How effective compensation makes a difference in online talent retention
Aligning cybersecurity organization models with business goals enables talent retention and security program success, according to IANS and Artico Search.
The role of CISOs in organizational and hiring decisions
Large companies with annual revenues exceeding $6 billion generally operate large, specialized security organizations with four or more management layers, often with a global chief security officer overseeing the company-wide security organization.
In large organizations with annual revenues between $400 million and $6 billion, the chief information security officer is generally the head of the cybersecurity team. In more than 75% of these companies there is typically a management layer consisting of the head of security operations (SecOps), along with the heads of governance, risk and compliance (GRC), architecture and engineering (A&E), and identity and access management (IAM).
Mid-sized companies with annual revenues between $50 million and $400 million typically feature leadership roles with cross-functional responsibilities, where employees, including analysts, architects, and engineers, wear multiple hats.
“The success of an enterprise security strategy depends on the right size of the security organization, the quality of the team talent – especially functional department leaders – and the right corporate plans,” said Nick Kakulovsky, senior research director, IANS Research. “IT managers must make organizational and staffing decisions in anticipation of the dynamic needs of the organization as it evolves based on market conditions, growth goals, and regulatory requirements.”
Average compensation range
The study also found that success in recruiting and retaining cyber leaders depends on the right compensation plans.
For functional leaders, the top 25% of the compensation range averages $523,000 in total compensation, and the top 10% averages $640,000. For the Vice President of Information Security (CISO), Head of Product Security, and Head of A&E roles, the top 10% of the compensation range exceeds $700,000.
Finance and healthcare companies have the highest average total annual compensation at $341,000. The top 25% and top 10% of compensation range averages in finance exceed those of other sectors by $594,000 and $767,000, respectively.
In addition, the organizational design of functional leadership varies by growth stage and industry.
Across industries, cybersecurity organizations with annual revenues of $100,000 report that between 25% and 50% of CISOs have leadership positions on their teams for one or more of the SecOps, GRC, A&E, and product security functions.
At $500,000, the presence of leadership positions in SecOps, GRC, and A&E grows to between 50% and 74% of CISOs. The role of Head of SecOps appears to be standard at the $1 billion revenue level. At the $10B threshold, the same is true for GRC and A&E, and at $25B, most companies also have Heads of AppSec and VPs of Information Security.
Organization design varies by industry
The study also reported that organizational design varies by industry, with significant differences in the timing when functional leaders are added to the team.
At finance companies, cybersecurity leadership teams hire a security operations leader earlier than average, especially at $100 million in revenue. Technology cybersecurity leadership teams are more comprehensive in the early stages than average. At $100 million in revenue, between 50% and 74% of technology CIOs have heads of SecOps, GRC, and/or A&E.
Healthcare cybersecurity leadership teams round out later in revenue than average. At the $100M, $500M, and $1B milestones, fewer than 50% of healthcare IT administrators have appointed GRC, A&E, and IAM leaders.
In manufacturing, cybersecurity leaders are added at above-average revenue levels. None of the leadership roles reach penetration rates of 75% or higher at the $1B or $5B revenue thresholds.
“Although security leadership is largely industry-agnostic, when it comes to allocating budget for staffing, industry-specific needs play a critical role,” said Steve Martano, partner and executive recruiter in Artico Search’s cyber practice.
“For technology companies, products and AppSec are a key element in the design of their security organization, leading to technical hires early in the company’s lifecycle, while manufacturing companies design more complete software later in revenue. The banking sector has been a first mover in designing advanced security operations centers, and this trend continues in this sector. Financial services companies typically design a more robust SecOps program internally rather than outsourcing compared to other sectors,” added Martano.