CISO salaries have long pointed upwards and may soon hit £1 million. New data has highlighted the central importance of the CISO to the enterprise, reflected in their ever increasing pay packets. At the very top end, CISOs can expect to earn between £597,000 and £878,000 a year and even within SMEs, where infosec budgets are often tighter, salaries average out at a plump £171,000 and go as high as £256,000.
To put this in some context, the average UK salary is around £27,000 per year and executive pay, according to PayScale, an online salary company, can reach £210,000.
The European figure still trails behind the US where CISOs can expect to earn US$273,000 (£209,000) annually, according to SecurityCurrent.
The global consultancy, DHR international, revealed the job market's current estimation of the position in a recent study.
Cindy Provin, chief strategy officer at Thales e-Security, told SC Media UK that “these figures are evidence that the startling rise of cyber-attacks year-on-year has caused boardrooms to recognise the dangers of hacking for companies' bottom lines, reputation, customer retention and employee confidence.”
It has long been a gripe of information security professionals that the boards of their companies treat them as a necessary burden, absorbing costs and adding little to the bottom line. This looks like it may be starting to change. A 2015 Harvey Nash survey placed the average base salary of a UK CISO at just over £130,000; this research paints a different picture.
That increasing weight placed on CISOs, whether through the growing awareness of executives or the advent of information security regulation, is transforming the role into one of central importance within the enterprise. Trustwave's 2017 Security Pressures report surveyed 1,600 IT decision makers, 53 percent of whom noted an increased pressure to secure their business, primarily from C-level executives.
Data breaches can now cost a chief executive his or her job and for a company, remediation can come with a large price tag. Ransomware, an increasingly popular weapon, can cost a company millions in lost work hours and revenue, as the victims of WannaCry have learnt over the last few weeks.
Even if that doesn't cause companies to re-appraise the value of their data and the security of their network, incoming European regulation soon will. The General Data Protection Regulation takes effect in May next year and will heavily penalise the non-compliant. Aggravated fines are set at up to €20 million or four percent of global turnover, whichever is higher.
New reports put the potential fines for FTSE 100 companies, whose CISOs can now expect pay packets close to £1 million, in the billions, according to Oliver Wyman, the management consultancy that conducted the research.
Moreover, there is not a great wealth of talent to fill those positions, however high paying. Cyber-security has long been plagued by a yawning skills gap and a drought of real-world experience in the field. Gordon Morrison, director of government relations at McAfee, told SC that this may only intensify those effects: “as the price for cyber skills increases, many companies will be priced out of the top talent. For many public sector organisations, for instance, the choice to pay up to €1 million to their CISO may directly impact the services that they can offer in their locality.”
The news comes amid an increasing awareness of the potential damage a successful cyber-attack can do. The WannaCry ransomware attacks of the last few weeks, which paralysed companies, government departments and public utilities in 150 countries around the world, have woken many up to the importance of information security. Last week, the global onslaught pushed the share price of leading cyber-security companies even further upwards. Over a few days, shares in Mimecast rose by 11 percent, Sophos rose by seven percent (only to fall later), FireEye rose by eight percent and Proofpoint, which was involved in finding ‘the kill switch’ for WannaCry, by 7.3 percent.