A new benchmark study reveals that aligning cybersecurity organization models with business objectives enables talent retention and security program success.

Today, IANS Research and Artico Search released their 2023 Security Organization and Compensation Benchmark Report, an annual research study that analyzes security organization planning across revenue segments and industries. This year, a total of 1,195 Chief Information Security Officers (CISOs), functional department leaders and other staff provided survey data that demonstrated a positive correlation between revenue and a security organization’s size and complexity. The report found: 

  • Fortune firms with annual revenues exceeding $6B generally operate large and specialized security organizations with four or more management layers, often with a global CISO overseeing the company-wide security organization. 
  • At large enterprises with annual revenues between $400M and $6B, the CISO is generally head of the cybersecurity team. At more than 75% of the firms, there is typically a management layer composed of a head of Security Operations (SecOps), along with heads of Governance, Risk and Compliance (GRC), Architecture and Engineering (A&E) and Identity and Access Management (IAM).
  • Midsize companies with annual revenues between $50M and $400M typically feature leadership roles with multi-functional responsibilities, where staff, including analysts, architects and engineers, wear multiple hats.

The study also found that successful hiring and retention of cyber leaders hinges on the right compensation plans. Specifically:

  • For functional leaders, the top 25% compensation range averages $523K in total compensation.
  • The top 10% compensation range averages $640K. For the deputy CISO, the head of product security, and the head of A&E, the top 10% compensation range exceeds $700K.
  • Finance and healthcare firms have the highest median annual total compensation at $341K. The top 25% and top 10% compensation range averages in finance exceed those of other sectors at $594K and $767K respectively.

Additionally, organizational design varies for functional leadership by stage of growth and industry:

  • Across industries, at $100M in annual revenue, between 25% and 50% of CISOs indicate they have leadership positions on their teams for one or more of the functions of SecOps, GRC, A&E and product security.
  • At $500M, the presence of leadership positions for SecOps, GRC and A&E grows to between 50% and 74% of CISOs. 
  • The head of SecOps role appears to be standard at the $1B revenue level. At the $10B threshold, the same is true for GRC and A&E, and at $25B, most companies also have heads of AppSec and a deputy CISO.

The study also reported that organization design varies by industry, with large differences in the timing of when functional leaders are added to the team:

  • In finance firms, cybersecurity leadership teams appoint a SecOps leader earlier than average, especially at the $100M revenue milestone.
  • Technology cybersecurity leadership teams are more comprehensive at earlier milestones than average. At $100M in revenue, between 50% and 74% of tech CISOs have heads of SecOps, GRC and/or A&E. 
  • Healthcare cybersecurity leadership teams are rounded out at later revenue milestones than average. At $100M, $500M and $1B milestones, fewer than 50% of healthcare CISOs have appointed leaders for GRC, A&E and IAM. 
  • In manufacturing, cybersecurity leaders are added at higher revenue thresholds than average. None of the leadership roles see 75% or higher penetration rates at the $1B or $5B revenue thresholds.