What is fair compensation for a chief information officer (CIO) or chief information security officer (CISO)?
Organizations must ensure that salaries are in line with other executive compensation in the organization. Candidates have to research the organization and ask questions to find out how the offer compares with what other company executives are making.
For the CIO job, the reporting line (to whom the position reports) will define both the true nature of the position and the level of compensation. If, for example, the position reports to the chief financial officer, you will not be a member of the cabinet and your salary is likely to be significantly less than the CFO's pay. This is most likely a director of IT position dressed up with a CIO title. Probably the organization views IT as a cost center rather than as a strategic asset driving revenue. Ask why the CIO reports to the CFO. You may very well find that other C-level executives drive technology decisions and your job is simply to run, support, or integrate these systems -- an operational and not very strategic role.
Some time ago, when I was grappling with this issue, a CFO friend showed me GuideStar.org, a valuable resource he used to judge whether the salary offered was fair and comparable to other C-level executives in the organization. This free website contains the IRS Form 990 filings for the past three years for non-profit organizations. The database includes most universities, religious organizations, healthcare organizations, public and community services, as well as charity organizations.
The IRS 990 filings provide information on the financial stability of the organization as well as compensation for its highest paid people. This data is very valuable in figuring out whether the salary offer for one position is comparable to other executives' pay. Check the filings for all three years to estimate future salary increase potential by looking at the organization's past history of increases.
If the CIO will be a member of the president’s cabinet and your offer is significantly lower than the other executives', asking about this disparity will often reveal interesting information, which may cause you to have second thoughts about the position. In one case, an organization offered the CIO $50,000 less than the CFO. After questioning, the organization revealed that although the position was a member of the president’s cabinet, officially it dual-reported to two other C-level executives -- one of which was the CFO. Not a very comfortable setup!
In the case of a CISO, the offer should be comparable to the CIO's compensation. Organizations -- and candidates for the CISO role -- need to know that the CISO carves out the most complex technical, policy, and operational responsibilities of the CIO in all IT and systems areas. This complex position will require an extremely strong technical, policy, and people management background -- usually more complex than the CIO role. The role also carries with it a high level of career risk compared with all other IT positions within the organization. The position deals with all parts of the organization. The CISO requires a solid background in all technical areas, including challenging industry certifications. The person will need to be familiar with compliance requirements for applicable security and privacy laws along with a strong background in risk management principles. The CISO also needs strong communications and leadership skills because areas and people influenced will not report to the position. The CISO will manage hundreds of projects and deal with security audits and incidents.
Sometimes an organization will hire a CISO as a true partner for a CIO. It might be defined as a deputy CIO role. At times, the person will be hired to shield others and to serve as the person to be blamed in the event of a major security incident. For a CISO candidate, it will be very important to assess whether this is the case during the interview process. Ask the question: Who is responsible for security in the organization? If the answer is the CISO, that is a warning sign. If the answer is everyone in the organization, you are dealing with an organization that has a better understanding of this role.
— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.