How Much Should A CISO & Other Cyber Professionals Earn? (aka How to benchmark your Salary?)
I got the inspiration for this article after listening to David Spark’s Defense in Depth podcast episode on security budgets, “We’ll find the Cyber Security budget when we’re breached”.
In this episode, one of the participants, Yaron Levi (the CISO of Blue Cross), brought up the “value” element: you need to understand the value of the company before you can understand cyber budgets.
I fully agree.
But this got me thinking about the bigger issue of value assessment, of “knowing the value of …”, in cyber security. I meet (well, now it’s mostly Zoom 🙂) and hear many cyber professionals discussing the vastly different salary ranges across the industry.
There doesn’t seem to be a clear definition of how much a CISO should earn, from either the business side or from cyber professionals themselves.
This leads me to the core of the issue.
The inability to assign value, which in my eyes is one of the biggest issues in cyber security.
It affects cyber budgets and cyber salaries alike, and it has everything to do with value rather than money.
Cyber security and IT have always been hard to quantify (it’s why I started Boardish in the first place), and this is because ‘value’ is defined in different ways. For example, technology value can be seen in:
- Facilitating business operations, development and growth
- PREVENTING cost-impacting events, e.g. ransomware or data breach fines
So what does this mean for CISOs and cyber professionals and getting paid?
The traditional approach to salaries and consulting fees has flaws in the realm of cyber security:
When you go into an interview, or a meeting about your consulting fees or the salary you will ask for, you typically negotiate your price based on the following:
- Your experience level.
- How you perceive the company’s ability to pay.
- The market averages for this specific role and sector.
- And of course – Your “shrewd negotiator abilities”.
Usually, those four factors determine the bottom and top of your salary or price range.
This approach is fine, but for Cyber Security it just does not work well enough, for the following reasons:
- Your experience level – Cyber security is constantly changing and evolving. Your experience level matters, but being a specialist in “something” does not mean that “something” will still be relevant in 3 months; your learning capability and ability to react are, in my eyes, more important than your “classic experience”.
- How you perceive the company’s ability to pay – Yes, you can research a bit and learn the company’s turnover and the average salaries in general, BUT you don’t know how much value the company places on cyber security. A company can be huge and very profitable yet not value cyber security at all, and it will then see no value in your proposition regardless of what it is.
- The market averages for this specific role and sector – You usually have no visibility into how complex the environment is, what the risk exposure is, or how much financial risk you will be responsible for. Two companies that look EXACTLY the same from the outside may be completely different in the level of risk the CISO has to take responsibility for.
- Shrewd negotiator abilities – Always a good thing to have, but if they don’t see the value of what you’re offering, it’s not going to be much of a negotiation! 🙂
So how should CISOs and Cyber Pros be approaching this instead?
The key, in my experience, is to look at it from the perspective of your value to the company: knowing the financial amount (and risk) that you’ll be responsible for.
Depending on the amount of risk you’ll be responsible for, you can set your acceptable minimum and preferable maximum salary.
CISOs (and other cyber security professionals) must be able to QUANTIFY what they are responsible for. There is a huge difference in the level of responsibility and mitigation needed between $100M and $10M of risk, so the salaries shouldn’t be the same, because the VALUE is not the same.
To put this into perspective: if you are interviewed for a position in which you are responsible for mitigating $100M of cyber risk to the company, would you consider $60K a year enough?
How do you quantify how much a CISO is worth to the company?
You need to know 3 main metrics:
- The company’s Turnover – this is usually something you can easily research yourself and get a ballpark.
- The Total Financial Figure of Cyber Security Risk that you will be responsible for mitigating. (This can also be done via the Boardish Methodology and Boardish Tool I’ll discuss in the next section)
- The current remaining exposure, i.e. total threat loss minus how much has already been mitigated. This is the actual financial figure you will be responsible for.
How To Use Boardish To Get This Figure
You can use the Boardish methodology and tool to get this information, because the process is similar to budgeting. After completing the wizard, your dashboard shows EXACTLY what we discussed.
After filling in the information, your dashboard will show you a clear connection between the company’s turnover, the biggest threat in financial figures, and the remaining exposure. These figures are, of course, only as good as the threat and mitigation estimates you enter.
In the screenshot below the biggest threat has a total threat loss of 93M (which exceeds the company’s yearly turnover of 75M) with a remaining exposure of 46M, meaning 47M of that threat has already been mitigated.
So when looking at the value of the CISO position for this company, you will be responsible for a financial risk figure of 46M in a company with a 75M yearly turnover, i.e. more than 60% of turnover.
Now that you have the figures – you unleash your “shrewd negotiator abilities”.
Ultimately, when it comes to your value, don’t let the market assume for you. In fact, don’t assume at all. Quantify!
You can use Boardish Basic to quantify completely free!
Sign Up here: https://app.boardish.io/
Learn more here: https://www.boardish.io/
Eli Migdal – Co-Founder of Boardish.