “Between recruiting costs, bonus and equity buy-outs, motivating incentive to make a change, and training and scaling a new CISO, managers and HR leaders have an opportunity to assess current CISO satisfaction, and mitigate the risk of an unwanted and unexpected CISO departure,” he noted.
Understanding the drivers of CISO satisfaction can enable proactive discussions between CISOs and hiring managers, and HR business partners. Communicating with CISOs to understand what drives them, and how they view the broader business is integral to properly assessing whether an information security leader is fully engaged or has one foot out the door.
Based on the report findings, compensation is not the primary driver in CISOs leaving their current roles, though unsurprisingly it does play a part. Beyond compensation, CISOs are looking to leaders in their organization to provide the proper organizational support to successfully lead a program. Additionally, CISOs who are open to a job change are presently dissatisfied with the career development plans (if there are any) in front of them.
“The security function has a reputation as being a revolving door, with average tenures anywhere from 18 to 24 months,” said Mr. Martano. “With more transparency, organizations can mitigate the risk of an unexpected departure by honing in on satisfaction drivers, and providing CISOs with the proper organizational support and career and personal development to succeed.”
In one example, Mr. Martano explained how he engages with his clients and placements well after the recruitment process ends. “I can specifically recall an example a few years ago, where I flew out to Minnesota to facilitate a discussion with a CISO we had recruited to a well-known health system,” he said.
“By setting aside time for the CISO and CIO to talk about what was working and what wasn’t in their first year, we were able to quickly identify some of the communication and expectation gaps,” he added. “By facilitating a transparent and honest conversation about priorities, we set up that CISO to succeed. I’m happy to say he’s still in that role nearly five years later.”
Steven Martano is a consultant in Caldwell’s cybersecurity practice, and a member of the firm’s Stamford, Conn. office. Previously, he was a principal at a boutique search firm, serving clients across the technology and industrial spaces. Prior to that, Mr. Martano spent seven years at Russell Reynolds Associates, where he helped build the cybersecurity and supply chain functional practices, along with practice head Matt Comyns.
“It’s all about organizational support and relationship building,” said Mr. Martano. “We recently placed a CISO with a private-equity-backed mortgage lender – the company’s first-ever organizational CISO. We presented a candidate who wasn’t exactly right on paper, someone we had sourced as a real talent through our own network.” The hiring manager / CIO served as a hands-on partner throughout the recruitment process, and had a perspective on organizational support for the CISO going forward. “That relationship and articulation got her on board as she and the CIO really hit it off. It was the longer-term thinking and conversation that got her excited for the role; the CIO could articulate how the organization would support her as the company scaled, and she turned down another good offer to take that one.”
In the time that Mr. Comyns and Mr. Martano have been in the market, compensation profiles, structures and numbers have changed significantly. While not quite at an equilibrium, compensation is less variable than it was several years ago.
Still, there is considerable misinformation regarding CISO compensation in the market, something that served as one of the primary drivers for the CISO study. “We’d review third-party compensation studies and reporting structures, and it would not match what we heard every day from practitioners,” said Mr. Martano. “This was one of the main motivators for us to go out and come up with an aggregated data set – one that is multi-year, where we can track trends and give some real-time insights.”
The compensation profile for a chief information security officer has changed over time as the function has evolved and gained more importance and visibility in the organization. According to Mr. Comyns, “A few years ago you’d rarely hear of a CISO in an unregulated industry getting board exposure, now it’s one of the first questions we’re asked when we talk to potential candidates about a new role: ‘Does the position have board support and will I have board access if I were to take it?’”
The CISO position has been elevated to the point where candidates expect that level of exposure to make a move to a new company. As risk executives, they want to know they are valued walking in the door, and as one form of commitment, they are commanding more equity.
Private Equity and Venture Capital Firms
“With private equity and venture capital firms catching up to the broader market for security talent, one of the differentiators for them is that a majority of the compensation ends up being the equity piece,” said Mr. Comyns. “PE firms are often not only giving equity as part of an annual comp package, but they are offering buy-ins at reduced prices for individuals to invest their own capital in the business they are joining.”
Security Threats Create Talent Challenges, Opportunities
Cybersecurity might well be the greatest challenge facing corporate America today. The threat to reputation, private information and dollars — both from immediate theft and the cost of repairing the damage of a cyber-attack — can be staggering.
Whether it’s understanding job satisfaction, budgeting or compensation, it’s all about risk mitigation, the report said. Benchmarking in the security arena is difficult due to the obligations and distractions of the CISO’s day job. Using the CISO study as a tool to facilitate transparency between CISOs and hiring managers can drive good conversations that lead to longer-tenured security executives.
The report said that while benchmarking isn’t meant to be a panacea, it creates the foundation of trust and transparency, and demonstrates that an organization is open to understanding how their security leaders stack up against their peer group from a compensation, staffing and budgetary perspective.
“One main challenge in today’s security environment is the information imbalance,” said Mr. Martano. “While CISOs rarely talk to each other and exchange notes on complex threat environments, malicious actors regularly sync up and exchange notes via the dark web.” The importance of a transparent market in everything from threat intel to budgeting to job satisfaction is meant to have a positive effect on the overall CISO community.
“As a recurring study, we look forward to seeing what 2021 and 2022 bring from a data perspective,” said Mr. Martano. “Drivers of satisfaction may change, and compensation may increase, or start to level off, but regardless, tracking industry trends related to hiring and the talent gap in security is a worthwhile endeavor.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media