Benchmark Report Preview: InfoSec Org Design

December 20, 2022 | By IANS Research

CISOs recognize the need to keep pace as their organizations grow because, with expansion, come greater complexity and a need to scale the security team. Challenges around organizational structure and design – which functional leaders to hire and when – are common among CISOs at fast-growing companies.

In this piece, we're highlighting findings from our 2022 Security Organization and Compensation Benchmark Report around security org design across different revenue milestones to help CISOs make more informed decisions about hiring for key functional leadership roles.

This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 520 CISOs on org design and compensation for seven dedicated, full-time security functional leader roles, one level down from the CISO.


Best Practices in Security Org Design 

As changes occurred within the organization, CISOs adjusted security teams accordingly to add key security positions. CISO survey respondents provided data on how they have designed their security leadership roles along with their organization’s revenue. We analyzed this data at six different revenue milestones.

Steve Martano, co-founder at Artico Search, recommends how CISOs should use the org designs in the report. “While we recognize that not every organization creates the same leadership positions at the same milestones as their industry peers, we identified the 75% threshold as a reasonable guideline for best-practice org design. In other words, when 75% or more of CISOs in the sample indicate they have a dedicated functional leadership position in their org chart, CISOs should consider that to be industry standard.”

Security Org Design by Company Revenue 

Our data found that the first leadership roles that emerge in security orgs are typically the head of SecOps and the head of GRC. As companies pass the various revenue milestones, a growing share of CISOs have these two roles in their org.

The next most common role is the head of architecture and engineering. At the $5 billion revenue milestone, more than half but less than 75% of companies in our sample have this role. 

The head of Product and/or AppSec is a newer function and more common in tech companies. It is only at the $10 billion revenue mark that more than half the CISOs report having this function in their org. 

Deputy CISO roles are found mostly in large companies. At the $5 billion revenue stage and beyond, up to 49% of CISOs have a Deputy CISO complementing the rest of the CISO leadership suite. In contrast, less than 25% of CISOs have this role at the $100 million to $1 billion revenue milestones (see Figure 1).

Figure 1: Security Org Design at Revenue Milestones

Security Org Design Recommendations 

CISOs are encouraged to compare their org designs against those in the report and assess when they should consider adding new leadership roles, given the revenue growth trajectory of their company as well as their company’s security posture.

Our data does not consider security leaders with responsibilities over multiple functional domains, such as an individual who leads both SecOps and architecture and engineering. 

Steve Martano advises: “Assigning responsibilities over multiple security functions to a leader is a recipe for dissatisfaction. If an org has one individual leading multiple pillars of security, such as architecture and engineering and an in-house security operations function, then that individual will likely get overwhelmed, feel they are not positioned for success, and become ripe for poaching by competing firms prepared to offer a more focused set of responsibilities and, likely, a bigger paycheck.”

Research-backed data like this is helpful to CISOs not only as input into their org design decisions but also for benchmarking how their security org structure compares to that of their industry peers.

CISO Compensation & Security Budget Benchmark Reports 

Each year, IANS, in partnership with Artico Search, conducts a survey of CISOs across the U.S. and Canada on CISO compensation, security budgets, key security staff compensation and job satisfaction.

The findings from this survey are published in a series of in-depth reports that feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, department and career path.

Download our 2022 Security Organization and Compensation Benchmark Report – the third in our 2022 series of reports – for additional insights and data for functional leaders within the security organization. 
