Are you as a CISO so much in demand, and exactly who do you report to?
Are the 38 percent of organisations actually listening to their CISOs?
Have these organisations' levels of protection and maturity increased?
Are people actually seeing CISO positions at the pay ranges mentioned in this article?
I did an Indeed search and only 4 positions came up across the entire US that were above 200k, and nothing as high as mentioned.
Just trying to reconcile what is in the article with what can actually be seen in the real world.
@JKWiniger A lot of hype, but definitely a lot of jobs on offer, but not at the salary ranges this article is talking about. As though hoping to generate sufficient hype to create those types of salaries. We have enough problems on the ground and day to day without having to worry about salaries at the moment. Maintaining sanity, and staying calm whilst dealing with the next hypothesis, which one hopes will be proven to be flaky before it can cause major concerns. Easier to fail quickly than fail slowly.
Thank you for the sanity check! I do however agree with the article that it is a problem when you expect the CISO to report to the CIO. To me it's a direct conflict since they both have different focuses and missions, but hey, that's just me.
The role of CISO is only approximately 25 years old, according to the article shown above:
In reality the CISO really does need to be elevated to the C-Suite; it really is the only way that CISOs can demonstrate the true ramifications of poor board decisions, which look good on paper, but in reality the organisation is not equipped or prepared to support or protect against. Digital transformation is a buzzword for a lot of pain and cultural change in order to keep the organisation competitive, and flinging data out into the cloud to get closer to the services they really want to embark upon, i.e. Augmented Intelligence, Data Analysis, enhanced security services etc. This means making the business flexible and subtle enough to be able to meet client demands for better services, but without bending the rules so much that things start to break, or can be demonstrated to have been broken. Therefore modern organisations need to have alignment with Zero Trust (Zero Trust is all about data protection), which means digging into the C-suite and commencing from the top down, because without their support the resultant cultural change will not occur, and as seen many times, organisations have failed miserably even on agile transformations, by being caught in the ceremony rather than the results of their efforts.
This means a change over from qualitative risk management to quantitative risk management techniques, which can be measured directly in terms of real world values and impacts.
If you don't know where the organisation's data is, and who has access, at any point in time, then why are they in business and how are they surviving? We live very much in a world that is increasingly demanding, demanding flexibility and versatility, and we need to think differently or plainly they will not survive, regardless of whether they are a Government-focused organisation or even a commercial one. In fact, recently I saw a Government entity taking the opposite approach, cutting the capital budget to the point that it took ten years to make decisions, which puts them in a situation whereby they are a sitting target for diverse testing by cyber-criminals. And yet they are responsible for the health & safety of many patients. The mind boggles. They will learn from example eventually.
How well the C-Suite do on a daily basis means they must understand the risks they undertake, and the investment they need to keep the organisation sustainable even in the worst of times. They need to value the skills of a CISO who can speak their language and convert it into tangible outcomes to protect their business strategy and turn it into successes. Yes, the C-Suite can be held responsible for their decisions, including fiduciary responsibility; it is time to make the entire C-Suite accountable directly for their actions.
@Caute_cautim Well said, and you brought a thought to mind. As you mentioned the C-Suite can be held responsible, so where does that leave a CISO who reports to a CIO? Are they accountable because the title starts with a "C", or are they not accountable because they are under the CIO? In looking at open positions and associated salaries I have come to believe that a CISO should pay a bit more than a director-level position just for the fact that at the higher level you could be held accountable.
@JKWiniger You certainly have me thinking like a philosopher this morning 🙂 There was a posting not so long ago which pointed out all the activities and responsibilities of a CISO, which used the mind map tool called XMind, as long as you indicated the author who originally created it, as it is evolving rapidly. I think I posted a link to it previously. I will do a search and if it pops up, augment this posting, as it is a useful reminder of the role of CISO and the responsibilities they hold within an organisation, which continue to grow.
This mind map would easily indicate the CISO's responsibilities, and particular legislation they were monitoring or had to adhere to.
Here is the link to the mindmap: https://rafeeqrehman.com/2021/07/11/ciso-mindmap-2021-what-do-infosec-professionals-really-do/
I tend to agree with you John, a CISO is the translator on behalf of the business, either upwards or downwards or even horizontally, the reality checker or even sanity checker for the organisation, and possibly the chief intelligence source too. Unfortunately, there is still this stigma around, which appears to haunt organisational structures, that the C-Suite are held to a higher level of expectation, legally, but possibly wrongfully in many cases. Does a CEO, CIO, CTO, etc. require a certification to practice? For example they may be a member of an institution, i.e. the Institute of Directors, whereby they are expected to behave and abide by a set of ethics, rather like ourselves. But in reality, this mainly affects their ability to move from organisation to organisation, by reputation and word of mouth etc. Yes, they can be prosecuted, but not to the full extent, mainly on liability or nefarious negligence or even on a fiduciary basis.
However, in most crisis situations I have witnessed, despite warnings and relevant reports from CISOs, these have been ignored even by the board themselves, until something goes wrong. Often it is found to be a lack of maturity in governance, and of adequate investment to actually protect the organisation. Unfortunately those days are passing quickly, as the state of the nation is rapidly changing; no matter where you are, an incident will occur, and it depends on how resilient the organisation is in terms of preparation, or whether they get caught with their proverbial pants down and it's splashed across the media. Often the CISO is the one who is hung out to dry, rather than the C-Suite taking the heat, so to speak.
I did not get a salary raise "directly", but I was just hired for a newly created CISO role/position at another company (of course the salary got "adjusted").
The creation of this role is due to a regulatory requirement to have a CISO overseeing the security program of the company.
I would agree with John that a CISO ideally should not be "hiding" under, or reporting to, the CIO. Companies have different lines of reporting: some CISOs report to the CIO, some report to the risk function. The "C-suite" really depends on your reporting line.
Regarding total compensation, a US$200K annual figure is already a good package in my region (AP). When saying average or "400-500k", maybe the average of the top CISOs in Fortune 500 companies can get up to that range.
@Caute_cautim Ok, so I have been going over this mind map and want to see if I can get a little clarity. If I am understanding it correctly, it would seem to be saying the CISO just handles the 7 items to the left of the work budget. Could this be right? And I am guessing that if so, this would be for a larger, more mature company, as in smaller companies single people would do a lot more of the items on the mind map.
But then also, this would explain why places are looking for MBAs to fill CISO positions and normally end up with a breach because they don't really understand the underlying technologies and threats. I am sure many of us who have come up through the ranks over the years know a lot of the things listed here, so putting ourselves into these newer defined boxes gets a bit difficult.
@JKWiniger My response: no matter what your certification level or degrees, I want life experience, someone who has experienced and dealt with various life-changing episodes, and knows how to handle pressure.
Whether you are plunged into a Time Machine and go through 1,000s of experiences, you still need a cool head when exposed to daily pressures, which have to be considered carefully, and what you advise at the point in time may have good or lesser outcomes.