October 11, 2023 – The CISO role was partially shielded from the macroeconomic challenges of 2023. The average increase in total compensation among CISOs was 11 percent in the latest comp cycle—a drop from 14 percent in 2022, but a relatively small dip in light of the economic climate. One in five CISOs didn’t receive an increase in compensation. IANS Research and Artico Search jointly fielded the fourth annual Compensation and Budget survey. Between April and August 2023, we received compensation data from more than 600 CISOs in the U.S. and Canada.
The sample has strong representation from firms in eight industries—finance, tech, healthcare, manufacturing, retail, consumer goods and services, business services, and legal—with varying ownership structures including privately owned, publicly listed firms and quasi-government entities. Their revenues range from less than $100 million to more than $150 billion. This report combines survey data with insights from executives at Artico Search, in particular Matt Comyns, co-founder and president, and Steve Martano, partner in Artico’s cyber practice. “Many companies that invested in security heavily in 2021 and 2022 are scaling back in 2023,” Mr. Comyns said.
“The year 2022 was marked by a challenging global economy amidst a struggle to tame inflation, higher cost of borrowing money, and economic and political volatility overseas,” said Mr. Comyns. “While the overall cyber threat environment remains high, we do not see the same level of investments in cyber program growth in the most recent budget cycle that we saw in the two prior budget cycles.”
This year, 80 percent of CISOs received raises—a 10 percentage point decline from last year’s figure of 90 percent. The share of CISOs with bigger bonuses and equity packages also declined year-over-year (YOY), by 12 and eight percentage points, respectively. The average base salary increase was seven percent in 2023—down from 10 percent in the previous year. Bonus and equity increases also faced downward pressure. As a result, total comp increases also dropped YOY. When focusing just on merit increases, the 2023 and 2022 cycles are remarkably similar. The average merit increase to the base salary was six percent in the most recent comp cycle and seven percent the prior year.
This year, for CISOs working in the U.S., the average total compensation—defined as base salary plus annual target bonus and the annual equity value—is $550,000 with a median of $388,000. This means that for half of the CISOs in the sample, the total annual compensation is $388,000 or less, while the other half earns more.
The majority earns below $400,000 or above $700,000, with a minority in the middle. The total compensation data shows 30 percent of the sample has total earnings below $300,000, followed by 22 percent who earn between $300,000 and $400,000, annually. In the so-called middle-comp ranges, the bars are much shorter: just six percent earn between $500,000 and $600,000, and only eight percent earn between $600,000 and $700,000. At the other end, 20 percent of CISOs have a total annual comp that exceeds $700,000.
The past three years, finance and tech firms were consistently in the top three for CISO total compensation. The report found that this year is no different. Finance CISOs have a total average comp of $728,000—of which, $548,000 (75 percent) is cash compensation. Tech CISO total comp is not far behind at $678,000, but cash comp comprises just 58 percent of total comp and nearly $300,000 comes from annual equity. Business services and retail CISOs have above-average cash comp plus equity. CISOs in legal, healthcare and manufacturing have total comp that is well below the overall average. Their cash comp ranges from $327,000 to $378,000, plus relatively small equity value.
The report also found that regional pay differences stem from variations in cost of living, talent market dynamics and the concentration of high-paying companies in the tech and finance sectors. Of the four U.S. regions, West-based CISOs have the highest total compensation, averaging $628,000. However, cash-based comp in the West is below that of CISOs working in the Northeast region and on par with that of Central-based CISOs. CISOs in the Northeast region have the highest bonuses, contributing to the highest cash-based comp in the nation. Southeast-based CISOs are roughly 17 percent behind the national average in total compensation.
In addition to cost of living and talent competition differences, Canada has a different healthcare and benefits system than the U.S. As a result, its pay bands are lower than in the U.S., in general, including for CISOs.
One in five CISOs is a C-level executive at their organization, on par with functions like the CIO or chief financial officer. They typically report to the CEO, general manager or chief operating officer. Another 17 percent are at the executive vice president (EVP) or SVP levels, 35 percent are at the VP level and 22 percent are director level. Compensation follows title level, with a cash pay jump between director and VP of more than $100,000, as well as a sizable equity stake. The difference in annual cash comp between VP and SVP is also more than $100,000, with a small bump in equity.
Are CISOs Satisfied With Their Compensation?
The share of respondents who are considering a job change (including those who answered “maybe”) within the next 12 months ticked up eight percentage points from 67 percent in 2022 to 75 percent in 2023. The flip side is that, while in 2022 a third of respondents said they are definitely not looking, this year, only a fourth of respondents ruled out a change of employers.
Compensation is not the only driving factor, because across each of the quartiles, the share of CISOs looking to make a change is more than 40 percent. For highly paid CISOs, reasons for a change range from lack of opportunities for advancement to an unsustainable work-life balance.
“Most CISOs are looking for another opportunity, yet most are staying put at their current jobs because they’re simply not seeing the interesting opportunities that were available a year or two ago,” said Mr. Comyns.
Contributed by Scott A. Scanlon, Editor-in-Chief; and Dale M. Zupsansky, Managing Editor – Hunt Scanlon Media