2024 CISO Compensation, Responsibilities, and Organizational Structure Survey Results

INTRODUCTION

This 2024 CISO Survey Report, published by Hitch Partners, represents 2023 findings from our firm’s seventh survey. The intention is to capture trends for compensation, reporting structure, and executive protection within the Security Leadership Community.

Our data shows the role of the CISO strikes a strong balance between protecting information assets and narrating the company’s security posture. The role continues to evolve, requiring the development of critical communication skills.

With an increase in more advanced attacks against critical applications and infrastructure this past year, top-notch CISOs are more coveted and continue to be well compensated.

We are an executive search firm focused on creating advocacy as well as providing valuable, actionable insights to the CISO community we serve. We welcome your feedback on this data set, including recommendations on topics to cover in future surveys.

METHODOLOGY

We compiled the results contained within this report based upon survey participation from 340+ U.S.-based information security leaders from various companies, agencies, and associations, representing on average 20 years of security-related experience with a median current tenure of 35 months.

We define the “CISO” as the information security leader at an organization who is primarily accountable for the strategy, orchestration, execution, and deployment of the information security program. Common titles for these leaders include Chief Information Security Officer (CISO), Chief Security Officer (CSO), Head of Security, VP of Security, and VP of Information Security. For the purpose of this report, these titles will be referenced as “CISO”.

The data that follows is based on voluntary respondents and does not represent the entire population of CISOs in the market.

DATASET DISTRIBUTION

“The best way to educate senior leadership about the impact of security breaches is to facilitate engaging and interactive exercises that enable non-technical leadership to experience security's role in an incident.”

- CISO, Global Financial Services Company


Average Annual CISO Compensation

Similar to other members of the C-suite, compensation for the CISO is impacted by overall business success and sentiment. While recruiting top talent for the most senior security leader is vital to protecting the castle, an organization is bound by the resources it has access to. Equity is typically a significant portion of CISO compensation, and its value fluctuates along with the market valuation of companies.


Certain industries, particularly those associated with technology and finance, offer higher financial rewards, reflecting the demand for specialized skills and expertise in these fields where the protection of IP and personally identifiable information (PII) is critical.

CISOs within the Financial Services industry (banks, hedge funds, investment firms, etc.) are typically rewarded with heavy base salary and cash bonuses as opposed to equity grants.


Sign-On Bonus

Frequently, sign-on bonuses form a crucial component of the initial compensation package designed to draw in high-caliber candidates. They serve to narrow the gap between yet-to-be-vested compensation in the candidate’s current role and the potential benefits of the upcoming offer.

A sign-on bonus (aka “signing bonus”) is often a one-time payment made during the initial employment year and unrelated to an annual bonus. It may be paid out as a one-time lump sum or paid in installments within a calendar year. Many sign-on bonuses come with clawback provisions, requiring repayment of a portion or all of the bonus if the employee leaves the company before a set period. This period can range from a few months to several years.


Compensation Related Benefits & Protections

Over the last year, the role of Chief Information Security Officers (CISOs) has become increasingly challenging, including managing the SEC’s new data breach disclosure rules. CISOs now bear more responsibilities, with tangible legal implications tied to their position. D&O insurance empowers CISOs to navigate the complex cybersecurity landscape without fear of personal liabilities. It fosters a collaborative environment where CISOs and the C-suite can work together to build a more secure future for the organization.


In light of the recent SEC ruling requiring material incident disclosures by public companies, the Hitch team finds it alarming that nearly half of public company CISOs are not currently covered under their company’s D&O policy.

Having a pre-negotiated severance agreement rose slightly among private company CISOs (+2%), while public companies remained flat from last year’s survey of CISOs.


Security Teams - Substantial, Diverse, and Experienced

Team size has increased year over year for 49.6% of private company CISOs and 52.4% of public company CISOs. Comparatively, a majority of public company CISOs are satisfied with their current team size (55.24%), while a notable share of private company CISOs (45.6%) express dissatisfaction with their existing team sizes when queried about their current staffing structures. The discontent reflects a potential need for a budget increase to effectively address the evolving challenges of the threat landscape.


Security Spending

In 2022-2023 we saw an increase in volume and complexity within the application and API attack surfaces, so it is no surprise that investing in defending that attack surface is seeing strong attention. As attackers shift from infrastructure-based to application-based attacks, we expect to see this number rise steadily. With the SEC Final Rule anticipated to be in place at the end of 2023, it is also not surprising to see an increased emphasis on improving compliance and reviewing program plans. We expect these areas to see greater attention in 2024 and beyond.

“Unfortunately, my experience shows that cyber/infosec investments are made only when absolutely necessary - typically after a significant breach (real or simulated) or a regulatory/legal mandate. Up to that point, cyber/infosec spending is reduced year over year until another crisis or significant event warrants it. So the hard part about being CISO/CSO is minimizing potential career-ending risks between events. If you’re lucky, you are able to build on what your predecessor was able to leave behind.”

- CISO, Public, Technology Fortune 100


Reporting Structure

Reporting structure continues to be a tale of two sectors. Private companies see significantly more reporting lines to the Engineering leader and CTO while remaining flat on reporting lines to the CIO. Public companies continue to see an increase in reporting lines to the CIO, while reporting to an Engineering leader and/or CTO is being considered more often. As cloud computing, remote infrastructure, and the complexity of AI within the attack surface continue to grow, so will CISO-CIO convergence. Duties traditionally under the CIO are now rolling up under the CISO, whose scope continues an upward trajectory.


Beyond reporting to the Board, the CISO also has a full plate of other responsibilities including managing other security-related functions.

“The Board and executive leadership want to know what the exposure is, in dollar amounts. What's an average breach going to cost us? What does a worst-case scenario look like? The Board and leadership will need to understand those numbers, from response, recovery, and containment costs, to the long tail of legal defense fees, to the opportunity cost and business velocity impact of potential remediation efforts.”

- CISO, Leading National Bank


CISOs in private companies juggle more security functions (4.8) than their counterparts in publicly traded companies (3.7). Technical areas like application, cloud, and product security typically fall under their scope, with Corporate Security and Risk Management often added. However, only 45% of CISOs manage Corporate Security, reflecting the 55% share owned by CIOs.

Nearly a majority of CISOs within both publicly traded and privately held companies have managed the IT function since they began in their role. This indicates a likelihood that they were recruited in part due to their corporate security / IT acumen.


At Hitch Partners, we stay maniacally focused on keeping the CISO community we serve, as well as our Client Partners, informed with clear, actionable insights and data.

- - - -

No Hype, No Sizzle, Just Substance