U.S. CISOs Out-Earning Other Countries
What security chiefs across the globe are earning.
By David Braue
Even before COVID-19 dialed the cybersecurity threat up to eleven — and surging demand made it the third highest-earning job of any role in the UK — the role of chief information security officer (CISO) was defined by a curious paradox: despite extremely healthy salaries, CISOs also have some of the shortest tenures of any IT-related job.
“The demand is so high and the job is so darn tough,” says Jeremy King, president and founder at Benchmark Executive Search. “The stress level is off the roof because a CISO can be right 99 out of 100 times, and a cybercriminal only has to be right once. And when the cybercriminal is right, it can be front-page news.”
Corroborating a growing body of research suggesting that the average CISO stays in their role for 26 months or less, a recent Cybersecurity Ventures study found that 24 percent of Fortune 500 CISOs have been in their roles for an average of just one year, with a further 16 percent working as CISOs for an average of two years.
That’s rapid turnover for a role that, in an era of unprecedented digital transformation, has become fundamental to ensuring the integrity of the entire business. But with high stress levels, poor work-life balance, board pressure to perform and other issues tainting the role, it seems many CISOs may be coming for the money — but leaving to protect their own well-being.
With cybersecurity attackers unrelenting, many of today’s high CISO salaries are effectively a form of danger pay. CISOs willing to take on the challenge, however, will find companies all but begging them to join — and the compensation they can command ranges from generous to truly eye-watering.
Top-echelon CISOs were already making up to $421,000 per year back in 2016, by some accounts — making them better paid than the president of the United States. More recent reports suggest that seven-figure pay packages have begun appearing within Fortune 500 and Global 2000 corporations, where getting the right CISO has become a blood sport.
Companies that have suffered major cybersecurity incidents are being particularly profligate as they seek to right the ship: Equifax, which recruited a new CISO in the wake of a major hack in 2017, shelled out $3.89 million to bring new CISO Jamil Farshchi onside.
The median salary among U.S. CISOs was sitting at $223,854 on March 29, according to recent Salary.com figures that also put the 90th percentile at $290,114 and 10th percentile at $169,621.
This increases significantly in larger cities, with New York City-based CISOs earning a median of $269,296 and the 90th percentile wage rising to $349,007. San Francisco roles pay even more: a median salary of $279,817, with 90th percentile roles — typically reflecting rarefied salaries in the largest companies and most complex security environments — earning $362,642 per year.
Yet while roles in major cities attract a premium, even companies in smaller metropolitan areas are stumping up to attract strong CISO talent: the median CISO salary in St. Louis, Missouri is $220,406 while Salt Lake City CISOs earn a median of $212,731.
Factor in the relative cost of living, however, and smaller-city CISOs may actually come out ahead: given that living in St. Louis costs just 66 percent as much as in New York City, for example, the effective CISO salary there is nearly $334,000 in NYC dollars.
El Paso, Texas has the lowest relative cost of living of U.S. metropolitan areas — at 55.75 percent of NYC prices — which means those earning its median CISO salary of $195,798 will have as much buying power in that city as they would if they were earning over $351,000 in NYC.
Global demand means high salaries – usually
The individual terms of each job — such as bonuses, vacation time, 401(k) contributions and so on — are likely to add further nuance to any discussion about CISO pay, but on the whole American CISOs are generally being compensated better than their colleagues in other countries.
Across the Atlantic, UK-based CISOs are earning an average of just $79,213 (£56,831), according to recent Quadrotech research that put their average salaries just behind those of architects (£58,363) and lawyers (£57,701), and slightly ahead of doctors (£54,024).
Payscale’s results were a little more generous, pegging the average UK CISO salary at $129,627 (£93,000) while Payscale reports that French CISOs earn a median salary of $117,972 (€98,000) and Australian CISOs bring in a median of $153,000 ($A198,000) and a 90th percentile figure of $234,233 ($A303,000).
Companies in major financial centers are also paying premiums for the right CISO talent, with Hong Kong’s median of $234,471 ($HK1.82m) outshining Singapore ($169,075/$SG224,640) and Dubai ($133,409/AED490,090).
There are as many profiles of CISO salaries as places to look for them, but the common thread is clear: CISOs can make good coin no matter where they’re working.
Yet, perhaps more than most senior-level positions, the real trick when weighing up CISO salary packages is to consider what the job really entails. Do your research carefully, both into the company’s technical and management history and into issues such as its board and C-level attitudes towards cybersecurity.
After all, no amount of money will be worth it if it means spending your days mopping up from a breach caused by your predecessor’s sloppiness — or desperately trying to convince the captain to slow down before it hits the data-breach iceberg rather than afterwards.
– David Braue is an award-winning technology writer based in Melbourne, Australia.