Cybersec - Special: Salary CISO not commensurate with workload

Relatively low pay, little recognition, a lot of stress and potentially major consequences for cybersecurity if nothing changes. The working conditions and salaries of CISOs (Chief Information Security Officers) need to be improved, argues Orange Cyberdefense. Its view is supported by Dimitri van Zantvliet, chairman of the CISO Platform Nederland.

According to Orange Cyberdefense, it is time to revalue the profession. CISOs are under immense pressure and form the first line of defence against cyber attacks, which are increasing in frequency and complexity every day. The company points to the combination a CISO must bring: technical skills paired with a strong business instinct. Only with that combination can a CISO act as a bridge between business and IT and reconcile their often conflicting interests.


Management level accountability

Matthijs van der Wel-ter Weel, strategic advisor at Orange Cyberdefense, explains that Europe is the continent with the most stringent privacy and security legislation. ‘This regulatory environment does not make life easy for CISOs. With NIS2, they even have a lot of personal responsibility.’ He sees management-level executives being held accountable for very serious, large-scale data breaches.

‘This pay gap needs extra attention’

Financial valuation also lags behind in Europe. CISOs in the US are said to earn an average of $341,000 a year (equiv. of €311,449), with peaks of up to half a million dollars (equiv. of €456,670) for senior executives at multinationals. In Europe, the average annual salary for a CISO is considerably lower: around €119,000 in the Netherlands and around £102,000 (equiv. of €121,123) in the UK. The picture is more or less the same in Germany and France. Orange Cyberdefense believes that this pay gap needs extra attention.

NIS2

Dimitri van Zantvliet, chairman of the CISO Platform Nederland and director of cybersecurity and CISO at Nederlandse Spoorwegen (Dutch Railways), also notes that salaries among colleagues are not commensurate with the workload.

‘I definitely see this. Not necessarily at listed companies or large multinationals, but in municipalities, independent administrative bodies (Dutch ‘ZBOs’), public authorities and smaller SMEs. There are ten thousand new companies in need of NIS2 compliance and they are all looking for a CISO. But the salaries leave something to be desired.’

Dimitri van Zantvliet, chairman of CISO Platform Nederland

He sees a lot of demand driven by the digitisation of society, the worsening threat landscape and the ‘tsunami of cyber legislation’ in Europe. CISOs are often not given enough resources by their employers to make the organisation resilient, and have to work out among themselves how to deal with that situation. Van Zantvliet has therefore created a platform where colleagues can learn from each other. He is aware of the differences between salaries in the EU and the US, although he thinks the figures cited are rather exaggerated. ‘Some colleagues and I had to laugh out loud at the salary of half a million dollars a year; we would sign up for that in a heartbeat.’

No glorification

Van Zantvliet is also of the opinion that salaries are usually not commensurate with the training, certifications and experience that cyber experts must bring to the table these days. ‘There’s definitely a need to adjust pay scales and valuations in general, and we at the CISO Platform are in full support of that.’ He still sees CISOs tucked away somewhere deep in the organisation, sometimes even with the CISO function as an add-on role. ‘That is, of course, asking for trouble. Incidentally, in America we see CISOs at Uber and SolarWinds being held personally liable for the damage caused by a cyber incident. That too is America, let’s not glorify it.’

5 Consequences

Orange Cyberdefense identifies five potentially significant consequences of the low valuation of CISOs:

  1. The profession becomes less attractive, leading to high turnover.
  2. Loss of expertise. The departure of CISOs not only means the loss of valuable expertise and experience, but also creates a vacuum that will be difficult to fill due to the shortage of qualified cybersecurity professionals.
  3. The destabilisation of security strategies. Each new CISO brings their own insights to the table, so frequent turnover means repeated changes of direction in the security strategy. This increases vulnerability to cyberattacks.
  4. Cost and time. Organisations must continually invest in recruiting and training new CISOs. This is a time-consuming process that is not conducive to stable security leadership. It is also costly, leaving less budget for security resources.
  5. Knowledge flows to the US. Current circumstances make Europe unattractive to CISOs. As a result, it is not inconceivable that they will consider positions in the US. This would be detrimental, as scarce knowledge flows to another continent.

Salaries

Van Zantvliet acknowledges the consequences cited by Orange Cyberdefense. However, he believes there is a difference between multinationals, authorities and SMEs. ‘In the first group you already see a lot more worldwide labour mobility, in the latter none at all, partly fuelled by salaries and language issues.’ Losing all the cyber experts to America is not that much of a risk, he says. ‘But we run the risk of losing good cyber experts to other ICT or AI fields.’

It is time, he says, to give CISOs more room to make their mark. He points out that more cooperation is also needed within Europe, and that the resilience of essential services such as defence, energy, internet and mobility should be at the forefront. Adequate pay for cyber experts is a prerequisite for this.