As companies face growing hacking risks, corporate cybersecurity chiefs are earning more money compared with last year, but in many cases are still reporting to IT leaders.
Many companies that previously didn’t have chief information security officers have hired one in the past few years, driving the need for professionals with experience, technical skills and business knowledge, experts say. Security leaders with these qualifications can be difficult to find, which has pushed salaries higher.
CISOs in the U.S. earned a median salary of $509,000 this year, compared with $473,000 in 2020, according to a new survey of 354 CISOs, published Thursday by executive search firm
Total compensation, including equity grants and bonuses, rose to $936,000 from $784,000 in 2020. Last year’s survey included responses from 372 CISOs.
“There’s a lot more demand and the supply hasn’t exactly increased,” said Omar Khawaja, CISO at Pittsburgh-based Highmark Health. Mr. Khawaja said he has seen several community colleges, local banks and other companies create a CISO position in recent years.
High-profile ransomware attacks have caused corporate executives and boards to focus more on cybersecurity, Mr. Khawaja said. “There’s a very tangible and direct business disruption. It’s hard to ignore,” he said.
Competition to hire a limited pool of experienced cybersecurity professionals means that smaller businesses may have to compromise, hiring someone at a lower salary without all the experience desired, said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, a nonprofit group that shares information about cybersecurity threats between healthcare companies.
“We’ve got so many unfilled positions out there, it’s just not possible to find that experienced CISO,” he said.
Cyberattacks on hospitals and healthcare companies increased during the coronavirus pandemic, adding pressure and security-budget demands at a time when staff were already struggling.
Thirty-eight percent of CISOs report to their companies’ chief information officer, making it the most common reporting relationship, according to the Heidrick & Struggles survey. However, some companies are moving away from cybersecurity leaders reporting to their chief information officer, said Matt Aiello, partner and leader of the global cybersecurity practice at Heidrick & Struggles. In two recent hiring searches, for example, companies initially wanted to recruit a CISO who would report one level away from the CEO but ended up hiring someone who will report directly to the CEO, Mr. Aiello said. At both companies, the boards of directors wanted the CISO to report to the CEO, he added.
Raj Badhwar, CISO at Voya Financial Inc., reports to the company’s CIO, and runs his own engineering teams. He also presents frequently to Voya’s board about cyber threats such as ransomware attacks. As cyberattacks become more prominent, Mr. Badhwar said he thinks CISOs will work more closely with CEOs.
CISOs at publicly traded companies are much more likely to report to the CIO compared with their counterparts at privately held firms, according to a survey published in March by cybersecurity-focused recruiting firm Hitch Partners. There can be tension between the two roles if cybersecurity requirements slow down or impede a technology project overseen by the CIO, said Michael Piacente, co-founder and managing partner at Hitch Partners.
Many candidates for CISO positions aren’t interested in a job reporting to a CIO, Mr. Piacente said. “The CISO needs to be able to say this is not the way to secure our enterprise. They can’t have the CIO be influential in any way,” he said.
Write to Catherine Stupp at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.