CISOs' salary growth slows – with pay gap widening

We still doubt any infosec leaders will be going without heating this winter

The gap between the top and bottom-earning CISOs is growing wider, with the highest-paid execs having their salaries increased at three times the rate of those at the lower echelons.

That's according to the latest results of IANS' survey of 600 US-based CISOs, which also found that most people working in the role are either earning below $400,000 or above $700,000 a year.

The majority (52 percent) are earning less than $400,000 annually, and most in this bracket (30 percent) are earning less than $300,000. One in five of all CISOs earn above $700,000 and half of these corporate rockstars are paid more than $1 million a year.

Fewer CISOs fall into the middle ranges: 14 percent earn $400,000-500,000, only 6 percent earn $500,000-600,000, and the remaining 8 percent earn $600,000-700,000.

Total compensation in this case is calculated by combining base salary, annual target bonus, and annual equity value.

Overall, CISO compensation grew 11 percent year-on-year, but the growth rate has slowed from last year's 14 percent.

The growth rate of those receiving bigger retention bonuses and equity packages has also fallen year-on-year, despite rising overall, to 12 percent (from 21 percent) and to 8 percent (from 24 percent) respectively.

One in five CISOs (20 percent, the same share as those earning above $700,000 annually) received no pay rise at all this year – double the proportion whose earnings didn't increase last year.

Even workers at tech giant Microsoft have been told they won't escape pay freezes this year, The Register revealed in May, despite the company recently reporting tens of billions in profits, albeit at a slight year-on-year decline.

CISOs looking to become a member of the top-earner club should target roles in the top-three sectors, the only ones on average to pay above the median package of $500,000.

Finance unsurprisingly took the top spot with an average total compensation package of $728,000, with tech coming in second with $678,000. The general business services sector also pays above average at $569,000.

CISOs in the legal sector earned on average less than those in other industries with a $333,000 total package, although nearly all of this was cash rather than a combined total including equity value.

Healthcare was the only other industry to offer a package that was both below the average total comp and total cash comp.

Heading for the door

Compensation packages are among the reasons why an increasing number of CISOs are looking for opportunities at other companies.

Three-quarters of the 600 surveyed CISOs say they're either "definitely" or "maybe" looking for a new role – an increase of 8 percent compared to last year.

The report noted that while compensation was an influencing factor in this, especially among the lower earners, those earning in the top quartiles were also looking elsewhere, mainly citing issues with job progression and work-life balance as their reasons.

Macroeconomic trends were cited as one of the main factors behind the decline in compensation growth this year.

Steve Martano of recruitment company Artico Search said security budgets are being scaled back in 2023 after two years of heavy spending in 2021 and 2022.

Gartner's latest data, however, shows that most areas of cybersecurity spending saw a year-on-year increase in 2023, although some grew less than in 2022. It's an upward trend the analyst house expects to continue into 2024 too.

"At a macro level, CISOs had a good year as significant compensation increases continued despite a challenging economic environment," said Nick Kakolowski, senior research director at IANS.

"On closer inspection, we're seeing CISOs getting elevated in the business, taking on a larger scope and being exposed to increased liability. Commensurate compensation increases aren't extending into the middle and lower quartiles of the market. We expect CISOs to seek change as a result – something evidenced in 75 percent of respondents saying they are considering a job change in the next 12 months." ®
