There’s good news for chief information security officers: Your salaries are often on par with other chief-level executives across an organization, though it may depend on which of those chiefs you call your boss.
A recent survey of cybersecurity professionals in more than 130 large commercial organizations by the Ponemon Institute and SecureWorld Insight found much higher salaries for those professionals than expected, with the top job of CISO earning an average annual base salary equivalent to the compensation of other C-level executives for 50 percent of respondents. The survey found similar trends extending beyond the C-suite to all other levels.
Yet despite receiving pay similar or equal to their counterparts in other parts of the organization, 43 percent of cybersecurity professionals rated their position as the most difficult in the organization, the study found.
In addition, compensation for cybersecurity workers varied widely based on a number of factors, the most significant being the channel through which a CISO reported. CISOs reporting directly to CEOs, for example, enjoyed 36 percent higher salaries on average, followed by direct lines to chiefs in finance, operations, information and technology. Few actually report to CEOs, however, with the majority (46 percent) reporting to the CIO.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said Thursday that higher salary premiums are often seen for CISOs who have not only the technical training but also the business savvy and understanding of an organization. “That’s not to say that the technical isn’t important, but you have to have both,” Ponemon said. “Many who aren’t making it to higher salary levels are seeing their roles as tactical and technical rather than strategic.”
Cybersecurity professionals also cited several barriers to team success. More than half (56 percent) cited lack of adequate funding as their biggest barrier, followed by IT complexity (42 percent) and lack of qualified personnel (41 percent). Only 8 percent reported having cybersecurity teams of more than 20 full-time employees, with the majority operating with just 6 to 15 full-time employees, the study found.
Meanwhile, cybersecurity professionals holding certifications earn only slightly higher salaries than their non-certified counterparts, earning just 8.7 percent more. Advanced degrees seemed to ensure a higher salary premium, with those professionals demanding up to 35 percent more in salary, the study found.
The wage gap between male and female cybersecurity executives also was less pronounced than the nationwide wage gap of 23 percent for all full-time, year-round career fields, as measured by the U.S. Census Bureau. Male cybersecurity executives earned just 5.5 percent more than their female counterparts, the survey found.
The data also confirmed that the number one reason cybersecurity staff leave an organization is compensation. This trend indicates that an organization’s biggest vulnerability may be its own security team, in large part due to unfilled jobs and lack of funding, the report states.
“Not only this study but other Ponemon studies show that there is a very high vacancy rate in organizations including government organizations in the areas of IT security,” Ponemon said. “There’s a real need for people with this skill set, experience and expertise, so finding those people and then not being able to compensate them well can be a real problem and often puts the government at a disadvantage.”
The government’s strong cybersecurity mission, however, may help to offset some of its disadvantage in compensation, Ponemon added. “A lot of people who are CISOs in the federal government have commercial experience and are willing to take a lower salary because they have a sense of service to country,” he said.