2020 North American Chief Information Security Officer (CISO) Compensation Survey

Welcome to our 2020 North American Chief Information Security Officer (CISO) Compensation Survey, which examines both organizational structure and compensation for this increasingly critical role.

For this report, Heidrick & Struggles compiled compensation data from a survey fielded in April and May of this year of 372 CISOs in North America. While most carried the title of chief information security officer, the survey group also included deputy chief information security officers, as well as chief security officers and senior information security executives. (See sidebar, “Methodology”).

The widening role of the chief information security officer

The chief information security officer (CISO) has become a position of critical importance to companies large and small, in technology and in nearly every other industry. As we noted in a report last fall, all companies must now worry about the vulnerability of their data and other critical information assets. (See “Upending tradition: Modeling tomorrow’s cybersecurity organization.”) Companies must secure systems from attack while simultaneously managing increased regulatory scrutiny of the security and use of the data these systems contain.

These are the foundational elements of every CISO role, and while those who take it on must have a wide range of skills, there is, as yet, no single approach to structuring the position or to its place in the corporate reporting hierarchy. CISOs that once used to focus on network security, firewalls, security policies, and governance now also find themselves tasked with securing connected devices, devising identity and access management systems, implementing artificial intelligence and machine learning, as well as risk management, privacy, investigations, and physical security, among other issues. And they are doing so while managing ever larger teams.

Varied role structure, varied compensation

Our research has identified three distinct types of CISOs today. Two are specialists—the traditional Security leader and a Risk/Trust leader—while the third, which we call CISO Plus, has an ever-expanding remit that takes in varying parts of the other two areas (see the following chart) and is most often found at midsize tech companies.¹ The security group included security operations and architecture, as well as penetration testing and product/app security. The risk group included governance, risk, and compliance, as well as business continuity planning, disaster recovery, and privacy. The trust group included physical security, trust and safety, fraud, and enterprise crisis management.

Perhaps because they have a broader portfolio, people with the CISO Plus role tend to be more highly compensated than other CISOs, our data shows. It’s particularly notable that among the subset of people in the CISO Plus role with the most functions reporting to them—an average of eight—median total annual compensation rises to $1,026,000.

Anecdotally, we have found very little gender or racial/ethnic diversity in the CISO role, and, as a result, diverse CISOs are, in our experience, able to command bidding wars that also raise compensation.

Different industries, different CISO focuses

CISO backgrounds and required expertise vary by industry. Financial services firms, for example, often have two information security leaders, one more technical (“first line”) and another more oriented towards information risk, governance, and compliance (“second line”). And those firms, along with healthcare, energy, and telecom companies, will usually require some experience working in a highly regulated environment. CISOs at companies that sell connected products must be able to concentrate on the security of those products and understand the security risks of both normal wear and tear and planned obsolescence. In large industries such as auto manufacturing, there may be multiple CISOs, to focus on security not only at the corporate level but also within business units and at the product and manufacturing levels. This is understandable because each of these areas has different needs that require different expertise to address.

Reporting structure—not just the CIO anymore

An important theme has emerged in the past several years: the movement of the CISO role away from reporting to the CIO. Once viewed as an “IT function” alongside applications and infrastructure, security is moving more into the area of risk management and board accountability, closer to the role of internal audit. Our data reflects this—61% of all CISOs we surveyed report somewhere other than the CIO. Instead, they have a range of other reporting pathways: CEO, CTO, chief risk officer (CRO), chief operating officer (COO), or general counsel, among others. More regulated industries such as healthcare may skew the role towards risk and audit, while SaaS/cloud/tech companies orient the role around engineering leadership/CTO or COO.

Yet when the CISOs are broken out into their three distinct types, some interesting patterns appear. Sixteen percent of all those in the CISO Plus role report to the CEO, compared with 6% of Security CISOs and 3% of Risk/Trust CISOs. Among those who report to the CIO, 46% are Security, compared with 35% of CISO Plus and 26% of Risk/Trust. This latter group has the most diffuse reporting, with 16% reporting to the CRO or senior regulatory executive and 32% not reporting to any of the main positions we defined.

Other notable findings

Many information security teams are small, with 32% of all CISOs surveyed having 25 or fewer people reporting to them. Yet another 32% said they had 101 or more direct reports. And they have high visibility: 85% present directly to their company’s board and/or audit committee.

Compensation

Annual compensation overall and by type of CISO role

As we have noted, people in the CISO Plus role tend to be more highly compensated than other CISOs, with a median cash base, cash bonus, and annual equity of $892,590, compared to $784,003 for all CISOs.² And the subset of the CISO Plus group with the highest number of functions reporting to them report median total annual compensation of $1,026,000.

Median base salaries fell within a narrow range of $326,000 for CISOs at companies with revenues of $5 billion or less, to $376,000 for companies with revenues above $20 billion. Median bonuses were substantially larger in this latter group: $206,690, compared with $95,753 for those in the former group. Equity and other long-term incentives were also higher for those with more direct reports.

Forty percent of CISOs surveyed reported median annual equity or long-term-incentive (LTI) compensation of less than $200,000, while 36% reported such compensation between $200,000 and $500,000, and 24% reported more. For 35%, the annual equity/LTI came in the form of restricted stock units (RSUs), while 34% reported this compensation as a mix of RSUs, performance share units (PSUs), and options.

Joining bonuses

CISOs also reported receiving joining bonuses in cash and equity, which can be substantial. While the median cash bonus reported was $50,000, the average was $134,050 (a few respondents reported receiving very high joining bonuses). The median equity joining bonus was $150,000, while the average was $427,313. Sign-on equity most often came in the form of RSUs. Interestingly, newer CISOs reported higher median signing bonuses than longer-tenured ones, suggesting increasing competition for the most talented CISOs.

Those in the CISO Plus role reported receiving a median bonus of $148,103, compared to $125,353 for their Security counterparts and just $80,053 for Risk/Trust CISOs. Equity and long-term incentives were also the highest for those in the CISO Plus role.

Geographic comparisons

The largest companies in the Northeast are, on the whole, paying CISOs the most cash. The median total cash compensation was $610,428 at companies with revenues between $5.1 billion and $20 billion in the Northeast, and $700,528 at companies in the region with revenues above $20 billion. That compares with $404,678 and $508,803, respectively, at large West Coast companies, and $473,603 and $630,840, respectively, at companies elsewhere.

Median equity/LTI is higher on the West Coast, ranging from $326,000 at companies with revenues under $5 billion to $551,000 at companies above $20 billion in revenue. That compares with $226,000 and $276,000 at similarly sized companies in the Northeast.

Our survey found that median signing bonuses are also higher at smaller West Coast companies, likely because such companies there generally have a lower base and bonus and will often add joining bonuses to bridge compensation gaps. Also, in our experience, most West Coasters are joining from a company where they had unvested equity, so there is a cash flow gap that companies seek to address.

About the authors

Matt Aiello (maiello@heidrick.com) is the leader of Heidrick & Struggles’ Global Cybersecurity Practice and a member of the Global Technology & Services and Technology Officers practices; he is based in the San Francisco office.

Scott Thompson (sthompson@heidrick.com) is a principal in the New York office and a member of the Financial Services and Technology Officers practices.

Acknowledgments

The authors wish to thank Mohd Arsalan for his contributions to this report.

References

¹  The analysis was based on which functions CISOs said most often reported to them and which were most often chosen together.

² To calculate total cash compensation, we totaled base and bonus for each individual and found the median. For total compensation including LTI/equity, we totaled base, bonus, and LTI/equity for each individual and then found the median. As a result, the total cash compensation and total compensation figures may not equal the sum of the individual median base, median bonus, and median LTI/equity shown in the charts.