Chief information security officers (CISOs) face increasing stress as the responsibilities associated with these leadership positions grow. These pressures are multifaceted: sophisticated cyber threats, government regulations, budget constraints, business considerations and understanding how newer technologies impact security.
The confluence of additional responsibilities and ongoing threats has led to well-documented cases of stress and burnout among CISOs. In some studies, 75 percent of these cybersecurity leaders reportedly want to change jobs to reduce their responsibilities.
As CISO responsibilities increase, however, so does their compensation. IANS and Artico Search recently released their fifth annual CISO Compensation and Budget Research Study, which found the average total compensation for U.S.-based CISOs is now $565,000, with a median yearly pay package of $403,000.
The report also noted that the top 10 percent of security leaders receive compensation packages of more than $1 million, and the top 1 percent start at $3 million in total annual earnings.
The study, based on responses from 755 CISOs working in the U.S., Canada and other countries, also found that high-tech and financial services tend to pay their CISOs more than other industries.
The survey also found that organizations raise pay when a CISO's remit grows: “Additionally, the share of dissatisfied CISOs who got a pay bump because their scope of responsibilities changed is considerably higher than that of other pay increase situations.”
For those in the CISO seat, the increase in compensation reflects the additional responsibilities these executives are taking on. Businesses and other organizations now understand the risks they face, and how a data breach or an attack that compromises the network affects the bottom line.
“Cyberattacks are getting riskier and more frequent, putting CISOs squarely in the hot seat to keep companies safe. It's not just about tech anymore either—CISOs are expected to be risk managers, business strategists, and boardroom communicators all rolled into one,” Devin Ertel, CISO at Menlo Security, told Dice. “This increased responsibility, coupled with a cybersecurity talent shortage, has elevated the value of experienced CISOs considerably.”
Changing Nature of CISO Responsibilities
The IANS and Artico Search report makes clear that the CISO's responsibilities now exceed overseeing cybersecurity defenses and responses to cyber incidents involving the organization. The researchers find there is an ongoing convergence between IT and cyber, with the CISO seated in the middle of all these changes.
“Anecdotally, we have seen a convergence of IT and security in recent years, with CISOs increasingly assigned ownership over one or more IT functions. In our sample, this is the case for 220 CISOs, roughly 30 [percent] of the sample,” according to the report, which added that the most common areas for security leaders to oversee are compliance, IT infrastructure, architecture, networking and operations.
Indeed, the increasing use of cloud computing, Internet of Things (IoT) devices and artificial intelligence (AI), coupled with remote and hybrid work, has complicated the security landscape, making the CISO role more critical while expanding its responsibilities, said George Jones, CISO at Critical Start.
“Companies need leaders who can not only protect systems but also anticipate new threats and create long-term security strategies. The rise in sophisticated cyberattacks makes cybersecurity leaders indispensable,” Jones told Dice. “Threat actors are using AI-based tactics to increase these attacks, including ransomware and state-sponsored hacking. Additionally, the increase in successful data breaches drives the need for well-qualified CISOs.”
The demand for CISOs—along with pay—will remain high due to the increasing number of cyber threats organizations face, whether it’s ransomware or supply chain attacks. Additionally, regulations such as the EU’s General Data Protection Regulation (GDPR), as well as upcoming rules that will shape AI development, mean that organizations are now facing greater government scrutiny over how they collect, store and protect data.
As businesses transform digitally, cybersecurity has become a board-level concern, requiring strategic leaders who can not only protect but also align security efforts with business objectives, said Dan Anconina, CISO at XM Cyber.
“The role of the CISO has evolved to include risk management, governance, compliance oversight, managing multiple operation teams that are responsible for bringing innovation, and consuming and maintaining security controls across all cyberspace as well as monitoring and response,” Anconina told Dice. “Which is why companies are willing to pay a premium for those who can effectively navigate this complex landscape. Additionally, for organizations that already have a CISO in place, maintaining leadership continuity is crucial to ensuring that long-term strategies are executed effectively.”
The combination of CISOs’ tech leadership, risk, and importance to the enterprise is driving greater pay packages. “As cybersecurity is now seen as a critical part of business strategy rather than a purely technical function, the role of the CISO has grown to include risk management, legal, and operational responsibilities,” Jones said. “This broader role justifies premium compensation.”
A Primer for Up-and-Coming CISOs
With increasing pay packages and opportunities to craft policies within the organization, younger tech and security professionals who want to work their way up the leadership ladder into a CISO seat should start planning now.
Even for those who have already made the climb, continuing to build skills helps as competition for these high-level positions becomes more intense. As XM Cyber’s Anconina noted, there are three specific paths younger tech and security pros can follow as they look to move up:
- Work at cybersecurity consulting firms: Consulting firms typically serve clients across many industries, allowing tech pros to gain exposure to a variety of cybersecurity risks and challenges. This experience can help aspiring CISOs understand how different sectors operate and the unique threats they face, all while remaining in one role.
- Join a cybersecurity vendor serving multiple industries: Working for a cybersecurity company that provides products or services to clients across diverse sectors can give tech pros broad exposure to numerous security requirements. In such roles, tech and security pros help customers address threats that span many industries, allowing them to see the commonalities and differences in how each one manages security risks.
- Leverage common threats across industries: Although industries may differ, many cyber threats, such as data privacy breaches and information leakage, are increasingly universal as businesses become more digital. Understanding these common threats and how they apply across various sectors can enhance tech pros’ expertise without requiring changing industries.
“Ultimately, the decision comes down to balancing financial rewards, career satisfaction and personal priorities,” Anconina added. “Whether you’re seeking higher compensation through job changes or career progression and stability in your current role, it’s important to weigh all these factors carefully.”
Other experts also encourage tech and security professionals on a leadership track toward the CISO position to broaden their view of cybersecurity by working in various industries and seeking positions that expose them to many aspects of a business.
“Cybersecurity professionals should seek consulting or contracting opportunities that allow them to work in different industries or verticals, gaining a better understanding of varied regulatory environments and business models, which significantly boosts their marketability and earning power,” Critical Start’s Jones said. “Aiming for roles in risk management, IT governance, or compliance can provide a broader perspective on corporate security, making a CISO more adaptable and better suited for higher-level roles. Gaining advanced certifications and staying updated with emerging technologies, such as A.I.-driven security solutions or cloud security, allows a CISO to stand out from peers.”
As the CISO role shifts toward the business side, security leaders see value in learning business skills and developing so-called soft skills, such as clear writing, that help them communicate up and down the organization.
“The technical skills will probably differ depending on the industry and technology usage of the company, but the softer skills are likely to be common,” Gareth Lindahl-Wise, CISO at Ontinue, told Dice. “Communication, collaboration and influencing skills are critical. When combined with strategic thinking and problem-solving, you have a powerful executive.”