Reality check: CISO compensation packages run the gamut
A capable security executive is invaluable -- a fact organizations increasingly recognize. CISOs' salaries are generally trending up, but the range in compensation is wide.
Between the growing importance of the CISO role to the business and the ongoing cybersecurity talent shortage, today's top security leaders are in positions to command considerable salaries. That said, some of the available CISO compensation data warrants a closer look. Remember that the cybersecurity field is large, and pay can vary dramatically depending on a number of factors.
According to a frequently quoted 2022 survey of 327 CISOs by Heidrick & Struggles, a global executive search firm, the median CISO salary in the U.S. is $584,000, or $971,000 when counting additional compensation, such as bonuses and equity. Of the CISOs the firm surveyed, 5% reported making $4.4 million or more in total compensation per year.
I ran these numbers by a friend -- currently a CISO at one of the largest companies in the world -- and he acknowledged they looked reasonable to him. That said, I suspect the 327 CISOs Heidrick & Struggles polled are also from large companies.
In my experience, a typical CISO makes nowhere near that much money. At average midsize companies, even CEOs don't see such salaries. And, given the thousands of smaller companies that have security programs, it would be unfair to set the expectation that the typical CISO takes home more than $500,000 annually. As with any compensation statistics, it's important to weigh them against other sources and consider the context.
According to Salary.com, for example, which gets its data from employer surveys and third-party compensation consulting firms, most CISOs can expect to make between $177,000 (10th percentile) and $303,000 (90th percentile) in base pay per year, with the median U.S. CISO salary landing around $234,000. In this data set, the median salary from the Heidrick & Struggles survey would sit well above the 95th percentile.
PayScale, which collects self-reported data from individual employees, reports base CISO compensation ranging from $109,000 (10th percentile) to $232,000 (90th percentile), with a median of $172,000. Similarly, according to Glassdoor, which collects data from workers and unspecified third-party sources, the median base CISO salary in the U.S. is $154,000.
Factors impacting CISO compensation
As you can see, the salary one can expect to receive as a CISO varies substantially. Not only does it depend on whom you ask -- and how you ask -- but also on the following key factors.
Location, location, location
Geographic location has a direct and substantial impact on CISO compensation. Executives in cities such as New York or San Francisco can command significant premiums compared to those in other regions of the country. Given the high cost of living in New York, for example, a CISO can reasonably expect to make 50% more than what someone might earn in the Midwest at a comparable job in a similarly sized company.
Experience and mobility
More experience usually correlates to more money, but where CISOs log that experience can also affect their pay. Unfortunately, someone who remains at the same company for years typically ends up in a worse financial position than someone who changes organizations during that same period.
People who stay in place tend to see their salaries increase at a rate of 3%-5% annually. When they move companies, however, they typically experience salary bumps of 10%-15%. The sad reality is a job at a new organization almost always gets you more money than a promotion from your current employer.
Degrees and certifications
A CISO with a master's degree generally commands a slightly higher salary than one without. But, anecdotally, and all other things being equal, I tend to see CISOs with the most prestigious cybersecurity certifications earning higher salaries than those with general advanced degrees.
(ISC)2's CISSP and EC-Council's Certified Chief Information Security Officer (CCISO) are the most lucrative certifications for CISOs. This is due to their strong reputations and to the fact that both emphasize security management and leadership rather than purely technical skills, with CCISO in particular aimed at executive-level security leadership.
Performance
CISO compensation can, of course, also reflect performance. For example, CISOs who have turned around companies with major security problems or who can measurably demonstrate that they prevented significant issues can turn that success into higher salaries.
Scope of responsibilities
The scope of a CISO's responsibilities is probably the single best predictor of pay. Consider the following:
- size of the company;
- industry sector and its sensitivity to cyber-risk;
- size of the CISO's budget; and
- number of staff reporting to the CISO.
These factors have direct bearing on CISOs' financial impact on their companies and, therefore, closely correlate to CISO salaries. Put another way, the largest companies with the most to lose in the event of a cyber incident are willing to pay whatever is necessary to land the most qualified candidates -- as reflected in the Heidrick & Struggles survey.
Some companies also see their CISOs as sacrificial lambs, ready to take the fall for any major security incidents. Such organizations might need to offer their CISOs dramatic salaries -- along with strong golden parachute clauses -- given that their tenures may be extremely limited.
4 tips for negotiating CISO compensation
While it is unlikely most CISOs will garner million-dollar packages, security executives can significantly increase their total compensation with some planning and research. Consider the following.
1. Tie bonuses to measurable security results
In addition to base salaries, CISOs should negotiate additional compensation contingent on concrete job performance. While the annual bonus is typically a percentage of salary, a CISO could suggest calculating incentives as a proportion of measurable performance outcomes -- for example, costs reduced or fines avoided. Even a small percentage, say 5%, can add up to a lot of money if the original figure is in the millions. Favor metrics the CISO actually controls and can evidence, such as audit findings closed, time to remediate critical vulnerabilities or a documented reduction in cyber-insurance premiums; "incidents avoided" is difficult to prove and easy to dispute at bonus time.
2. Know a paycheck isn't everything
While a big check every two weeks is great, many other types of benefits exist that can add tens of thousands of dollars in value. Think about other types of potential CISO compensation, such as the following:
- additional paid time off;
- coverage of education costs, including MBAs and CCISO certification training and testing;
- company car;
- professional organization membership fees; and
- conference attendance fees.
Such items often come from different budgets, and many executives and boards are willing to find creative ways to get and keep talented IT and security leaders on board.
Also, consider remote work as an emerging possible benefit. If someone with a big-city salary -- from an employer based somewhere like New York, for example -- can reside somewhere with a lower cost of living, then effective salary grows. Companies are increasingly willing to consider flexible work options to obtain and retain key talent.
3. Keep things professional
A word of caution: While your current or projected CISO salary might not come close to the stratospheric numbers some researchers cite, I don't recommend threatening to leave for greener pastures if your demands go unmet. It is always best to keep negotiations positive and professional. Better to position yourself as the team player working with the company rather than for yourself.
4. Quietly explore other opportunities
That said, if you do not get what you think you are worth, there is nothing wrong with continuing to do your job well while exploring other opportunities. Demand for outstanding security professionals is high; take the opportunity to assess and assert your worth.