Specialty Practices: Cybersecurity Technology - Heidrick & Struggles

Specialty Practices: Cybersecurity
Technology Officers Practice
2021 Global Chief Information Security Officer (CISO) Survey

2021 Global Chief Information Security Officer (CISO) Survey

Contents
A message from the authors 3
Methodology 3
Where are the CISOs? 4
What CISOs do all day 5
CISO reporting lines: Up and down 7
Two types of CISOs 8
What’s next for CISOs? 9
CISO compensation: United States 10
CISO compensation: United Kingdom 14

Heidrick & Struggles

A message from the authors

Welcome to our 2021 Global Chief Information Security Officer (CISO) Survey, which examines both organizational structure and compensation for this increasingly critical role.

For this year’s report, we expanded the survey from North America to countries around the world, with the goal of offering a more comprehensive and comparative look at how these roles have developed in different countries.

For this report, Heidrick & Struggles compiled demographic, organizational, and compensation data from a survey fielded in March and April of 2021 of 354 CISOs around the world. Most carried the title of chief information security officer, but respondents also include deputy chief information security officers, chief security officers, and senior information security executives.

The numbers of respondents varied significantly in different countries. This report includes organizational data from respondents in the United States, Europe, and Asia Pacific, and compensation data for respondents in the United States and the United Kingdom. We expect to be able to report more fully on additional countries in future years.

We hope you enjoy reading the report, which remains the only one of its kind. As always, suggestions are welcome, so please feel free to contact us—or your Heidrick & Struggles representative—with questions and comments.

With warmest regards,
Matt Aiello, Partner, Leader, Global Cybersecurity Practice, maiello@heidrick.com
Max Randria, Partner
Camilla heidrick.com
Guy Shaul, Principal
Scott Thompson, Principal
Adam k.com
avaughan@heidrick.com

Methodology

In an online survey, we asked participants to provide information on how their role is structured, to whom they report and who reports to them, and data on compensation including current base salary, bonus for the most recent fiscal year, and annualized equity or long-term incentive pay, as well as joining bonuses. All data collected was self-reported by information security professionals and has been aggregated.

On confidentiality

The global chief information security officer (CISO) survey, 2021, has been conducted on an anonymous basis. All data is reported anonymously and in aggregate.

Acknowledgments

The authors wish to thank Mohd Arsalan for his contributions to this report.

Where are the CISOs?

The chief information security officers (CISOs) who responded to the survey came predominantly from the United States. Australia, France, Germany, Singapore, and the United Kingdom were also represented.

Nearly half of the CISOs were at companies with an annual revenue of 5 billion or more.

The CISOs worked across a range of industries, most often financial services and technology.

[Chart: Company information. Panel 1, Company revenue (%): Pre-revenue; 0–50m; 51m–100m; 101m–250m; 251m–500m; 501m–1bn; 1bn–5bn; 5bn–20bn; 20bn–50bn; More than 50bn; Don’t know or prefer not to answer. Panel 2, Company industry (%): Technology, telecoms, SaaS, or cloud; Consumer, retail, or media; Industrial, manufacturing, or energy; Financial services or fintech; Healthcare, biotech, or life sciences; Business or professional services; Education or not-for-profit; Public sector; Other. Note: Numbers may not sum to 100%, because of rounding. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

In terms of experience, it’s not surprising that they also most often had recent experience in financial services and technology. In the United Kingdom, the share with financial services experience rose to 86%; in European countries, half had financial services expertise. In terms of background, most come from IT, though we are seeing other types of functional expertise emerging.

[Chart: General experience. Panel 1, Sector experience in past two years (%): Financial services or fintech; Technology, telecoms, SaaS, or cloud; Consumer, retail, or media; Industrial, manufacturing, or energy; Healthcare, biotech, or life sciences; Public sector; Business or professional services; Education or not-for-profit; Other. Panel 2, Main function of career (%): IT; Finance; Compliance; Legal; Software engineering; No function has comprised the majority of my career; Other. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

Most respondents were male and white, with little variation across regions. However, so far this year we are seeing greater diversity among people taking the CISO role, and greater focus from companies on hiring diverse CISOs (as is true for most executive roles). We expect companies to increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.

[Chart: Demographics. Panel 1, Gender (%): Male; Female; Prefer not to answer. Panel 2, Ethnicity (%): White/Caucasian; Asian/Asian American; Hispanic/Latinx; Black/African American; Mixed; Malay; Indian; Arab/Arab American/Middle Eastern; Native American/Alaska Native; Prefer not to answer. Note: Numbers total more than 100% because respondents could choose more than one answer. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

What CISOs do all day

The CISO role has become even more important in the past year, as digital technologies became ever more prevalent and remote working became the norm in many industries. CISOs were among the many IT professionals who scrambled early in 2020 and made significant contributions to the success of their companies through the pandemic. That was on top of CISOs’ already large portfolios, which cover everything from securing systems from attack to simultaneously managing increased regulatory scrutiny and use of the data these systems contain.

In the context of remote working and online customer interactions, it’s little surprise that CISOs this year most often said that they are focused on network/cloud security and identity management. This is a shift from a focus on endpoint security, which was a significant focus for CISOs for many years. This is likely the result of companies moving ever more activity to the cloud, leading to a focus on platform security rather than traditional endpoints. In addition, there were some notable regional differences in CISO focus.

[Chart: CISO focus. Panel 1, 2021 security program focus: Overall (%): Network/cloud security; Identity and access management; Data security; Application security; Endpoint security; Other; Prefer not to answer. Note: Respondents may have chosen more than one focus area. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals. Panel 2, 2021 security program focus: By region (%), with columns APAC, Other Europe, UK, and US and the same focus areas. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 337 information security professionals]

There are five functions that most CISOs said report to them, which are, on the whole, consistent with their overall focus. The strong presence of application/product security as a regular part of the CISO's mandate is an increasingly important function.

Areas that report to CISO (%)
Penetration testing 90
Security architecture 90
Security operations 90
Governance, risk, and compliance 88
Product and/or application security 85
Business continuity planning or disaster recovery 37
Trust 28
Enterprise crisis management 28
Physical security 28
Privacy or chief privacy officer 21
Fraud 18
Safety 18
Other 12
Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals

CISO reporting lines: Up and down

Most of the CISOs who responded to our survey, 86%, were in global roles (ranging from a high of 90% in the United Kingdom to a low of 63% in Asia Pacific). More than a quarter, 28%, have been in their role for more than five years. Indeed, though there is a perception of fast turnover and low tenure in CISO roles, this survey shows that 56% of these CISOs have been in their role at least three years, with little variation across regions.

CISOs reported either fairly small teams or fairly large ones: 38% of all CISOs surveyed said they have 25 or fewer people reporting to them, while 29% said they have 101 or more direct reports. (For detail on how team size varies by CISO remit, see page 8.)

Looking upward, the majority of CISOs report to someone other than the CIO. Globally, 11% report directly to the CEO, and a quarter of CISOs in Europe said they do so (many respondents from Europe are at smaller companies, where this structure is more common).

Despite the low share of CISOs who have corporate board seats, CISOs do have high visibility with the board: 90% said they present directly to their company’s board and/or audit committee, three-quarters of them on a quarterly basis. These figures vary little regionally.

Almost half of all CISOs said they sit on an advisory board, not necessarily at their own company—and two-thirds of CISOs in Asia Pacific said they do so. However, globally, only 4% said they sit on a corporate board. This low figure is consistent with Heidrick & Struggles’ annual Board Monitor reports, which show that only 6% of directors added to boards in Europe in 2020¹ and 8% of those in the United States² had cybersecurity expertise of any kind. Given the increasing strategic and operational importance of cybersecurity for all organizations, we hope to see many more companies bringing this expertise onto their main board rather than relying on advisors.

Current role background

[Chart: Time in current role (%): Less than 6 months; 6 months–1 year; 1–2 years; 3–4 years; 5 years or more. Chart: Number of team members, with the top band More than 200. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

To whom CISO reports (%)
CIO 38
CTO or senior engineering executive 16
COO or chief administrative officer 12
CEO 11
Chief risk officer or senior regulatory executive 5
Global CISO 5
General counsel 2
Other 11
Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals

[Chart: Current board experience (%): Advisory; Corporate; Both; Neither; Prefer not to answer. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 349 information security professionals]

1 Board Monitor Europe 2021, Heidrick & Struggles, on heidrick.com.
2 Board Monitor US 2021, Heidrick & Struggles, on heidrick.com.

Two types of CISOs

Last year, we identified three basic types of CISO roles in North America: a traditional security leader, a Risk/Trust leader, and a role we called CISO Plus, which has a wider remit.³ With this year’s global scope, two types of roles came into clear focus: an Everything CISO role, made up of 45% of respondents—those who have responsibility across all three areas of security, risk, and trust; and a Specialist role, made up of 55% of respondents—those who have responsibility across only one or two of those three areas.

These roles are about equally distributed by region, as well as by years in the role. Everything CISOs are more common in technology and financial services than are Specialist CISOs. This may be because, in both of these industries, many CISOs have specialists reporting to them, in our experience.

More of the Specialist CISOs had an IT background: 74%, compared with 59% of the Everything CISOs. And Specialists far more often said identity and access management was a core focus: 44% compared with 31%.

Everything CISOs more often report to business leaders, and 17% report directly to the CEO, while almost half of Specialists have the more traditional reporting pattern to the CIO.

[Chart: Company industry, by CISO type (%), for Everything CISO and Specialist: Technology, telecoms, SaaS, or cloud; Financial services or fintech; Industrial, manufacturing, or energy; Consumer, retail, or media; Healthcare, biotech, or life sciences; Business or professional services; Education or not-for-profit; Public sector; Other. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

[Chart: To whom CISO reports, by CISO type (%), for Everything CISO and Specialist: CIO; COO or chief administrative officer; CEO; CTO or senior engineering executive; Chief risk officer or senior regulatory executive; General counsel; Global CISO; Other. Note: Numbers may not sum to 100%, because of rounding. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

Everything CISOs said they have larger teams, on the whole, than Specialists.

Given the wider scope of the Everything CISO role, it is no surprise that these CISOs are, on the whole, paid more than Specialists. In the United States, for example, the difference in median cash compensation is 113,000.

[Chart: Number of team members, by CISO type (%): 0–25; 26–50; 51–75; 76–100; 101–200; More than 200. Note: Numbers may not sum to 100%, because of rounding. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 354 information security professionals]

[Chart: Median compensation: United States, by CISO type (USD, thousands): median base, median bonus, and median total cash compensation for Everything CISO and Specialist; median total cash compensation 584 (Everything CISO) versus 471 (Specialist). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 259 information security professionals]

3 Matt Aiello and Scott Thompson, 2020 North American Chief Information Security Officer (CISO) Survey, Heidrick & Struggles.

What’s next for CISOs?

Given that the CISO role is relatively new in the context of other C-suite roles, we also asked where CISOs want to go next. Nearly half of respondents want to be board members, which seems achievable given how many are already sitting at least on advisory boards and that cybersecurity will continue to increase in importance as more elements of operations go entirely digital.

Outside of board roles, CISO career progression remains tricky. Though 38% report to the CIO today, only 12% see that as an ideal next role. The wide range of next roles CISOs are interested in highlights that this is an evolving role, one where the next move isn’t clear. In this context, Everything CISOs may be able to develop more options to move up in their current company, since they more often report to business leaders, which gives them more exposure to their companies’ broader strategic interests.

In addition, more than half of CISOs don’t want to move geographically for that next role, though that share may well change in future surveys as post-pandemic conditions become clearer. In general, we found that CISOs’ teams are geographically distributed, and CISOs themselves are often not co-located with the rest of the executive team, though this varies widely from company to company.

Future career plans

Ideal next role (%)
Board member 47
Chief security officer (physical and information security) 44
Entrepreneur/consultant 18
Chief risk officer 16
CIO 12
Retirement 9
Private equity executive 8
CEO 3
Prefer not to answer 3
Developer of new tools at a security firm 2
General counsel 0
Other 5

Potential future geographies (%)
I prefer to stay where I live now in my native country 54
I would be open to working in another country 41
I would be open to working in another location in my native country 36
I prefer to stay where I live now in another country 4
Prefer not to answer 1
Other 1
Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 349 information security professionals

CISO compensation: United States

Since last year’s survey, reported median cash compensation for CISOs in the United States has risen to 509,000, from 473,000 last year.

[Chart: Median compensation: United States (USD, thousands), showing median base, median bonus, and median total cash compensation. Overall; By industry (Consumer; Financial services; Healthcare or life sciences; Industrial; Technology or telecoms; Other); By revenue (Less than 1bn; 1bn–5bn; 5bn–20bn; More than 20bn); By team size (50 or fewer; 51–100; More than 100); By tenure (Less than 1 year; 1–2 years; 3–4 years; 5 or more years); By CISO type (Everything CISO; Specialist). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 259 information security professionals]

Median total compensation, including any annualized equity grants or long-term incentives, also increased, to 936,000, from 784,000.

[Table: Median base, bonus, and equity: United States. Columns: Median base (USD, thousands); Median bonus (%); Median bonus (USD, thousands); Median total cash compensation (USD, thousands) (base and bonus); Median equity (USD, thousands); Median total compensation (USD, thousands) (base, bonus, and equity). Rows: Overall (n = 259); By industry (Consumer; Financial services; Healthcare or life sciences; Industrial; Technology or telecoms; Other); By revenue (Less than 1bn; 1bn–5bn; 5bn–20bn; More than 20bn); By team size (50 or fewer; 51–100; More than 100); By tenure (Less than 1 year; 1–2 years; 3–4 years; 5 or more years); By CISO type (Everything CISO; Specialist). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 259 information security professionals]

Regionally

As in last year’s report, we see some variation in compensation across US regions. For cash compensation, CISOs in the Midwest report the highest figure, 668,000. When annualized equity is added in, West Coast CISOs top the list, at 1,196,000.

[Table: Median base, bonus, and equity: US regions. Columns: Median base (USD, thousands); Median bonus (%); Median bonus (USD, thousands); Median total cash compensation (USD, thousands) (base and bonus); Median equity (USD, thousands); Median total compensation (USD, thousands) (base, bonus, and equity). Rows: Overall (n = 259); By region (Northeast; Mid-Atlantic; Southeast; Midwest; Southwest; West Coast). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 259 information security professionals]

[Table: Median joining bonus: United States (USD, thousands). Columns: In cash (excludes the 25% that said 0); In equity (excludes the 34% that said 0). Rows (n cash/n equity): Overall (n = 129 cash/87 equity); By industry: Consumer (n = 18/14), Financial services (n = 30/21), Healthcare or life sciences (n = 16/11), Industrial (n = 13/6), Technology or telecoms (n = 42/29), Other (n = 10/6); By revenue: Less than 1bn (n = 23/13), 1bn–5bn (n = 19/17), 5bn–20bn (n = 39/27), More than 20bn (n = 39/25); By team size: 50 or fewer (n = 56/37), 51–100 (n = 27/17), More than 100 (n = 46/33); By tenure: Less than 1 year (n = 29/17), 1–2 years (n = 37/24), 3–4 years (n = 30/22), 5 or more years (n = 32/24); By region: Northeast (n = 27/26), Mid-Atlantic (n = 11/6), Southeast (n = 11/10), Midwest (n = 21/16), Southwest (n = 13/7), West Coast (n = 44/22). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 129 information security professionals]

[Chart: Format of sign-on equity (%): Restricted stock units (RSUs); Performance share units (PSUs); Options; Combination of RSUs, PSUs, and/or options; Other. Note: Numbers may not sum to 100%, because of rounding.]

CISO compensation: United Kingdom

[Chart: Median compensation: United Kingdom (GBP, thousands), showing median base, median bonus, and median total cash compensation. Overall; By industry (Financial services; Industrial; Technology or telecoms; Other); By revenue (Less than 1bn; 1bn–5bn; 5bn–20bn; More than 20bn); By team size (50 or fewer; 51–100; More than 100); By tenure (2 years or less; 3 or more years). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 41 information security professionals]

[Table: Median base, bonus, and equity: United Kingdom. Columns: Median base (GBP, thousands); Median bonus (%); Median bonus (GBP, thousands); Median total cash compensation (GBP, thousands) (base and bonus); Median equity (GBP, thousands); Median total compensation (GBP, thousands) (base, bonus, and equity). Rows: Overall (n = 41); By industry (Financial services; Industrial; Technology or telecoms; Other); By revenue (Less than 1bn; 1bn–5bn; 5bn–20bn; More than 20bn); By team size (50 or fewer; 51–100; More than 100); By tenure (2 years or less; 3 or more years). Note: One person receives compensation in USD. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 41 information security professionals]

[Table: Median joining bonus: United Kingdom (GBP, thousands). Columns: In cash (excludes the 25% that said 0); In equity (excludes the 34% that said 0). Rows: Overall (n = 8 cash/8 equity). Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 8 information security professionals]

[Chart: Format of sign-on equity (%): Restricted stock units (RSUs); Performance share units (PSUs); Options; Combination of RSUs, PSUs, and/or options; Other. Note: Numbers may not sum to 100%, because of rounding. Source: Heidrick & Struggles’ global chief information security officer (CISO) survey, 2021, n = 8 information security professionals]

Specialty Practices

Heidrick & Struggles’ Specialty Practices provide expertise on emerging technologies. These practices include:
Artificial Intelligence, Data, and Analytics
Blockchain/Distributed Ledger Technology
Cybersecurity
Digital Innovation
Internet of Things

Leader of Heidrick & Struggles’ Specialty Practices, Global: Sam Burman, Managing ice

The world is currently experiencing a revolution. With technology constantly advancing, the contemporary business landscape is now defined by rapid innovation. Advances in cloud computing, artificial intelligence, machine learning, and the Internet of Things have enabled companies to become lean, agile, and efficient competitors in the global market. Indeed, the promise of a digital future has convinced organizations across all industry segments to adopt more technology-focused business strategies.

At Heidrick & Struggles, we believe that leadership plays an essential role in this transformation. That is why our Technology Officers Practice is committed to helping our clients find the next generation technology talent necessary to take their organizations to the next level. Our executive search consultants bring unparalleled experience, having successfully placed more than 1,000 information and technology functional officers with some of the best-known and most-admired companies around the world.

Leader of Heidrick & Struggles’ Technology Officers Practice, Global: Dennis Baden, Managing Partner, dbaden@heidrick.com

Copyright 2021 Heidrick & Struggles International, Inc. All rights reserved. Reproduction without permission is prohibited. Trademarks and logos are copyrights of their respective owners.
