2022 Global Chief Information Security Officer (CISO) Survey

Compensation Trends

2022 Global Chief Information Security Officer (CISO) Survey

Our third annual survey of global chief information security officers provides a deep look into organizational and compensation data from CISOs around the world and further insights into those in the United States, United Kingdom, and Germany.

Methodology

In an online survey, we asked participants to provide information on how their role is structured, to whom they report and who reports to them, and data on compensation including current base salary, bonus for the most recent fiscal year, and annualized equity or long-term incentive pay, as well as joining bonuses. All data collected was self-reported by information security professionals and has been aggregated.

On confidentiality

The global chief information security officer survey, 2022, has been conducted on an anonymous basis. All data is reported anonymously and in aggregate.

Welcome to our 2022 Global Chief Information Security Officer (CISO) Survey, which examines both organizational structure and compensation for this increasingly critical role.

For this report, Heidrick & Struggles compiled organizational and compensation data from a survey fielded in Spring 2022 of 327 CISOs around the world. Most carried the title of chief information security officer, but respondents also include chief security officers and senior information security executives.

The numbers of respondents varied significantly in different countries. This report includes organizational data from respondents in the United States, Europe, and Asia Pacific, and compensation data for respondents in the United States, the United Kingdom, and, for the first time, Germany. We expect to be able to report more fully on additional countries in future years.

We hope you enjoy reading the report, which remains the only one of its kind. As always, suggestions are welcome, so please feel free to contact us—or your Heidrick & Struggles representative—with questions and comments.

Key findings from the report include:

  • CISO compensation continues to rise.
    • United States: Reported median cash CISO compensation has risen to $584,000 this year, up 15% from $509,000 last year and 23% from $473,000 in 2020.
    • United Kingdom: Reported median cash compensation has risen 4% to £318,000 this year, up from £306,000 last year.
  • For the first time, we asked CISOs about the personal risks they face in the role. Burnout and stress are the top two risks:
    • United States: Respondents shared that stress related to their roles (60%) and burnout (53%) were the largest personal risks they face. However, job loss as a result of a breach was a concern for only 28%, suggesting many feel relatively secure in their roles.
    • Europe: Respondents shared that stress related to the role (54%), burnout (35%), and a dynamic hiring market that is both leading to a higher than usual turnover (34%) and causing distraction within teams (30%) were of concern.
  • Diversity continues to lag: Most respondents were men and white. In the United States, the share of diverse respondents was only 14%, although there was an increase in Hispanic/Latinx representation, up to 8% from 5% last year.
  • CISOs have boardroom aspirations but face hurdles: 56% of US and 40% of European respondents said their ideal next role was a board member. However, in the United States, only 14% of all CISOs said they sit on a corporate board or both a corporate board and an advisory board. Many boards still frequently prefer having directors with prior board experience: 57% of seats in the United States had sat on a public company board before. This comes as cybersecurity experience is desperately needed in boardrooms amid heightened cyber risks.

Where are the CISOs?

The CISOs who responded to the survey came predominantly from the United States. Australia, Belgium, France, Germany, the Netherlands, Singapore, South Korea, and the United Kingdom were also represented.

More than two-thirds of the CISOs were at companies with annual revenue of $5 billion or more, and they worked across a range of industries, most often financial services and technology and telecoms, but followed closely by industrial, manufacturing, and energy and consumer, retail, and media.

The career path to the CISO roles

In terms of experience, we once again see that CISOs most often had recent experience in the financial services and technology industries. In terms of functional background, most come from IT, though we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.

Notably, prior to their current role, more than half of the respondents were in another CISO role. This reflects a broader trend that CISO roles are often terminal—the career path forward for CISOs is most often to another CISO role. If we include executives who were functioning as the CISO without that title, 70% of the CISOs moved laterally into their current role.

And, though 77% had been in their role for at least three years (up from 56% of last year’s respondents), almost two-thirds of those who have been in their role for less than a year came from a previous CISO role, while those who’ve been in their current role for five or more years were more likely to have come from a role other than CISO. It’s notable that regional CISOs are showing low representation, pointing to the still largely US-centric nature of cyber protection, even for global companies.

Most respondents were men and white, with little variation across regions. Globally, 18% of respondents were women, Black or African American, or Hispanic or Latinx. In the United States alone, the share of diverse respondents drops to 14%, although there was an increase in Hispanic or Latinx representation, up to 8% from 5% last year.

Heidrick & Struggles’ experience recruiting CISOs so far in 2022 reflects an increasing need for diverse talent. We are seeing companies increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.

Heidrick & Struggles’ experience recruiting CISOs so far in 2022 reflects an increasing need for diverse talent. We are seeing companies increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.

What CISOs do all day

The five functions that most CISOs say report to them have remained the same year over year. The strong presence of application/product security as a regular part of the CISOs mandate was a new development in 2021 and has clearly maintained priority this year.

Those areas of responsibility are aligned with the most significant threats CISOs say their companies are facing. We are seeing cybersecurity becoming more and more embedded in core software development and business processes, with the most sophisticated cyber programs getting ahead of threats and taking a “security by design” approach across the board.

Most of the CISOs who responded to our survey, 87%, were in global roles (ranging from a high of 100% in Asia Pacific and the Middle East to a low of 84% in Europe).

Team size on the whole grew compared with last year. The share of CISOs with the very smallest teams dropped from 38% to 31%, and the share with the largest teams rose from 18% to 21%. Growing team sizes reflect the increased investment this role has from the board-level and shows the need to recruit world-class talent and bench strength for the CISO. Larger teams may, over time, reduce burnout—a key concern among CISOs.

Looking upward, nearly two-thirds of CISOs report to someone other than the CIO, the same share as last year. Only 8% report directly to the CEO, a decrease from last year’s 11%. However, reporting lines vary markedly by region and, in our experience, industry. For example, in financial services, the CISO still largely reports into CIO or CTO, but in many cases the CISO, or parts of the cyber organization, reports to the risk organization or “second line.” In many instances, we are seeing creative solutions that involve CISOs having both hard and soft line reporting relationships, to the audit committee, for example.

CISOs have significant visibility with the board: 88% said they report to the full board or a committee, just about the same as last year. Sixty-one percent report to the full board, 69% to a committee, and 43% to both. Regionally, US CISOs most often present to the full board while CISOs in APAC and the Middle East most often present to a committee. Reporting to the audit committee is typically more frequent.

A range of personal risks for CISOs

The importance of the role of the CISO continues to grow as digital technologies become even more prevalent, hybrid working remains the norm in many industries, and concern about cyberattacks, specifically ransomware, rises. In that context, we asked for the first time this year about the personal risks CISOs face in their role. Our survey responses here tell a few different stories. One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits.  The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.

What’s next for CISOs?

In the context of so many CISOs coming to their current role from a former CISO role, we are increasingly interested in the question of where CISOs want to go next. A majority want to be something other than a CISO. More than half want to be board members, though the shares vary regionally, from a high of 56% in the United States to a low of 40% in Europe.

Cybersecurity experience is sorely needed on boards, given the risks companies face. In Europe, our Board Monitor Europe 2022 report shows, only 5% of seats filled on boards in 2021 were filled by people with cybersecurity experience of any kind. In the United Kingdom and the United States, the figures were 10% and 17% respectively. (For more, see Board Monitor UK 2022 and Board Monitor US 2022.)

Yet there’s a wrinkle for CISOs. The same reports show that many boards still frequently prefer board members with prior board experience: 57% of board directors appointed in 2021 in the United States and in Europe had sat on a public company board before; the figure rises to 64% in the United Kingdom.  However, even though almost half of all CISOs said they sit on an advisory board, only 14% said they sit on a corporate board or both a corporate board and an advisory board.

Despite an increased focus and investment in cybersecurity, as evidenced by growing compensation and team size and evolving reporting relationships, we are seeing that that interest is still not resulting in board memberships for those experts. In the future, we expect more companies to consider adding CISOs to their boards.

Outside of board roles, CISO career progression remains tricky. Though 38% of CISOs globally report to the CIO today, only 13% see that as an ideal next role. The wide range of next steps CISOs are interested in highlights that this is an evolving role, one where the next move still isn’t clear.

For more, including full compensation breakdowns of respondents in the United States, United Kingdom, and Germany, download the full report.


About the authors

Matt Aiello (maiello@heidrick.com) is a partner in Heidrick & Struggles' San Francisco office and leads the global Cybersecurity Practice. He is also a member of the global Technology & Services and Information Technology Officers practices.

Scott Thompson (sthompson@heidrick.com) is a partner in Heidrick & Struggles’ New York office and a member of the Financial Services Practice.

Max Phillipe Randria (mrandria@heidrick.com) is a partner in Heidrick & Struggles’ Melbourne office and a member of the global Technology & Services Practice.

Camilla Reventlow (creventlow@heidrick.com) is a partner in Heidrick & Struggles’ Amsterdam office and the leader of the Technology & Services Practice for Benelux.

Guy Shaul (gshaul@heidrick.com) is a principal in Heidrick & Struggles’ London office and a member of the global Technology & Services Practice. He co-leads the Crypto & Digital Assets and Cybersecurity sectors in Europe & Africa.

Adam Vaughan (avaughan@heidrick.com) is a partner in Heidrick & Struggles' London office and a member of the global Financial Services Practice. He also leads the Fintech Sector across Europe & Africa.

Stay connected

Stay connected to our expert insights, thought leadership, and event information.

Leadership Podcast

Explore the latest episodes of The Heidrick & Struggles Leadership Podcast