Cybersecurity strategy success depends on appropriate staff size and salary to retain top talent, according to a report from security analysis firm IANS.

CISOs have a huge amount to consider when trying to align their plans with those of the broader organization, if they hope to hang on to their top talent. To keep pace, a survey released today by security analysis firm IANS and headhunting firm Artico recommends keeping compensation at the high end of the range — the top 25% of earners tend to be perceived as the top performers in their roles.

Across the various specialties — including SecOps and governance, risk, and compliance (GRC) — that top 25% averages around $523,000 per year in cash compensation, and $640,000 in total compensation with equity. The "floor" of the top 25% varies by specialty, from $360,000 in total compensation for identity and access management leaders, up to $465,000 for a deputy CISO and $447,000 for a product security department head.

The report also found that businesses' cybersecurity organizations generally divide themselves into three broad structures, based mostly on the size of the company at the time. "Fortune" firms, which the study classifies as those with more than $6 billion in annual revenue, generally have four organizational layers beneath the CISO and more specialist executives than smaller companies — about half have deputy CISOs and a quarter have a "global" CISO who handles worldwide security issues.

"Large enterprise," according to the IANS and Artico report, runs from $6 billion in revenue down to $400 million. These companies tend to have two to three layers of support staff under the CISO, and tend to feature specialist leadership in particular subject matter areas. Finally, "midsize" companies cover the $400 million to $50 million bracket of annual revenue, and are characterized by smaller teams where each member has multiple responsibilities.
The presence of various sub-specialists tends to scale with the size of the company, according to the survey, which polled 1,195 CISOs and cybersecurity staff members. At roughly the $1 billion annual revenue mark, the SecOps head becomes more common than not, with GRC, architecture and engineering, and identity and access management becoming more commonplace as revenue rises and the number of full-time employees on the security team increases.

The total number of people on staff also scales relatively well with revenue, according to the report. At the $100 million mark, most companies have between one and nine full-time security workers, while businesses in the study's "Fortune" tier tend to have at least 20, and up to 50 or 100 at the largest firms.

Aligning the cybersecurity team with the company's needs is a critical consideration for CISOs, the report said. "The data indicates that, across sectors, roughly 15% are at or approaching a revenue milestone that warrants the addition of a head of SecOps to their security organizations, based on what is typical for their peer group," the study said. "For 15% of CISOs, the head of AppSec is a likely or critical hire, followed by 13% for a head of IAM."