Chief Information Security Officer salary and job description - What's the role of the CISO, who should the CISO report to and how much does a CISO get paid?

The Chief Information Security Officer job description, CISO salary, reporting line and executive influence have changed in recent years as the cyber threat has evolved and the remits of information security leaders have been thrust into the media and the boardroom. [Also read: Chief Information Security Officer interview questions]

The popular narrative in enterprise technology media runs that as high-profile hacks and security breaches have revealed the stark risk and reality of digital threats, the Chief Information Security Officer and CSO roles have followed the trajectory of the CIO, moving on from a relatively narrow focus as data guardians to executive C-suite contributors who participate in strategic planning, risk assessment, and are emerging as business enablers rather than impediments.

Before looking at how Chief Information Security Officers from organisations like The National Grid, Pearson, Heathrow Airport, The Post Office, DWP, Vodafone, NATS (formerly National Air Traffic Services) and Arriva see the new dimensions of the CISO role, first we look at how much CISOs are getting paid in 2015.

Chief Information Security Officer salary

Chief Information Security Officer salaries are "absolutely rising above inflation", according to Harvey Nash director Robert Grimsey.

In the latest Harvey Nash survey of 156 UK CISOs, the average Chief Information Security Officer's base salary was £130,823. The global recruiter and executive search firm also looked at other senior security positions which did not necessarily carry the 'Chief' title, with Heads of Information Security (£98,056) and Information Security Managers (£70,667) taking home considerably less than their CISO counterparts.

With an average of £98,083 across all leadership job titles for the most senior information security position, salaries varied considerably by sector, from financial services at the top to government at the bottom:

Finance & Banking - £111,256
Retail - £104,400
Telco - £85,889
Media - £78,571
Government - £74,600

And a recent CISO salary study reported by our sister title Computerworld UK stated that Chief Information Security Officers were expecting a 2.1% salary increase in 2016, with the base range rising to £98,250 - £149,500 from £97,500 - £145,250 in 2015. One step down the chain, information security managers were also expecting a rise, to up to £97,500 from £62,500 - £88,250 in 2015.

Grimsey said that with many companies creating CISO roles for the first time, a comprehensive year-on-year comparison is not realistic, or perhaps even desirable, despite this above-inflation rise. "With so much turbulence, an 'average' salary isn't necessarily a 'typical' salary," he said.

Who should the CISO report to? Should the CISO report to the CIO or CEO?

In 2014 Forrester reported that almost half of CISOs reported to the CIO, with around a quarter in both Europe and the US answering to the CEO or president - although the Forrester analysts painted a matrix picture of the relationship between CIO and CISO as "strongly interdependent" with both leaders relying on each other for advice, guidance, support, and indeed budget.

Rik Ferguson, Vice President of Security Research at Trend Micro, however, believes that "in too many organisations the CISO is still reporting to the CIO".

"The conflict of interest in having a CISO report to a CIO is clear," Ferguson explained. "The person responsible for ensuring organisational information security cannot be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda.

"An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best of breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis; neither one being able to pull rank on the other."

Chief Information Security Officer job description and responsibilities - What CISOs say about the role

With no clear definition of the Chief Information Security Officer job description, one of the best sources is what CISOs themselves have said about their own responsibilities, along with their advice on how to go about the job, secure executive buy-in, and respond to a cyber attack or serious data breach. Here 14 CISOs offer 23 Chief Information Security Officer perspectives on the role:

"The role of CISO continues to evolve in that the expectation now is that the CISO not only be security savvy, but also technically adept and business aware. The right CISO is the ultimate weapon in the resource arsenal against cyber-security issues."
Becky Pinkard, Pearson Director of Security Operations Centre

"The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.

"It's all about getting the board's head in the right place so that they're OK with spending money and putting resource into this, and that they realise the benefit in it. I don't think I am alone in a CISO operating at that level, and I think more CISOs will have to do that in future."
Andrew Rose, NATS CISO

"The CISO needs to arm the people they work with and look out for the things that could be exploited. We need to build a culture so people can recognise this."
Rod Wallace, Pearson CISO

"Some businesses still view the CISO as purely an IT role which should not be involved in other business functions. My biggest challenge is demonstrating the value of information security and good risk management in financial terms to the business."
Nic Wells, Arriva CISO

"My function moved from IT into General Counsel; we recognised that risk is greater than just the IT function. Boards are very interested in security and the 'what' and the 'why', but more importantly how we are going to deal with it.

"The threats are constantly changing but the integrity of our data is very, very key. It's important we know what's happening with our data and what's happening with our supply chain."
Julie George, Post Office CISO/Head of Information Security and Assurance Group

"I'm a CISO responsible for tech, and for health and safety. Safety is the number one priority at Heathrow and we want people travelling through Heathrow to know it is top priority. In fitting cyber security into that world, it comes in as a resilience context and physical safety comes out of that.

"We have to protect, but have to be well prepared to react. Ten years ago was just about keeping bad guys out. Now it's about reacting well and walking other executives through the part they will have to play."
Mark Jones, Heathrow CISO and Director of IT Compliance and Governance

"My CISO duties are of security strategy development, looking at threats and vulnerabilities, explaining risks and compliance issues, working with all verticals in the company socialising the problems as well as proposing solutions and securing the funding, and finally putting the business case for security together with evidence and good internal models and external advice."
Graham Wright, National Grid CISO and Global Head of Digital Risk

"My job is particularly focused on keeping our customers' data safe, whether they be enterprise users or consumer side. We have good people but there's plenty more we could do. The speed at which threats are evolving and skill levels are going up; it's an arms race."
Richard Spearman, Vodafone Corporate Security Director

"In the coming years, organisations will have to find the right combination of experience, leadership, financial knowledge, business insight and security know-how. They'll have to couple this with a forward-facing visionary - someone who can marry the necessary 'old school' approach with the evolutionary thinking that is required to excel digitally."
Becky Pinkard, Pearson Director of Security Operations Centre

"Learn the business and evolve your ability to act as the interpreter/translator between the technology teams and the business functions. Be able to explain technology risks in the terms of a business such as exposure, reputational impact and financial risk."
Nic Wells, Arriva CISO

"Internal management training is good. They're effectively a bit like a mini MBA. You get to run a pretend company, go to educational classes about finance and marketing - that's the sort of gold dust that CISOs need to know now.

"CISOs need to be a much more rounded business professional. If they aren't they'll get replaced. Because if the CISO goes to the board and talks about technology, viruses and TCP/IP packets, they will not be invited back."
Andrew Rose, NATS CISO

"During an attack the thing that will save you is process. You need to practice seriously, it can greatly reduce panic."
Rod Wallace, Pearson CISO

"Start with the board so it's their journey as well as ours. Get culture right in our organisation so security isn't something that gets done to us. Need to make sure it's something everyone in the company knows they can contribute to.

"Run events, spread knowledge and technologies and run threats so everyone feels more instinctively about the threat in the business in which they operate. Sharing is also important for sectors. Lots of this is about how successfully we team up - the opposition is very good at it for short or long term gains. We should be better, not always publicly but informally."
Richard Spearman, Vodafone Corporate Security Director

"CISOs have to secure executive buy-in. Animate those threats, pick key threat scenarios which work well with key execs to get them fired up so they understand those threats more."
Mark Jones, Heathrow CISO and Director of IT Compliance and Governance

"This is a supporting function. If we don't get buy in from business, and don't translate threats into risk and language the board and business understand we won't get anywhere. It's not about having security for security's sake.

"It's not just the technology - we can fix technology until the cows come home. The human dimension is key and we have ramped up our training and awareness."
Graham Wright, National Grid CISO and Global Head of Digital Risk

"The board has now woken up and is well aware of the potential risk to the business and the risk of resignations of board-level roles if they get it wrong. Breaches occurring in large organisations affecting share prices, reputation, loss of life, loss of IP, loss of customer or internal dataset are in the news more frequently nowadays and thus, are a major cause for concern."
Jimmy Bashir, DWP CISO

"Avoid technobabble, avoid FUD [fear, uncertainty and doubt], and avoid using any metrics that contain numbers whose positive movement is not totally within the CISO's sphere of control.

"Boards understand numbers, and will focus on them over other things that they may not understand."
Julia Harris, Post Office Senior Information Risk and Compliance Manager, former BBC and Oxfam CISO

"If the board is not listening to you, then rolling out your strategy or transformation programme is just a tick-in-the-box. You need buy in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories. You don't need large sums of money to get the basic rights and ensure the business is engaged."
Jimmy Bashir, DWP CISO

"It's all about securing the people. Technical guys can be doing things right, but you need a security leader at the top who has an overview of the whole company - if you don't have an overview you don't have security."
Dražen Morog, Deutsche Bahn Chief Information Security Officer

"Instead of conveying how you're going to stop something from happening, tell them how you're going to keep things moving. This is your one shot while you're in your honeymoon period to open up and say here is where we need to improve things."
James Christiansen, former Visa, General Motors and Experian CISO

"Getting a handle on cyber security and making sure you have the right protections in place is one of the core things you can do to really improve an organisation quickly as a new CISO."
Micheal Eisenberg, former McDonald's CISO

"I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to perform because the role we need to carry out may limit our true ambitions. Go at the pace your company would like to see; don't tire out your company to a point where the other executives experience your 'cybersecurity exhaustion'."
Todd Bell, former CISO for $2bn automotive company Big O Tyres

"As CISOs we need to work with UK and US governments and academic experts. We must share experience, intelligence and support cyber security skills development as an industry whole. We need to take our organisations on a cultural change and make them understand IT security issues.

"We need to be agile enough to move at the pace of the threat. Any of us would expect to be breached and anyone who isn't is being naive. We need to manage our end-point systems, and manage the impact it can have on you. Security is about resilience; it is as much about recovery as prevention."
Graham Wright, National Grid CISO and Global Head of Digital Risk