Despite overall generous salaries, a lack of raises and falling cybersecurity budgets are leading to dissatisfaction among chief information security officers (CISOs) when it comes to compensation.

These were among the chief results of a survey of 660 CISOs conducted by cybersecurity advisory firm IANS Research and Artico Search.

A quarter of the nearly 150 tech CISOs surveyed are unhappy with their compensation package, according to the study.

It also reports that the average total compensation for tech CISOs is $710,000, with a median of $440,000. The highest earners are CISOs at cybersecurity vendors, followed by those in fintech and hardware/infrastructure, where average compensation packages exceed $800,000, including substantial equity shares.

The number of technology CISOs who saw an increase in their base salary compared to the previous year dropped 18 percentage points. The situation varies by sector: While more than 80% of CISOs in healthcare tech and hardware/infrastructure experienced salary bumps, just 39% of cybersecurity vendors received such raises.

A recent ISC2 survey of nearly 15,000 participants found female cybersecurity professionals face continued pay disparities compared to their male counterparts.

Security Budgets Stagnant, CISOs Stay Put

Also weighing on CISOs was the slowdown in growth for tech firms’ annual security budgets, according to the report, which eased down to just 4% in 2023, a significant decline of 26%. On average, security spending accounts for 14.4% of the IT budget and 1.27% of the annual revenue.

There’s also been a slowdown in hiring activities within the tech industry, coinciding with a decrease in CISO movement in the job market. The percentage of tech CISOs who switched employers dropped to 19% in 2023 from 34% in 2022.

Nick Kakolowski, research director at IANS, said the most surprising finding was this lack of job movement for CISOs. “While this is consistent with the market as a whole, the tech sector is generally more volatile. It’s surprising to see such little movement despite so much economic uncertainty in the sector,” he said.

The tech sector is being hit harder than most by the macroeconomic uncertainty, Kakolowski said. And while security is still slightly sheltered from this trend, tight resourcing was evidenced by the survey findings.

The security spend as a percentage of the IT budget averaged 14.4%, while security budgets as a percentage of annual revenue averaged 1.27%, according to the report.

“The amount of pressure on CISOs is skyrocketing while budget and compensation increases are slowing,” Kakolowski said. “This dichotomy is fueling burnout, leaving CISOs feeling isolated and without adequate support from the business.”

This all comes at a time when CISOs are under increased pressure due to the complexity of GenAI and AI implementation amid shifting regulations and a rise in cyberattacks, and burnout rates are on the rise.

From Kakolowski’s perspective, CISOs are struggling to maintain a work/life balance in the face of multiple challenges—from budget and talent constraints to multiplying threats that are growing more sophisticated. “It is a high-pressure job that is increasingly being elevated in the business with uneven support across the industry,” he said. “A lot of CISOs are looking for new opportunities.”

CISOs Want to Feel Valued

Kakolowski advised organizations who want to retain their CISOs to evaluate whether their current compensation package – including issues like liability protections and indemnity – sends a message that the CISO is valued and supported.

“CISOs are being pushed into risk leadership roles, leaving them in situations where there is pressure to own risk decisions that fall out of their areas of direct responsibility while the business rushes to deploy technology that is largely unproven and inherently unpredictable,” Kakolowski said.

Harold Rivas, CISO of Trellix, isn’t surprised that CISO job satisfaction has dropped significantly in the last two years. While media attentiveness surrounding high-profile cyber breaches is heightening the public profile of CISOs, he said, it also places them under intense scrutiny.

“A combination of high expectations to implement the latest technology (like we’ve seen with AI) at top speed while ensuring airtight security and an increased load of responsibility drastically increases CISO’s day-to-day stress levels,” Rivas said.

Photo credit: Marek Studzinski on Unsplash