Grooming yourself to be a chief security officer? Pick the right industry and you could find yourself reporting to the CFO and pulling in upward of $400,000 per year, plus a 25 percent bonus. Pick the wrong industry, however, and you could find yourself in the $70,000- to $90,000-per-year range and reporting well down in the chain of command.
According to a new research report from Giga Information Group Inc., of Cambridge, Mass., CSOs in financial services companies are most likely to pull down the big bucks and to report to top management. Among financial services industry CSOs, those reporting to the CIO can expect to make between $125,000 and $270,000 per year plus a 15 percent to 25 percent bonus. Financial services industry CSOs reporting to the CFO or COO can earn up to $400,000 per year.
While financial services companies appear to be on the cutting edge when it comes to granting top status and pay to CSOs, high-tech manufacturing companies and software companies are not far behind, according to Steve Hunt, Giga vice president and head of the company's security practice.
Telecom companies, utilities and manufacturing companies, on the other hand, are the least likely to treat the CSO as a high-paid, high-ranking officer—if, in fact, they have a CSO at all. At companies in those industries, CSOs tend to report to executives two levels below the CIO and to earn between $70,000 and $90,000 before bonuses, which average 15 percent.
Surprisingly, given the amount of sensitive information involved and the importance of regulatory initiatives such as HIPAA (Health Insurance Portability and Accountability Act), healthcare companies are among those that apparently can't afford to grant high status and high salaries to CSOs, according to Hunt. But, Hunt said, there may be a reason for that.
"Why did the healthcare industry need HIPAA in the first place? Because they didn't take security seriously. In many ways, they still don't," said Hunt.
The wide variety in CSO salaries and reporting status, said Hunt, suggests that the position is still new and that many companies haven't decided what a CSO is supposed to do and how important the role is.
"It's not a whole lot different than the CIO position 12 years ago," said Hunt. "Then, many CIOs were really simply middle managers in the data center. Only a handful were big shots."
Hunt predicted that the role of CSO, while still controversial and not well-understood in many companies, will mature and attain consistent salary levels over time. In some industries—including financial services—the CSO may end up on a par with the CIO, with the CSO overseeing all risk management functions, Hunt said.