The ongoing economic challenges are severely impacting CISOs, many of whom are struggling to get any salary hikes at all while new job postings for the role are on a decline, according to an IANS study.
The IANS study, evaluating data between April 2023 to August 2023, surveyed a total of 660 CISOs, with 600 of them participating from the US and Canada.
Combined with another IANS study published last month that found CISOs struggling with limited cybersecurity budgets, the observations paint a rather unsettling picture for the top security deck.
“Amidst economic uncertainty, rising inflation, increased cost of borrowing money and reduced valuations of 2021 and 2022, companies dialed back their security budgets in 2023,” IANS said in a statement on the study. “Funding for cyber talent also took a hit.”
Compensation increases albeit poorly
The average increase in compensation rose at a modest 11%, down from 14% last cycle, with one out of five CISOs receiving no increase in compensation at all.
The study also noted a tightened market for the CISO role as it observed fewer companies initiating a CISO search in the said period. Twelve percent of CISOs changed employers versus 20% last year, with only 8% receiving large pay bumps associated with movement against 20% last year.
Jeffrey Wheatman, senior vice president at Cyber Risk Evangelist, believes the pullback is due to three key drivers — general economic conditions, a backlash from the rapid growth over the last few years in CISO and cybersecurity compensation, and companies playing the supply and demand game with labor market cooling off.
“I would also add that I have seen a lot more CISO job postings on boards and LinkedIn that seem to be very under-comped…well down in the bottom quartile,” Wheatman said.
Tech CISOs found well-compensated
The study revealed that compensation distribution among CISOs followed a rather disparate curve with the majority lying either below $450,000 (52%) or above $700,000 (20%), leaving a gaping middle.
Additionally, the study noted an appreciation for the CISOs with tech backgrounds, with the lot bagging a higher 15% compensation over the governance, risk, and compliance (GRC) leaning CISOs.
Wheatman remained concerned with this trend as he believes way too many CISOs concentrate on the tools and technologies and not nearly enough on process and people. “They (CISOs) incorrectly think their job is to protect the organization from itself, and unfortunately tend to talk down to business executives,” Wheatman said. “This leads to lack of trust, lack of business alignment, and future decisions made in and around cybersecurity being largely indefensible.”
Finance and tech firms were found to have compensated their CISOs well. “Finance CISOs have a total average comp of $728,000, of which $548,000 (75%) is cash compensation,” IANS said. “Tech CISO total comp is not far behind at $678,000, but cash comp comprises just 58% of total comp.” CISOs in legal, healthcare, and manufacturing had total comp well below the overall average.
CSO and CISO, Salaries
