Top CISO pay hits £850,000 as security becomes key boardroom issue
Biggest companies in UK and Europe putting CISOs on the board - with a remuneration package to match
Chief information security officers (CISOs) at Europe's biggest companies are now being paid as much as £850,000, or €1m in the European Union, as organisations finally wake up to the critical importance of security.
That's according to executive recruitment firm DHR International.
According to DHR, even small and medium-sized businesses (SMBs) are not paying small-and-medium-sized wages, with the average pay for CISOs falling between €200,000 (£171,000) and €300,000 (£256,000). The largest, stock exchange-listed companies are paying between €700,000 (£597,000) and €1m (£850,000), it claims.
According to Gert Stürzebecher, partner at DHR, fear of losing their job over security incidents has pushed CEOs not just into appointing specialist CISOs and putting them on the board of the company, but offering a high salary and benefits to match the rising importance of the role.
"CEOs have started to lose their jobs over data breaches and the financial impact of some individual data breaches now runs into the tens or hundreds of millions of euros. An issue as serious as that gets its own seat at the board," said Stürzebecher.
The implications of a lackadaisical corporate attitude to security have been reflected in recent years by, for example, the CEO of US retailer Target losing his job and the sale price of Yahoo being cut by $350m, both following serious security incidents.
Furthermore, the General Data Protection Regulation (GDPR), which will become law across the European Union, including the UK, on 25 May 2018, should also have concentrated CEOs' minds. The GDPR will impose a mandatory breach-notification scheme on companies and public sector organisations alongside fines of up to four per cent of turnover.
On top of the GDPR, there is also the Network and Information Systems Security directive, which will change the way major companies implement security procedures, mitigate attacks and report on breaches.