Aligning cybersecurity organization models with business objectives enables talent retention and security program success, according to IANS and Artico Search.
CISOs’ role in organizational and staffing decisions
Fortune firms with annual revenues exceeding $6 billion generally operate large and specialized security organizations with four or more management layers, often with a global CISO overseeing the company-wide security organization.
At large enterprises with annual revenues between $400 million and $6 billion, the CISO is generally head of the cybersecurity team. At more than 75% of these firms, there is typically a management layer made up of a head of Security Operations (SecOps), along with heads of Governance, Risk and Compliance (GRC), Architecture and Engineering (A&E), and Identity and Access Management (IAM).
Midsize companies with annual revenues between $50 million and $400 million typically feature leadership roles with multi-functional responsibilities, where staff, including analysts, architects, and engineers, wear multiple hats.
“The success of an organization’s security strategy depends on the proper sizing of the security organization, the quality of the talent of the team – especially the functional department leaders – and the right comp plans,” stated Nick Kakolowski, Senior Research Director at IANS Research. “CISOs must make organizational and staffing decisions in anticipation of the organization’s dynamic needs as they evolve according to market conditions, growth objectives, and regulatory requirements.”
Average compensation range
The study also found that successful hiring and retention of cyber leaders hinges on the right compensation plans.
For functional leaders, the top 25% compensation range averages $523,000 in total compensation. The top 10% compensation range averages $640,000. For the deputy CISO, the head of product security, and the head of A&E, the top 10% comp range exceeds $700,000.
Finance and healthcare firms have the highest median annual total compensation at $341,000. The top 25% and top 10% compensation range averages in finance exceed those of other sectors at $594,000 and $767,000 respectively.
Additionally, organizational design varies for functional leadership by stage of growth and industry.
Across industries, at $100,000 in annual revenue, between 25% and 50% of CISOs report having leadership positions on their teams for one or more of the SecOps, GRC, A&E, and product security functions.
At $500,000, the presence of leadership positions for SecOps, GRC, and A&E grows to between 50% and 74% of CISOs. The head of SecOps role appears to be standard at the $1 billion revenue level. At the $10 billion threshold, the same is true for GRC and A&E, and at $25 billion, most companies also have heads of AppSec and a deputy CISO.
Organization design varies by industry
The study also reported that organization design varies by industry, with large differences in the revenue stage at which functional leaders are added to the team.
In finance firms, cybersecurity leadership teams appoint a SecOps leader earlier than average, especially at the $100 million revenue milestone. Technology cybersecurity leadership teams are more comprehensive at earlier milestones than average. At $100 million in revenue, between 50% and 74% of tech CISOs have heads of SecOps, GRC, and/or A&E.
Healthcare cybersecurity leadership teams are rounded out at later revenue milestones than average. At $100 million, $500 million, and $1 billion milestones, fewer than 50% of healthcare CISOs have appointed leaders for GRC, A&E, and IAM.
In manufacturing, cybersecurity leaders are added at higher revenue thresholds than average. None of the leadership roles see 75% or higher penetration rates at the $1 billion or $5 billion revenue thresholds.
“Despite security leadership being largely industry-agnostic, when it comes to budget allocation for staffing, industry-specific needs play a crucial role,” stated Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice.
“For tech firms, products and AppSec are central to their security org design, leading to technical hires earlier in a company’s lifecycle, while manufacturing companies design fuller programs later in terms of revenue. The banking sector was the first mover in designing cutting-edge security operations centers, and that trend continues in the sector. Financial services firms typically design a more robust in-house SecOps program rather than outsource it compared to other sectors,” added Martano.