Current CISO Demographics
At this time, CISO roles are mostly male-dominated. However, the number of women taking up CISO roles is steadily rising as the sector evolves. Compared to people in other senior positions in organizations, the average CISO is younger.
Up to 73% of CISOs are aged under 45, and of all women in CISO positions, 42% are aged under 35.
“The CISO field is evolving to become more diverse, drawing from other organizations globally that are moving towards diversity in the workplace. Also, more firms are opting for younger employees to put new thought and experience into the CISO role,” says Joseph Ferdinando, Founder of the NJ-based IT support company HotHeadTech.com.
One positive finding regarding CISO salaries was that female professionals averaged higher pay than their male colleagues. Female CISOs earn an average of £550,000 (approx. $705,000), while male CISOs earn marginally less, with an average salary of £530,000 (approx. $680,000).
Since fewer women are taking on CISO roles, firms pay marginally more for this diverse talent, hence the higher average salaries for female CISOs. Also, more firms are looking to diversify their workplace, which has collectively grown the demand for female CISOs.
While average pay is almost on par between female and male CISOs, there is a huge pay gap between CISOs working for blue-chip organizations and those working for smaller organizations. CISOs at blue-chip firms averaged £795,000 (approx. $1.02 million), with some earning as much as £2.1 million (approx. $2.7 million).
The Marlin Hawk study covered 500 companies, each with 500 or more employees, so the data was drawn from 500 CISOs at these companies. The study focused on businesses in the US, UK, Ireland, the Netherlands, Switzerland, Hong Kong, and Singapore.
Despite the shifting attitude towards an academic qualification, the researchers noted that 94% of CISOs had degree-level qualifications. The shifting attitude towards academic qualification was most notable in the UK where only 76% of CISOs stated they had attained a Computer Science degree.
Currently, the number of CISOs with a design or architecture degree is on the rise, as cybersecurity shifts towards organizing IT infrastructure and networks for better security. Asia-Pacific (APAC) and US CISOs, however, are still predominantly those with Computer Science qualifications.
Currently, half of career CISOs have had a long-standing interest in cybersecurity. However, unlike in the past, fewer are recruited from the information security department: 17% of CISOs were picked from departments other than IT, including human resources (HR), finance, and marketing.
Of the CISOs with no previous information security experience, 14% have a risk and compliance background. In the APAC countries, more CISOs (33%) have a risk and compliance background, as businesses in this region focus on risk management.
“I come from a compliance background and I had to learn what controls needed to be put in place to meet regulations and then how to build security based on those controls. So I’m completely backwards to most security people – with my background I would always say that compliance comes first. But for someone that grew out of the hacker world or, for instance, deep tech, they would always say security comes before compliance,” says Steve Kinman, the CISO at Zalando in Berlin.
Up to 93% of CISOs in the US are actively pursuing new positions or would accept new roles if approached. This number is lower in the APAC countries (89%), the UK and Ireland (84%), and the Netherlands (74%).
More than ever before, CISOs in the public sector are actively pursuing new roles: 26% of them. Of those in search of new jobs, half are pursuing a new challenge and up to 37% want better pay, which is hard to come by in the public sector. This drain of expertise from the public sector is likely to open up more vulnerabilities there.
Conversely, organizations are finding it difficult to recruit new talent from the pool. While most CISOs are open to new job offers, only 34% of firms can readily recruit senior talent. Of the firms that are struggling to recruit, 34% noted that they struggle largely because candidates’ technical knowledge falls short of their requirements.
3 in every 10 firms struggling to recruit stated that candidates did not have the right experience for the job, while 1 in 10 of these firms noted that candidates did not fit the organization’s culture. Most of the firms struggling to recruit are in the APAC region (91%), while only 54% in the US face a similar problem.
“It is certainly my experience that there is a shortage of talent globally, but also specifically here in Hong Kong… I don’t think cybersecurity has really been given the prominence that it deserves in Asian companies. And that, fundamentally, is the reason there is a limited talent pool of qualified people,” says David Gracey, the CISO at CLP Power in Hong Kong.
Towards the Future
Some businesses are looking for younger talent to take up CISO roles, often because they can be developed to be both strategic and technical in performing their roles. This approach relieves businesses of the struggle to recruit from the already willing pool of talent, which most businesses view as either too strategic or too technical to fit their roles perfectly.
Moreover, unlike employees in other C-suite roles, only 40% of CISOs are looking to become CEOs in the future.
The majority view their positions as requiring highly specialized skills, and see other positions as less demanding and, as such, less challenging to go for. CISOs are looking to prevent more attacks and to contribute to companies’ revenue generation and cost savings; these are some of the industry’s key performance indicators (KPIs).
Looking ahead, with the increasing need for cybersecurity and fewer CISOs ready for CEO roles, businesses will need to elevate CISOs closer to top management or delegate cybersecurity responsibilities to CEOs. In this way, businesses will make the well-informed security decisions that are critical for their operations.