If CISOs want to retain top talent, they need to consider a great deal when aligning their plans with those of the organization as a whole.
To keep pace, a study released today by security analytics firm IANS and headhunting firm Artico recommends keeping compensation at the high end of the range. In other words, the top 25% of earners tend to be perceived as top performers in their roles.
Across a variety of specializations, including SecOps and Governance, Risk, and Compliance (GRC), the average cash compensation for the top 25% is approximately $523,000 per year, with total stock compensation of $640,000.
The “floor” for the top 25% varies by specialty, with total compensation for identity and access management leaders at $360,000, up to $465,000 for CISO subdivisions, and $447,000 for heads of product security.
The report also found that corporate cybersecurity organizations commonly fall into three major organizational structures, based primarily on company size. Fortune companies, which the study classifies as companies with more than $6 billion in annual revenue, typically have four organizational levels below the CISO and more professional executives than smaller companies. About half have a deputy CISO, and a quarter have a “global” CISO to address security issues around the world.
According to a report by IANS and Artico, a “large company” is defined as one with revenue between $6 billion and $400 million. They tend to have two to three tiers of support staff below the CISO and tend to feature expert leadership in specific subject areas. Finally, “medium-sized” companies have annual revenues in the range of $400 million to $50 million and are characterized by small teams, each member of which has multiple responsibilities.
The survey of 1,195 CISOs and cybersecurity staff found that the presence of different subspecialists tends to grow with the size of a company. Once annual revenue reaches roughly $1 billion, leads for SecOps, GRC, architecture and engineering, and identity and access management become more common as revenue increases and the security team adds full-time employees.
The total number of staff also correlates relatively well with revenue, according to the report. At the $100 million level, most companies have one to nine full-time security personnel, while the Fortune tier companies surveyed have at least 20 and the largest companies have up to 50. They tend to have 100 people.
Aligning cybersecurity teams to the needs of the company is an important consideration for CISOs, the report says.
“Our data shows that approximately 15% across the sector have reached or are at a revenue milestone that justifies adding a SecOps officer to their security organization based on prevailing conditions in their peer group. We show that we are getting closer,” the study says. “For 15% of CISOs, the head of AppSec is the most likely or important person to hire, followed by his or her head of IAM for 13%.”