In this edition of Cyber Sessions, host Joan Goodchild talks with IANS researcher Nick Kakolowski about why midmarket CISOs now earn record-high pay but are still stretched thin by expanding responsibilities and limited resources.
Hi, I'm Joan Goodchild. Welcome to another episode of Cyber Sessions, where we talk to the voices in security about trends, topics and things that people are talking about in the industry.
Today, I'm really excited to be joined by Nick Kakolowski with IANS, and he is a senior research director there. Welcome, Nick.
Hi, Joan. Thanks for having me.
And tell me first a little bit about IANS and what IANS is all about.
Sure. So we are a research, advisory and decision support firm where we really focus on helping CISOs and their teams solve tactical, practical problems in the real world. We're a little less on the prognostication, what's-going-to-happen-in-five-years side of the shop, and a little bit more on: what are the real world issues that security teams are grappling with, and how do we help you solve them?
Okay, cool.
And as part of that, you have been tracking pay, or CISO compensation, and recently wrapped up the CISO Compensation and Budget survey. And that's what we're going to talk about. Everybody's favorite topic, pay, and how much people are earning in this industry now. So tell me a little bit about that research effort.
Yeah, we're really excited to have this project going.
We've been partnering with executive search firm Artico Search since 2020 on this research to really provide some transparency and visibility into what's going on around CISO compensation. We found at the time that HR pay bands were not really applying well to security.
There was a lot of uncertainty, because the role is so valuable across businesses, about what actual normative pay for CISOs is, and we wanted to kind of pull the curtain back on that and provide some transparency in the industry.
And as we did so, we found it to be a great place to also ask about budgets, CSO satisfaction. And over the past couple of years, we've also expanded it to talk about staff satisfaction, the vendor landscape and similar topics that are of interest to the CSO community.
Okay, so we've been doing this for a few years now then.
And so in tracking that data, you know, what are you finding out about how small and mid-market CISOs are really kind of managing those expanded responsibilities?
One of the things that we are seeing that really stood out to me this year is how the CISOs have become more and more aligned with the business.
When we talk to the CSO community about their budget requests 2 or 3 years ago, what we would typically hear is something to the effect of I had to ask for twice what I thought I needed in order to get what I wanted.
So, you know, I'd ask for a 30% budget increase to get 15%.
When we ask CISOs this year how they requested budget, it was much more: well, I saw the business wasn't going to give us a big budget increase because the business is in a tough spot right now.
So I asked for a 5% budget increase and I got a 3%, or I asked for 2% and got 4%.
And so while budget growth has slowed down significantly, it has become more just in line with how the business and macro environment are going.
CISOs have gotten smarter and more thoughtful about aligning what they're asking for to where the business is going, as opposed to simply asking what they need relative to the threat environment.
And that makes it easier to justify what they're asking for in budget resources, and to connect it to how they're delivering opportunities for the business to really drive down risk and grow.
Interesting.
Now, you also found through this data that, compensation is higher than ever, but retention rates are low.
You know, what's kind of the disconnect there between, you know, we're paying folks in these extremely high pressure roles for that high pressure and for the responsibilities that they're taking on. But yet, you know, people aren't staying that long on the CSO side of the shop.
It is more a byproduct of stagnation. Over the past couple of years, what we saw was a huge spike in turnover in the late pandemic and immediate post-pandemic stage, the early 2020s, and then in the past two years there's been very little movement in the CSO market.
Retention numbers, which had dropped to around 24 to 36 months on average for CISOs, started climbing up to 36 to 48 months on average, and CISOs were staying put.
And this year we saw the market start to open up a little bit again, particularly later in the year. We expect that to continue into next year. We're seeing similar things on the staff side, but even slower movement and less mobility on the staff side of the job.
Do you attribute that to anything?
Mostly just congestion in the market, let's say, slow movement over multiple years, and more CSOs just being willing to take a job change because they've felt like they've been in their role for a little longer than they want to.
Sure.
Now, another thing that I thought was interesting is we see expectations in smaller organizations for CISOs to take on enterprise level responsibilities without necessarily having enterprise level resources. What are you hearing there? You know, how are people managing those kinds of expectations without, you know, necessarily having the budget that goes along with it?
Yeah, there's a really interesting thread going through the industry right now where we see kind of two cohorts of those mid-market and smaller org CISOs.
They are all universally seeing massive increases in scope and expectations for what they are responsible for. But about half to two thirds of them are also getting compensation increases.
They're also getting more visibility with the executive team and that scope is building influence and giving them the ability to prioritize across lines of business.
And they are happy with the increased scope, and they are enjoying the opportunity to have more of an executive leadership role in the business.
The other third to close to a half are finding that they're getting more scope, but they're just getting all of the problems that the business has thrown on them, and they're being told to figure it out with flat budgets, without necessarily getting a compensation increase, without necessarily getting more visibility.
And they are feeling stuck and trapped and burnt out.
And it's becoming a very difficult situation to be in.
How does that impact, do you think, overall security strategy in an organization of that size then?
It is very tough.
What we are seeing is there is a cohort of organizations that are elevating the CSO role and giving the CSO real, strong, connected fabric to the business and letting that CSO become an influencer.
And those CSOs are becoming all purpose digital problem solvers and driving business growth opportunities. And then there are businesses that look at the CSO as a back office technical function, put them in a box and expect them to solve technical problems and not really engage with anything else.
And those CISOs often see the big picture challenges. They see the need for a more strategic, cohesive approach to digital risk management and get very frustrated by where the business is putting them.
And it's very difficult to move a business off of that stance if they don't see the overarching value to the organization of having the CSO more involved in those conversations.
Now, being more involved in those conversations, too, includes audience with the board. You know, this is something that we've covered for years now in the industry and on CSO, this idea that the CISO and/or the CSO really needs to be able to have some time with the board a few times a year and really get themselves on their priority list as well. What did your data find about the evolution of visibility for this role with the board?
It's definitely increasing. We are seeing more CSOs get consistent access to the board, and particularly board subcommittees, and more CSOs serving on subcommittees year over year.
What is challenging is you can't really change or shift the board structure. Your board structure is what it is.
And so CSOs who don't have that board access can feel very trapped and stuck. And what we recommend there is to start to take baby steps. Maybe your organization won't give you a board seat, but maybe they'll let you sit in on the board meetings and listen in.
Maybe they'll give you more of an opportunity to strengthen how you give your reports to whoever reports on your behalf, so you can at least see then, okay, how do they take what I'm giving them, and how do they present it when I see it?
Then how can I change what I give them to align with what I need them to say and get stronger connectedness there.
But ultimately, getting that board access, even at a subcommittee level, can be hugely valuable, and that can be a good entry point if you can't get on a full board to get on a subcommittee and be able to influence them, because that's where a lot of the board's work gets done anyway.
And then the full board meeting is often more of a reporting session.
Another issue that kind of goes hand in hand with that, too, is the evolution of the role and the expectation, you know, at the executive level, that the security executive needs to demonstrate ROI for the program. You know, I mean, I've been covering this space now for 20 years, and at first it was almost exclusively a cost center.
And now that's really no longer acceptable. Does the data reveal anything there in terms of those efforts and kind of what's happening in terms of demonstrating ROI for security investment?
I almost feel like ROI is becoming a trigger word for some CSOs in the community, because they feel like it's an impossible standard to reach. We don't have good enough industry wide benchmarks and metrics to really compare security programs from one to another.
It's very difficult to quantify risk in a sufficiently nuanced way to demonstrate ROI. So the way we recommend CISOs think about talking about it is more around how can I create value for the business?
Maybe I'm not going to get to a direct dollar amount ROI, but can I take a project that would normally take 90 days to get through a process and bring it down to 45 days by accelerating how we audit and measure risk in that process? Can I figure out ways to get to a ballpark, loose figure of how much we think it will cost to buy down a certain risk versus the value that would be lost if we ignore that risk, and get business partners on board with that? And over time, as you have some of those conversations, you get to a sufficient level of granularity that everyone can kind of wrap their heads around it.
And don't worry about getting super granular, because at that high level of the business, that level of granularity is not necessary or particularly helpful anyway.
And then over time, as you have those conversations with multiple business leaders and multiple project stakeholders, you start to build influence and start to have people see, oh, if I get security in the conversation earlier, they can give me value opportunities by solving problems that I'm going to run into later.
Now you also found that for organizations under $50 million, the highest level security practitioner, you know, or the person at the executive level, held, you know, higher level titles, executive level titles, the CSO and so forth, as opposed to larger companies. Any idea why smaller organizations would be kind of more ahead of the curve compared to, you know, their larger counterparts in this regard?
This is another area where we see two clear cohorts. So we ask in our survey, are you regarded in your organization as an executive, a VP or a director? And we see a relatively significant cohort of folks regarded as executives at either very large organizations or fairly small organizations.
But when we look at the scope of those individuals, we look at the compensation packages of those individuals, we look at how they talk about and think about their job. And then we just have conversations with them.
The folks who are at those large orgs and are regarded as executives are almost entirely in a strategic problem solving role.
The security team is running day to day through their deputies, and they are 100% in a strategic role.
When we look at those CISOs who are thought of as executives in smaller orgs, they are very much that hands on small business executive who might be one moment solving a technical problem, getting hands on keyboard and another moment talking to the head of sales about a procurement problem and then needing to manage risk through procurement.
And it's more a reflection of the lack of maturity of the management team in those small organizations. They tend to be smaller, flatter management teams. And therefore the CSO sits closer to those executives and is often among them.
But it's usually something where, as the org grows, more layers might get built up in between the CSO and the management team when that business expands.
So let's dig into the data a little bit more, too, when it comes to compensation. You know, we talked about the title issue, you know, depending on the size of the organization and so forth.
Does the data tell you that compensation kind of breaks down in logical ways in terms of, like, you know, geographic location or size of company?
You know, what kind of highlights stood out to you in terms of who's getting paid what, and where they're located, and what their title might be?
Size of company and industry behave as you would expect.
The historic large org financial services tech companies are going to generally be the highest paid. We also see very, very large retailers starting to drive compensation in that segment up higher.
Definitely a very strong correlation between size of company, size of security team and CISO compensation, which just makes sense.
What we've been surprised by is, over the past two years, we've seen a gradual, let's say, shrink, sorry, a gradual decline in the disparity of pay by region.
Regional disparities have gotten smaller and smaller and smaller, in part because while more organizations are pushing for a move back to office and a move back into hybrid environments, they are more willing to have the CSO going into satellite office locations. So you might report to, you know, a New York company's Florida office twice a week, and then once every other month go meet up with the management team at headquarters, or once a month be flying up there. And there's more tolerance and more willingness for that. And so we see some of the regional pay disparities shrink, with the caveat that a huge part of very large CISO compensation packages is driven by equity.
And we see tech firms on the West Coast driving up those equity packages, creating a situation where the West Coast tends to be the highest pay area for CSOs.
But even there, the gap is not particularly huge.
Interesting. Okay. What about budget? You know, this survey also looks at spending priorities. You know, what highlights were there? Of course, everybody's thinking about, like, investment in AI and, you know, things that we talk about all the time.
But, can you give us kind of a broad look at where you see spending currently?
What we see is, for the most part, SecOps tends to be the predominant area, getting around 19% of security budgets in terms of the software and tooling side of the budgets. Overall, staff gets, every year we do the survey, somewhere between 37 and 39% of the budget, with tooling and hardware in there getting around 20% total. And we are seeing an emergence of desire for automation, definitely desire for AI, but it's not necessarily a single spend category, because folks are trying to use AI all over the place.
And it's more, you know, a dab here, a dab there, than it is. We can have a big category for AI. What we expect to see as we look at this data next year is increases in spend in IAM.
We see that the larger an org gets, the heavier its IAM spend becomes, proportionately and in raw dollar amount in the budget, because managing identities at scale becomes harder and harder, and as more non-human energy, sorry, as more non-human identities become prevalent through use of AI, orgs need to scale their identity functions not necessarily based on the size of the business, but the size of the virtual apprentice staff in the business. That's going to lead to more parity in terms of spending on IAM. We also expect to see increases in spending on apps as AI enables more orgs to have non-development folks develop apps.
So they're starting to have to rethink how do we extend our apps, like, functionality outside of the traditional departmental boundaries, to figure out how to set baseline best practices for, like, AI enabled development.
What, you know, are kind of the factors that you think are behind that increased IAM spend? I mean, you mentioned the non-human identities and the need to secure those.
I know there's a lot of sort of newer players in that space, too, in terms of new vendors that have come onto the scene in the last few years.
With that specific focus in mind, can you speak a little bit to that, like what's happening in the enterprise, what's happening in small to midsize organizations, that this has become a priority now more so than in the past?
Sorry, I should probably add that caveat. In the past, there have been many situations in which IAM would fall under IT, and security is taking greater ownership of IAM. That's part of it.
Part of it is IAM is becoming incrementally, and dramatically, I should say, more exponentially than incrementally, more complex as a result of AI, agentic AI, but also all the need for things like role-based access control, all the need to manage information channels.
It's just becoming such a complex area to oversee. Numbers of devices are rising, numbers of human and non-human identities are rising. And then you get misinformation. You get fraudulent identities. You have, you know, imposter employees.
All of these things where verifying identities is becoming harder and harder, that it's, you know, it's a little cliche, but identity is becoming the new perimeter.
Yeah, yeah, we've been hearing that now, for a bit. And back to the AI thing, too, if we can dig into that a little bit more.
You know, you mentioned kind of the blips here and there, but what level of maturity do you think we still need to get to?
You know, again, covering this space, what I see a lot is there's obviously an enthusiasm and interest in, you know, technology that uses AI to help in the SOC and in other places when it comes to security.
But there's still sort of a, I think, a lack of vision of what practitioners actually want to do with the technology. Is that reflected in the data?
I don't know if it's really in the data, but it's definitely reflected in what we hear from the community as we talk about our data.
We'll use a lot of our, you know, as we talk about budgets: not only is budget growth slowing, but staff budget growth is slowing more precipitously than overall budget growth, to the point where it's now normal for staff budgets to be flat for most teams.
And we are seeing orgs turn to AI to help them sustain and still expand operations without adding to staff. But what we are seeing is lots of piecemeal projects. You know, let's use AI to summarize our big architecture reviews.
Let's use AI to summarize our third party questionnaires. Where we are seeing the most pervasive, kind of at-scale use of AI is probably within SecOps, which I think we would all expect.
And mostly we are seeing a lot of vendor promise, a lot of hype and under delivery and frustration in the community.
But because AI is learning so fast and getting better so quickly, and CISOs are seeing it as they start using more of these agentic tools and start using more of these, just, summarization tools and see how much faster they're getting, how much better they're getting at summarizing data effectively.
There is definitely a stronger outlook heading into 2026 for CISOs to really get aggressive about using AI across their programs. Generally speaking, we are seeing very little around reducing staff, but more about reducing the burden on existing staff.
Yeah, yeah, that's a similar theme that I hear a lot in my work in terms of, you know, using AI, but you can't necessarily use it to replace actual human manual work. It's sort of seen as being supplemental, and you still need human oversight in that. It sounds to me like that mirrors what you guys are hearing too.
Exactly. We had a really efficient conversation with some CSOs at one of our roundtables recently, where they were talking about what AI is often doing in their programs is elevating their top performers even more and showing the flaws in the lower performers even more, because lower performers just start throwing out AI, and the AI is not good enough and they're not fixing it, whereas top performers are going faster because of AI.
But then they're also being thoughtful about supplementing the AI and fixing the problematic elements of the AI to drive efficiencies.
Another trend that I'm hearing kind of more about, too, is sort of the breaking apart of the CSO role at a very large, you know, level, like a large organizational level, like in some places in large organizations.
It's not just the CSO anymore, but, you know, there are a number of CSOs, there are a number of people who have this executive level security role that are responsible for different aspects of the organization. Are you starting to see that emerge at all over at IANS?
Anecdotally, we're seeing a little bit of that. Our focus for this study is on whoever is kind of the top ranking security person in the organization; that's who is taking the CISO survey.
But we've definitely seen historically you might have, you know, a global CSO and then regional CSOs, you might have a CSO and then somebody who's head of infosec and someone else who's head of physical security.
We see more CSOs getting pulled into ownership of IT, and then they might have someone who's head of IT.
We're also seeing a strengthening of functional department heads, heads of architecture, heads of GRC, just taking on more responsibilities and more leadership roles. As the CSO scope increases, more of those fundamental team management elements of the CSO role are getting delegated down to those functional heads, and those departmental leads are becoming more strategic and a little less technical in those larger orgs.
Care to make any predictions right now in terms of, you know, where do you think the role is going?
I mean, where are we going to see more of that or, you know, any thoughts on kind of how we've seen the CSO role evolve so much in the last decade or so? What's the future look like?
Working with our partners at Artico Search, we've been putting a lot of thought into this.
And as we talk about the CSOs who are kind of at the cutting edge of the industry and really modeling where it's going to go, we are seeing individuals who get into a program, get the team stable, get the program stable, figure out their baseline expectations for how the program will function, and then delegate the vast majority of that day to day management to their leaders, and run an excellent program without themselves having to put too much hands on work into the program once it is stable. And then they become all purpose problem solvers for the executive team.
If there's a new initiative to expand into a market, and we know there's going to be new cyber risk because of that market, they're the ones who are going to understand the connection points between the regulatory laws and the nuances of the marketplace and the hardware capabilities in that marketplace, and be able to help manage that broad digital risk.
Same thing with launching new technologies, deploying new business units. They're the ones who are kind of that connecting fabric within the business, because digital risk is becoming embedded in so many things.
It's crossing regulatory, privacy, technology, and no one person in the business is really in a position to know all of that well. Because CISOs have this kind of ingrained curiosity and ingrained sense of wanting to be the person who goes in and solves the problem, and they're tending to know a little bit about all of those things, they're just the best person to solve that problem, and the business is looking for whoever is going to solve it fastest. And so they're turning to the CISOs. And CISOs who are embracing that role are really driving the future of where this role is evolving.
Okay.
One question we like to ask everyone on this show is unpopular opinion.
Do you have one at all? It could be about the role of the CSO. It could be about compensation. It could be about the industry in general. Is there any kind of opinion you have that you feel like might be somewhat controversial?
I don't know how controversial, but what we find most disheartening about the marketplace right now is there's really a huge stratification.
We see these executives, CSOs who are super strategic, being paid $1 million plus in large organizations.
And then we see a lot of CISOs who are in smaller orgs that are still regarding security as a back office function and kind of putting them into that technical box, paying well under median pay.
We see a really fairly small cohort that are actually in that middle, and it's very hard to jump from one to the other because the business context is so different.
So often CISOs will have to do things like take on a head of architecture job in a much larger organization, or very painstakingly, gradually move from larger job to larger job to larger job, or take some career risks, because the job is just so vastly different as it's evolving from organizational structure to organizational structure, that that middle is disappearing.
It's interesting. Okay. So moving forward, you know, what advice, if you could, or, you know, what kind of manual could we give to boards and executive leadership within organizations on how to best enable the CSO moving forward, drive collaboration and visibility?
We see an incredibly strong correlation in our data between CSO satisfaction and CSO access to the board. When we ask CISOs if they are happy with the business's alignment with the security team, CISOs who do not have consistent board access are very dissatisfied.
CISOs who have consistent board access are very satisfied. The actual business strategy, the actual state of the budget, changes in the budget, are really not that directly tied to satisfaction.
It's that access, because the CISOs who are talking to the board all the time and hearing from the executive team all the time will understand where the business is going and will adjust accordingly.
And the boards and executive teams that are engaging with the CSO regularly will start to understand how security can drive value for the business and will adjust accordingly.
And it becomes a strong collaborative relationship as opposed to the situation where the CSO is the person shouting about risks in the back room, trying not to scare everybody and everyone else is trying to understand it and make sense of it.
You know, those days are slipping behind us, but there are still orgs that are kind of trapped in that time frame.
And if you want to get out of that, it just is going to take time as a business to develop that shared vocabulary and that shared language, to talk about risk in a cohesive way across lines of business.
And there's no better way to start than just to get the CSO involved in those conversations and go through the growing pains together.
Great. And we will continue to watch it. Nick Kakolowski, senior researcher with IANS, thank you so much for joining us today.
Joan, thanks for having me. This was fun.
All right. Great. And thanks to you for watching. If you want to learn more about IANS, their work, and how to learn more about these CISOs, the CISO budget, the CISO Compensation and Budget survey, please head over to the IANS site.
And, if you enjoyed this, we want you to watch more. So please follow along and like, and check us out for future Cyber Sessions. For now, I'm Joan Goodchild. Thanks for watching. See you next time.