How Much to CISOs Make?

It started in 1994 with a $10 million bank hack. A young Russian computer programmer stole millions from Citibank in New York. In response, the company hired Steve Katz, the world’s first chief information security officer (CISO).

Cyber threats have grown exponentially in the decades since, with no signs of a slowdown. Cyber fraud grew by almost 500 percent from 2016 to 2021, with hacks costing $180 for each file accessed.

Today, cyber attacks occur every 39 seconds or 2,244 times per day, on average. The average data breach costs $3.9 million.

To combat these threats, corporations, government agencies, and other institutions have hired CISOs. In this article we’ll look at how to become a CISO, what the job involves, what it takes to land such a position, and how much CISOs make. We’ll discuss:

• What is a Chief Information Security Officer?
• How do I become a Chief Information Security Officer?
• How much does a Chief Information Security Officer make?
• Earning an appropriate master’s degree online

What is a Chief Information Security Officer?

In this era of ransomware, malware, phishing, denial-of-service attacks, and other threats, cyber security has become an essential function of any business or organization. Chief information security officers (CISOs) safeguard data and information.

The role of the CISO typically depends on the size of the organization. At large companies and institutions, the CISO oversees an in-house team of security professionals. Smaller entities may contract out security work, which the CISO manages.

As the “chief” name implies, CISOs act as sheriffs, overseeing the people and operations protecting an organization. Common responsibilities of this executive-level position include:

• Overseeing security operations
• Evaluating IT threats
• Preventing fraud and data loss
• Formulating policies and controls
• Managing access to resources
• Spearheading audit and compliance initiatives
• Reporting to officers and directors

The CISO’s primary responsibility is “to create a strategy that deals with ever-increasing regulatory complexity, creating the policies, security architecture, processes, and systems that help reduce cyber threats and keep data secure,” according to ZDNet. “Compliance is a key element of the role, as is understanding risk management.”

What sort of employers need a CISO?

Who needs CISOs? Banks, government agencies, movie studios, manufacturers, universities… basically, any operation that reaches a significant scale. A recent scan of CISO job listings on Indeed showed openings at the Federal Aviation Administration (FAA), Sony Pictures Entertainment, Vistrada, West Virginia University, and Suffolk County, New York, among others.

Most medium-to-large organizations have decided they need an executive-level staff member in charge of information security. About 55 percent of all companies had a CISO in late 2021, with 58 percent of the rest indicating a need for one, according to Navisite.

The proportion of companies with a CISO increases among larger outfits. A 2020 study by IDG found that 61 percent of companies surveyed had a CISO. That number rose to 80 percent among large organizations.

How do I become a Chief Information Security Officer?

A C-suite job like CISO requires years of education and work experience, as well as considerable technical expertise. While there’s no definitive rule for the amount of work experience needed to land a CISO job, most sources agree that you’ll need a work history dating back a decade or more, with considerable security experience and five-plus years in management.

In terms of technical expertise, EC-Council says employers may look for experience or qualifications in:

• Governance, risk, and compliance
• Information security controls and audit management
• Security program management and operations
• Information security core competencies
• Strategic planning, finance, procurement, and third-party management

Education and training

CISO candidates need a bachelor’s degree in computer science or a related field. A master’s degree with a concentration in cyber security will give you a competitive edge. Many organizations will only consider candidates with advanced degrees.

Some schools offer master’s degrees in information management, including The University of Washington. A master’s degree in cyber security, such as the one offered by The University of Tulsa, is a good way to position yourself as a potential CISO candidate.

Licensure and certifications

Certifications and licenses can also boost your expertise and demonstrate the breadth of your knowledge. The Cyber Tech Academy at San Diego State University offers a suite of 14-week certificate programs in:

• Artificial Intelligence for Cyber Security
• Cloud Security and Governance
• Cyber Governance and Risk Management
• Cyber Security in Healthcare
• Ethical Hacking

Medium recommends the following certifications for aspiring CISOs:

• Certified Chief Information Security Officer (CCISO)
• Certified Ethical Hackert (CEH)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• GIAC Security Leadership (GSLC)
• Offensive Security Certified Professional (OSCP)

Finding a job

Once you’ve put in the years earning degrees and certifications and learning the ropes, it’s time to make the leap to an executive-level CISO job. Your current employer may offer an opportunity, or you can look around for good leads elsewhere.

Darren Argyle, CISO at the Australian airline Qantas and a veteran of IBM and Symantec, offered several recommendations to CSO Online: “Firstly, get a mentor, then start making your personal brand shine by sharpening up your CV or LinkedIn, ask for recommendations, write articles you’re passionate about. Ask around for the good headhunters and gauge the market.”

How much does a Chief Information Security Officer make?

CISO is a powerful, high-stress position and pays accordingly. Six-figure salaries are common, though reports of average salaries vary dramatically from source to source.

Indeed falls on the low end of the scale, putting the average CISO salary at $125,000 per year. ZipRecruiter puts the average considerably higher at $194,600 per year.

Other sources put the average above $200,000. Glassdoor lists an average salary of $156,700, but reports that additional pay from cash bonuses, commissions, profit sharing, and other sources boost that amount to $215,800. Salary.com puts the average $235,600, with a range falling between $209,700 and $266,700.

Earning an appropriate master’s degree online

Plenty of opportunities exist for earning an online master’s degree in cyber security, information management, and other disciplines to position you for a CISO post. The University of Tulsa program mentioned above is geared toward working professionals and 100 percent online.

Online options for master’s degrees in cyber security include:

• Georgia Institute of Technology

• New York University

• The University of California – Berkeley

  Online options for master’s in information systems or information technology management include:

• Georgetown University

• Syracuse University

• University of Cincinnati Main Campus

(Last Updated on February 26, 2024)

Questions or feedback? Email editor@noodle.com