Some CISOs See Bigger Salaries, Budgets and a Direct Line to the CEO


The Wall Street Journal | September 10, 2014


Nearly every facet of corporate life has gone digital. But many public-company boards remain stuck in analog mode.

Apparently, a truly great CISO is still hard to find. In an increasingly competitive market, the best security talent stands to benefit from more pay, bigger budgets and, in some cases, a direct line to the CEO, an executive recruiter tells CIO Journal.

Given the onslaught of data breaches, including the latest at Home Depot Inc., “everybody is re-risk adjusting, trying to figure out how big the problem is,” said Matt Comyns, global co-head of cybersecurity practice at search firm Russell Reynolds Associates.

Part of that process includes better compensation packages for top talent. In the upper echelons of CISO-land, at large global companies where executives are given a complex laundry list of responsibilities, “that’s $500,000 or $600,000 right there. That’s the market for that,” he said. And of course, that number can be negotiated higher. Earlier this year, Mr. Comyns told CIO Journal that overall CISO salaries are moving to an average minimum of $300,000 and above.

The market for top-quality CISOs is also leading to bigger budgets. He mentioned an energy company that was just approved to spend $90 million over six years, and a health-care CIO that just got a $100 million increase in information security budget. In the coming years that CIO’s firm will be spending north of $1 billion a year, Mr. Comyns said. That’s not the norm, but there’s an opportunity for new CISOs to raise the question during the interview process, Mr. Comyns said. “When my reputation’s on the line, what’s the deal? How serious are you, what’s the budget, what am I dealing with?”

As boards pay more attention to security needs, some companies are willing to change their reporting structure. Mr. Comyns says he soon will go to a pitch for a large financial services firm where the chief information security officer is expected to report directly to the CEO. “I’ve never seen a big company like that have that be the case,” he said. Especially when a massive breach could be a “headshot” – the massive cyberattack on Target Corp. contributed to the ouster of its CEO – a CISO reporting directly to the chief executive could, at least optically, allow a CEO to cover himself or herself.

For those eyeing the CISO spot, he recommended an executive coach to help develop board-level gravitas, leadership and communications skills that many would-be executives otherwise lack. “You have to demonstrate that you have a vision for it, that you can articulate a strategy, lay out a roadmap and hire effectively.” A key task includes training and motivating qualified staff who will stay, as the competitive landscape makes ping-ponging from job to job fairly easy to do.

It also means being able to show a history of strong hires, the kinds of conferences you attend, the trade associations you belong to for information sharing, the kind of technology you like to work with, and the network of people you rely on for important information, including VCs and vendors. “You have to be telling a pretty good story.”

