What matter most is to whom a Chief Information Security Officer (CISO) reports — the CEO or “anyone other than the CEO”.
Who the boss is can make up to a 36% difference.
Certifications don’t really move the needle (only up to 8.7%), but advanced degrees do (up to 35%).
Thankfully, the infosec gender gap in pay (5.5%) is well below the national average across professions (23%).
Emphasis in red added by me.
Brian Wood, VP Marketing
CISOs raking in top dollar
It pays to work in information security–at least at the top level.
According to new research from the Ponemon Institute, chief information security officers are earning salaries that are often on par with other chief-level executives. The biggest differentiator may be which other chief executive you report to.
The Ponemon Institute surveyed information security professionals in more than 130 large organizations. The survey was sponsored by SecureWorld. The most significant takeaway: “much higher salaries for those individuals than expected,” notes Next Gov.
Ponemon finds that the median salary range for chief information security officers is now between $250,000 and $300,000. But the research firm encounters examples of salaries exceeding $1 million. Good work, if you can get it, for sure.
“There was quite a bit of variance,” Ponemon is quoted by Network World as saying with regard to CISO payrates. At the low end salaries are about $188,000 and at the high end hits $1.2 million.
It is probably a good thing that info security chiefs are reaping good salaries: they also feel they are among the most critical workers in the organization. In fact, 43 percent of survey respondents say their job is the most difficult of all.
The study found that the most significant factor for compensation rates for info security chiefs is the reporting structure in the company. CISOs that report directly to the CEO report salaries 36 percent higher than the average for the job role. Few CISOs actually report to CEOs, however. Instead, they are more likely to report to the CIO (cited by 46 percent), the CFO or COO.
Another factor impacting salaries is the level of business savvy and understanding of the organization that the individual brings to the job.
“That’s not to say that the technical isn’t important, but you have to have both,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
The study also looks at advancement opportunities for cybersecurity professionals, including barriers to success.
More than half (56 percent) cite a lack of funding as the biggest barrier, followed by IT complexity (cited by 42 percent) and lack of qualified personnel (cited by 41 percent).
Cybersecurity pros also tend to work in small groups, the study finds. Only 8 percent of the respondents say they work in groups of 20 or more full time security professionals. The majority say they are part of teams comprised of between 6 to 15 info security pros.
Despite the strong salaries at the top of the information security org chart, the number one reason that rank and file info security professionals leave their jobs is over compensation, the study reveals. That may be tied to the complaint over lack of funding for that area of IT in general.
“Not only this study but other Ponemon studies show that there is a very high vacancy rate in organizations including government organizations in the areas of IT security,” Ponemon says. “There’s a real need for people with this skill set, experience and expertise, so finding these people and then not being able to compensate them well can be a real problem.”
Top Info Security Execs Earn as Much as Other Chiefs
There’s good news for chief information security officers: Your salaries are often on par with other chief-level executives across an organization, though it may depend on which of those chiefs you call your boss.
A recent survey of cybersecurity professionals in more than 130 large commercial organizations by the Ponemon Insitute and SecureWorld Insight found much higher salaries for those professionals than expected, with the top job of CISO earning an average annual base salary equivalent to the compensation of other C-level executives for 50 percent of respondents. The survey found similar trends extending beyond the C-suite to all other levels.
Yet despite receiving pay similar or equal to their counterparts in other parts of the organization, 43 percent of cybersecurity professionals rated their position as the most difficult in the organization, the study found.
In addition, compensation for cybersecurity workers varied widely based on a number of factors, the most significant being the channel through which a CISO reported. CISOs reporting directly to CEOs, for example, enjoyed 36 percent higher salaries on average, followed by direct lines to chiefs in finance, operations, information and technology. Few actually report to CEOs, however, with the majority (46 percent) reporting to the CIO.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said Thursday that higher salary premiums are often seen for CISOs who have not only the technical training but also the business savvy and understanding of an organization. “That’s not to say that the technical isn’t important, but you have to have both,” Ponemon said. “Many who aren’t making it to higher salary levels are seeing their roles as tactical and technical rather than strategic.”
Cybersecurity professionals also cited several barriers to team success. More than half (56 percent) cited lack of adequate funding as their biggest barrier, followed by IT complexity (42 percent) and lack of qualified personnel (41 percent). Only 8 percent reported having cybersecurity teams of more than 20 full-time employees, with the majority operating with just 6 to 15 full-time employees, the study found.
Meanwhile, cybersecurity professionals holding certifications earn only slightly higher salaries than their non-certified counterparts, earning just 8.7 percent more. Advanced degrees seemed to ensure a higher salary premium, with those professionals demanding up to 35 percent more in salary, the study found.
The wage gap between male and female cybersecurity executives also was less pronounced than the nationwide wage gap of 23 percent for all full-time, year-round career fields, as measured by the U.S. Census Bureau. Male cybersecurity executives earned just 5.5 percent more than their female counterparts, the survey found.
The data also confirmed that the number one reason cybersecurity staff leave an organization is compensation. This trend indicates that an organization’s biggest vulnerability may be its own security team, in large part due to unfilled jobs and lack of funding, the report states.
“Not only this study but other Ponemon studies show that there is a very high vacancy rate in organizations including government organizations in the areas of IT security,” Ponemon said. “There’s a real need for people with this skill set, experience and expertise, so finding those people and then not being able to compensate them well can be a real problem and often puts the government at a disadvantage.”
The government’s strong cybersecurity mission, however, may help to offset some of its disadvantage in compensation, Ponemon added. “A lot of people who are CISOs in the federal government have commercial experience and are willing to take a lower salary because they have a sense of service to country,” he said.