Jeffrey Wheatman, senior vice president at Cyber Risk Evangelist, believes the pullback is due to three key drivers — general economic conditions, a backlash against the rapid growth in CISO and cybersecurity compensation over the last few years, and companies playing the supply-and-demand game as the labor market cools off.
“I would also add that I have seen a lot more CISO job postings on boards and LinkedIn that seem to be very under-comped…well down in the bottom quartile,” Wheatman said.
Tech CISOs found well-compensated
The study revealed that compensation distribution among CISOs followed a rather disparate curve with the majority lying either below $450,000 (52%) or above $700,000 (20%), leaving a gaping middle.
Additionally, the study noted a premium for CISOs with tech backgrounds, who earned 15% higher compensation than governance, risk, and compliance (GRC)-leaning CISOs.
Wheatman remained concerned about this trend, as he believes far too many CISOs concentrate on tools and technologies and not nearly enough on process and people. “They (CISOs) incorrectly think their job is to protect the organization from itself, and unfortunately tend to talk down to business executives,” Wheatman said. “This leads to lack of trust, lack of business alignment, and future decisions made in and around cybersecurity being largely indefensible.”
Finance and tech firms were found to have compensated their CISOs well. “Finance CISOs have a total average comp of $728,000, of which $548,000 (75%) is cash compensation,” IANS said. “Tech CISO total comp is not far behind at $678,000, but cash comp comprises just 58% of total comp.” CISOs in legal, healthcare, and manufacturing had total comp well below the overall average.