2024 Global Chief Information Security Officer Organization and Compensation Survey

Welcome to our fifth annual 2024 Global Chief Information Security Officer Organization and Compensation Survey, our fourth annual examination of both organizational structure and compensation for this critical enterprise leadership role. 

For this report, Heidrick & Struggles compiled organizational and compensation data from a survey fielded in summer 2024 of 416 CISOs around the world. Most carried the title of chief information security officer, but respondents also included chief security officers and other senior information security executives. This report includes organizational and compensation data from respondents in the United States, Europe, Asia Pacific, and the Middle East. 

We hope you enjoy reading the report, which is now widely recognized as the most authoritative and broadly disseminated survey of its kind. As always, suggestions are welcome, so please feel free to contact us—or your Heidrick & Struggles representative—with questions and comments.

Introduction

This year’s survey of chief information security officers (CISOs) shows a maturing function with a wide range of risks upon which to focus. More of these leaders now report directly to the CEO or outside of the technology function (such as the CIO or CTO), signaling this role’s movement closer to the center of the business and a shift to more enterprise risk responsibilities.  Across all industries, respondents cited similar, ongoing threats to organizational cybersecurity as they did in last year, including advancements in artificial intelligence and machine learning and cyberattacks, which include nation-state attacks.

Slightly less than half of respondents do not have an internal successor in place in the event the CISO leaves unexpectedly. This can be quite costly given the competitiveness in the market for top cybersecurity talent and the premium companies pay for top talent.

Organizations and leaders must look to the future of the function, ensuring success and continued organizational sustainability with a robust succession plan, expanded cybersecurity expertise and leadership development, and competitive compensation packages. 

Key findings

Organizational structure and risks

• In terms of reporting structure, 14% of respondents report directly to the CEO, up from 5% in 2023. By region, a notable 35% of respondents from Hong Kong and Singapore report to the CEO, while only 9% of US respondents say the same.
• Overall, there was decrease in the share of respondents who report to the top technology executive (such as the CIO or CTO): from 54% in 2023 to 48% in 2024. 
• Of those who do report to the CEO, US respondents most often said they are a member of the executive leadership team at their company. 
• Sixty-three percent of respondents said they have been in their role for at least three years. This is notably higher than last year’s survey, in which just over half of respondents said the same. We believe that this reflects improved performance in the role. 
• We asked again this year about the risks, both personal and professional, that CISOs face in their role. Unsurprisingly, the most often cited cybersecurity risk was ransomware, followed by geopolitical risks, such as nation-state actors, and then followed by AI. 
• By region, respondents in the United Kingdom most often cited ransomware as a top threat, and least often cited nation-state actors. 
• Respondents in India least often cited ransomware as a top threat, and most often cited AI.
• Looking to the future, respondents most often chose AI, machine learning, and data analytics and product and application security as the most important areas to build or maintain expertise in over the next five years. 
• Looking ahead, just over half, 53%, of respondents agreed that they have an internal successor in place who is just as good as or better than the external market can present.

Compensation

• US average total compensation, including cash base, bonus, and equity, was reported to be $1,648,000 in 2023.
• Average 2023 total compensation for respondents in Europe, including the United Kingdom, was $595,000.
• Average 2023 total compensation for respondents in Australia was $414,000.
• In Australia, Europe, and the United States, respondents at financial services firms generally reported the highest average compensation. While compensation data is not available this year for those respondents in Hong Kong and Singapore, India, and the Middle East, we hope to include those regions in future reports.

For more, download the full report.

About the authors

Matt Aiello (maiello@heidrick.com) is a partner in Heidrick & Struggles' San Francisco office and leads the global Cybersecurity Practice. He is also a member of the global Technology & Services and Information Technology Officers practices.

Marie McGinnis (mmcginnis@heidrick.com) is a principal in Heidrick & Struggles’ San Francisco office and a member of the global Technology & Services Practice.

Max Randria (mrandria@heidrick.com) is a partner in Heidrick & Struggles’ Melbourne office and a member of the global Technology & Services Practice.

Camilla Reventlow (creventlow@heidrick.com) is a partner in Heidrick & Struggles’ Amsterdam office and the leader of the Technology & Services Practice for the Benelux region.

Scott Thompson (sthompson@heidrick.com) is a partner in Heidrick & Struggles’ New York office and a member of the Financial Services Practice.

Karthik Vedagiri (kvedagiri@heidrick.com) is a partner in Heidrick & Struggles’ Bangalore office and a member of the global Technology & Services Practice.