Million-dollar Salaries, Board Influence Mark the CISO’s Rise
As the pandemic bore down in the early months of 2020 and the world went remote, all eyes turned to the CISO to keep businesses operating safely even as threats grew.
And there was much written about how the CISO finally had the ear of management, and, after many years of riding in steerage, had secured a seat at the table. Were CISOs finally getting their due? It seems so — at least at large enterprises — five years later, according to a study from IANS Research, which found that half of CISOs at enterprises with revenue of $20 billion or more now hold EVP- or SVP-level titles. What’s more, they have regular engagement with their companies’ boards — meeting with them quarterly.
Agnidipta Sarkar, vice president CISO advisory at ColorTokens, pegs regulations as “the actual triggers for the seismic shift of the CISO role” from something more technical to a position with “greater alignment towards business enablement through agile and collaborative cyber practices, balancing risks and opportunities.”
But Bruce Jenkins, CISO at Black Duck, says the sometimes reluctant evolution of the CISO role and the upending of the traditional paradigm were driven in part “by all the ‘as a service’ solutions one can think of, open source software use and a globally dispersed remote workforce, among other adjustments to business operations.”
At the biggest companies, CISOs are being compensated in line with their new status. Not surprisingly, the IANS Research study found security budgets scale up according to company size — ranging from the low millions to over $100 million. And so does CISO compensation. The average compensation across large enterprises might be $700,000, but at $20 billion-plus companies, CISOs pull down $1.1 million on average, with those at the very top averaging more than $1.4 million.
But to whom much is given, much is expected. Many CISOs at large enterprises find that responsibility for third-party risk, AI risk, and digital transformation initiatives falls squarely on their shoulders. They are less likely, though, to have ownership of business continuity, enterprise risk, IT, and other, broader business objectives — in large part, the researchers contend, due to organizational specialization.
“It’s not just about tech anymore either; CISOs are expected to be risk managers, business strategists and boardroom communicators all rolled into one,” says Devin Ertel, CISO at Menlo Security. “This amplified responsibility, combined with a cybersecurity talent shortage, has elevated the value of experienced CISOs considerably.”
That “expanding and dynamic risk picture,” in addition to the changes in reporting structures, is creating “new conversations around the role of the CISO and the part they play in articulating software and cybersecurity risk management strategies to customers, partners and prospects,” says Jenkins. By instilling confidence that way, companies may gain a competitive advantage.
Even as the CISO gains prominence — and draws bigger bucks — not all in the position reap the same gains or are satisfied with the resources they have. Only about a quarter (27%) of CISOs at $1 billion to $2 billion firms have the seniority or access to the board that their colleagues in larger companies have. Across all revenue bands, there is dissatisfaction with budgets, though it is more pronounced among those in $1 billion to $2 billion companies and $5 billion to $20 billion firms.
Perhaps as businesses continue to realize their value, they will be persuaded to cough up additional budget dollars for security. “There is an opportunity to harness the strategic, analytical and problem-solving skills, in addition to the cross-functional relationships, that a successful CISO will have developed,” says Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue.
But Lindahl-Wise, like other security experts, cautions that as the CISO rises, the basics should not be jeopardized.
“If a CISO spends most of their time as a cybersecurity figurehead, who is making day-to-day threat management decisions and formulating customer-focused incident response strategies?” asks Jenkins, noting that organizations can’t let public-facing obligations as a figurehead interfere with a CISO’s primary responsibility of defending against cyberthreats.
But Sarkar doesn’t believe that will happen. “Does this mean that CISOs will sacrifice their technical acumen? Certainly not,” he says. Instead, he expects technical capabilities to be leveraged “to make the CISOs own the cybersecurity baton of the business for digital resilience.”
As Sarkar says, it won’t be easy. “Many would struggle and cyberdefense evangelists will need to step in and help, but that confluence of technology, risk and business acumen is the future of CISOs.”
And the elevated role won’t be every CISO’s cup of tea. Those who view security as a vocation, the pinnacle of specialization, may find “the business of business” to be an energy drain, Lindahl-Wise says. Others will relish the role and, hopefully, put the team in place to support the fulfillment of their security obligations.
“The key thing is to scope out the match — it needs to work for both,” says Lindahl-Wise.