New benchmark study finds that aligning cybersecurity organization models with business objectives enables talent retention and security program success
Boston, MA – November 15, 2023 – Today, IANS Research and Artico Search released their
2023 Security Organization and Compensation Benchmark Report,
an annual research study that analyzes security organization planning across revenue segments and industries. This year, a total of 1,195 Chief Information Security Officers (CISOs), functional department leaders, and other staff provided survey data
that demonstrated a positive correlation between revenue and a security organization’s size and complexity. The report found:
- Fortune firms with annual revenues exceeding $6B generally operate large and specialized security organizations with four or more management layers, often with a global CISO overseeing the company-wide security organization.
- At large enterprises with annual revenues between $400M and $6B, the CISO is generally head of the cybersecurity team. At more than 75% of the firms, there is typically a management layer comprised of a head of Security Operations (SecOps), along
with heads of Governance, Risk and Compliance (GRC), Architecture and Engineering (A&E), and Identity and Access Management (IAM).
- Midsize companies with annual revenues between $50M and $400M typically feature leadership roles with multi-functional responsibilities, where staff, including analysts, architects, and engineers, wear multiple hats.
"The success of an organization’s security strategy depends on the proper sizing of the security organization, the quality of the talent of the team – especially the functional department leaders – and the right comp plans,”
stated Nick Kakolowski, Senior Research Director at IANS Research. “CISOs must make organizational and staffing decisions in anticipation of the organization’s dynamic needs as they evolve according to market conditions, growth objectives,
and regulatory requirements."
The study also found that successful hiring and retention of cyber leaders hinges on the right compensation plans. Specifically:
- For functional leaders, the top 25% compensation range averages $523K in total compensation.
- The top 10% compensation range averages $640K. For the deputy CISO, the head of product security, and the head of A&E, the top 10% comp range exceeds $700K.
- Finance and healthcare firms have the highest median annual total compensation at $341K. The top 25% and top 10% compensation range averages in finance exceed those of other sectors at $594K and $767K respectively.
Additionally, organizational design varies for functional leadership by stage of growth and industry:
- Industry-agnostic cybersecurity management organizations at $100M in annual revenue report that between 25% and 50% of CISOs indicate they have leadership positions on their teams for one or more of the functions of SecOps, GRC, A&E, and product
security.
- At $500M, the presence of leadership positions for SecOps, GRC, and A&E grows to between 50% and 74% of CISOs.
- The head of SecOps role appears to be standard at the $1B revenue level. At the $10B threshold, the same is true for GRC and A&E, and at $25B, most companies also have heads of AppSec and a deputy CISO.
The study also reported that organization design varies by industry, with large timing differences when functional leaders are added to the team:
- In finance firms, cybersecurity leadership teams appoint a SecOps leader earlier than average, especially at the $100M revenue milestone.
- Technology cybersecurity leadership teams are more comprehensive at earlier milestones than average. At $100M in revenue, between 50% and 74% of tech CISOs have heads of SecOps, GRC, and/or A&E.
- Healthcare cybersecurity leadership teams are rounded out at later revenue milestones than average. At $100M, $500M, and $1B milestones, fewer than 50% of healthcare CISOs have appointed leaders for GRC, A&E, and IAM.
- In manufacturing, cybersecurity leaders are added at higher revenue thresholds than average. None of the leadership roles see 75% or higher penetration rates at the $1B or $5B revenue thresholds.
“Despite security leadership being largely industry-agnostic, when it comes to budget allocation for staffing, industry-specific needs play a crucial role,” stated Steve Martano, a partner and executive recruiter in Artico Search's cyber practice.
“For tech firms, products and AppSec are central to their security org design, leading to technical hires earlier in a company’s lifecycle, while manufacturing companies design fuller programs later in terms of revenue. The banking sector
was the first mover in designing cutting-edge security operations centers, and that trend continues in the sector. Financial services firms typically design a more robust in-house SecOps program rather than outsource it compared to other sectors.”
For more insights, please download the summary report.
Survey Methodology
IANS and Artico Search fielded its annual CISO Compensation and Budget survey in April 2023. This year, they expanded the survey to include a dedicated set of questions for staff, including analysts, architects, engineers, managers, experts, and functional
leaders. From April until August, they received survey responses from 663 CISOs and 532 staff from companies that varied by size, location, and industry.
The organizations combined the data from both groups to determine the decisions made for the security organizations at small and midsize companies (with annual revenues of between $50 million and $400 million), large enterprises (with an annual revenue
ranging between $400 million and $6 billion), and very large and global enterprises (with annual revenues exceeding $6 billion).
Artico Search
Founded in 2021, Artico Search’s team of executive recruiters focuses on a “grow and protect” model, recruiting senior go-to-market and security executives in growth venture, private equity, and public companies. Artico’s dedicated
security practice delivers CISOs and other senior-level information security professionals for a diverse set of clients.