Boston, MA – October 10, 2023 – Today, IANS Research and Artico Search released their 2023 CISO Compensation Benchmark Report, an annual research study that analyzes detailed compensation data across industries and ownership structures. This year, over 600 Chief Information Security Officers (CISOs) and other security executives provided data.
Amidst a challenging macroeconomic environment, organizations are dialing back security budgets, with a moderate impact on CISO salaries. The most recent average CISO total compensation increase was 11%, down from 14% the previous year. This year, 20% of CISOs did not receive a raise, double that of a year ago, while the share of CISOs with bigger retention bonuses and equity packages also declined to 12% (from 21%) and to 8% (from 24%), respectively.
“At a macro level, CISOs had a good year as significant compensation increases continued despite a challenging economic environment,” stated Nick Kakolowski, Senior Research Director at IANS. “On closer inspection, we’re seeing CISOs getting elevated in the business, taking on a larger scope and being exposed to increased liability. Commensurate compensation increases aren’t extending into the middle and lower quartiles of the market. We expect CISOs to seek change as a result – something evidenced in 75% of respondents saying they are considering a job change in the next 12 months.”
For the last three years, financial services and technology firms have remained among the top three highest-paying industries for total compensation. In 2023, financial services CISOs reported a total annual average compensation of $728,000, with technology CISOs reporting $678,000. Legal and manufacturing CISOs have the lowest total compensation, averaging $550,000. CISOs working on the US West Coast lead the country with $628,000 in total compensation due to their significantly higher equity packages.
Other key findings:
● A majority of CISOs earn below $400K or above $700K, with a minority in the middle. Only 6% of respondents earn between $500,000 and $600,000, with 8% between $600,000 and $700,000, while 52% earn below $400,000 and 20% earn over $700,000.
● A strong technical background pays more than a business risk management background. CISOs with a tech-leaning background earn approximately 15% higher total compensation than those with a more GRC-leaning background. The highest-paying combination of proven skills is a technical background that includes product security or application security. These CISOs average total compensation of $700,000.
● With fewer job openings, there was less employment change. As companies tightened spending on recruiting and froze hiring, there was a steep decline in movement. Only 12% reported changing jobs in the last 12 months, compared to 21% in 2022.
“More than one-third of security budgets are typically dedicated to staff compensation, so when budgets are tightened, it has an effect on CISO compensation. Though we’re still seeing an overall increase in CISO pay, the trends we saw in recent years of high retention packages and large-scale market-adjusted bumps in pay are becoming less common,” stated Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice. “Additionally, with less movement in the market, we’re seeing fewer CISOs landing large-scale pay increases by changing companies. Until the market opens up with more options, we recommend that CISOs work on their marketability by strengthening their personal brand, elevating their competence in business acumen and their executive presence to position themselves strongly with prospective employers.”
For more insights, please download the summary report.
IANS Research and Artico Search fielded their fourth annual CISO Compensation and Budget survey in April 2023. From April until August, the organizations received survey responses from more than 600 security executives from companies that varied by size, location, and industry in the US and Canada.
Founded in 2021, Artico Search’s team of executive recruiters focuses on a “grow and protect” model, recruiting senior go-to-market and security executives in growth venture, private equity, and public companies. Artico’s dedicated security practice delivers CISOs and other senior-level information security professionals for a diverse set of clients.