One of CISOs’ core responsibilities is designing a security organization that supports the needs of the business. The structure of the information security function broadly reflects where a company is in its security journey, which, in turn, is determined by the company’s size and complexity as well as its industry and corresponding cyber maturity.
For CISOs, org design entails decisions about the formation and evolution of their leadership team and the acquisition and retention of leadership talent.
In this piece, we're highlighting findings from our 2022 Security Organization and Compensation Benchmark Report around compensation to help CISOs in their organizational decisions and in talent recruitment.
This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 520 CISOs on compensation for seven dedicated, full-time security functional leader roles, one level down from the CISO.
Total Compensation for Key CISO Staff Roles is over $300,000
Data from our CISO respondents found that for the seven leadership roles, the average cash compensation (base salary plus bonus) is $262,000 with a median of $226,000. The average annual total compensation (cash compensation plus equity value) is $301,000 with a median of $245,000.
The median amounts for both cash comp and total compensation are lower than the averages. The reason is that a small share of high earners at the director level or above, averaging 80% ahead of other staff, pull up the average for the entire sample. The Deputy CISO role has the highest total annual compensation at $382,000, nearly 30% above average.
Steve Martano, partner at Artico Search, highlights the specifics of the Deputy CISO role and its high comp relative to other leader roles: “Above-average compensation for the Deputy CISO role stems from the fact that this is a succession planning role. Further, it is more common at large firms, where compensation is higher than at small firms.”
Current State of Hiring in Cybersecurity
Effective security programs depend on having the right functional leaders in place to support the demands of the business. Hiring and retaining leaders is often linked to CISO compensation and performance bonuses. It follows that CISOs have not only a personal incentive to hire and retain top staff but a financial one as well.
Matt Comyns, co-founder and president, and Steve Martano, partner in Artico Search, see four themes dominating the hiring of cyber leadership talent:
- Nearly all CISOs struggle with recruiting a complete leadership team: Filling vacant roles typically takes a painful two-to-four months, resulting in the CISO and team members working double-duty.
- Demand greatly outweighs talent supply: Current hiring market conditions are extremely challenging with candidates fielding multiple competitive offers which include signing bonuses and hefty equity grants.
- Attrition is high and tenures are low: High talent competition levels drive volatility and transience as CISOs often bring their key staff along when changing employers.
- CISOs are making moves for 30% to 50% increases: By changing employers, CISOs add an average 36% to their total compensation which continues one level below with staff increases around 40%.
Compensation Levels to Hire and Retain Top Cybersecurity Talent
We used respondents’ data to compare the overall average with the top 25% and top 10% functional leadership compensation averages. The average top 25% annual cash compensation in the sample is $426,000, roughly 60% above the $262,000 overall average. Total compensation in the top 25% averages $540,000, nearly 80% higher than the $301,000 average for the entire sample.
To attract and keep top talent with the experience of leading mature cyber program functions, CISOs should focus on paying rates in the top quartile comp brackets to gain a recruiting and retention advantage.
Research-backed data like this helps CISOs not only retain and hire top staff but also benchmark how their security org structure compares with that of their industry peers.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, key security staff compensation and job satisfaction.
These in-depth reports feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, department and career path.
Download our 2022 Security Organization and Compensation Benchmark Report, the third in our series, for additional insights and data for functional leaders within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.