CISO compensation levels are growing more slowly than recent years. Security budget increases are even more deflated this year.
The details are provided in a new survey provided by information security advisory specialist IANS Research and high-level recruitment firm Artico Search. In April 2023, more than 600 US and Canadian security executives were queried for the fourth annual CISO Compensation and Budget survey (PDF summary). The companies concerned varied in size, sector, and location.
The headline takeaways from this survey are: the average CISO total compensation increase was at 11% (down from 14% in the previous year); 20% of CISOs did not receive a raise (double that of the previous year); and retention and equity packages were received by only 12% (down from 21%) and 8% (down from 24%) of CISOs respectively.
Nick Kakolowski, Senior Research Director at IANS, comments, “Commensurate compensation increases aren’t extending into the middle and lower quartiles of the market. We expect CISOs to seek change as a result – something evidenced in 75% of respondents saying they are considering a job change in the next 12 months.” It is worth noting, however, that compensation is only one of several causes that lead CISOs to change jobs (something SecurityWeek calls The CISO Carousel). It’s a stretch to link this carousel directly and solely to compensation.
It is further worth considering the 2023 Security Budget Benchmark Report that was produced by IANS/Artico partnership and compiled in September 2023. According to this report, security budgets have increased by 6% “following double-digit increases in 2020 and 2021”. In greater detail, more than one-third of CISOs (37%), “reported flat or declining security budgets, year-over-year.”
“More than one-third of security budgets are typically dedicated to staff compensation, so when budgets are tightened, it has an effect on CISO compensation,” says Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice. This partly explains the lower than usual compensation increases. He adds, “Until the market opens up with more options, we recommend that CISOs work on their marketability by strengthening their personal brand, elevating their competence in business acumen and their executive presence to position themselves strongly with prospective employers.”
But the reality of the situation is that while CISO compensation is not increasing as fast as in previous years, it is still increasing at a faster rate than the overall security budget – and that same compensation package is taking even more out of the security budget.
Rather than “strengthening their personal brand”, most CISOs are likely more concerned with a well-known CISO problem: how to accomplish more with less.
SecurityWeek has some concerns with the overall validity of surveys in general (see Can You Trust Security Vendor Surveys?). For example, areas not well covered in this survey include the compensation difference between small-firm and large-firm CISOs, and the relationship with additional responsibilities.
Does a CISO who is also a board member receive higher compensation? Does a combined CISO/CTO, or CISO/CIO, or a Field CISO receive different compensation? The respondents to this survey are described as ‘security executives’ – does this include CSOs? CSOs are sometimes also responsible for elements of physical security as well as cybersecurity, and the additional responsibility could, or perhaps should, be reflected in the compensation received. It is not clear whether different CISO job descriptions affect differences in compensation increases.
Such concerns do not negate the survey itself — but we urge all security people to not immediately take surveys at full face value. Our own preference is to talk to individual CISOs about their role and responsibilities — and the huge difference between different types of CISO can be seen in SecurityWeek’s CISO Conversations series.
Related: The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
Related: Mismanagement Driving Cybersecurity Skills Gap: Research
Related: Why Some CISOs Fail
Related: CISO Conversations Series