Digital transformation (DX) is in full swing in many organizations, which are adopting more and more cloud solutions, enabling more mobile connections, activating a much broader swath of Internet-of-Things (IoT) devices, and embracing DevOps. With security as a critical linchpin in DX, the role of the CISO is quickly changing. No longer is the CISO seen as a technologist who oversees a tactical swath of security technologies in the back office. Instead, the CISO must be a business enabler—ensuring that their cybersecurity deployments enable rather than inhibit all of these DX initiatives.
As salary and outcomes often coincide, it is not a big surprise that Robert Half finds that those organizations paying their CISOs at higher rates than peer organizations deliver better business performance. And salaries are not static; CISO salaries have increased 33% since 2015, which tops that of every other technology executive—CIOs, CTOs, et al. In just the past year, CISO salaries increased over 12%.
Other sources even substantiate that CISOs are taking home far more, with some salaries eclipsing the sky-high earnings of formidable CEOs! For example, Joyce Brocaglia, the CEO of boutique cybersecurity recruiting firm Alta Associates and founder of the Executive Women’s Forum, notes, “I know a handful of CISOs who are breaking the million dollar mark in terms of total compensation, and the majority of our searches for CISOs are for between $300,000 to $500,000.”
A 2017 IT salary survey study by Computerworld corroborates Brocaglia’s claim, pegging CISO salaries somewhere between $200,000 and $500,000.
Some might find this massive increase as well as the large variance between minimum and maximum salaries confounding. But Brocaglia, who has been placing CISOs since she helped Citigroup build their first-ever cybersecurity team after the 1994 Russian hack, chalks it all up to a confluence of factors, chief among them the nature of the role itself in terms of scope and responsibilities and maturity of that function. She explains:
“What we see today in terms of salaries for CISOs is that the salaries vary almost as much as the roles themselves. Some companies are hiring first-time CISOs who need to be able to roll up their sleeves and build a team; others are looking for a new CISO who will be elevated as compared to the last in terms of executive presence, the ability to put together a stronger strategy, and the know-how to ratchet up the security program; and then there are very established organizations with massive cybersecurity departments looking to backfill a role.”
Geography, as is the case with almost every other sphere, also affects earnings. A report by Security Current found that CISOs in the western U.S. earn the most out of the four primary geographical regions in the U.S. (an average salary of $290,750), while those in the southern U.S. earned the least (an average salary of $199,975).
Similarly, company size and industry can inflate projected income immensely. For example, ransomware attacks that incapacitate a high-stakes healthcare business not only compromise the data integrity of patient records but also put lives in danger (as was the case with a successful attack in 2016). And the financial sector, which must withstand 65% more attacks than any other industry, shoulders significantly more risk than the manufacturing or hospitality industries. Accordingly, organizations in these verticals will likely have more budget allocation for a high CISO salary than, say, a retail entity.
Finally, and arguably the primary change agent ballooning CISO compensation and stretching out the salary band, is the fact that CISOs are more and more often directly reporting to senior leadership—specifically, the CEO or the board of directors. This translates to 36% higher salaries on average, compared with those who report directly to chiefs in finance, operations, information, and technology.
One of the outcomes of this transformation in reporting structure is that, as noted above, the CISO is no longer seen as a technologist but rather as a business enabler. Fortinet found in an analysis of CISO hard and soft skills that employers are increasingly writing job descriptions that delineate business (or soft) skills versus technology experience.
Brocaglia comments: “When we began recruiting, we used to search for the most technical person. But now we find ourselves replacing those people with the leaders who have a much broader sense of cybersecurity, risk, and privacy.”
Whereas CISO responsibilities in the past—as evidenced in job ads—were primarily tagged to endpoint protection, basic firewalling, and threat detection, many of those today are much more strategic—risk management, incident response and event management, and measurements in language that makes sense to the business.
CISOs also no longer have a well-defined “swim lane” with limited interactions across and between different departments. And these conversations are in the lingua franca of the business, not that of technology. Thus, for example, rather than speaking about the number of endpoints covered and attacks blocked, the CISO must speak about tangible risk outcomes, the ROI of security investments, and the potential financial and brand implications of vulnerabilities.
In addition to the business transformation challenges facing the CISO, the threat landscape presents similar challenges. A forthcoming State of the CISO Report by Fortinet finds that 81% of organizations experienced at least one successful intrusion in the past year, with over half indicating they had three or more. Almost half said these resulted in operational outages that impacted productivity, with 44% noting brand degradation and 41% saying it affected revenue. A concerning 32% indicated the intrusion put the safety of employees and others at risk.
In response, governments and industries have passed new regulations such as the European Union’s General Data Protection Regulation (GDPR) while ratcheting up existing regulation. Boards of directors and CEOs are also mandating adherence to security standards such as those from the National Institute of Standards and Technology (NIST), along with regular tracking and reporting of security measures based on those standards.
All of these factors are helping to drive CISO compensation northward. The legacy CISO profile, including the traditional development funnel that produces it, is based almost exclusively on security technology. But what many organizations seek in a CISO today are not those skill sets—at least in terms of primary requirements—but rather business skills and acumen. As the pool of CISO talent with these skills and experience is limited, the law of supply and demand takes effect.
Business and cybersecurity leaders who think this scenario only applies to the Fortune 500 are mistaken. More and more companies are putting higher gravitas into the CISO role and expecting to pay more as a result.
There is a higher demand for CISOs as well. For example, just two years ago, only half of medium-sized and large enterprises reported having a CISO executive role. Today, that number has grown to 65%. And considering that the CISO role was largely nonexistent 15 or 20 years ago, this is a huge accomplishment. This contributes to great difficulties in finding and hiring qualified CISOs. In a survey we conducted during a recent webinar, 43% of respondents, an audience composed of cybersecurity professionals, revealed that it takes them an average of more than 80 days to fill a cybersecurity opening, and over 60% say it takes 40-plus days.
There is more demand to fill a role where success is increasingly challenging to achieve.
Thus, it is not a surprise to find that two-thirds of organizations say they do not have a sufficient number of workers to cover all of their cybersecurity requirements. And the same study predicts a cybersecurity workforce shortage of 1.8 million by 2022.
So, for CISOs seeking to leverage this supply-and-demand scenario to their advantage, what are some of the strategies they can employ to land themselves a great compensation package?
A critical starting point is to understand that many of the skills often cited in the past as critical to the CISO role likely do not carry as much weight today. Notably, while the skills and requirements associated with lower-level cybersecurity roles have experienced a gradual evolutionary change, the capabilities companies expect from the CISO have undergone a more revolutionary shift.
“It’s no longer just a technical job; it’s really a business job,” Brocaglia emphasizes. “Senior leaders now need to understand the impact their work has on the bottom line and the stock price of the corporation.”
Robert Half Technology Executive Director Jeffrey Weber seconds this notion, explaining that, “The CISO has to demonstrate the technical savvy needed to address security requirements as well as the executive presence needed to convey the business impact and drive enterprise decision making.”
That means that while preventing, detecting, and responding to cybersecurity threats, in addition to ensuring compliance with government and industry regulations, are still essential CISO activities, other activities are also important. Thus, for example, a CISO in this new realm of security must be able to reach across business functions to align security initiatives with business priorities, translate security vulnerabilities and risk into language the board of directors and C-suite understand, and educate and engage nonsecurity and IT stakeholders on security matters.
These new business-centric expectations require CISOs to break down silos and act as a bridge, areas of ability that are often touted as soft skills. For example, in the aforementioned skills gap study, half of the top 10 skills most often cited by employers are soft skills.
Figure 2. Derived from "The CISO Ascends From Technologist to Strategic Business Enabler," Understanding the Cybersecurity Skill Shortage: An Analysis of Employer and Job Seeker Skills and Occupational Demographics, Fortinet, August 2018.
From a hard skills perspective, risk management is far and away the most desired skill, followed by capabilities related to policy, training, compliance, and incidents. On the other hand, leadership tops the soft skills list, which is unsurprising given the marked strategic emphasis now attached to the CISO role. Collaboration, communication, and planning were also included on more than 50% of job ads.
Brocaglia, who chuckles at the notion that these types of skills are viewed as softer, recommends that current and aspiring CISOs who want to secure a higher salary do some serious internal questioning along the lines of “how good are my skills, where are my weaknesses, and where can I improve?”
And if CISOs find they are too technically focused and there is a need to increase emotional intelligence and the ability to present at the executive level, then she advises finding a mentor, sponsor, or executive coach who can help develop these now integral abilities.
CISOs who do embody the highly desirable technologist-business strategist combination should not assume that their skill set will automatically beget an equally desirable package.
However, and as Weber emphasizes, “CISOs who can demonstrate both the technical and business experience can drive total compensation discussions.” He recommends that CISOs negotiate variable compensation in their package based upon achievement of business results and goals as strong security processes enable growth and opportunity for the enterprise.
Brocaglia also cites annual performance bonuses, tied both to individual and company achievement, as a common CISO package inclusion. She also suggests sign-on bonuses, restricted stock units that vest over a three-year period, and buyout for any money left on the table in case the CISO leaves a company mid-year to join another.
Most importantly though, it is essential to be both realistic and creative when negotiating at the executive level. Some of the compensation areas that CISOs may want to negotiate include:
Regarding the former, CISOs need to understand the factors detailed previously in this article that affect CISO salary and use that information as well as financial reports and projections to pinpoint the competitive market value of a position of interest. Plus, as Brocaglia notes, CISOs (and any professionals for that matter) need to know that certain laws forbid organizations to inquire about earnings history. This can be a double-edged sword for CISOs. While CISOs are no longer shackled to their previous salaries in negotiations, they must also come prepared to justify their worth with documented evidence.
As far as being creative, if a company has a rigid salary band that does not align with market value, CISOs should investigate where they do have flexibility and try to find value in those areas. Some other common out-of-the-box, executive-level perks include membership access, air and car travel, legal services, supplemental insurance, and even interest-free loans for a home purchase.
And finally, as any career coach would encourage even the most junior-level employee to do, CISOs should not be afraid to ask for something additional. The CISO salary band is wide and growing as the importance of the CISO rises and the demands of the position increase. Indubitably, in today’s ever more insidious threat landscape, the role is only going to become more complex—and those up for the challenge should be able to reap the rewards.