Excerpted from Bloomberg: It took a $650,000 salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.
This year, the company had to pay $2.5 million to fill the same role.
“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specializes in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”
The threat of digital breaches — and the fines, lawsuits and occasional executive resignations that sometimes follow — has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who were once confined to obscure IT departments, little more than an afterthought to senior management.
While most U.S. firms don’t disclose compensation for top information-security executives, Comyns said big tech firms on the West Coast can pay as much as $6.5 million, most of it in stock. In some cases, direct reports can make around $1 million — more than their bosses typically would have made just a few years ago.
Aware of the challenges of replacing a security chief, many companies take unprecedented measures to keep them, with CEOs often getting involved in the negotiations. In one recent instance, Comyns said, a CISO who considered leaving was told to go home and write down 10 things that would change his decision. The list included a 50% increase in salary and bonus, more than doubling his long-term incentive award, a promotion and a new office. The CEO concurred, and the person stayed.
Hefty raises can pale in comparison with the potential downside. The average cost of a breach for U.S. companies was about $8 million, according to a study from IBM Corp. and the Ponemon Institute. Equifax shows that the cost can be many multiples of that.
Insurance can cover financial expenses, but won’t help restore lost customer trust and a tarnished reputation, said James Lam, a director at E*Trade Financial Corp. who also advises companies on risk management, including cybersecurity.
CEOs may be inclined to spend more because their own jobs and reputations could be on the line. Gregg Steinhafel resigned as CEO of Target Corp. in 2014 after a hacker attack that compromised 40 million credit card accounts rocked the already-struggling retailer.
That episode “got everyone’s attention,” said Kudelski Group’s Howard, and led to scores of companies appointing people with cybersecurity expertise to their boards.
It’s also pushed many companies to expand the responsibilities of information security staff, ensuring that their work spans the entire organization. To Comyns, that means their pay will continue to increase.
“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns said. “Then they stand in the door and say, ‘You’re not going anywhere.’”