The role of the chief information security officer (CISO) is undergoing a tectonic shift.
The first generation of CISOs were high-performing technical professionals promoted to senior leadership. They largely reported to CIOs, and had limited authority in business decisions.
Today’s most progressive CISOs are business-savvy, strategic drivers of growth. They’re responsible for reporting to CEOs or even directly to the Board, and they’re shaping cyber policy across entire organizations.
While the median CISO salary may be just under $200k, the average CISO salary at Fortune 500 companies is likely much higher. Unfortunately, CISO salaries rarely appear in proxy statements, so they’re not readily available, even for publicly traded companies.
However, there is some information available on Fortune 500 CIO salaries, which range from just above $200k to over $700k before bonuses, stocks, and options. Because CISOs still tend to fall beneath CIOs in the org chart, their salaries will likely sit in the low to middle part of that range on average.
Of course, industry, location, and level of experience will all affect a cybersecurity executive’s salary.
CISO salary factors to consider
So there’s a pretty wide range of CISO salaries. Because the role is actively shifting, there’s a pretty wide range of CISO job requirements too.
If you’re being offered a position or vying for a raise, how can you determine whether you should be in the low or high end of that range? In addition to obvious factors like experience and company size, there are a few external factors to consider.
One of the first questions a prospective CISO should ask is “Who will I report to?”
Because CISOs are relatively new entrants to the C-suite, many organizations are still figuring out exactly where they should sit in the org chart.
Across different organizations, CISOs may report directly to the CIO, the CFO, the chief risk officer (CRO), the CEO, or even straight to the Board.
In 2020, more CISOs will move away from reporting to the CIO, CFO, or CRO, which can limit their ability to effectively secure the organization, and start reporting directly to the CEO or Board, especially in heavily targeted industries like finance and healthcare.
Experts from financial services infosec organization FS-ISAC support this shift, stating that “free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making.”
Generally speaking, the higher up in the org chart the CISO sits, the higher their compensation should be. A CISO reporting to a CEO is likely to be responsible for far more strategic decision-making than a CISO reporting to a CIO, and with that additional risk and responsibility should come additional reward.
Stress and burnout
CISOs and prospective CISOs should carefully consider job stress when entering salary negotiations.
The CISO position is notoriously stressful; a recent survey focusing on CISO stress found the following:
91% of CISOs say they suffer from moderate or high stress
88% work more than 40 hours per week
26.5% say job stress impacts their physical or mental health
Burnout is a very real phenomenon among CISOs, and without major changes, the stress of the job is likely to increase as the cyber risk landscape becomes more complicated.
CISO burnout is caused by a variety of factors, including a disconnect between the expectations of leadership and the requirements of the role. Some 86% of CISOs believe security breaches are inevitable, yet many CISOs still take on an outsized responsibility for data breaches, and 33% of CISOs said they would be fired or disciplined if a significant breach occurred.
While the business community is (hopefully) moving toward more reasonable, realistic expectations for cybersecurity leaders, CISOs should still assess the risk to their health and wellness when determining whether a compensation package is fair.
An opportunity for growth
The CISO role has changed dramatically, but the transformation isn’t over yet. If history is any indicator, the CISO of the future is likely to be more strategically focused, more growth-driven, and to hold more authority than even the most progressive CISOs in 2020.
So while there are downsides associated with CISO positions, there are also opportunities. CISOs who can deliver on the promise of cybersecurity transformation will be in the best position to seize these opportunities and multiply their success.