CISOs have a huge amount to consider when trying to align their plans with those of the broader organisation if they hope to hang on to their top talent.
To keep pace, according to a survey released today by security analysis firm IANS and headhunting firm Artico, recommend keeping compensation at the high end of the range — the top 25 per cent of earners tend to be perceived as the top performers in their roles.
Across the various specialities — including SecOps and governance, risk, and compliance (GRC) — that top 25 per cent averages around US$523,000 per year in cash compensation and US$640,000 in total compensation with equity.
The “floor” of the top 25 per cent varies by speciality, from US$360,000 in total compensation for identity and access management leaders, up to $465,000 for a deputy CISO and US$447,000 for a product security department head.
The report also found that businesses’ cybersecurity organizations generally divide themselves into three broad structures, based mostly on the size of the company at the time. Fortune firms, which the study classifies as those with more than US$6 billion in annual revenue, generally have four organizational layers beneath the CISO and more specialist executives than smaller companies — about half have deputy CISOs and a quarter have a “global” CISO who handles worldwide security issues.
“Large enterprise,” according to the IANS and Artico report, runs from US$6 billion in revenue down to US$400 million. They tend to have two to three layers of support staff under the CISO, and tend to feature specialist leadership in particular subject matter areas. Finally, “midsize” companies cover the US$400 million to US$50 million per year bracket of annual revenue and are characterised by smaller teams where each member has multiple responsibilities.
The presence of various sub-specialists tends to scale with the size of the company, according to the survey, which polled 1,195 CISOs and cybersecurity staff members. At roughly the US$1 billion annual revenue mark, the SecOps head becomes more common than not, with GRC, architecture and engineering, and identity and access management, becoming more commonplace as revenue rises and the number of full-time employees on the security team increases.
The total number of people on staff also scales relatively well with revenue, according to the report. At the US$100 million mark, most companies have between one and nine full-time security workers, while businesses in the study’s “Fortune” tier tend to have at least 20, and up to 50 or 100 at the largest firms.
Aligning the cybersecurity team with the company’s needs is a critical consideration for CISOs, the report said.
“The data indicates that, across sectors, roughly 15 per cent are at or approaching a revenue milestone that warrants the addition of a head of SecOps to their security organisations, based on what is typical for their peer group,” the study said. “For 15 per cent of CISOs, the head of AppSec is a likely or critical hire, followed by 13 per cent for a head of IAM.”