2023 Global Chief Information Security Officer (CISO) Survey
Welcome to our 2023 Global Chief Information Security Officer (CISO) Survey, which examines both organizational structure and compensation for this critical enterprise leadership role.
For this report, Heidrick & Struggles compiled organizational and compensation data from a survey fielded in early 2023 of 262 CISOs around the world. Most carried the title of chief information security officer, but respondents also include chief security officers and senior information security executives.
This report includes organizational data from respondents in the United States, Europe, and Asia Pacific, and compensation data for respondents in the United States, Europe, and Australia. We always aim to broaden the spread of our geographical data set and will continue to in the future.
We hope you enjoy reading the report, which is now in its fourth year and widely recognized as the most authoritative and widely disseminated survey of its kind. As always, suggestions are welcome, so please feel free to contact us—or your Heidrick & Struggles representative—with questions and comments.
Introduction
The theme of this year’s survey of chief information security officers (CISOs) is “more.” More risk, more opportunity, more compensation. Even in the context of a cooling hiring market, the role of the CISO is maturing along with the function as organizations’ technological needs and risks advance, bringing greater emphasis on cybersecurity. Organizations and leaders must look to the future of the function, ensuring success and continued organizational sustainability with a robust succession plan, expanded cybersecurity expertise and leadership development, and competitive compensation packages.
Respondents this year cited a number of ongoing threats to organizational cybersecurity—risks both personal and organizational, including advancements in artificial intelligence and machine learning, geopolitical risks, and cyberattacks, which include nation/state attacks. “It feels as if cybersecurity threats, both criminal and state-sponsored, [will] continue evolving at a rapid pace that's often unpredictable or surprising,” wrote one respondent.
“Systemic risk will increase due to widescale dependence on a few providers,” said another. And, said a third: “[There is risk in] less owned infrastructure and more cloud-native assets. Also, skills don’t scale from old to new.”
We believe that this expertise is more and more crucial not only within organizations and executive teams but on boards as well. However, where there is a need for expertise there is inherent risk—talent risk. A notable 41% of respondents said their company does not have a succession plan in place for the CISO role. Organizations must ensure that they are prepared for the future in the case of a CISO’s unexpected departure.
In 2023, the share of CISOs who sit on a corporate board more than doubled, but still remains relatively low, and other Heidrick & Struggles research shows that the addition of board members with cybersecurity skills remains low as well. In the United States, new Securities and Exchange Commission (SEC) guidance may soon ask public companies to disclose which board members, if any, have cybersecurity experience, thus elevating the role even further. That said, the topic of who is qualified to be a cyber expert on a board remains complex.
As in prior years, the majority of respondents were men, and, in the United States, the majority were also white. Heidrick & Struggles’ experience recruiting CISOs so far in 2023 reflects an increasing need for diverse talent. Heidrick & Struggles is proud to share that non-white executives account for 46% of our cybersecurity search placements.1 We are seeing companies increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.
Key findings
Organizational structure and risks
- Forty percent of CISOs reported that their company does not have a succession plan for the role; 13% said their company isn’t in the process of developing one.
- This is particularly concerning considering the importance of the role. Among leaders, according to a recent survey we conducted, 76% said they were very or entirely open to changing companies in the next three years.2 A lack of succession planning should be considered an organizational risk.
- Unsurprisingly, AI is the most often identified significant threat in the next five years. It’s one of many threats that will require a constant and rapid evolution of the CISO’s skills and is part of a broader trend of the CISO role becoming more technical. Specifically, we are seeing a rise in the need for CISOs to understand software engineering and cloud security. This tracks with the general “shifting left” of security, a trend in which “security measures, focus areas, and implications should occur further to the left—or earlier—in the lifecycle than the typical phases that used to be entry points for security testing and protections.”3
- However, the good news is that 80% of respondents agree that they are able to invest in leadership and development to build or enhance team capabilities.
- Over half of respondents say their board has only some, or none, of the knowledge or expertise needed to respond effectively to their presentations, yet only 30% of CISOs say they currently sit on a corporate board—still a notable leap from the 14% who said the same in the prior year.
Compensation
- As we have seen in past surveys, US CISOs generally report the highest compensation. For CISOs in the United States, reported median total cash compensation increased 6% year over year, to $620,000 in 2023. Median total compensation, including any annualized equity grants or long-term incentives, also increased, up to $1,100,000 this year.
- The average total cash compensation for CISOs in Europe was $457,000. Average total compensation, including any annualized equity grants or long-term incentives, was $552,000.
- The average total cash compensation for CISOs in Australia was $368,000. Average total compensation, including any annualized equity grants or long-term incentives, was $586,000.
- Across regions, CISOs in the financial services industry reported the highest average total compensation, while those in the technology and services industry received the highest average annualized equity or long-term incentives.
For full organizational structure and compensation data, download the full report.
About the authors
Matt Aiello (maiello@heidrick.com) is a partner in Heidrick & Struggles' San Francisco office and leads the global Cybersecurity Practice. He is also a member of the global Technology & Services and Information Technology Officers practices.
Scott Thompson (sthompson@heidrick.com) is a partner in Heidrick & Struggles’ New York office and a member of the Financial Services Practice.
Max Randria (mrandria@heidrick.com) is a partner in Heidrick & Struggles’ Melbourne office and a member of the global Technology & Services Practice.
Camilla Reventlow (creventlow@heidrick.com) is a partner in Heidrick & Struggles’ Amsterdam office and the leader of the Technology & Services Practice for Benelux.
Guy Shaul (gshaul@heidrick.com) is a partner in Heidrick & Struggles’ London office and a member of the global Technology & Services Practice. He leads the Crypto & Digital Assets and Cybersecurity sectors in Europe & Africa.
Adam Vaughan (avaughan@heidrick.com) is a partner in Heidrick & Struggles' London office and a member of the global Financial Services Practice. He also leads the Fintech Sector across Europe & Africa.
References
1 Heidrick & Struggles’ proprietary data.
2 Proprietary data from a survey of 250 executives in six countries around the world conducted in spring 2023.
3 Zachary Malone, “What executives should know about shift-left security,” CIO, February 24, 2023.