CISO report shows increase in pay, responsibilities

Many CISOs can’t escape standard IT tasks and emerging AI ones.
Francis Scialabba

CISO pay has gone up, according to a recent report, but don’t spike the laptop in celebration just yet. Responsibilities are rising, too, which can lead to elevation—or frustration—of someone in the role.

“CISO compensation is increasing and growing, but the scope of the CISO role and the expectations on the CISO are expanding at a rate that is still faster than compensation can keep up, and we’re getting toward a tipping point in the industry where the pressure on the CISO is in some ways exceeding the reward system,” Nick Kakolowski, senior research director at IANS Research, told IT Brew.

  • Compensation: According to a survey from IANS and Artico Search—one that polled 755 security executives (mostly from the US and Canada) between April and August 2024—US-based CISOs on average earned a median of $403,000. That’s a bit more moola than last year’s numbers, when IANS reported a median of $388,000.

Eight in 10 respondents reported increased compensation, and 38% of respondents said compensation rose by 6% or more.

  • Scope: The report also saw CISOs increasingly taking on IT functions. For 220 CISOs, the most common assigned IT responsibilities included IT compliance (69% of CISOs with IT responsibilities), infrastructure (61%), architecture (58%), networking (58%), and operations (58%).

And 14% oversee all IT functions.

“CISOs are just being put in the middle of all those groups trying to figure it out,” even being asked to deal with emerging priorities like AI risk and traditionally IT-specific ones like identity and access management (IAM), Kakolowski said.

SEC rules adopted in July 2023, which require disclosing details of material cyber incidents, have also placed additional responsibilities on many CISOs, who already may have to contend with emerging privacy laws and compliance frameworks like SOC 2.

Let’s get down to business. A better group for a maturing CISO to be “in the middle of,” according to Kakolowski: other executives.

“As CISOs have matured and evolved, when they’re actually operating in the business, they are getting so strong as problem-solvers and at connecting the dots between business units,” Kakolowski said. “Their skill set crosses some of those boundaries between business risk and digital risk and technology that they’re just becoming invaluable to the business.”

Take Pete Nicoletti, global CISO at Check Point Software Technologies, who has increasingly had to put his business degree to use, referring to concepts like quantitative risk analysis when discussing budgets with execs. “Now the business recognizes that security is a critical function, and they’re involving the CISO into more business discussions earlier, and it’s actually elevating the role,” Nicoletti said.

Security and IT budgets are growing, and IANS sees companies looking to hire CISOs soon. The group offered advice for aspiring CISOs to “increase their value”: Align the security program with business objectives, and build relationships with leadership and the board of directors.

“Regularly engage with them to understand their priorities, communicate security strategies in business terms, and provide clear insights into how security supports the organization’s goals.”
