Chief information security officers are enjoying a heightened profile and surging pay in the wake of the coronavirus pandemic, but they still have little to no presence on most corporate boards, according to a new survey of 354 CISOs conducted by executive recruiting firm Heidrick and Struggles.
If CISOs have become more important to some businesses over the past two years, the coronavirus pandemic was likely a significant factor in that evolution. As companies sent their workers home from offices, underwent digital transformations and set up the infrastructure to facilitate mass telework, the CIO and CISO fast became key figures in the board room and more integral to the sales and continuity plans of other executives and parts of the company.
“CISOs were among the many IT professionals who scrambled early in 2020 and made significant contributions to the success of their companies through the pandemic,” the report notes.
Security, risk and trust are roles that CISOs fill at many organizations. Heidrick and Struggles classifies two different types of security executives based on the data: Specialist CISOs, who focus on only one or two of those areas (about 55%), and Everything CISOs (45%), who do all three. Specialist CISOs are significantly more likely to come from a strictly IT background, while Everything CISOs tend to come from a more diverse range of other disciplines.
And they’re making more money. The median salary for a CISO across six industry sectors (consumer, financial services, health care, industrial, technology and telecoms, and other) was $326,000. But with bonuses and equity, the total compensation jumps higher, between $500,000 and $1.1 million a year. The median Everything CISO makes $50,000 more in salary per year than Specialist CISOs, and more than $400,000 a year in total compensation.
Still, despite real improvements in budget, authority and reporting structure, CISOs remain virtually absent from high-level corporate discussions. Nearly half said they aspired to sit on a corporate board. Today, just 4% to 8% of CISOs do so, though a significantly larger portion serve on advisory boards. Just 12% say they want to become a CIO.
“The wide range of next roles CISOs are interested in highlights that this is an evolving role, one where the next move isn’t clear,” the report surmised. “Everything CISOs may be able to develop more options to move up in their current company, since they more often report to business leaders, which gives them more exposure to their companies’ broader strategic interests.”
Most of the CISOs who responded were from the U.S. and had an IT or financial services background. Almost half worked at large enterprises, with yearly revenues of $5 billion or more. That last point could reflect how the CISO position is making more inroads within large, multinational companies and private infrastructure than in many small or medium-sized businesses, where the top security person is likely wearing multiple hats. Some of the findings around staffing reflect a similar feast-or-famine dynamic of haves and have-nots: at least 38% of security executives are operating with a staff of 25 or fewer supporting them, while nearly 30% said they had 100 direct reports or more.
The authors indicated that the last year has seen some improvements in hiring diversity for CISOs and other C-suite executives, but the respondents in the survey still reflect longstanding disparities: 84% were white and 87% were men.
One eyebrow-raising finding: despite an onslaught of high-profile ransomware attacks, data breaches and exposures, CISOs in the U.S. were the least likely group to prioritize data security, with fewer than 1 out of 3 saying it was an issue of focus for them. Business email compromise and hacks targeting cloud accounts were the top risks cited in a separate CISO survey published by Proofpoint in June.