CISOs Look to Establish Additional Leadership Roles

By Nathan Eddy

As cybersecurity challenges grow in complexity, chief information security officers (CISOs) are exploring new leadership roles to bolster their teams.

According to an IANS survey of more than 800 CISOs, roles such as business information security officers (BISOs), chiefs of staff and heads for privacy, program management and data protection are among the top positions being considered to support cybersecurity efforts.

George Jones, CISO at Critical Start, noted operational maturity is a key factor when considering new leadership roles.

He said that without a mature cybersecurity program and the ability to determine how these roles will drive measurable impact -- such as mitigating specific risks, improving compliance, or enhancing business-aligned security initiatives -- it is challenging to justify the creation of specialized roles, even as CISOs themselves feel increasingly overwhelmed.

"Highly regulated industries, such as healthcare or financial services, or those with diverse business units or global operations, can benefit from leaders who can bridge security, privacy and data protection with specific business goals," he explained.

Trey Ford, CISO at Bugcrowd, added that investing in executive leadership below the CISO can be driven by any combination of customer needs, regulatory overhead, business lines and technology stacks that diverge from the core business.

"It may be to increase focus and execution in higher leverage organizations with excessive span of control; it is also to help contain and manage risk from the focus area," he explained.

The report also highlights significant disparities in security compensation across industries.

Tech, financial services and consumer goods/services lead the pack in average pay, reflecting the high demand for expertise in these sectors.

Total compensation for top-performing functional cybersecurity leaders in the highest quartile starts at $345,000, while the average across all cyber leadership roles is $280,000.

Ford explained that security talent (especially leadership) does not map to classical IT and engineering compensation packages.

"Companies are investing in experience, perspective - not just knowledge and raw competence," he said.

He added that the "je ne sais quoi" for security leadership is the ability to partner and influence outside direct reporting lines.

"That includes the ability to speak multiple business and technical languages, and to foster ownership for outcomes aligning incentives," Ford said. "It's not just financial, it's a force multiplier impact."

He explained that CISO recruiting benchmarks vary widely, and specialized security search firms have some of the best data on hiring and compensation trends.

With the macroeconomic tension over the last couple of years, many companies have pulled recruiting and search back in-house - with varied impacts and learnings.

"I would encourage companies to partner with those specialized firms to find the right fit - not just a human that ticks a short list of boxes," Ford said.

Jones said while compensation is an important factor, organizations that invest in robust professional development programs, prioritize career progression, and offer clear growth opportunities can sometimes overcome this obstacle.

"Another avenue is offering equity options, performance bonuses and non-financial perks, such as flexible work arrangements, wellness initiatives and workload management," he said.

These strategies can differentiate an organization that may not have the same budget structure to attract top talent.

He noted that highlighting an organization's purpose -- such as securing critical infrastructure or public services -- can also help set it apart.

Jones recommended smaller organizations leverage cross-functional leadership roles, such as combining privacy and compliance oversight under a single leader and sharing responsibilities to drive efficiency.

He noted that compliance-heavy industries can prioritize roles that drive business alignment or privacy under a BISO to have a higher impact at a lower cost.

"Adaptable leaders who can wear many hats often thrive in environments and organizations with a lean focus," Jones said.
