This report looks at how the role of the CISO function is evolving, where CISOs report, and which next step in their careers many CISOs want to take. It also provides data on salary packages.

On CISO reporting lines & board reporting: 

  • Most CISOs report to the CIO (36% across geographies), followed by the CTO or COO. Very few CISOs report directly to the CEO, although that reporting line appears more common in Europe than in the US or Australia.

Source: Heidrick & Struggles’ Global Chief Information Security Officer (CISO) Survey, 2023

  • Almost all CISOs (91%) present to the board in some form: 59% present to the full board and 77% present to a subcommittee of the board.
  • Of those who present to the full board, most do so annually (61%) or quarterly (30%). Most CISOs who report to a subcommittee do so quarterly (79%).


On personal and organisational risks:

  • The biggest personal risks CISOs identify are role-related stress (71%) and burnout (54%). Almost a third of CISOs (29%) are concerned about losing their job after a data breach.
  • Most CISOs (58%) expect cybersecurity risks to look different five years from now. Today they see AI and machine learning (46%) and geopolitical risk (33%) as the top two risks their organisation faces.


On where CISOs want to go after their current role:

  • The largest share (41%) want to become a chief security officer. Others want to become a private equity or venture capital executive (22%), a chief information officer (20%) or a chief technology officer (18%), or to start their own company (13%).

Source: Heidrick & Struggles’ Global Chief Information Security Officer (CISO) Survey, 2023

  • 43% agree or strongly agree that there are opportunities for growth within their current company, while 25% disagree or strongly disagree.


On CISOs on boards:

  • The share of CISOs who sit on a corporate board is starting to rise, from 14% in 2022 to 30% in 2023.
  • 91% would like to sit on a board at another company, while 21% would do so at their current company. This could bridge a glaring gap: fewer than half of CISOs say their board can respond effectively to cybersecurity presentations. More generally, there is still a major shortage of board members with any cybersecurity experience (only 14% in the US and 3% in the UK). Increasing the number of CIOs, CTOs and CISOs on boards is critical for combating emerging threats from technologies such as AI, as well as geopolitical threats.


On CISO compensation:

  • In the US, median cash compensation rose 6%, from $584k in 2022 to $620k in 2023. Including annualised equity grants and long-term incentives, total compensation rose from $971k to $1.1m. CISOs in financial services earned the most and those at industrial companies the least, and newer hires with one or two years of tenure were likely to be paid more than those who had been in the same role for longer.
  • In Europe, average cash compensation was $457k, rising to $552k once equity and other incentives are included. Financial services again paid the most, while healthcare and life sciences paid the least.
  • Note: The report includes a detailed table of compensation broken down by industry, geography, team size and tenure.
