Information Security

CISO job compensation tied to reporting channels

Time to move higher up the chain of command (into the line of fire).

The debate about the reporting structure for the chief information security officer (CISO) has raged on for years. But reports now tie higher CISO compensation to those positions that have a direct line on the org chart to the CEO or the board of directors.

While compensation depends on the size and scope of the company and how the CISO role is defined within the organization, the CISO job is evolving into an executive-level position, with opportunities at some companies to participate in corporate initiatives beyond the information security group, according to Cindy Miseli, senior recruiter at Alta Associates.

The role of the CISO can fall into different parts of the organization, depending on how the job is defined, and report to the IT director or chief technology officer, chief operating officer, chief risk, privacy or compliance officer, and chief financial officer or general counsel. The most common reporting structure, for now, is still to the CIO. The Ponemon Institute found that 46% of the 133 CISOs it surveyed in 2013, as part of a wider Salary Benchmarking Report, reported directly to the CIO. Few CISOs have a direct line to the CEO, but those who do reported a 36% higher annual average salary, according to Ponemon research. They were also more likely to get fired, research showed.

Who should the CISO report to? "We don't know yet," said Bruce Brody, former CISO and currently chief cybersecurity strategist at Cubic Corp. Brody noted potential concerns about conflicting priorities, such as budget and technology issues, with the CIO.

"If the CISO reports to the chief information officer, there will be some gap or lapse in terms of the support for compliance or security. If the person reports to the chief security officer, then there is some division of the role when it comes to IT security," he said. "The CISO role has grown to the point of corporate importance that no corporate structure today can cleanly place a CISO in the right spot."

Where do you stand on this issue? Send comments on this column to

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

This was last published in October 2014