October 20, 2022 – Market and economic instability over the past year has added pressures on the chief information security officer (CISO) role, both in terms of hitting cyber objectives and in building out security teams. Concerns over retaliatory Russian cyberattacks, large-scale exploitations of vulnerabilities and increasing global ransomware threats have all exacerbated an already dynamic threat environment. The labor market, meanwhile, also showed turbulence, as fluctuating financial valuations called job security and wage increases into question. On the other hand, inflation and talent shortages, especially the talent gap in cyber, strengthened CISOs’ position at the negotiating table.
In a newly released study, the 2022 CISO Compensation Benchmark Report, IANS Research and Artico Search reveal how these forces have played out. The report combines data from 550 cybersecurity executives and 507 CISOs [every survey participant leads the infosec program at their company] surveyed this spring with insights from executives at Artico Search, in particular Matt Comyns, co-founder and president, and Steve Martano, partner in Artico Search’s cyber practice.
The result is a thorough view into CISO compensation across the U.S. and Canada. Among the more eye-catching details, the report, now in its third year, reveals that total annual compensation for CISOs rose 15 percent over the last year to an average of nearly $500,000 annually. “Outliers exist on both sides,” said the study. “Lower-level CISOs at small companies with relatively immature cyber programs and those working in lower-paying regions like Canada have total earnings of around $250,000. Compensation for the top one percent exceeds $2 million per year. They are more likely to work at large companies in high-paying sectors like tech, financial services, or retail, and oversee vast security teams, often comprising 1,000 or more staff members.”
In this year’s sample, tech sector CISOs had the highest total compensation at $652,000, which is 32 percent above the overall average, said the report. Total cash compensation (base salary plus cash bonus) was highest in financial services and retail. This year, 55 percent of the CISOs surveyed worked mostly from home offices, compared with 71 percent last year. “While the respondent samples aren’t identical year-over-year, this decline follows the trend that a growing share of the workforce is returning to the office in a hybrid work situation,” said the report. “However, the market has yet to find an equilibrium between in-office, hybrid and 100 percent remote.”
Ratcheted Up Competition
The CISO talent war has ratcheted up competition, said IANS Research and Artico Search. One in five CISOs changed employers in the last year, yielding an average increase in total compensation of 37 percent. Current employers sought to deter such moves with counteroffers, proactive retention bonuses, and promotions, with the latter boosting CISO total compensation by an extra 26 percent on average. Respondents reported, on average, a 10 percent increase in base salary and a 15 percent increase in total compensation. “We see large differences across sectors and job levels,” said the report. “For instance, CISOs in utilities and government saw above-average salary increases—both sectors playing catch-up with other sectors, comp-wise. CISOs at the SVP level and above indicated above-average increases on top of already leading earnings.”
The U.S. West and Northeast regions topped others in cash compensation and total compensation. “While the 2021 sample compensation showed some variation across regions, this year the differences are more pronounced,” said the report. West-based CISOs benefitted from the highest equity percentage. Total compensation, averaging $636,000, was 25 percent higher than the average for all U.S. regions. Compensation at tech firms in the West region drove up the average.
None of this, however, was a surprise to Mr. Comyns. “Particular geographies and cities such as New York and San Francisco have always commanded a premium in terms of compensation,” he said. “The high cost of living combined with the close proximity of large-scale global firms competing for talent increases the comp profiles in these regions.”
Overall, the CISO compensation gap runs wide, said the report. The average cash compensation—defined as the base salary plus the annual target bonus—was $365,000 and a median of $309,000. The average total annual compensation—defined as cash compensation plus the annual equity value—was $495,000 and a median of $359,000.
“The gap between the average and median cash compensation is much smaller than that for total compensation,” said the report. “The reason is a small share of high earners with large annual equity grants—in some cases, as much as five times the base salary—that pull up the average total compensation of the entire sample but with a lower impact on the median value.”
For cash compensation, the share of high and low earners was more in balance, which brought the average and median values closer together. “For the top one percent of CISO earners, those in the $2 million-and-up comp range, the majority of compensation is made up of equity, rather than cash, looking akin to executive comp packages listed on a public company proxy, rather than typical vice president- or director-level packages,” said Mr. Martano.
“The distribution curve for total annual compensation shows this, too—the bulk of CISOs earning between $250,000 and $1 million in total compensation and a long tail of top-earners, maxing out at nearly $6 million,” said Mr. Martano. “Roughly a third of the sample has a total compensation below $300,000, a third falls between $300,000 and $500,000, and a third earns more than that. The top 10 percent earns at least $1 million in total annual compensation.”
The new report also showed that specialized skills and personal characteristics commanded compensation premiums. “A background rooted in technology is valued higher than one in business and technical risk, evidenced by a comp difference of more than $100,000,” said the study. “What’s more, CISOs with product and app security as formative experience have a 50 percent higher cash compensation than the overall CISO average and double the total compensation. Companies also pay premiums for CISOs who identify as female by an average of 44 percent for total compensation.”
Companies are engaged in a talent war over CISOs, pitching aggressive acquisition and retention incentives, said IANS Research and Artico Search. “CISOs in all sectors received pay rises—eight percent in the financially struggling transportation sector to as much as 22 percent in the tech sector,” the report said. “Moreover, a quarter of the CISOs in our sample indicated they received a retention incentive, 13 percent got an increase from a promotion and 10 percent a cost-of-living adjustment. Retention incentives added 19 percent to total comp, promotions raised comp by 26 percent. Twenty percent said their comp benefit from a change in companies boosted their earnings by an average of 37 percent.”
Compensation for Canadian-based CISOs, meanwhile, fell further behind. Compared with their U.S. peers, Canadian-based CISOs’ pay grew more modestly over the last year, with an average eight percent increase in total compensation, said IANS Research and Artico Search. Base salary and bonus and equity percentages for CISOs in Canada remain significantly behind those in the U.S. Canadian-based CISOs have an average annual cash compensation that is roughly half that of U.S.-based CISOs. Their total compensation is just 43 percent of their U.S. counterparts.
All this makes the Canadian CISO market ripe for an adjustment, the study said. Labor market conditions between the U.S. and Canada are clearly different. The Artico talent experts pointed to the less-mature cyber programs and overall cyber awareness as the biggest differences influencing compensation. “The result is compensation for CISOs working in Canada is roughly half that of those working in the U.S. Will it last? CISOs in Canada express significantly lower satisfaction with their comp than their peers in the U.S. These may be the underpinnings of changes ahead.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media