Being a Chief Information Security Officer (CISO) has always been one of the most stressful jobs in IT. That stress is getting worse as civil and criminal liability for security incidents continues to increase. A survey of 600 CISOs conducted by IANS Research and Artico Search finds just over half of CISOs earn less than $400,000. More than a few CISOs are wondering if the job is worth it.
Only 20% of CISOs make more than $700,000 a year. CISOs with a technical background earn an average of $700,000, approximately 15% higher total compensation than those with a governance, risk and compliance (GRC) background. Despite those hefty paydays, three-quarters of respondents (75%) said they are considering a job change in the next 12 months. However, only 12% reported that they changed jobs in the last 12 months.
The average increase in total compensation among CISOs was 11%, a slight decline from 14% the previous year. The survey also notes that 20% of respondents did not get a raise last year.
Not every CISO, however, is a C-level executive. Only one in five CISOs is a C-level executive on par with a CIO or CFO. Another 17% are executive vice presidents (EVPs) or senior vice presidents (SVPs), while 22% are vice presidents.
The biggest challenge any CISO faces is aligning controls with the level of risk the business faces. Not all applications present the same level of risk, so a balance needs to be struck between security and the productivity of the end users accessing them. That is typically much easier said than done. CISOs need to patiently explain what might go wrong to business executives who might still decide that the potential reward for launching a new application outweighs the inherent risk.
Of course, the minute there is a major breach, the first person anyone looks to blame is often the CISO. This is unfortunate, since blaming the cybersecurity team every time there is an incident is roughly akin to blaming the fire department every time there is a blaze. The fire department, much like the cybersecurity team, is responsible for containment. Beyond that, all either can do is conduct a regular series of inspections that will hopefully reduce the number of alarms that get sounded.
CISOs need to be a lot more circumspect about the advice they offer, especially if they work for a public company, where the interests of the shareholders are always going to be paramount, even though it is the CEO or board of directors that has the power to fire them. Many CISOs may simply opt to confine the organizations they are willing to work for to private companies that are not subject to as many regulations. Those who continue to work for public companies should regularly consult lawyers who are looking out for their own best interests rather than the interests of the organizations that employ them.
Each CISO will need to decide for themselves what level of stress is worth the paycheck they receive, and there is no doubt that many would like the chance to step into the role. Their tenure in that role, however, may not be as long as many of them initially anticipate.