Cybersecurity strategy success depends on appropriate staff size and salary to retain top talent, according to a report from security analysis firm IANS. Credit: BalanceFormCreative / Shutterstock CISOs have a huge amount to consider when trying to align their plans with those of the broader organization, if they hope to hang on to their top talent. To keep pace, according to a survey released today by security analysis firm IANS and headhunting firm Artico, recommend keeping compensation at the high end of the range — the top 25% of earners tend to be perceived as the top performers in their roles. Across the various specialties — including SecOps and governance, risk, and compliance (GRC) — that top 25% averages around $523,000 per year in cash compensation, and $640,000 in total compensation with equity. The “floor” of the top 25% varies by specialty, from $360,000 in total compensation for identity and access management leaders, up to $465,000 for a deputy CISO and $447,000 for a product security department head. The report also found that businesses’ cybersecurity organizations generally divide themselves into three broad structures, based mostly on the size of the company at the time. Fortune firms, which the study classifies as those with more than $6 billion in annual revenue, generally have four organizational layers beneath the CISO and more specialist executives than smaller companies — about half have deputy CISOs and a quarter have a “global” CISO who handles worldwide security issues. “Large enterprise,” according to the IANS and Artico report, runs from $6 billion in revenue down to $400 million. They tend to have two to three layers of support staff under the CISO, and tend to feature specialist leadership in particular subject matter areas. Finally, “midsize” companies cover the $400 million to $50 million per year bracket of annual revenue, and are characterized by smaller teams where each member has multiple responsibilities. The presence of various sub-specialists tends to scale with the size of the company, according to the survey, which polled 1,195 CISOs and cybersecurity staff members. At roughly the $1 billion annual revenue mark, the SecOps head becomes more common than not, with GRC, architecture and engineering, and identity and access management, becoming more commonplace as revenue rises and the number of full-time employees on the security team increases. The total number of people on staff also scales relatively well with revenue, according to the report. At the $100 million mark, most companies have between one and nine full-time security workers, while businesses in the study’s “Fortune” tier tend to have at least 20, and up to 50 or 100 at the largest firms. Aligning the cybersecurity team with the company’s needs is a critical consideration for CISOs, the report said. “The data indicates that, across sectors, roughly 15% are at or approaching a revenue milestone that warrants the addition of a head of SecOps to their security organizations, based on what is typical for their peer group,” the study said. “For 15% of CISOs, the head of AppSec is a likely or critical hire, followed by 13% for a head of IAM.” Related content news AT&T suffers critical breach impacting 73 million customers Data released on the dark web impacts 7.6 million existing account holders and 65.4 million past subscribers. By Shweta Sharma 01 Apr 2024 4 mins Data Breach feature Recruit for diversity: Practical ways to remove bias from the hiring process Changing the wording on job descriptions and introducing a diverse hiring panel are some of the ways to remove bias when hiring cybersecurity professionals. By Aimee Chanthadavong 01 Apr 2024 8 mins Careers feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff 01 Apr 2024 17 mins Technology Industry IT Skills Events news Top cybersecurity product news of the week New product and service announcements from Bedrock Security, GitGuardian, Legit Security, Nametag, and Cybereason and Observe By CSO staff 29 Mar 2024 70 mins Generative AI Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe