In this piece, we're highlighting findings from our 2023 Security Organization and Compensation Benchmark Report around functional leadership compensation to help CISOs in their organizational decisions and in talent recruitment.
This edition of the annual survey, jointly fielded with Artico Search, featured objective data from over 660 CISOs on compensation for seven dedicated, full-time security functional leader roles one level below the CISO.
CISOs’ Hiring Needs for Functional Leadership Roles
Data from our CISO respondents found that, across sectors, roughly 15% are at or approaching a revenue milestone that warrants the addition of a head of SecOps to their security organizations, based on what is typical for their peer group.
Another 4% of CISOs indicated that the SecOps leader role already exists in their org charts but is currently vacant and a critical need to fill. That makes a total of 19% of CISOs looking for a head of SecOps in the immediate or near future.
For 15% of CISOs, a head of AppSec is a likely or critical hire, followed by 13% for a head of IAM. For the deputy CISO and product security leader, the share of CISOs with hiring needs is lower at 5% and 3%, respectively (see Figure 1).
Security Functional Leadership Total Comp Range Averages $523K
CISOs’ hiring and retention strategies generally revolve around recruiting and keeping the best talent. For this, they focus on top-quartile comp rather than the median or average market rates.
Survey respondents provided compensation data for cybersecurity leader roles in the U.S., from which the median, top 25% and top 10% ranges were calculated for analysis. Compensation packages that did not include annual equity were excluded.
The top 25% range for total leadership comp starts at $407,000 and has an average of $523,000. The top 10% average is $640,000. For the deputy CISO, the head of product security and the head of A&E, the top 10% figures exceed $700,000.
The heads of SecOps, GRC and AppSec in the sample have top 25% averages for total compensation just shy of $500,000 (see Figure 2).
Matt Comyns, co-founder and president of Artico Search, provided advice for CISOs in hiring and retaining top leadership talent: "We recommend CISOs benchmark their leader’s comp against the market so when there is a vacancy, they know what pool of candidates fit the comp range."
Recommended Comp Levels to Hire and Retain Top Cybersecurity Talent
To attract and keep top talent with the experience of leading mature cyber program functions, CISOs should focus on paying rates in the top 25% comp brackets to gain a recruiting and retention advantage.
Security orgs at Fortune firms need leaders who are experienced with complexity and scale, and the market rates for these leadership roles are higher than for their counterparts in large enterprises and midsize companies. What’s more, overall comp in the top 25% averages about $200,000 more than the median comp.
Be Cost-Aware in Hiring and Prioritizing Infosec Talent
To optimize resource allocation, CISOs should recognize that not all roles cost the same to fill. CISOs should allocate their budget strategically by prioritizing roles based on both their cost and their importance to the program.
Research-backed data like this is helpful not only for CISOs in hiring and retaining top staff, but also in benchmarking how their security org structure compares with that of their industry peers.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, key security staff compensation and job satisfaction.
These in-depth reports feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, department and career path.
Download our 2023 Security Organization and Compensation Benchmark Report, the third in our series, for additional insights and data on functional leaders within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.