Businesses pay over $500,000 for top cyber security talent

Salaries of security leaders vary considerably across specialties and sectors

Michael Hill
11/20/2023

Some organizations are paying more than US $500,000 for “top” cyber security talent in specific roles. That’s according to a new report from security analysis firm IANS which indicates that salary and staff size contribute significantly to not only talent retention but also the success of security strategies.

The global cyber security industry currently faces a workforce shortage of just under four million, despite the cyber security workforce growing by almost 10% in the last year, according to the latest figures from cyber security membership organization ISC2. The gap between the number of workers needed and the number available has risen 12.6% year over year, with cutbacks, economic uncertainty, artificial intelligence (AI) and a challenging threat landscape key driving forces, the ISC2 research found. Emerging technologies are considered one way to bridge the ongoing skills gap.

Security salaries vary across specialties and sectors

The IANS 2023 Security Organization and Compensation Study Benchmark Summary Report found that the salaries of security leaders vary considerably across specialties and sectors. For example, in security operations (SecOps) and governance, risk and compliance (GRC) roles, the top 25% averages around $523,000 per year in cash compensation. That figure drops to $447,000 for product security department heads, $465,000 for deputy CISOs and $360,000 for identity and access management leaders.

As for differences across sectors, finance and healthcare firms have the highest median annual total compensation at $341,000, but the top 25% and top 10% averages in finance exceed those of the other sectors at $594,000 and $767,000, respectively.

“At different levels of size and scale, the security needs and corresponding organizational designs differ,” the report read. “Fortune firms with annual revenues exceeding $6 billion operate large and specialized security organizations with four or more management layers, often with a global CISO who heads up the companywide security organization.”

The dedicated functional department generally has 12-plus years of domain experience and receives compensation packages that include annual equity, it added. “Smaller organizations with more limited security requirements scale their security organizations accordingly.” A typical feature at midsize companies with annual revenues between $50 million and $400 million is leadership roles with multifunctional responsibilities, as well as staff – analysts, architects and engineers – who wear multiple hats.

Top salary ranges help to attract and retain key cyber security talent

Businesses should advocate for budget in the top 25% compensation ranges to attract and retain key cyber security talent, according to the report. “Fortune firm security organizations need leaders who are experienced with complexity and scale. The market rates for these leader roles are higher than for those in large enterprises and midsize companies,” it read. What’s more, the top 25% has an overall compensation that averages about $200,000 more than the median, and while hiring in the top 25% doesn’t guarantee top performance, when an organization considers its talent to be in the top quartile for pay, it generally also perceives them as top-quartile performers in their respective roles, the report stated.
