
The Chief Information Security Officer job description, CISO salary, reporting line and executive influence have changed in recent years as the cyber threat has evolved and the remits of information security leaders have been thrust into the media and the boardroom.

The popular narrative in enterprise technology media runs that as high-profile hacks and security breaches have revealed the stark risk and reality of digital threats, the Chief Information Security Officer and CSO roles have followed the trajectory of the CIO, moving on from a relatively narrow focus as data guardians to executive C-suite contributors who participate in strategic planning, risk assessment, and are emerging as business enablers rather than impediments.

Before looking at how Chief Information Security Officers from organisations like Barclays, Trainline, Marks & Spencer, The National Grid, Pearson, Heathrow Airport, The Post Office, DWP, Vodafone, NATS and Arriva see the new dimensions of the CISO role, first we look at how much CISOs are getting paid.

Chief Information Security Officer salary

At the beginning of 2018, Harvey Nash told CIO UK the average salary for a Chief Information Security Officer is $180,889 [we have kept all salaries in the currencies in which they were originally reported - ed.], with the search firm adding it had seen considerable rises in CISO salaries due to the focus of board attention on governance caused by increasing regulation and GDPR.

CISO salaries varied massively by organisation size, Harvey Nash reported, with those at larger, listed companies easily commanding four times the average salary.

A 2017 report by executive search firm DHR International revealed CISO salaries were increasing along with board representation. In Europe the average pay for CISOs at listed SMEs generally falls between €200k (£171k) and €300k (£256k), the company said in May 2017, and at larger listed companies CISOs could be paid from €700k (£597k) to €1 million (£853k).

In Harvey Nash's 2015 survey of 156 UK CISOs, the average Chief Information Security Officer's base salary was £130,823, with the company's Robert Grimsey adding that salaries were "absolutely rising above inflation". The global recruiter and executive search firm also looked at other senior security positions which did not necessarily carry the 'Chief' title, with Heads of Information Security (£98,056) and Information Security Managers (£70,667) taking home considerably less than their CISO counterparts.

With an average across all leadership job titles of £98,083 for the most senior information security position, sectors saw considerable variance in salary, ranging from financial services at the top to government at the bottom:

Finance & Banking - £111,256
Retail - £104,400
Telco - £85,889
Media - £78,571
Government - £74,600

As noted above, government CISO jobs trail the private sector, but the lure of working in an exciting environment could be a boon to many information security professionals. At the start of 2017 the Department for Education was recruiting a CISO to be based in London or Sheffield with a salary of £68,000 to help oversee an investment of £2 billion in the organisation's capabilities over the next two years and "safeguard over £60 billion of annual budgets and vast amounts of personal and sensitive information relating to children and people employed in the education sector". A January 2016 job advert for a Chief Information Security Officer at government intelligence agency GCHQ had a starting salary of £65,000 to £90,000, the same grade as GCHQ's Chief Data Scientist and Deputy CTO.

And a CISO salary study reported on our sister title Computerworld UK stated that Chief Information Security Officers were expecting to see a 2.1% salary increase in 2016, rising to a base starting figure of £98,250 - £149,500 from £97,500 - £145,250 in 2015. One step down the chain, information security managers were also expecting a rise to up to £97,500 from £62,500 - £88,250 in 2015.

Grimsey said after the 2015 research that with many companies creating CISO roles for the first time, and despite this above-inflation rise, a comprehensive year-on-year comparison is not realistic or perhaps desirable. "With so much turbulence, an 'average' salary isn't necessarily a 'typical' salary," he said.

Who should the CISO report to? Should the CISO report to the CIO or CEO?

IDC predicts that as the prevalence of the CISO role increases, 75% of CSOs and Chief Information Security Officers will be reporting to the CEO directly - although the picture at the moment is one of CISOs generally reporting to the CIO.


The 2017 CIO 100 revealed that at 70% of organisations the CISO or equivalent security leader reported to the CIO function, while at only 5% was the CISO a peer to the CIO. A further 3% responded that their organisation had a CISO but did not mention their positioning relative to the CIO.

In May 2016 Standard Chartered bank hired Cheri McGuire as CISO reporting to Group CIO Dr Michael Gorriz, while Barclays CISO and CSO Troels Oerting reports to the bank's Chief Operating Officer. In January 2018 The Guardian was recruiting a Head of Information Security reporting to the media company's Chief Digital Officer.

In 2014 Forrester reported that almost half of CISOs reported to the CIO, with around a quarter in both Europe and the US answering to the CEO or president - although the Forrester analysts painted a matrix picture of the relationship between CIO and CISO as "strongly interdependent" with both leaders relying on each other for advice, guidance, support, and indeed budget.

In the same year PwC found that 28% of CSOs and CISOs at large companies reported to the CEO or board, compared to 43% at small companies. Meanwhile, 46% reported to the CIO at large companies, compared to just 15% at small companies.

CISO at accountancy giant Grant Thornton, Todd Fitzgerald, said that there were clear advantages to having a CISO report outside of IT and to the CEO: removing any conflict of interest regarding budgets while also giving security issues more visibility by putting the CIO and CISO on a more equal footing.

Vice President of Security Research at Trend Micro, Rik Ferguson, however, believes that "in too many organisations the CISO is still reporting to the CIO".

"The conflict of interest in having a CISO report to a CIO is clear," Ferguson said. "The person responsible for ensuring organisational information security cannot be subordinated to the person responsible for technology selection and implementation. Rather the two should operate as a team, driving operational and information security up the boardroom agenda.

"An effective CIO/CISO team will take board level strategic directions and translate them into technological and process requirements for the organisation. The CIO ensures that best-of-breed technologies are selected and architected in the most operationally beneficial manner, the CISO ensuring that those technologies meet the security requirements of the business on an ongoing basis; neither one being able to pull rank on the other."

Chief Information Security Officer job description and responsibilities - What CISOs say about the role

With no clear definition of the Chief Information Security Officer job description, one of the best sources is what CISOs have said about their own responsibilities, along with their advice on how to go about the job, secure executive buy-in, and how CISOs and organisations need to respond to a cyber attack or serious data breach. Here 19 CISOs offer 32 Chief Information Security Officer perspectives on the role:

"Security isn't purely focused on technology, and the role of the CISO is not solely a technical one. Security is about creating a culture where information and systems are protected by shifting how people interact with them. Where possible we use technology and automation to do this, but ultimately, it's about gaining consumer trust, winning hearts and minds and changing behaviour."
Mieke Kooij, Trainline Security Director

"The role of CISO continues to evolve in that the expectation now is that the CISO not only be security savvy, but also technically adept and business aware. The right CISO is the ultimate weapon in the resource arsenal against cyber-security issues."
Becky Pinkard, former Pearson Director of Security Operations Centre

"The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.

"It's all about getting the board's head in the right place so that they're OK with spending money and putting resource into this, and that they realise the benefit in it. I don't think I am alone in a CISO operating at that level, and I think more CISOs will have to do that in future."
Andrew Rose, NATS CISO

"The CISO needs to arm the people they work with and look out for the things that could be exploited. We need to build a culture so people can recognise this."
Rod Wallace, Pearson CISO

"I'm not so interested in what is hitting me now, but more what will hit me. We invested heavily in intelligence. Because that's the real threat and otherwise I am just preparing for the past, and while I'm doing that the criminals are inventing new methodologies of penetrating so that's the two ways we are approaching this right now."
Troels Oerting, Barclays CSO

"I'm always looking three to five years into the future, trying to assess the direction that attacks are moving in whilst ensuring our feet remain planted in the here and now."
Lee Barney, Marks & Spencer Head of Information Security

"Information security should be integrated with physical security and other security-related divisions in global companies in order to see security in a holistic way. There is a need to establish an intelligence-led defence resting on adequate cyber hygiene, physical and cyber security controls, with the ability to detect and react to the right 'signals'. Companies should focus not on notions, such as 'information', 'cyber', or 'physical' describing security, but simply focus on the core: to deliver 'Security'."
Elena Kvochko, CIO of Barclays Group Security Function

"Some businesses still view the CISO as purely an IT role which should not be involved in other business functions. My biggest challenge is demonstrating the value of information security and good risk management in financial terms to the business."
Nic Wells, ex-Arriva CISO

"My function moved from IT into General Counsel; we recognised that risk is greater than just the IT function. Boards are very interested in security and the 'what' and the 'why', but more importantly how we are going to deal with it.

"The threats are constantly changing but the integrity of our data is very, very key. It's important we know what's happening with our data and what's happening with our supply chain."
Julie George, Arriva CISO, former Post Office CISO/Head of Information Security and Assurance Group

"Reporting lines and their appropriateness can be very organisation dependent. The key thing is to have sufficient independence and a line to the whole board, including the chairman, and not just a single member of the executive team."
Mieke Kooij, Trainline Security Director

"I'm a CISO responsible for tech, and for health and safety. Safety is the number one priority at Heathrow and we want people travelling through Heathrow to know it is top priority. In fitting cyber security into that world, it comes in as a resilience context and physical safety comes out of that.

"We have to protect, but have to be well prepared to react. Ten years ago was just about keeping bad guys out. Now it's about reacting well and walking other executives through the part they will have to play."
Mark Jones, ex-Heathrow CISO and Director of IT Compliance and Governance

"I think in the early days we had problems, right now the board is all over it - possibly because there is a lot of regulation against banks. There is a personal liability for the CEO, so again it is all about highlighting what is actually a threat, where are the priorities, and when can we do something and are we good enough. So I'm in a good position to have a very good update with the board; they understand it."
Troels Oerting, Barclays CSO

"My CISO duties are of security strategy development, looking at threats and vulnerabilities, explaining risks and compliance issues, working with all verticals in the company socialising the problems as well as proposing solutions and securing the funding, and finally putting the business case for security together with evidence and good internal models and external advice."
Graham Wright, National Grid CISO and Global Head of Digital Risk

"My job is particularly focused on keeping our customers' data safe, whether they be enterprise users or consumer side. We have good people but there's plenty more we could do. The speed at which threats are evolving and skill levels are going up; it's an arms race."
Richard Spearman, Vodafone Corporate Security Director

"The top management, they don't care about technology. What they are interested in is the risks for the business. So I try to present all the security risks in terms of operational risk management."
Xavier Leschaeve, Rémy Cointreau CISO

"In the coming years, organisations will have to find the right combination of experience, leadership, financial knowledge, business insight and security know-how. They'll have to couple this with a forward-facing visionary - someone who can marry the necessary 'old school' approach with the evolutionary thinking that is required to excel digitally."
Becky Pinkard, former Pearson Director of Security Operations Centre

"Learn the business and evolve your ability to act as the interpreter/translator between the technology teams and the business functions. Be able to explain technology risks in the terms of a business such as exposure, reputational impact and financial risk."
Nic Wells, former Arriva CISO

"If you want to be a CISO then I urge you to do it - plan your career path and think about why you really want to do it. There is nothing wrong with being a brilliant Architect or a fantastic Analyst. If you love technology then a CISO role may not be for you but, if you can see different approaches and often find yourself being the voice of pragmatism, you love numbers and enjoy being part of the wider business then perhaps a career as a CISO beckons."
Lee Barney, Marks & Spencer Head of Information Security

"Internal management training is good. They're effectively a bit like a mini MBA. You get to run a pretend company, go to educational classes about finance and marketing - that's the sort of gold dust that CISOs need to know now.

"CISOs need to be a much more rounded business professional. If they aren't they'll get replaced. Because if the CISO goes to the board and talks about technology, viruses and TCP/IP packets, they will not be invited back."
Andrew Rose, NATS CISO

"During an attack the thing that will save you is process. You need to practice seriously, it can greatly reduce panic."
Rod Wallace, Pearson CISO

"Start with the board so it's their journey as well as ours. Get culture right in our organisation so security isn't something that gets done to us. Need to make sure it's something everyone in the company knows they can contribute to.

"Run events, spread knowledge and technologies and run threats so everyone feels more instinctively about the threat in the business in which they operate. Sharing also important for sectors. Lots of this about how successfully we team up - opposition very good at it on short or long term gains. We should be better, not always publicly but informally."
Richard Spearman, Vodafone Corporate Security Director

"CISOs have to secure executive buy-in. Animate those threats, pick key threat scenarios which work well with key execs to get them fired up so they understand the threats more."
Mark Jones, ex-Heathrow CISO and Director of IT Compliance and Governance

"This is a supporting function. If we don't get buy-in from the business, and don't translate threats into risk and language the board and business understand, we won't get anywhere. It's not about having security for security's sake.

"It's not just the technology - we can fix technology until the cows come home. The human dimension is key and we have ramped up our training and awareness."
Graham Wright, National Grid CISO and Global Head of Digital Risk

"It is high time organisations focus on building more security within products by design, rather than developing niche security products and solutions. Security products should complement our technologies, not make up for the vulnerabilities that these technologies might have. If a system is well-designed and structured, security should be at its core."
Elena Kvochko, CIO of Barclays Group Security Function

"The board has now woken up and is well aware of the potential risk to the business and the risk of resignations of board-level roles if they get it wrong. Breaches occurring in large organisations affecting share prices, reputation, loss of life, loss of IP, loss of customer or internal dataset are in the news more frequently nowadays and thus, are a major cause for concern."
Jimmy Bashir, ex-DWP CISO

"Avoid technobabble, avoid FUD [fear, uncertainty and doubt], and avoid using any metrics that contain numbers whose positive movement is not totally within the CISO's sphere of control.
"Boards understand numbers, and will focus on them over other things that they may not understand."
Julia Harris, Post Office Senior Information Risk and Compliance Manager, former BBC and Oxfam CISO

"If the board is not listening to you, then rolling out your strategy or transformation programme is just a tick-in-the-box. You need buy-in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories. You don't need large sums of money to get the basics right and ensure the business is engaged."
Jimmy Bashir, ex-DWP CISO

"It's all about securing the people. Technical guys can be doing things right, but you need a security leader at the top who has an overview of the whole company - if you don't have an overview you don't have security."
Dražen Morog, Deutsche Bahn Chief Information Security Officer

"Instead of conveying how you're going to stop something from happening, tell them how you're going to keep things moving. This is your one shot while you're in your honeymoon period to open up and say here is where we need to improve things."
James Christiansen, former Visa, General Motors and Experian CISO

"Getting a handle on cyber security and making sure you have the right protections in place is one of the core things you can do to really improve an organisation quickly as a new CISO."
Michael Eisenberg, former McDonald's CISO

"I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to perform because the role we need to carry out may limit our true ambitions. Go at the pace your company would like to see; don't tire out your company to a point where the other executives experience your 'cybersecurity exhaustion'."
Todd Bell, former CISO for $2bn automotive company Big O Tyres

"As CISOs we need to work with UK and US governments and academic experts. We must share experience and intelligence, and support cyber security skills development as an industry whole. We need to take our organisations on a cultural change and make them understand IT security issues.

"We need to be agile enough to move at the pace of the threat. Any of us would expect to be breached and anyone who isn't is being naive. We need to manage our end-point systems, manage the impact it can have on you. Security is about resilience; it is as much about recovery as prevention."
Graham Wright, National Grid CISO and Global Head of Digital Risk