CISO salaries: 20% earning over $700,000; GRC backgrounds get less

"We’re seeing CISOs getting elevated in the business, taking on a larger scope and being exposed to increased liability."

A fifth of Chief Information Security Officers (CISOs) are earning over $700,000 per year according to a new survey – which also showed that the number of CISOs seeking a new role nearly halved in 2023. Financial services firms were among the highest payers, it revealed.

IANS Research, a Boston-based cybersecurity research and advisory firm, published its 2023 CISO Compensation Benchmark Report this week, based on interviews with 660 CISOs (600 in the US and Canada).

Credit: IANS Research and Artico.

“At a macro level, CISOs had a good year as significant compensation increases continued despite a challenging economic environment,” said Nick Kakolowski, Senior Research Director at IANS, this week.

He added: “On closer inspection, we’re seeing CISOs getting elevated in the business, taking on a larger scope and being exposed to increased liability. Commensurate compensation increases aren’t extending into the middle and lower quartiles of the market. We expect CISOs to seek change as a result – something evidenced in 75% of respondents saying they are considering a job change in the next 12 months….”

CISO salaries: Highest pay goes to… 

Perhaps unsurprisingly, those on these generous salaries typically work for firms that boast annual revenues exceeding $10 billion, have security teams of more than 100 staff members, and operate on budgets exceeding $10 million, IANS Research emphasised.

They are also more likely to have technical chops: CISOs with a tech-leaning background earn about 15% higher total compensation than those with a more GRC-leaning background and the highest-paying combination of proven skills is a background that includes product security or app security, the survey determined.

“More than one-third of security budgets are typically dedicated to staff compensation, so when budgets are tightened, it has an effect on CISO compensation. Though we’re still seeing an overall increase in CISO pay, the trends we saw in recent years of high retention packages and large-scale market-adjusted bumps in pay are becoming less common,” stated Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice; the company supported the research.

“Additionally, with less movement in the market, we’re seeing fewer CISOs landing large-scale pay increases by changing companies. Until the market opens up with more options, we recommend that CISOs work on their marketability by strengthening their personal brand, elevating their competence in business acumen and their executive presence to position themselves strongly with prospective employers.”
