The search for chief information security officers has become a seller’s market as companies rush to hire security experts in the wake of several high-profile cyberattacks. High demand, coupled with a shortage of talent, is leading to compensation that is “zooming up on an almost daily basis,” said Peter Metzger, vice chairman at executive recruiter CTPartners.
“In the last six months, we have seen a one-third increase in total compensation packages for Fortune 100 companies,” Mr. Metzger said. “In some cases, big banks are paying over $1 million. Healthcare companies are paying over $1 million, big insurance companies are paying over $1 million. Total compensation is $500,000 to $600,000 in other industries.”
CIOs, who play a key role in CISO recruitment efforts, say they are finding it hard to quickly find and hire top cyber talent, even with inflated salaries.
“It’s probably one of the hardest roles to fill,” said Bryson Koehler, CIO of The Weather Company, which hired its first CISO, Reynaldo Santiago, one month ago after a six-month search. “We searched all over.” With cybersecurity a top corporate concern, applicants are expected to be skilled in cybersecurity, but also know their way around the board.
A rash of cyberattacks, including those against Target Corp., Home Depot Inc. and Sony Pictures, is spurring companies that don’t already have CISOs to hire them. On Wednesday, President Obama raised the stakes by proposing a law requiring companies to report breaches to customers within 30 days of discovering them. Such a tight timeline will pressure CIOs to improve their cybersecurity practices, including working with C-suite executives, boards of directors and corporate communications. CIOs need to lean on their CISOs to help with this work.
At the Weather Company, Mr. Santiago is assessing the security of systems which regularly exchange weather data with millions of computers, mobile devices and weather stations worldwide. Such digital services are subject to denial-of-service attacks designed to slow traffic. Mr. Koehler said he selected Mr. Santiago, who previously worked in information security roles at SAIC Inc., Darden Restaurants Inc. and the Walt Disney Co., because he wanted someone who “came up through the ranks as an engineer” and could protect corporate data without crimping business processes. “Many CISOs come into an organization and try to be the Gestapo,” he said. “That’s not a realistic approach.”
Shortly after joining Idexx Laboratories Inc. as CIO in August, Ken Grady began searching for a CISO to strengthen the life science company’s cybersecurity posture. Five months later, Mr. Grady is still interviewing people for the role. His ideal candidate? Someone who can unify security processes across Idexx’ internal IT systems and commercial software development. “Everybody is recognizing the need to increase tools and raise awareness around [cybersecurity],” Mr. Grady said. “We need to take the next steps to be more proactive.”
The Weather Company and Idexx join the likes of Target Corp. and Neiman Marcus Group Inc. in hiring their first CISOs over the last year. Target hired General Motors Co. information-security chief Brad Maiorino as its CISO in June 2014. In November, Neiman Marcus Group Inc. named Sarah Hendrickson as its first CISO.
Executive recruiting firm Alta Associates Inc., which specializes in placing CISOs, saw an increase in companies hiring their first CISO in 2014, Alta CEO Joyce Brocaglia said.
Despite the CISO gold rush, only 28% of companies have hired chief security officers or CISOs, according to a cybercrime survey PWC published last June.
Hiring a CISO remains an open question for some CIOs who have recently joined companies. Asked if he planned to hire a CISO, Aaron Weis, who started his job as CIO of Axalta Coating Systems Ltd. last week, replied: “Great question — ask me in a few weeks…” He noted that it’s not an easy task. The key, Mr. Weis said, is finding a candidate with the right combination of “knowledge and experience, which is rare in the CISO world.”
Some of the top talent is coming from government, such as the National Security Agency, said Mr. Metzger, a former foreign intelligence officer in the CIA and Marine Military Assistant to President Ronald Reagan. He adds that the public sector is now experiencing its own shortage as more of its talent joins the private sector.
“What difference does it make what it costs for this person? It is one of the best insurance policies in the world,” he said.
Steven Rosenbush contributed to this article.