Pink Slips To Million Dollar Salaries: Are CISOs Underappreciated Or Overpaid?

Recruiting Fortune 500 Chief Information Security Officers

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Aug. 10, 2020

Chief information security officers may have been best known for being thrown under the bus in the aftermath of a data breach. Now they’re making a reputation for themselves as tech’s most wanted, and highest paid. And rightfully so.

Cybercrime Magazine recently caught up with Jeremy King, president and founder at Benchmark Executive Search, for a discussion about CISOs at the world’s largest companies.

It used to be that a cyberattack was a CISO’s worst nightmare, and a sure-fire sign that a pink slip would follow.

In 2020, it’s a fact that every company has been hacked (or will be). Major corporations globally, with the help of law enforcement and private sector cyber defenders, have come to the realization that it’s not the CISO’s fault, and ousting one will only open up another can of worms — namely recruiting a replacement in a highly competitive market that is suffering through a severe workforce shortage.

Instead, CISOs are being heralded for their ability to plan for the worst, and to react calmly, legally, methodically, and swiftly, in response to cyber intrusions.

Compensation

“Money, of course, is something that every CISO wants to hear about,” says King, a serial connector in the cybersecurity space, and a board member for several non-profit organizations related to our field.

Some Fortune 500 and Global 2000 corporations are giving their information security head honchos — oftentimes those with military backgrounds — seven-figure pay packages.

One company paid a $3.89 million annual salary to fill its CISO position. The Los Angeles Times reports that big companies are paying big bucks to their top cyber fighters.

Another company paid a $650,000 salary to fill its CISO role in 2012, and last year they bumped the pay up to $2.5 million for a new recruit in the same position.

In 2016, annual CISO compensation in the largest U.S. cities was topping out at between $380,000 and $420,000. Cybersecurity Ventures has observed a gradual uptick of those figures, and we expect to see an increase in the number of organizations that will move the needle to the $500,000 to $1 million range over the next five years.

ROI

If a $1 billion company suffers a breach resulting in a $700 million post-hack market valuation, then how much less is their CISO worth?

What about a CISO who prevents such cyber catastrophes from happening in the first place — how much more is she or he worth?

These are the types of questions that King asks, and that C-suite executives and HR chiefs are well-advised to be answering for themselves.

King believes that over the next several years we’ll be seeing more large organizations dishing out 7-figure pay packages to “A-players” who get A-results. Now even boardroom executives and shareholders are concerned with the possibility of a cyber intrusion that can lead to a plummeting stock price.

Org Chart

Cybersecurity Ventures forecasts that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by the end of 2021 (up from 70 percent in 2018), although many of them will be unfilled due to a lack of experienced candidates.

“We may see the CISO position mandated,” says King. If that comes to pass, then the big concern is placing unqualified candidates into the positions. Every big company wants the best CISO, but there aren’t enough even of the mediocre players to go around.

There’s also the issue of who should be taking attendance of the CISOs. King points out that there is no clear-cut place for security leaders on the org chart. Who they report to varies by company and it can be the chief compliance officer, the chief information officer (CIO), or the chief legal officer.

While the idea of elevating the CISO role to new heights and rebranding them as chief risk officers or chief resilience officers (CROs) who report directly to the CEO is a nice one, the market doesn’t seem ready for it. King, however, is eagerly awaiting the emergence of these new executive roles, and he fully expects it to happen at one point.

Military Experience

“A lot of large enterprise CISOs come from the (U.S.) military. They have a longer track record of protecting data, or the new oil,” says King, referring to a statement from IBM’s former chairman and CEO Ginni Rometty:

“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true — even inevitable — then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” 

A recent study by Cybersecurity Ventures calculated 13 percent of Fortune 500 CISOs served in the U.S. military. Altogether, 66 alumni of the United States Armed Forces currently serve as CISOs for the largest companies in the U.S.

If data becomes so important that it’s the lifeblood of an organization, then companies will spare no expense in hiring the best person for the CISO job. Cybersecurity Ventures expects this will lead to an uptick in the number of security professionals with military backgrounds being placed as Fortune 500 and Global 2000 CISOs.

King notes that military personnel with substantial cybersecurity experience will see a 2X to as much as 5X bump in pay when they switch over to the private sector. But, it’s not about the money for these women and men. “It’s about the mission of protecting companies related to national security — there’s a passion that never leaves them — it’s in their blood,” he says.

Turnover

Turnover is rampant when it comes to chief information security officers at the largest companies in the U.S.

The average tenure for CISOs has been estimated at 18 to 26 months by various sources. By comparison, the average tenure for a CIO at the top 1,000 U.S. companies is 54 months, according to Korn Ferry.

What explains the CISO merry-go-round at large enterprises?

“The demand is so high and the job is so darn tough,” says King. “The stress level is off the roof because a CISO can be right 99 out of 100 times, and a cybercriminal only has to be right once.” And when the cybercriminal is right, it can be front-page news.

Being in the news is not good for a CISO’s career, or resume. At least not if they’re captaining the ship when their organization suffers a high profile cyberattack or data breach.

If you’re a security leader who gets the budget, invests it, and still has the same persistent threats, then it’s going to be a very stressful job. “When they (CISOs) quit for no apparent reason, it’s usually personal,” says King.

Recruiting

It’s predicted that there will be 3.5 million unfilled cybersecurity jobs by 2021 — enough to fill 50 NFL stadiums. This is up from a previous estimate of 1 million cybersecurity openings in 2014.

The broader labor crunch aside, it’s the smaller number of unfilled CISO positions that pose the greatest cyber risk. And the talent supply is so thin that deputy CISOs — the number twos as King calls them — are being lured away by headhunters in order to fill the number one positions.

CISOs also have their own teams to recruit and retain, which is perhaps their most difficult challenge of all.

Whether you think CISOs are underappreciated or overpaid, the times are a-changin’, and it’s a good time to be one.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Sponsored by Benchmark Executive Search

Benchmark Executive Search is a boutique executive search firm with over seventy years of CxO, VP, GM and Board level executive search experience working with companies providing technology (hardware, software, infrastructure and services), cybersecurity, systems engineering and scientific products and services to the federal and commercial markets.

We specialize in working with startup, emerging-growth and mid-cap companies interested in entering or expanding their presence in the federal market with game-changing technologies and innovative services. With a deep understanding of the government acquisition process and a collaborative approach to networking, our clients trust us with their most sensitive, confidential and mission-critical searches and benefit from our unique access to an elite talent pool.