US-based CISOs receive nearly $1 million a year

The role of the Chief Information Security Officer (CISO) is a relatively new senior management position within most organizations and it continues to evolve.

To find out how current CISOs landed in this role, their aspirations, the compensation they receive, the risks they face and the responsibilities they take on, analysts from global executive search firm Heidrick & Struggles asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.

The survey results revealed these key takeaways:

Who reports to CISOs and to whom do CISOs report?

The top organizational functions that report to CISOs are SecOps (88%); governance, risk and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity or disaster recovery planning (79%).
CISOs report primarily to the CIO (38%); the technical director or senior engineering manager (15%); the COO or CAO (9%); global CISO (8%); and the CEO (8%). But 88% of them also report to the company’s board of directors and/or advisory committee.

CISO roles are often terminal

Most CISOs move laterally in their current role, and the career path for CISOs is most often into another CISO role, analysts found.

If they weren’t CISOs before – and 53% of them were! – they were primarily an associate, regional or business-unit CISO, or their organization’s senior information security executive.

Many CISOs then aspire to become a member of the board of directors, but this ambition is unlikely to be realized. Even though cybersecurity experience is a must on boards, many boards still frequently prefer board members with previous board experience, analysts pointed out.

The roles of Chief Security Officer (CSO) or Chief Information Officer (CIO) are also coveted by many respondents.

The Threats CISOs Face and the Personal Risks They Worry About

CISOs say ransomware attacks are the biggest cyber risk to their organization (67%), followed by insider threats (32%) and nation-state attacks (31%).

On a more personal note, CISOs are most worried about job-related stress (59%) and burnout (48%), and much less about losing their job as a result of a breach (25%) or facing personal financial liability for a breach (11%).
“Our survey responses here tell a few different stories,” analysts noted.

“The first is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs do not make unnecessary departures. The second story is that CISOs feel relatively safe in their jobs – job loss as a result of a breach was not the highest risk. That’s, in part, because top CISOs are able to negotiate executive-level protections (D&O insurance coverage and severance packages, for example) that allow them to do their job unhindered by the threat of occupational hazard.”

CISO compensation continues to rise

“In the United States, reported median CISO cash compensation increased to $584,000 this year from $509,000 last year and $473,000 in 2020. Median total compensation, including annualized stock grants or long-term incentives, also increased, from $936,000 to $971,000,” the company found.

New CISOs, in particular, saw the biggest increases in overall compensation, likely because talent to fill the role is hard to find and organizations compete fiercely for it.

In the UK, the median CISO cash compensation has risen to £318,000 this year, but there has been a 14% decline in annual equity.

For those interested, the Heidrick & Struggles report offers a more detailed look at the various factors that impact CISO compensation in different geographies.