Information Security Director Compensation Survey Results

Welcome to Hitch Partners' Inaugural Report on Information Security (InfoSec) compensation for senior positions that report directly within the CISO organization. Since we began producing our Annual CISO Security Leadership Survey Results in 2018, we have received significant demand from the community for an additional report highlighting compensation data for key functional leaders within the CISO organization.

As with our Annual CISO Survey, we have built this report to serve the community and provide a valuable, insightful tool for practitioners. This inaugural report concentrates primarily on four (4) functional areas. We anticipate the opportunity to provide further analysis and deeper trend data in subsequent reports. As always, we value input from the community and appreciate any suggestions you may have for future versions.

Hitch Partners is a retained leadership search firm, primarily focused on information security and physical security practitioners. We focus on security leadership placements (CISO / CSO) as well as senior positions within the security organization.

Hitch Methodology: We received survey participation from 150+ U.S.-based Senior Functional Security Leaders from a variety of companies, agencies, and associations to compile the results within this report. Hitch Partners defines a Security Functional Leader as the individual at a company who reports to the CISO and is responsible for leading a specific area within a security program or operation. Each functional area is detailed at the bottom of the page.

Average Annual Compensation

Note: Equity is an estimated annual value measured at the time of survey submission.

Sign-On Bonus

Note: Overall 47% of respondents had a sign-on bonus as part of their employment package.

Average Team Size

Note: Hitch did not receive survey participant responses at companies with < 250 employees who reported having the SecOps function within their organization.


Security Director Roles Defined

Hitch Partners defines the Security Functional Leader as the individual at a company who reports to the CISO and is responsible for leading the security program and teams within the functional areas specified below:

ProdSec (Product Security) / AppSec (Application Security)

According to the SANS Institute, a ProdSec / AppSec leader is primarily responsible for effectively embedding security best practices into the Software Development Life Cycle (SDLC) at companies that develop systems and/or software products or services (cloud native / hybrid cloud). Our research shows the following areas of responsibility fall under the ProdSec/AppSec leadership scope:

  • Threat Modeling

  • Penetration Testing

  • Vulnerability Assessments and Management

  • SDLC Validations

  • Software Security Automations

  • Application Security Monitoring

Note: Some elements of product security and offensive security functions can blend into this role/team on occasion.

GRC (Governance, Risk, and Compliance)

According to NIST, the Governance leader is responsible for ensuring adherence to the entity's Board of Directors' operational guidelines. The Risk Management leader is responsible for framing, assessing, responding to, and monitoring risk to acceptable levels as agreed upon by the BoD. The Compliance leader is responsible for ensuring processes are in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements. Our research shows the following areas of responsibility fall under the GRC leadership scope:

  • Security Policy

  • Compliance frameworks (ISO, SOC, SOC 2 Type 2, HIPAA, SOX, etc.)

  • Risk Identification, Assessment, Mitigation & Management

  • External Auditor Liaison

  • Third-Party Vendor Reviews

  • Some elements of Privacy

CorpSec (Corporate Security)

According to the SANS Institute, the Corporate Security leader is tasked with defending and protecting the enterprise against security threats. Our research shows the following areas of responsibility fall under the CorpSec leadership scope:

  • Identity & Access Management (IAM)

  • Data Protection (third-party application security, e.g. Microsoft Office 365, Slack, SFDC, Zoom, etc.)

  • Network Security (IT systems, Data Center & Infrastructure Security)

  • Vulnerability Management (Abuse Protection, Red Team Investigations)

  • Business Continuity

  • Security Awareness & Training

  • Incident Detection and Response (in conjunction with SecOps)

SecOps (Security Operations or Cyber Operations)

According to the NIST Framework, the SecOps team is primarily responsible for operating the entity's SOC (Security Operations Center), which identifies security threats and coordinates the response, recovery, and remediation needed to rectify incidents. Our research shows the following areas of responsibility fall under the SecOps leadership scope:

  • 24x7 Monitoring & Management (SOC)

  • Incident Detection, Response & Remediation (including Forensics & Root Cause Analysis)

  • Threat Intelligence / Threat Hunting / Defensive Tooling

  • MDR Vendor Relations

  • Compliance / Infrastructure Management