Key Drivers of CISO Compensation

June 14, 2022 | By IANS Faculty

Last year, more than 500 CISOs participated in our CISO Compensation and Budget Study. This annual survey, developed in partnership with executive cyber recruiters at Artico Search, provides security and business leaders with a cross-industry overview of CISO compensation. 

In exchange for their time, participants in the survey received a series of benchmarking reports that featured detailed data sets and expert insights on CISO compensation and job satisfaction, along with key security staff compensation, security budgets and other organizational factors. 

This piece examines key trends we found in last year’s reports, along with guidance for how current and aspiring CISOs can earn higher salaries. 

CISO Compensation Benchmark Study Trends   

1. CISO Compensation Ran Wide

In 2021, survey responses showed a broad range of total compensation, reflecting diversity in the CISO market. This included CISOs at small firms in sectors with relatively immature cyber programs, as well as those at Fortune 500 multinationals in highly regulated sectors with established cybersecurity programs. 

Distribution curves for total annual CISO compensation showed a wide gap between top and bottom, with a small share of high earners’ total compensation reaching more than $1.5 million. 

On average, the CISO total compensation package was $463,000, with a median of $342,000. However, the top 1% of CISOs earn 20 times more than the bottom 1%.

2. Market Disruptions Contributed to the Compensation Gap 

Which market trends contributed to the wide distribution in CISO pay?  

Business continuity became front and center following the pandemic, and a number of widely publicized cyber events forced organizations to rethink and reprioritize their security programs. Some companies built out first-time programs, while others enhanced existing programs that were lacking in visibility and resourcing. 

Prior to 2021, cybersecurity was becoming a pressing topic in most board rooms. However, costly public breaches and ransomware events only increased the frequency and depth of those discussions. 

Remote and hybrid working environments have also accelerated the visibility of the CISO and the security apparatus, as endpoint security and vulnerability management became increasingly critical due to the prevalence of remote work. 

Major, high-profile breaches raised the CISO profile even further, as boards asked questions about preparedness and risk profiles for similar threat events. This heightened attention to cybersecurity broadly led sophisticated companies either to try to retain their existing CISOs to ensure continuity in their security programs, or to upgrade programs and leaders to keep up with an increasingly complex threat environment.

Amid a challenging talent market where demand still far outweighs supply, companies boosted incentives such as massive counteroffers and retention packages to keep security leaders they trust. Nearly 75% of companies that prepared CISO offers contended against one or more competing offers and/or strong counteroffers from candidates’ current employers. 

3. Company Size and CISO Compensation Were Positively Correlated

Firms with a market capitalization over $50 billion had total compensation averages that were more than double the average for privately held companies or for firms with a market cap of less than $50 billion (see Figure 1). Increased company size typically creates greater complexity within the security program.  

Figure 1: Larger Firms by Market Cap Pay More than Smaller Ones

Steve Martano, a partner at Artico Search, said, “Increased company size typically begets greater complexity within the security program. Understandably, larger-scale firms typically have more organizational layers in security, a wider scope of responsibilities and, consequently, larger budgets and teams.” 

4. Female CISOs Commanded a Market Premium 

Filtering the compensation data by gender revealed female CISOs out-earned their male peers by 5% for base compensation and 7% for total compensation (see Figure 2). What explained that difference? Males still dominated the security function, as evidenced by our respondent base, which was 88% male: 338 male versus 45 female CISOs.

Figure 2: Female CISOs Command a Market Premium

However, many companies require and/or strive to achieve diversity in their slate of candidates—CISO searches being no exception. This created more choices for female CISOs as well as opportunities to increase their compensation by taking on new roles. 

5. How CISOs Can Move to Higher Salary Levels 

What leadership traits and experience are required to move into higher levels at larger organizations?  

CISOs must have broad experience across multiple information security functions to move up into large organizations and roles. The journey to the CISO role takes time and different career tracks. High-level CISOs spent, on average, 14 years in information security, including eight in the CISO role. CISOs in the retail, healthcare, manufacturing and financial services sectors are generally more experienced than those in other sectors.  

Higher-level CISOs oversee more than just information security. CISOs at senior executive levels oversee multiple security and risk domains, including tech risk and compliance and product security.  

Prior to assuming the top security job, CISOs spend formative security years acquiring broad functional experience, typically coming up through the ranks in one of two prominent CISO career tracks. The first is the tech track, which is rooted in SecOps and often supplemented with IAM and application security. The other is a business risk track that starts with governance, risk management and compliance (GRC), and then converges with SecOps as the security leader continues to develop their career.  

Finally, leadership skills, relationship-building and business acumen, combined with the ability to communicate the security agenda clearly, are critical to CISO career advancement.

 

Take the 2022 CISO Compensation and Budget Survey


2022 CISO Salary Data 

Will female CISOs continue to tip the pay scales above their male counterparts? Will the top-to-bottom CISO salary spread gap remain as wide? Join hundreds of your fellow CISOs across the U.S. and Canada and take this year’s Compensation & Budget Survey.

Survey respondents will receive a series of in-depth reports featuring new takeaways, uncover a wealth of insights and find valuable leadership guidance to fine-tune their current role, department and career path.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

