CISO role turns into a boardroom position as cyber-security jumps up the agenda
Salaries for CISOs top €1m as threat of data breaches grows
European businesses are increasingly appointing Chief Information Security Officers (CISOs) to their boards and awarding them pay packets of over €1m (£850k) for the role as cyber-security becomes an increasingly important boardroom issue, says DHR International, the global executive search firm. Comment from Gert Stürzebecher, Partner at DHR International.
The last five years have seen a rapid increase both in the number of cyber-attacks and in the financial damage done by successful cyber-attacks. It’s estimated that in Q2 2016 there were over 55 million cybercrime attacks across Europe, a 66 percent increase on the same quarter in 2015 (Source: Threat Matrix). The recent ‘WannaCry’ ransomware attack is a particularly high-profile example, which saw tens of thousands of businesses’ data in over 150 countries held to ransom by hackers.
At small to mid-sized listed companies in Europe the average pay for CISOs generally falls between €200k (£171k) and €300k (£256k), and at larger listed companies CISOs could be paid from €700k (£597k) to €1 million (£853k). Gert Stürzebecher, Partner at DHR International, comments: “CEOs have started to lose their jobs over data breaches, and the financial impact of some individual data breaches now runs into the tens or hundreds of millions of euros. An issue as serious as that gets its own seat at the board. Every corporate wants to avoid being the first major company put out of business by a cyber-attack that has got out of control.”
Verizon recently reduced the price they agreed to pay for Yahoo by $350m (£298m) after a serious data breach at Yahoo came to light. Shareholders and regulators now expect boards to take direct responsibility for the consequences of a successful cyber-breach. For example, the New York state regulator has recently announced new regulation that will require top executives at some of the world’s biggest banks and insurers to vouch for their companies’ resilience to cyber-attacks. In the EU the new General Data Protection Regulation means that fines for failures in data protection could theoretically be as high as 4 percent of global turnover.
Until relatively recently a business’s cyber-security would have been dealt with by a manager who might have reported only to the Head of IT. However, the role has progressed rapidly up the corporate ladder. DHR explains that the role of a CISO involves designing, implementing and managing cyber-security, extensive testing to ensure company technologies are protected from hackers, and responding to data breaches or attempted cyber-attacks. Gert Stürzebecher adds: “This relatively new role and the importance attached to it is evidence of just how valuable, and potentially dangerous, all that data held by a consumer business now is.”
“The modern big business acquires and stores as much data on its customers as it possibly can, sometimes in the hope that one day it will find a way of properly mining that data. In the meantime, though, that data can be a liability if there is a successful cyber-attack. With accountability sitting on the shoulders of the most senior executives, boards want to ensure that there is the knowledge and expertise to make critical decisions on cyber-security at the highest levels too. The apparently large sums paid to CISOs are actually modest compared to the risk they are managing. The availability of off-the-shelf hacking software has meant that attacks have become more frequent and can now affect businesses of any size or sector.”