Chief information security officers land nearly $1 million pay packages

By Sydney Lake, August 26, 2022, 12:25 PM

As cyber threats become more prevalent, the demand for cybersecurity talent continues to rise. To land top cyber talent in the C-suite, companies must now be willing to fork over pay packages of nearly $1 million, according to a 2022 survey of global chief information security officers (CISOs) by Heidrick & Struggles.

Chief information security officers are typically the most senior-level cybersecurity professional or person responsible for protecting an organization’s data and assets. In 2022, 69% of CISOs in the U.S. indicated in the survey that the majority of their career had been spent in IT or cybersecurity.

U.S.-based CISOs reported median base compensation of $584,000, a 15% increase from last year. When taking into account bonuses and company equity, their total compensation rose to $971,000, up 4% from last year, according to the survey. By comparison, entry-level cybersecurity workers at top companies like Booz Allen Hamilton make about $150,000.

Compensation for CISOs continues to rise along with their value and importance to their organizations, Matt Aiello, Heidrick & Struggles’ global lead in its cybersecurity practice, tells Fortune. Heidrick & Struggles is an international executive search firm based in Chicago that also conducts market research.

“In just the last three years, the CISO role has evolved to be a more center-stage role with these leaders taking on a more holistic enterprise focus,” Aiello says. “CISOs are assuming more strategic and risk-related responsibilities, often interacting with the board, and providing a unique view of risk to help navigate cyber threats—a rising concern that has grown in priority.”

Additionally, CISOs who had been in their role for less than a year generally saw the highest increases in overall compensation, “no doubt reflecting the increased fight for top talent in all sectors and functions,” according to the study. 

The need for top cyber talent

Between 2013 and 2021, the number of unfilled cybersecurity jobs worldwide grew 350% to 3.5 million, according to Cybersecurity Ventures. Not only is there a need for entry-level workers, but company leadership must place more emphasis on cyber and information protection at the board and C-suite level, Steve Morgan, founder of Cybersecurity Ventures, previously told Fortune. CEOs at every Fortune 500 company and mid-size to large organizations should advocate to get cybersecurity experience on their board, he adds.

“That could be the CISO or an outside executive with real-world cybersecurity experience,” he says. “Do it now to protect your organization, not after a breach or hack to protect your reputation.”

Last year, only 17% of Fortune 500 companies had board members with this type of background. By 2025, however, Cybersecurity Ventures predicts that 35% of Fortune 500 companies will have board members with cybersecurity experience. 

“Every board needs to understand cybersecurity and the associated risks,” Aiello says. “Increasingly, boards are considering the value of having a seasoned CISO on the board or access to the expertise the board needs—through advisers—that can help ensure the board is thinking about cyber as part of the enterprise corporate strategy, not as an ad hoc concern.”

CISO burnout

Despite increasing pay packages, CISO burnout and stress affected many professionals surveyed by Heidrick & Struggles. In fact, 60% of respondents said stress related to their roles was the largest personal risk they face, with 53% saying the same about burnout. A lot of this stress has to do with regulatory pressures and potential for personal liability with cyber attacks, Aiello explains. 

In order for companies to attract and retain top CISO talent—beyond just high pay packages—they need to offer these workers directors and officers liability insurance to protect them from personal liability, Aiello says. 

“CISOs want to have the right severance protections, insurance protections, and level of reporting relationship to successfully complete and fulfill their duty, alleviating the risks associated with the role and personal liability,” he adds.
