Last year, more than 500 CISOs participated in our CISO Compensation and Budget Study. This annual survey, developed in partnership with executive cyber recruiters at Artico Search, provides security and business leaders with a cross-industry overview of CISO compensation.
In exchange for their time, participants in the survey received a series of benchmarking reports that featured detailed data sets and expert insights on CISO compensation and job satisfaction, along with key security staff compensation, security budgets and other organizational factors.
This piece examines key trends we found in last year’s reports, along with guidance for how current and aspiring CISOs can earn higher salaries.
In 2021, survey responses showed a broad range of total compensation, reflecting diversity in the CISO market. This included CISOs at small firms in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors with established cybersecurity programs.
Distribution curves for total annual CISO compensation showed a wide gap between top and bottom, with a small share of high earners’ total compensation reaching more than $1.5 million.
On average, the CISO total compensation package was $463,000, with a median of $342,000. However, the top 1% of CISOs earn 20 times more than the bottom 1%.
Which market trends contributed to the wide distribution in CISO pay?
Business continuity became front and center following the pandemic, and a number of widely publicized cyber events forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing.
Prior to 2021, cybersecurity was already becoming a pressing topic in most board rooms. Costly public breaches and ransomware events only increased the frequency and depth of those discussions.
Remote and hybrid working environments have also raised the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became increasingly critical with the prevalence of remote work.
Major, high-profile breaches raised the CISO profile even further, as boards asked questions about preparedness and risk profiles for similar threat events. This heightened attention to cybersecurity broadly led sophisticated companies to attempt to retain their existing CISOs to ensure continuity in their security programs, or to upgrade programs and leaders to keep up with an increasingly complex threat environment.
Amid a challenging talent market where demand still far outweighs supply, companies boosted incentives such as massive counteroffers and retention packages to keep security leaders they trust. Nearly 75% of companies that prepared CISO offers contended against one or more competing offers and/or strong counteroffers from candidates’ current employers.
Firms with a market capitalization over $50 billion had total compensation averages that were more than double the average for privately held companies or for firms with a market cap of less than $50 billion (see Figure 1). Increased company size typically creates greater complexity within the security program.
Steve Martano, a partner at Artico Search, said, “Increased company size typically begets greater complexity within the security program. Understandably, larger-scale firms typically have more organizational layers in security, a wider scope of responsibilities and, consequently, larger budgets and teams.”
Filtering the compensation data by gender revealed female CISOs out-earned their male peers by 5% for base compensation and 7% for total compensation (see Figure 2). What explained that difference? Males still dominated the security function, as evidenced by our respondent base, which was 88% male: 338 male versus 45 female CISOs.
However, many companies require and/or strive to achieve diversity in their slate of candidates—CISO searches being no exception. This created more choices for female CISOs as well as opportunities to increase their compensation by taking on new
What leadership traits and experience are required to move into higher levels at larger organizations?
CISOs must have broad experience across multiple information security functions to move up into large organizations and roles. The journey to the CISO role takes time and different career tracks. High-level CISOs spent, on average, 14 years in information security, including eight in the CISO role. CISOs in the retail, healthcare, manufacturing and financial services sectors are generally more experienced than those in other sectors.
Higher-level CISOs oversee more than just information security. CISOs at senior executive levels oversee multiple security and risk domains, including technology risk, compliance and product security.
Prior to assuming the top security job, CISOs spend formative security years acquiring broad functional experience, typically coming up through the ranks in one of two prominent CISO career tracks. The first is the tech track, which is rooted in SecOps and often supplemented with IAM and application security. The other is a business risk track that starts with governance, risk management and compliance (GRC), and then converges with SecOps as the security leader continues to develop their career.
Finally, leadership skills, relationship-building and business acumen, combined with the ability to communicate the security agenda clearly, are critical to CISO career advancement.
Take Our Annual CISO Compensation Survey
Will female CISOs continue to tip the pay scales above their male counterparts? Will the top-to-bottom CISO salary spread gap remain as wide? Join hundreds of your fellow CISOs across the U.S. and Canada and take this year’s Compensation & Budget
Survey respondents will receive a series of in-depth reports featuring new takeaways, a wealth of insights and valuable leadership guidance to fine-tune their current role, department and career path.