January 4, 2022 – Cyber breaches at SolarWinds and Colonial Pipeline have underscored the importance of putting the right chief information security officers (CISOs) in place. That, in turn, has led to intense competition to recruit top cybersecurity leaders, who have seen their market values and salaries soar, according to just-released compensation data from IANS Research and Artico Search. This increase in demand has led to turbulent market conditions and to CISOs’ eagerness to understand their market value and how their compensation compares to that of their peers.
The CISO Compensation Benchmark report offers objective and comprehensive data from 458 chief information security officers (CISOs). It combines survey data with insights from executives at Artico Search, in particular Mercedes Chatfield-Taylor, co-founder and CEO; Matt Comyns, co-founder and president; and Steve Martano, partner in Artico Search’s cyber practice. This combination of data and insights provides a thorough view into CISO compensation across the U.S. and Canada.
“Combining our executive recruiters’ many years of security hiring and relationship-building with IANS’ depth in research, data and analytics, we are able to generate real-time data for the security function,” said Mr. Martano. “With so much misinformation available, we went straight to the sources for accurate and timely security function compensation and budget data, which enabled us to extract interesting trends and comparative analysis across sectors.”
“What matters to the CISO matters to IANS. Our clients constantly tell us that the ability to benchmark against peers is critical,” said Nick Kakolowski, senior research director of IANS. “We’re thrilled to deliver this research – it was especially interesting to learn that female CISOs earn seven percent more than male CISOs. We still have a ton of work to do to build a more gender-inclusive industry – just 45 of our respondents identified as female – but it’s great to see progress on the compensation side.”
The CISO Compensation Gap Runs Wide
The distribution curve for total annual compensation shows a wide gap between top and bottom, with a $463,000 average and a $342,000 median. The broad range in total compensation reflects diversity in the market. It includes CISOs at small firms in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors with an established cybersecurity program.
Which market trends contribute to the wide distribution in CISO pay? “Business continuity has become front and center in the last 18 months,” Mr. Martano said. “COVID-19, combined with the vast increase in widely publicized cyber breaches and ransomware attacks, forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing.”
“Prior to 2021, cybersecurity was increasingly a pressing topic in most board rooms,” said Mr. Martano. “The advanced attacks and costly public breaches and ransomware events over the last 12 to 18 months have increased the frequency and depth of those discussions. COVID-19 and the work-from-home trend have accelerated the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became front and center due to the prevalence of remote work.”
Public breaches such as SolarWinds and Colonial Pipeline raised the CISO profile even further, as boards asked questions about preparedness and risk profile for similar threat events. “This heightened attention to cybersecurity broadly led sophisticated companies to attempt to retain their existing CISOs to ensure continuity in their security programs or upgrade programs and/or leaders to keep up with an increasingly complex threat environment,” said Mr. Martano. “Amidst a challenging talent market where demand still far outweighs supply, companies boosted incentives including massive counteroffers and retention packages to keep security leaders they trust. Nearly 75 percent of companies preparing CISO offers are contending against one or more competing offers and/or strong counteroffers from candidates’ current employers.”
CISO Compensation Dissected
CISO compensation varies greatly by industry. In the survey sample, financial services CISOs average the highest total compensation at $535,000, followed by CISOs in the tech and manufacturing sectors. Financial services is a tightly regulated industry and its organizations typically have a low-risk profile. While the $274,000 base salary isn’t far above the overall average, its large target bonus and equity incentive structures mean total compensation for this industry tops the others.
Tech firms are highly digital and susceptible to disruptions. What’s more, subsectors like communications are considered critical infrastructure. These are all factors that increase CISO compensation. The above-average total compensation of $509,000 for the sample reflects that. It is also worth noting that tech sector executives are often incentivized with lucrative long-term equity packages that pay out upon a successful exit, such as with an initial public offering.
Manufacturing includes large defense firms, critical infrastructure and pharmaceutical firms, and others with high-stakes security operations, particularly related to supply chain, the internet of things and operational technology. The average $505,000 total compensation is the third highest in the sample.
Canada Lags Behind All U.S. Regions in Total Compensation
The report found that U.S. West-based CISOs benefit from the highest total compensation, roughly 20 percent higher than the average for the U.S. Southeast region. Compensation at tech firms in the West region drives up the average. More than a quarter of the U.S. West-based CISOs in the sample work in the tech sector.
U.S. Northeast CISOs are not far behind those in the U.S. West in terms of total compensation, with one out of three respondents in this region working in the financial services sector, whose total compensation is on par with that of U.S. West-based CISOs. The averages for the Northeast region are pulled down by CISOs from lower-paid sectors.
U.S. Southeast CISOs average the lowest total compensation of the four regions in the U.S. A closer look reveals that a third of our sample CISOs in this region are in Texas—a state in which CISOs command pay similar to that of the U.S. West region. Other states in this region, like Alabama, Arkansas, Tennessee and South Carolina, pull down the average for the Southeast region.
Canada lags U.S. regions when it comes to compensation. The average total compensation is about $300,000 lower than the top compensated region in the U.S. Canadian CISOs who work in financial services are an exception in the Canadian region. While a small number in the sample, they report compensation figures much closer to their peers in the financial services sector who work in the U.S. Northeast region.
Females Who Break Through at the CISO Level Command a Market Premium
Filtering the compensation data by gender reveals female CISOs out-earning their male peers by five percent for base compensation and seven percent for total compensation. What explains that difference? Males still dominate the security function, as is evident from the 88 percent males in our sample: 338 male vs. 45 female CISOs.
“This gender gap is not unique to CISOs, as there are fewer women across the entire tech leadership suite,” said Ms. Chatfield-Taylor. “The gap is most apparent in some of the most transformative tech functions including security, product and engineering. Female leaders who break through in these functions command a premium in compensation, as nearly every company requires diversity in their slate of candidates—CISO searches being no exception. This creates optionality and opportunity for female CISOs to increase their compensation by taking on new roles.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media