Infosec leaders have been facing a talent shortage for years. Growing financial demands and mounting responsibilities force CISOs to do more with less, making hiring and retention a critical topic.
Feedback from CISOs centers on a common theme: typical corporate bands and role categorizations often do not align with the infosec talent market. Comprehensive, infosec-specific compensation data is critical for benchmarking, as recruiting in security often requires specialized compensation packages to compete for talent and minimize attrition.
To provide first-hand insight into staff compensation, IANS and Artico Search fielded a new Staff Compensation and Career survey, which captured responses from 563 cybersecurity staff across a range of industries and company types in the U.S. and Canada. This report presents insights from the survey, including staff compensation data, staff diversity, work-from-home expectations and job satisfaction.
In this piece, we highlight findings from our 2023-2024 Cybersecurity Staff Compensation Benchmark Report on infosec staff compensation to help CISOs compare current and planned staff roles, along with guidance for their talent search.
Cybersecurity Staff Support Multiple Functions
Among survey respondents, 42% have responsibilities that span multiple cybersecurity domains. Certain disciplines naturally complement each other, such as AppSec, product security and IAM. As shown in Figure 1, among AppSec staff, 74% also contribute to product security and 67% are involved in IAM. Within product security, 63% of staff also support IAM.
On the other hand, GRC exhibits weaker ties with other roles. About 37% of GRC staff also take on A&E responsibilities, and just 25% are engaged in AppSec work.
IANS Faculty member and Artico Search partner Steve Martano elaborates on these figures:
We see a clear difference between the technical track within security and the governance track. Depending on the regulatory requirements and product needs of an organization, these positions are staffed at different times in a company’s security journey.
Factors That Impact Staff Comp
We analyzed a range of criteria and their impact on pay. These include personal experience and education levels, gender, location and employer size. To analyze these differences, we utilized aggregate comp data. Figure 2 shows the results.
Experience and education: As expected, experience and level of education contribute favorably to compensation levels. Experienced staff with at least 12 years of relevant experience can have an annual cash comp as much as 22% above the baseline. For those with advanced degrees, the impact on cash comp is a positive 12%.
Company size and type: Fortune-size companies—those with annual revenues exceeding $10 billion—tend to pay above-market rates. Many of them are publicly listed companies, a criterion that is also associated with higher pay averages.
Gender: Our data suggests a gender pay gap of about 7%. The gap is more pronounced among staff with 12-plus years of experience, for whom we see a double-digit pay gap between males and females.
Matt Comyns, co-founder and president of Artico Search, comments on the pay premiums for technically specialized roles:
One of the reasons we see earlier-career cyber analysts shattering pay bands is the lack of supply in security engineering, architecture and cloud security. These technical roles are competitive and are among the highest-paid entry-level roles available to recent graduates. Consequently, these positions are often misaligned with corporate pay bands.
Recommendations for CISOs to Attract and Retain Staff
We recommend CISOs utilize the data presented in the report to evaluate the compensation packages across staff roles against market averages, including bonus and equity programs. When assessing individual compensation packages, they should consider factors that tend to enhance compensation, such as years of experience, educational qualifications, specialization or company size.
Additionally, we advise CISOs to review the responsibilities and functional overlap of roles within their organization to determine how they align with those of other companies.
Research-backed data like this is not only helpful for CISOs in retaining and hiring top staff, but also in benchmarking how their current and planned staff roles compare with those of their industry peers.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, key security staff compensation and job satisfaction.
These in-depth reports feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, department and career path.
Download our 2023-2024 Cybersecurity Staff Compensation Benchmark Report – the fifth in our series – for additional insights and data for hiring and retaining staff within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.