Group of business workers working together. Partners stressing one of them at the office
Image: Adobe Stock

As the CISO role continues evolving from a back office IT function to taking on a larger enterprise focus, CISOs are assuming more strategic and risk-related responsibilities. They are also facing a number of personal risks as the importance of the role continues to grow. A new study from executive search firm Heidrick & Struggles finds that stress (59%) and burnout (48%) are the largest personal risks respondents in the U.S. face.

However, job loss as a result of a breach was at 28%, suggesting many feel relatively secure in their roles, the company said.

“That is, in part, because the best CISOs are able to command executive-level protections (directors & officers insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk,’’ the report said.

The burnout and stress associated with this role “should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits,’’ the study said.

Where CISOs come from

CISOs most often had recent experience in the financial services and technology industries. In terms of functional background, most come from IT, though we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year, according to the report.

And, though 77% had been in their role for at least three years (up from 56% of last year’s respondents), almost two-thirds of those who have been in their role for less than a year came from a previous CISO role, while those who’ve been in their current role for five or more years were more likely to have come from a role other than CISO.

SEE: Hiring kit: Data scientist (TechRepublic Premium)

Diversity continues to lag

Most respondents were men and white, with little variation across regions. Globally, 18% of respondents were diverse in some way: either women, Black or African American or Hispanic or Latinx.

In the U.S. alone, the share of diverse respondents drops to 14%, although there was an increase in Hispanic or Latinx representation, up to 8% from 5% last year. Seventy-one percent of respondents in the U.S. characterized themselves as white.

CISO compensation continues to rise

Another notable finding was that in the U.S., reported median cash CISO compensation has risen to $584,000 this year, up 15% from $509,000 last year and 23% from $473,000 in 2020. Median total compensation also increased 4% year over year to $971,000 from $936,000.

CISOs with less than a year of experience generally saw the highest rises in overall compensation compared to those with additional years of experience, whereas those who saw the least benefit were those who’ve been in the role for five or more years, receiving only an increase in base compensation. 

SEE: The COVID-19 gender gap: Why women are leaving their jobs and how to get them back to work (free PDF) (TechRepublic)

CISOs have boardroom aspirations, but face hurdles

CISOs often report directly to an organization’s board, which is rare for many C-level roles who aren’t the CEO/CFO, and they provide the one view of risk that many companies did not previously have, noted Matt Aiello, global lead in the cybersecurity practice at Heidrick & Struggles.

Yet, while the majority of U.S. respondents said their ideal next role was to become a board member (56%), only 14% of all CISOs said they sit on a corporate board or both a corporate board and an advisory board.

Even though heightened cyber risks have prompted a need for cybersecurity experience on boards, many still frequently prefer having directors with prior board experience: 57% of seats in the U.S. had sat on a public company board before.

“Rather than recruiting a current CISO to fill a board seat, we found that boards are most often bringing their own CISOs into the boardroom for updates,’’ Aiello said. “In fact, 88% of CISOs we surveyed said they reported to the board at least once the past year, whether to the full board committee or the committee with oversight of cybersecurity, typically the audit, risk, or in some cases, a dedicated cybersecurity committee.”

Aiello speculated that as board seats are limited, organizations have competing goals that impact how to fill empty seats. Many boards frequently prefer that new members have previous board experience, and only 4% of CISOs in the U.S. fit this category, according to the report.

“Additionally, diversity on boards is a priority; the majority of CISOs are not diverse. Boards also tend to prefer executives with broad business backgrounds … which most CISOs don’t have,’’ he said. “The board-CISO landscape may change dramatically if the proposed SEC rules on cybersecurity reporting and expertise move forward, which would cause organizations to reevaluate their board makeup.”

Heidrick & Struggles said it compiled organizational and compensation data from a survey fielded in Spring 2022 of 327 CISOs around the world. More than two-thirds of the CISOs were at companies with annual revenue of $5 billion or more, and they worked across a range of industries, most often financial services and technology and telecoms, but followed closely by industrial, manufacturing, energy, consumer, retail and media.

Subscribe to the Executive Briefing Newsletter

Discover the secrets to IT leadership success with these tips on project management, budgets, and dealing with day-to-day challenges. Delivered Tuesdays and Thursdays

Subscribe to the Executive Briefing Newsletter

Discover the secrets to IT leadership success with these tips on project management, budgets, and dealing with day-to-day challenges. Delivered Tuesdays and Thursdays