The Evolving Role of CISOs

Competition for top chief information security officers is growing fierce as companies seek to protect themselves from potentially crippling cyberattacks. Newly released compensation data from IANS Research and Artico Search shows how this role continues to transform and mature. Let’s take a closer look!

April 8, 2022 – With the ongoing evolution of cybersecurity, the role of the chief information security officer (CISO) continues to transform and mature. For the top security position, no two career paths are alike, and current CISOs are keen to understand how their roles compare to those of their peers, according to a just-released report from IANS Research and Artico Search. Further, CISOs want to know how their satisfaction levels compare to those of their peers and what improvements contribute to an increase in satisfaction. The report, based on a 2021 survey, also includes insights from executive recruiters at Artico Search, in particular Matt Comyns, co-founder and president, and Steve Martano, a partner in the search firm’s cyber practice. This is the final publication in a series of four reports covering CISO compensation, security budgets, key security staff compensation, and a deep dive into the role of the CISO.

IANS and Artico asked respondents about the functional areas they worked in during their formative security years, prior to becoming CISOs. The two most common functions reported were SecOps and governance, risk management and compliance (GRC), cited by 62 percent and 54 percent of respondents, respectively. Product security is less customary in CISOs’ formative years; only 28 percent list this domain. The data indicates that CISOs have broad experience across multiple information security functions.

Most CISOs Still Report Into IT

In the 2020 Compensation and Budget Survey, 66 percent of respondents said they reported to a technical function, such as a CIO or CTO. This share grew slightly year-over-year to 69 percent. Eighteen percent reported to the CEO or chief operating officer, and only a small share had a chief risk officer, chief financial officer, or general counsel as their solid-line manager.

“Because there can be an inherent conflict of interest between security and IT, for several years we have heard from organizations that security would break out of IT and become a separate function reporting to a business executive, but that has not really come to fruition yet,” said Mr. Martano. “For now, the CISO predominantly reports into the tech group, but we have seen it work in a variety of ways, depending on the organization and individual leaders in other functions.”

CISO Job Satisfaction Soared vs. Last Year

IANS and Artico found that the share of CISOs who indicated that they are satisfied in their job shot up from 45 percent in 2020 to 69 percent in 2021. These are mostly CISOs who moved from the “neutral” category to somewhat or strongly satisfied. Roughly one in five respondents was dissatisfied with their role and company.


“In 2021, companies were again reminded of the importance of robust information security programs and the leaders who run them,” said Mr. Martano. “Increased visibility of the function amidst endpoint challenges due to employees working from home and the continued publicity of security breaches caused firms to make more of an effort to gauge CISO satisfaction, providing proactive salary increases, bonus increases and retention packages.”

Considering a Change

A quarter of CISOs strongly agreed with the question, “Are you considering a job change in the next 12 months?” Another 22 percent agreed somewhat, and 20 percent were neutral. For Mr. Martano, these CISOs can all be enticed with a compelling story and an increase in compensation: “The notion that two-thirds of CISOs—many of whom say they are satisfied in their current role—are willing to change jobs is staggering,” he said. “Generally, though, CISOs are not willing to entertain a change in jobs for less than a 15 percent to 20 percent-plus increase in total comp.”

Real-Time Data for the Security Function

“Combining our executive recruiters’ many years of security hiring and relationship-building with IANS’ depth in research, data, and analytics, we are able to generate real-time data for the security function,” said Mr. Martano. “With so much misinformation available, we went straight to the sources for accurate and timely security function compensation and budget data, which enabled us to extract interesting trends and comparative analysis across sectors.”

“What matters to the CISO matters to IANS. Our clients constantly tell us that the ability to benchmark against peers is critical,” said Nick Kakolowski, senior research director of IANS. “We’re thrilled to deliver this research – it was especially interesting to learn that female CISOs earn seven percent more than male CISOs. We still have a ton of work to do to build a more gender-inclusive industry – just 45 of our respondents identified as female – but it’s great to see progress on the compensation side.”

The CISO Compensation Gap Runs Wide

In a separate report, IANS and Artico found that the distribution curve for total annual compensation shows a wide gap between top and bottom, with a $463,000 average and a $342,000 median. The broad range in total compensation reflects the diversity of the market: it includes CISOs at small firms in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors with established cybersecurity programs.

Which market trends contribute to the wide distribution in CISO pay? “Business continuity has become front and center in the last 18 months,” Mr. Martano said. “COVID-19, combined with the vast increase in widely publicized cyber breaches and ransomware attacks, forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing.”

“Prior to 2021, cybersecurity was increasingly a pressing topic in most board rooms,” said Mr. Martano. “The advanced attacks and costly public breaches and ransomware events over the last 12 to 18 months have increased the frequency and depth of those discussions. COVID-19 and the work-from-home trend have accelerated the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became front and center due to the prevalence of remote work.”

To read the full white paper, BENCHMARK INSIGHTS: State of the CISO Report, click here.

Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media
