CISOs are stressed, burned out, and…making bank.
The 2022 Global CISO Survey by Heidrick & Struggles found median cash compensation for US-based CISOs surged from $509,000 in 2021 to $584,000 in 2022—a $75,000 raise that works out to nearly 15%. At the same time, the 327 CISOs around the world who participated in the study reported high rates of stress (59%) and burnout (48%), with roughly a third reporting concerns over high staff turnover.
CISOs are likely to get big raises in large part because companies are quickly realizing how important the role is, said Scott Thompson, a partner at Heidrick & Struggles in the financial services practice who worked on the report. The job also puts them on the front lines of serious threats like ransomware, a top concern for 67% of respondents.
“The key findings in the report were that the CISO role continues to evolve. It continues to be an incredibly stressful and high-profile role, which leads to a lot of burnout, a lot of turnover,” Thompson told IT Brew. “What’s interesting about the CISO function is they’re getting tens of thousands of bad actors or threats every single day. And they need to be right every single time, whereas a bad actor only needs to be right once for something bad to happen within the company.”
“CISOs are being compensated for the risk that they’re taking on,” he added. Median CISO compensation, including all sources of income like equity, grew at a slower pace, from $936,000 to $971,000, which might reflect many choosing hard cash now over stock in the uncertain economic environment.
The position of CISO also tends to be a static one—meaning that they rarely rise higher in an organization, according to the survey. Some 70% of the respondents said their prior job was also being a CISO or functionally filling that role, indicating they tend to be lateral hires. The survey also found that while CISOs often report directly to a board of directors and 56% of US respondents said their next ideal role was to sit on one, just 14% actually have a board seat.
According to Thompson, that can be partially explained by the fact that CISOs have specific skill sets related to cyber operations or cybersecurity. While boards are also increasingly aware of the importance of breaches and other security risks, most of the time, that doesn’t translate into giving CISOs a permanent seat at the table, he added.
“What we’re seeing is that boards are just not ready yet for the cyber function to sit on the board,” Thompson said. “They’re still trying to get their heads around the complexity of the role. They’re still trying to understand how CISOs impact the business.”
Unfortunately, the survey also found diversity in the CISO community is increasing at a snail’s pace, with 87% of respondents identifying as male and 71% in the US identifying as white.
Thompson attributes the disproportionate share of white and male CISOs in the US to the size of the industry compared to industry efforts to broaden the cybersecurity talent pool, a focus of many organizations, he said, but one that still isn’t getting as much emphasis as it should.
“It’s really just the sheer magnitude of roles in the US and how many organizations [there are] and how large the cyber functions are within the US,” Thompson told IT Brew. “If you look at the survey this year, compared to the last two years, the number of respondents and the number of diverse CISOs is going up slightly, but we'd like to see much more of an increase.”