Insights from IANS CISO Compensation and Budget Survey

Intro: 00:01

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels: 00:21

Hi Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels: 00:36

Hi Justin Daniels here I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels: 00:59

In. This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business.

Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit RedCloveradvisors.com.

Justin Daniels: 01:35

How are you? Do you have a birthday coming up?

Jodi Daniels: 01:39

At the time of our recording, I do have a birthday coming up, and what’s actually most exciting about this week is it feels like fall. Best season ever.

Justin Daniels: 01:47

And how old are you going to be when?

Jodi Daniels: 01:49

This is the Privacy Conference podcast?

Justin Daniels: 01:53

Is it a conference? No, it’s a conference.

Jodi Daniels: 01:56

We’re conferencing. So, you know it’s privacy and we don’t need to talk. We don’t need to talk about that. See? Haha, that was fun.

Justin Daniels: 02:05

Well, I didn’t know I was at a conference, so I’ll adjust accordingly.

Jodi Daniels: 02:08

There you go. It’s like the podcast conference. It’s a whole new style. Or it’s just Jodi being silly, but we’re still in a privacy podcast, so we’re just going to move right along.

Justin Daniels: 02:20

Okay, then.

Jodi Daniels: 02:21

Okay, then. All right. Today we do have some sillies in store for you and some actually really awesome information.

Justin Daniels: 02:29

Our guest today is Nick Kakolowski, senior research director from IANS. Nick, welcome to the show.

Nick Kakolowski: 02:39

Thanks, Justin. Jodi, it’s great to be here. Really fun to be here today.

Jodi Daniels: 02:43

I’m really excited to dig a little bit deeper into IANS and some of the great work that you do. So, Nick, you’re really specializing in the managerial and the leadership, risk management, privacy, regulatory compliance, components of the science curriculum. But before we dive a little bit more into IANS and its mission, how did you get to where you are managing all these pieces today?

Nick Kakolowski: 03:06

So I started out my career as an English and Latin teacher for a couple of years, realized that I loved the teaching side of it and the communication side of it, but not so much the sitting in a high school classroom all day side of it. Went into writing, spent nine years in content marketing, writing predominantly about tech. And this was the era where content marketing was all about SEO. We were writing dozens of stories a day, thousands of words a day, and I got to dig into everything from network cabling, installation and custom data center server racks to colocation providers, cloud providers, IT training and development, privacy, compliance, whole gamut. And that wide breadth of background knowledge gave me a great backdrop to start getting into cybersecurity research and market research to kind of bring those insights together and really be somebody who can amplify and equip our faculty to bring their expertise to the market and more effective ways.

Jodi Daniels: 04:08

I’m so curious. You mentioned I know we’re obviously going to talk about IANS and privacy and security, but you also mentioned in the era where content marketing was about lots of articles and SEO from your point of view. Where do you think content marketing is today?

Nick Kakolowski: 04:23

I’m wary that it’s becoming more an AI driven industry, and very much so focused on just getting stuff out there that’s going to get people to click. But as I was getting out of the space and into cyber, it was shifting toward, interestingly, a space that’s more about genuinely informing folks and providing deeper insights within the content. Definitely a smaller amount of content, but more white papers, more deep dive blogs, and I hope that it’s able to continue going in that direction as I can sort out some of the everyday quick SEO stuff, and humans can do the deeper dive and more creative work.

Jodi Daniels: 05:04

I hope so too.

Justin Daniels: 05:08

So, Nick, why don’t we talk a little bit about what is IANS and its mission?

Nick Kakolowski: 05:14

Sure. So we are a market research firm, but we do some benchmarking and some market analysis like we’re going to talk about today with our competition budget survey. But what we really focus on is helping CISOs and their teams solve their everyday problems. We do that through our faculty members, like the two of you who are practitioners in the real world, solving actual problems and getting the insights from those folks to our community through a variety of service, ranging from asking experts where folks can come on and just ask a faculty member about problems they’re facing, to written content and event content that lets them do deep dives into various trending topics and really practical tactical advice on how to deal with challenges infosec teams are facing today.

Jodi Daniels: 05:57

Well, let’s talk about some of the studies that IANS does and some of its key findings. I’m going to let you share your favorite one that you might want to talk about.

Nick Kakolowski: 06:07

Sure. So our big research initiative every year we’ve been doing this since 2020 is a partnership with Artico Search, where we do a CISO Compensation & Budget Survey. Our goal setting out was to help solve some of the gaps in the market, where we know there is so much variance in compensation for CISOs, so much diversity of what the job actually is from organization to organization, that a lot of orgs don’t necessarily understand how to hire effectively for CISOs and security leaders. And a lot of security leaders have a difficult time figuring out what their value in the marketplace actually is.

And we wanted to be able to advocate for security professionals and give them tools to practically be able to go into the market and say, this is the type of CISO I am, this is where I am valued, and this is what I can search for in the marketplace. And over four years of trying to provide that transparency, we’ve been able to expand it to talk about security budgets and provide some more visibility into how those budgets are organized and structured and changing year over year into CISO satisfaction with the role, how they report to the board, how their scope is changing, and then C and then organizational models and leadership teams within security. So heads of function like heads of GRC, heads of architecture, heads of CC, ops, etc. so that CISOs can think about building out their direct reports and their teams more effectively. And then last year, we expanded this research to also include a staff compensation and satisfaction survey, where we’re trying to get deeper into the whole stack of the security team and provide transparency, because what we have found is the pay bands in traditional corporate setups don’t really align with what security team needs to figure out how they should be compensating people effectively and competing for the talent in the market. And we want to give leaders tangible resources that they can use to figure out what the right balance of compensation package versus opportunities for growth and development and fulfillment within the work can come. How those can all come together to help them flush out their teams effectively.

Jodi Daniels: 08:05

I think that’s a really interesting finding. Can you share a little bit more about that disconnect that it sounds like is showing in the research?

Nick Kakolowski: 08:15

Sure. So there is generally speaking. So I’ll just start with CISOs as an example. There is a gap of more than $100,000 in total compensation between their median compensation for CISOs and the average compensation for CISOs. When the gap between median and average is that large, what it tells us is the market is very stratified.

There are a lot of people earning way more than the median, a lot of people earning way less than the median, and not that many people actually earning around the median. And this creates a dynamic where a lot of orgs will look at some studies that will just show kind of the lower end of the market and think, oh, I can get a CISO for X amount per year and really undercut the role and have a hard time finding somebody and make it difficult for CISOs to elevate their role in the organization because they’re being put in this lower pay band, and then a lot of works that are needing to offer way more to compete in their space. And what we’re trying to bring is some kind of visibility into those gaps and help CISOs be able to position themselves and find, oh, this is what my peer group actually looks like. Here’s folks in comparably sized organizations in comparable industries that I can look at and say, this is what I should be earning. This is what my value is in the marketplace because there is so much variety in the job is so different, and it can leave folks feeling a little stuck where their skills have exceeded the role that the org has put them in.

As their head of security type CISO, they’re ready to be someone who’s treated more at the VP executive level of the business, and they’re trying to get over the hump and find a business that’s willing to think about the CISO that way, because those businesses very much exist.

Jodi Daniels: 09:45

At an industry level, does it? Have you found that that average and median in that big range is across all industries, or are there any industries that are more than another?

Nick Kakolowski: 09:57

The stratification happens across all industries because it’s largely driven, we see by company size, but we do see general industry trends of tech and financial services being consistently the highest in terms of compensation. Financial services, often because those are very highly regulated and just valuable security programs that are very tied to business, revenue and tech, because there’s a strong tie between product and revenue and the security function. But we also see that in tech there tend to be very large equity packages leading to that high total compensation number, whereas cash compensation tends to even out generally across industries. We then see some other noteworthy examples in healthcare, where the gap between healthcare, excluding hospitals and hospitals and clinics, is around 50 to 100 K per year on average of just hospital CSOs being regarded kind of by the organization as having less of a scope and generally getting paid less. Also, that’s just a reality of budgets and financial structures of those businesses.

And then, as you would expect, government, education, legal, some of those sectors tend to be a little lower on the pay scale.

Jodi Daniels: 11:06

Very very helpful. Thank you so much for sharing.

Justin Daniels: 11:09

So with the research that IANS does, how has security team’s relationship with privacy evolved more and more since? What do we have, Jodi? 19 states have now passed privacy laws?

Jodi Daniels: 11:23

It’s true, 19 comprehensive privacy laws.

Justin Daniels: 11:26

I noticed that topic is coming up a lot more with IANS content, indeed.

Nick Kakolowski: 11:32

Very much is just why we’re keeping you too busy. We ask CISOs to tell us what is under their scope of ownership within the survey. It’s a little open-ended in that it doesn’t necessarily mean that they are the final person accountable for that part of the business, but that they have some direct ownership of it. And we have seen over the past few years privacy going further and further up that chart, with more and more CISOs having direct ownership of some sort over privacy. Our explanation for that is what we are seeing businesses digitizing very quickly.

They are turning to AI. They are turning to a variety of technologies to track more data, more customer data, monetize more of that information. And as they do, and as more privacy laws emerge to kind of control that, the solution to a lot of privacy problems ends up being security, or it controls and security is best positioned to kind of do that cross-departmental wrangling, where they can know enough about the privacy rules to help the privacy team make sense of what needs to happen in security. They know security well enough to implement those controls and security, and they know the IT well enough to advise with the IT team how to apply those things. And they kind of become the central connecting point between all of these divisions and business units that need to act on the various security controls brought in by a wider range of comprehensive compliance laws.

Jodi Daniels: 12:52

I think it will continue to evolve. It’s really interesting to see how privacy and security is. I call it the hot potato of who owns privacy because you essentially need an owner. Sometimes companies are splitting where the legal work might remain legal, and the ops work might come over to security, and we are seeing more and more of that. I think this will be a really interesting trend to watch over time.

Nick Kakolowski: 13:17

Yeah, we’re very much seeing that, and it’s going to become more and more complicated as more business units are digitizing their operations and customer facing apps, marketing data. Those streams are becoming more and more tied to revenue, and figuring out ways to protect that information is critical.

Justin Daniels: 13:33

Don’t you think the privacy situation with the hot potato and CISOs is a pretty good prelude to what’s going to happen as more organizations roll out and have use cases for artificial intelligence?

Nick Kakolowski: 13:44

Yeah. And I think it’s already happening. We are seeing CISOs be very much at the center of the e-commerce AI conversation, because they are the people who know enough about the breadth of issues that AI touches to inform the conversation across various lines of business. The thing we strongly recommend is being really careful about the balance between informing and participating and leading in these conversations, and actually taking ownership of the risk, because much of the risk driven by AI still needs to be owned by the business unit that’s using the technology, and that is hands on day to day with that technology. They need to be able to be the ones who know enough about what that risk is to be accountable for it.

And it’s critical for the CISOs to figure out how they can inform and influence those conversations without becoming the de facto owners who then become responsible and potentially liable and accountable to things that they don’t have direct control of.

Jodi Daniels: 14:37

That makes a lot of sense. And we’ve talked a little bit about the CISO role expanding. Some of them are owning privacy AI and how that’s expanding. You make a really nice distinction about the risk piece. What are some of the other ways you’re seeing the CISO role expand and evolve over these last several years?

Nick Kakolowski: 14:59

Things like identity that have often sat in it are now increasingly sitting over in security. We see, I think it’s something like 30% of CISOs have some ownership of it. As AI technology becomes a little bit more commoditized within the business and a little bit less complex, but security becomes infinitely more complex. We are seeing things like fraud, physical security, just all these parts of the business that used to sit in physical systems, often analog capabilities are now becoming way more digital, and those data streams have to be protected. And security folks just are the ones who are best positioned to step into those roles, especially as we see more and more boards taking an interest in governing this risk.

As shareholder interest grows, as regulatory rules around informing shareholders of security risk grows, the boards need someone to go to to lead those governance conversations and inform those governance conversations. And it’s increasingly becoming the CISO.

Justin Daniels: 16:00

So, Nick, can you talk a little bit more about — because one of the things I’m seeing with CISOs and we kind of touched on it between you’re talking about identity, privacy, security and dealing with all these other business units. Can you talk a little bit about the, I want to say, soft or business or non-technical security skills that CISOs need to develop that have really become table stakes over the last five years.

Nick Kakolowski: 16:26

Oh, yeah. Five years ago, we would have said that most CISOs are security leaders who are learning to impact and align security to the business. Today, more and more CISOs are functioning as business executives with a security background who are helping to inform the business on security topics. We believe the CISO role is starting to really become very similar to the CFO role, where you’re not going to see the CFO go with actuarial tables and detailed financial data to the board and report all that to the CFO is going to communicate and distill that down into financial risk to the board, while the CFOs team is doing that technical finance work. Increasingly, that’s what we’re expecting to see the CISO become someone who is able to be deep enough and aware enough of what’s going on on the security side of the org to distill that risk and distill what’s happening procedurally up to the business, but really aware of how the business is actually making money, how the relationships in the org drive influence and drive progress on projects.

Who’s the right person to talk to about issue X versus the right person to talk to about issue Why all of those soft skills, the ability to kind of play the political moves and drive momentum in the organization are becoming increasingly critical for CISOs.

Jodi Daniels: 17:44

Really interesting. And I, I found what you were talking about with the board and how they’re taking a bigger interest in what CISOs and, you know, security risk. Is there anything else from a board perspective that you’ve identified through any of the work that IANS has done that you can offer and share here?

Nick Kakolowski: 18:06

There are growing concerns across the board around liability. We see the NIST two standards in Europe are potentially going to be starting to hold board members personally liable for accepting risk and having something go wrong that is extending down through the managerial and director chains. For folks who are officially directors of the organization. And as we see something around 40% of CISOs are listed as directors of the organization and no insurance, while those two rules don’t directly apply to US companies. We expect them to establish best practices and board expectations that emerge in the US, and we are anticipating a growing emphasis on figuring out who’s going to be accountable for cyber incidents that have a material impact on the business, and how are folks going to be held accountable.

And no one has the answers right now, but everybody’s watching it very closely.

Jodi Daniels: 18:57

That will be very fascinating to watch. And for me, what comes to mind is will that accountability really start to shift companies’ sincere adoption and effort and resources tied to security programs?

Nick Kakolowski: 19:14

Yeah, and we do see, if we look at our budget data, while security budget growth has increased at a declining rate over the past few years. So from like 16% to 6% to 8% this year, they’re still growing. While lots of corporate budgets are really struggling. And we have seen security budget as a percent of it. Budget and security budget as a percent of revenue incrementally increase each year over the past few years, as security just becomes more and more of a priority within the business.

Justin Daniels: 19:44

So, Nick, can you share with us what additional studies as IANS working on which you are looking for data?

Nick Kakolowski: 19:51

Yeah, I’m happy to. Actually really excited about this. So this is going to be our second year running the staff version of our survey. Last year we had a sample of around 500 folks. And we’re able to provide insights on what’s typical compensation for folks at various levels of the Oregon architecture and Secops and GRC and some really major functions.

This year, we are really hoping to get that sample size up much larger and be able to do a deeper dive into what our normative expectations for folks in various security roles, what is really part of the job? What are the key skills that folks need to advance in their careers in those parts of security operations and security operations? I mean, the broader security team, not not literal security operations, and also more nuanced compensation packages. Our overarching goal here is both to give CISOs ammunition to go to HR and get pay bands and job expectations set more realistically for security teams, as we know that burnout and challenges with development and challenges with compensation are are real issues across the industry and to give security team members some visibility and transparency into what is happening across various businesses and orgs so that they can benchmark.

Jodi Daniels: 21:02

It’s very exciting. When are you anticipating starting and kind of closing that big work?

Nick Kakolowski: 21:09

So that survey is live and running now. We are hoping to close it sometime near the end of the year and be able to report in January.

Jodi Daniels: 21:19

Wonderful data, really impactful, especially as everything we’ve been talking about very obvious that companies are going to need more, more support to be able to achieve all of their obligations. Now, Nick, knowing what you do about security and privacy. We ask everybody to offer your best personal privacy or security tip that you maybe you’re sharing with a friend at a social gathering, and they know what you do, and you would say, make sure you do this.

Nick Kakolowski: 21:50

I spend most of my time around the CISOs, so I do not necessarily. My tip is not so much a hands on typical friend. Go check this box in Microsoft. My tip is really to make security something some of our faculty members will say is make the interesting things matter and make the things that matter interesting. There’s a lot that you can get wrong in security.

There’s a lot you can get right. It’s super complicated. Tying to what the people around you care about and are interested in, to get them to care about the thing that you need them to do, is just going to be critical to keep everyone from getting lost in the complexity.

Jodi Daniels: 22:30

There you go. I like it. Focus on what matters to the people.

Justin Daniels: 22:34

So, Nick, when you’re not developing programs and conducting research for IANS, what do you like to do for fun?

Nick Kakolowski: 22:41

Oh, I am deeply nerdy. Video games, board games. I read a ton, very eclectic stuff. I was a lit major back in the day, so lots of both literary and very trashy novels. I’m learning to draw and paint.

I paint board game miniatures. Lots of hobbies.

Jodi Daniels: 23:01

Do you have a favorite board game?

Nick Kakolowski: 23:03

Right now it’s Heat: Pedal to the Metal. That’s getting to the table most often with my group.

Jodi Daniels: 23:09

I’m very old, as Justin wanted to point out with my birthday conversation earlier, because I am not familiar with that game.

Nick Kakolowski: 23:16

But it’s fairly new. It came out just a couple years ago.

Jodi Daniels: 23:19

Okay, see, I’m not so bad then. Well, Nick, it’s been a joy to have you. Can you share if people would like to connect and learn more, where should they go for IANS? And then in particular, if someone is listening and would be a good candidate for this survey.

Nick Kakolowski: 23:34

Sure. So the IANS website is your best bet. If you search IANS and Articos staff compensation survey, you’ll get to the survey, our website. We actually just relaunched a rebranded website just a couple of weeks ago. So check out the IANS research website and if you want to get Ahold of me, feel free to do so via LinkedIn.

That’s usually the best way.

Jodi Daniels: 23:50

Amazing. Well, Nick, thank you so very much. And to everyone listening, I highly encourage you to go check out the amazing breadth of resources that IANS has and if eligible, go ahead and take that survey.

Nick Kakolowski: 24:02

Thanks for having me. It’s great to be here.

Jodi Daniels: 24:04

Thank you.

Outro: 24:09

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.