For CISOs, building and refining the cybersecurity organization is an ongoing responsibility and includes the timing of new functional leadership hires of the caliber befitting of their security agenda. Challenges are common for CISOs making org and staffing
decisions for a dynamic organization influenced by market conditions, growth objectives, acquisition strategies and regulatory changes.
In this piece, we're highlighting findings from our 2023 Security Organization and Compensation Benchmark Report around security org design across different revenue milestones to help CISOs make more informed decisions about hiring for key functional leadership roles.
This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 660 CISOs on org design and compensation for seven—dedicated and full-time—security
functional leader roles, one level down from the CISO.
Security Org Design Characteristics Across Three Revenue Segments
In general, there is a positive correlation between revenue size of the overall organization and size and complexity of the cybersecurity organization.
Survey respondents were grouped by the size of their company which identified common elements of their security teams and org structure. That resulted in three distinct org designs, each with a corresponding annual revenue range, as laid out in Figure
1.
Org Design Differences by Revenue
Differences in organizational design appear at various stages of growth—measured in annual revenue and focused on the management layer of the cybersecurity organization that reports to the CISO. The org charts below are based on survey responses
from 660 CISOs about leadership positions in their management teams (see Figure 2).
An industry-agnostic cybersecurity management org chart shows that:
- At $100 million in annual revenue, between a quarter and half of CISOs indicate they have leadership positions in their org for one or more of the functions SecOps, GRC, A&E and product security.
- At the next revenue milestone, $500 million, the presence of leadership positions for SecOps, GRC and A&E grows to between 50% and 74% of CISOs.
- The head of SecOps role is the first role that’s a standard fixture, generally at the $1 billion revenue milestone. At the $10 billion threshold, the same is true for GRC and A&E.
- At $25 billion, most companies also have a head of AppSec and a deputy CISO.
Security Org Design Recommendations
Understand what top security talent costs vs. your budget
We encourage CISOs to use the combination of org designs and comp benchmarks so that as they identify key roles they need to fill as their organization matures, they can quickly assess budget implications.
Steve Martano, partner in Artico Search advises that: "When going to market to fill a key leadership position, CISOs should know how much highly regarded top talent costs. They can then make informed decisions regarding trade-offs between comp and experience/skill
set."
Understand the company’s strategic direction
In addition, CISOs need to be forward-thinking in considering the strategic direction of the wider organization. This includes discussions in the boardroom and having a pulse on leadership’s strategy related to company organic growth plans and acquisitions.
Research-backed data like this is not only helpful for CISOs to use it as input into their org design and hiring decisions but also in benchmarking how their security org structure compares to their industry peers.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, conducts a survey of CISOs across the U.S. and Canadas on CISO compensation, security budgets, key security staff compensation and job satisfaction.
The findings from this survey are published in a series of in-depth reports that feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, budget, department and career path.
Download our 2023 Security Organization and Compensation Benchmark Report - the third in our 2023 series of reports – for additional insights and data for functional leaders within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.