2021 Global Chief Information Security Officer (CISO) Survey

For this year’s report, we expanded the survey from North America to countries around the world, with the goal of offering a more comprehensive and comparative look at how these roles have developed in different countries.

For this report, Heidrick & Struggles compiled demographic, organizational, and compensation data from a survey fielded in March and April of 2021 of 354 CISOs around the world. Most carried the title of chief information security officer, but respondents also include deputy chief information security officers, chief security officers, and senior information security executives.

The numbers of respondents varied significantly in different countries. This report includes organizational data from respondents in the United States, Europe, and Asia Pacific, and compensation data for respondents in the United States and the United Kingdom. We expect to be able to report more fully on additional countries in future years.

Where are the CISOs?

The chief information security officers (CISOs) who responded to the survey came predominantly from the United States. Australia, France, Germany, Singapore, and the United Kingdom were also represented.

Nearly half of the CISOs were at companies with an annual revenue of $5 billion or more.

The CISOs worked across a range of industries, most often financial services and technology. (See chart “Company information” on page 4 of the full report.)

In terms of experience, it’s not surprising that they also most often had recent experience in financial services and technology. In the United Kingdom, the share with financial services experience rose to 86%; in European countries, half had financial services expertise. In terms of background, most come from IT, though we are seeing other types of functional expertise emerging. (See chart “General experience” on page 4 of the full report.)

Most respondents were male and white, with little variation across regions. However, so far this year we are seeing greater diversity among people taking the CISO role, and greater focus from companies on hiring diverse CISOs (as is true for most executive roles). We expect companies to increasingly think outside the traditional industry- and IT-specific criteria for CISOs to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise. (See chart “Demographics” on page 4 of the full report.)

What CISOs do all day

The CISO role has become even more important in the past year, as digital technologies became ever more prevalent and remote working became the norm in many industries. CISOs were among the many IT professionals who scrambled early in 2020 and made significant contributions to the success of their companies through the pandemic. That was on top of CISOs’ already large portfolios, which cover everything from securing systems from attack to simultaneously managing increased regulatory scrutiny and use of the data these systems contain.

In the context of remote working and online customer interactions, it’s little surprise that CISOs this year most often said that they are focused on network/cloud security and identity management. This is a shift from a focus on endpoint security, which was a significant focus for CISOs for many years. This is likely the result of companies moving ever more activity to the cloud, leading to a focus on platform security rather than traditional endpoints. In addition, there were some notable regional differences in CISO focus. (See chart, “CISO focus,” on page 5 of the full report.)

There are five functions that most CISOs said report to them, which are, on the whole, consistent with their overall focus. The strong presence of application/product security as a regular part of the CISO's mandate is an increasingly important function. (See chart, “Areas that report to CISO,” on page 6 of the full report.)

CISO reporting lines: Up and down

Most of the CISOs who responded to our survey, 86%, were in global roles (ranging from a high of 90% in the United Kingdom to a low of 63% in Asia Pacific). More than a quarter, 28%, have been in their role for more than five years. Indeed, though there is a perception of fast turnover and low tenure in CISO roles, this survey shows that 56% of these CISOs have been in their role at least three years, with little variation across regions. (See chart “Current role background” on page 7 of the full report.)

CISOs reported either fairly small teams or fairly large ones: 38% of all CISOs surveyed said they have 25 or fewer people reporting to them, while 29% said they have 101 or more direct reports. (For detail on how team size varies by CISO remit, see page 8 of the full report.)

Looking upward, the majority of CISOs report to someone other than the CIO. Globally, 11% report directly to the CEO, and a quarter of CISOs in Europe said they do so (many respondents from Europe are at smaller companies, where this structure is more common).

Despite the low share of CISOs who have corporate board seats, CISOs do have high visibility with the board: 90% said they present directly to their company’s board and/or audit committee, three-quarters of them on a quarterly basis. These figures vary little regionally.

Almost half of all CISOs said they sit on an advisory board, not necessarily at their own company—and two-thirds of CISOs in Asia Pacific said they do so. However, globally, only 4% said they sit on a corporate board. This low figure is consistent with Heidrick & Struggles’ annual Board Monitor reports, which show than only 6% of directors added to boards in Europe in 2020 and 8% of those in the United States had cybersecurity expertise of any kind. (For more, see Board Monitor Europe 2021 and Board Monitor US 2021.) Given the increasing strategic and operational importance of cybersecurity for all organizations, we hope to see many more companies bringing this expertise onto their main board rather than relying on advisors. (See chart “Current board experience” on page 7 of the full report.)

Two types of CISOs

Last year, we identified three basic types of CISO roles in North America: a traditional security leader, a Risk/Trust leader, and a role we called CISO Plus, which has a wider remit. (For more, see 2020 North American Chief Information Security Officer (CISO) Survey.) With this year’s global scope, two types of roles came into clear focus: an Everything CISO role, made up of 45% of respondents—those who have responsibility across all three areas of security, risk, and trust; and a Specialist role, made up of 55% of respondents—those who have responsibility across only one or two of those three areas. These roles are about equally distributed by region, as well as by years in the role.

Everything CISOs are more common in technology and financial services than are Specialist CISOs. This may be because, in both of these industries, many CISOs have specialists reporting to them, in our experience. (See chart “Company industry, by CISO type” on page 8 of the full report.)

More of the Specialist CISOs had an IT background: 74%, compared with 59% of the Everything CISOs. And Specialists far more often said identity and access management was a core focus: 44% compared with 31%.

Everything CISOs more often report to business leaders, and 17% report directly to the CEO, while almost half of Specialists have the more traditional reporting pattern to the CIO. (See chart “To whom CISO reports, by CISO type,” on page 8 of the full report.)

Everything CISOs said they have larger teams, on the whole, than Specialists.

Given the wider scope of the Everything CISO role, it is no surprise that these CISOs are, on the whole, paid more than specialists. In the United States, for example, the difference in median cash compensation is $113,000. (See charts “Number of team members, by CISO type” and “Median compensation: United States, by CISO type” on page 8 of the full report.)

What’s next for CISOs?

Given that the CISO role is relatively new in the context of other C-suite roles, we also asked where CISOs want to go next. Nearly half of respondents want to be board members, which seems achievable given how many are already sitting at least on advisory boards and that cybersecurity will continue to increase in importance as more elements of operations go entirely digital.

Outside of board roles, CISO career progression remains tricky. Though 38% report to the CIO today, only 12% see that as an ideal next role. The wide range of next roles CISOs are interested in highlights that this is an evolving role, one where the next move isn’t clear. In this context, Everything CISOs may be able to develop more options to move up in their current company, since they more often report to business leaders, which gives them more exposure to their companies’ broader strategic interests.

In addition, more than half of CISOs don’t want to move geographically for that next role, though that share may well change in future surveys as post-pandemic conditions become clearer. In general, we found that CISOs’ teams are geographically distributed, and CISOs themselves are often not co-located with the rest of the executive team, though this varies widely from company to company. (See chart, “Future career plans,” on page 9 of the full report.)

CISO compensation: United States

Since last year’s survey, reported median cash compensation for CISOs in the United States has risen to $509,000, from $473,000 last year. (See chart, “Median Compensation: United States,” on page 10 of the full report.)

Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $936,000, from $784,000. (See chart, “Median base, bonus, and equity: United States,” on page 11 of the full report.)

Regionally

As in last year’s report, we see some variation in compensation across US regions. For cash compensation, CISOs in the Midwest report the highest figure, $668,000. When annualized equity is added in, West Coast CISOs top the list, at $1,196,000. (See charts “Median base, bonus, and equity: US regions” and “Median joining bonus: United States” on pages 12 and 13 of the full report.)

CISO compensation: United Kingdom

For UK CISO compensation, see pages 14–16 of the full report.

About the authors

Matt Aiello (maiello@heidrick.com) is a partner in Heidrick & Struggles' San Francisco office and leads the global Cybersecurity Practice; he is also a member of the Global Technology & Services and Information Technology Officers practices.

Max Randria (mrandria@heidrick.com) is a partner in the Melbourne office and a member of the Global Technology & Services Practice.

Camilla Reventlow (creventlow@heidrick.com) is a principal in the Amsterdam office and a member of the Global Technology & Services Practice.

Guy Shaul (gshaul@heidrick.com) is a principal in the London office and a member of the Financial Services, Blockchain & Distributed Ledger Technology, and Cybersecurity practices.

Scott Thompson (sthompson@heidrick.com) is a principal in the New York office and a member of the Financial Services Practice.

Adam Vaughan (avaughan@heidrick.com) is a partner in the London office and a member of the Financial Services Practice.

Acknowledgments

The authors wish to thank Mohd Arsalan for his contributions to this report.