Cybersecurity professionals holding the position of chief information security officer (CISO) are seeing moderate increases in pay, although not as steep as two years ago and not necessarily keeping pace with the evolving nature of their roles. According to the “2024 CISO Compensation Report” by IANS Research, published on Oct. 2, the average annual compensation for CISOs now stands at $403,000, which includes salary, bonuses tied to specific objectives, and equity such as stock options. This represents a 6.4% rise over the last 12 months. However, the constantly shifting threat landscape is placing business operations at risk, with CISOs bearing the brunt of the responsibility, particularly following SEC regulations that require CISOs to determine whether a breach is material within four days of discovery.
Despite their increased responsibilities, CISOs often find themselves lacking the resources needed to carry out their duties effectively. This puts them in a precarious legal position, as they are expected to safeguard their organizations from cyber threats without adequate support. Fred Kwong, Vice President and CISO at DeVry University, describes the dilemma faced by many CISOs: on one hand, they are commended for managing and mitigating threats effectively; on the other, they face scrutiny when requesting additional resources or budget. This paradox leaves CISOs in a difficult position, where their success in thwarting cyber threats can itself lead to budget constraints because leadership sees no need for more resources.
Kwong, who oversees a team of five cybersecurity professionals, is struggling to secure approval for hiring a sixth member, as the organization is hesitant to add another full-time employee. This scenario reflects the broader trend in the cybersecurity landscape, where CISOs are facing challenges in obtaining the necessary support and resources to combat evolving cyber threats effectively.
In the aftermath of the pandemic-driven surge in remote work, companies have intensified their focus on securing their operational infrastructure, leading to an increased demand for CISOs. However, as cybercriminals escalate their activities, such as infecting systems with ransomware, the pressure on CISOs has mounted. While CISOs experienced significant compensation increases towards the end of the pandemic, with 44% either changing roles or receiving retention bonuses in 2022, the demand has stabilized in 2024, with only 11% opting for similar moves, according to Nick Kakolowski, Senior Research Director at IANS Research.
The prevailing macroeconomic conditions have led to a conservative approach among businesses regarding hiring decisions, resulting in CISOs staying put in their current roles rather than taking on new challenges. This shift underscores the challenges faced by CISOs in navigating a dynamic and demanding environment where cybersecurity threats continue to evolve.
The pressure on CISOs is further compounded in the public sector, where cybersecurity professionals grapple with unique challenges. State-level CISOs, in particular, face difficulties in finding and retaining cybersecurity talent, managing sophisticated cyber threats, and working within tight budget constraints. Despite the critical nature of their roles in safeguarding government systems, these professionals often do not prioritize compensation as a key factor in their job satisfaction. The increasing frequency and severity of cyberattacks, coupled with heightened scrutiny from the public and government stakeholders, place immense pressure on state-level CISOs.
In the private sector, CISOs face a different set of challenges, with factors like compliance and leveraging technology for security playing key roles in their responsibilities. Daniel Schwalbe, a former security professional at the University of Washington, transitioned from the public to the private sector to address career progression limitations. His experience highlights the ongoing struggle for professionals in finding the right career path in the cybersecurity field.
As the role of AI in cybersecurity evolves, CISOs are confronted with new challenges in managing AI-related risks. The complexity of AI technology requires CISOs to possess a diverse skill set encompassing technical, governance, privacy, and data science capabilities. However, many CISOs lack the requisite expertise to fully grasp and address AI risks, underscoring the need for collaboration and specialized knowledge in addressing emerging threats in this domain.
Overall, the evolving cybersecurity landscape presents a complex and demanding environment for CISOs, who must navigate a spectrum of challenges ranging from resource constraints to technological advancements. By adapting to these evolving conditions and fostering collaboration across sectors, CISOs can better position themselves to address the ever-changing cybersecurity threats facing organizations today.
