The French Club of Information Security and Digital Experts (CESIN) has published the findings of its survey on the salaries and roles of cybersecurity leaders (CISOs). Conducted in partnership with OpinionWay in June 2024 among 390 CESIN members, the survey sheds light on the evolution of a key profession amid growing cyber threats.
This new salary study continues the monitoring CESIN has conducted since 2017, last updated in 2021. This year it introduces a new section on the positioning of CISOs within their organizations: respondents described their role in 33 activities using the standard RACI model (Responsible, Accountable, Consulted, Informed).
CESIN, a French association, works to enhance the recognition of cybersecurity leaders’ essential role in organizations. Key findings from the survey highlight a predominantly male and experienced workforce, responsible for diverse tasks, with rising annual salaries.
What is the Profile and Role of Cybersecurity Leaders?
According to the survey, the CISO role focuses strongly on risk management (73%) and operational duties (64%). Compliance and resilience have also gained importance over the last five years.
A Predominantly Male and Experienced Workforce
Cybersecurity leaders are mostly men, with female representation rising slightly from 5% in 2021 to 8% in 2024. They are experienced professionals: 52% are aged between 35 and 49, and 37% between 50 and 64.
Over half (56%) have more than 10 years of experience in the field.
In terms of education, 75% hold a master’s degree or higher and 58% come from an engineering background. Their training is primarily in IT (81%), with fewer specialized in cybersecurity (30%).
Management responsibilities vary across organizations, combining direct and functional leadership. 85% of CISOs manage teams, typically of 13 to 20 people. The majority (77%) report directly to a senior executive, mostly the CIO (54%) or the CEO (20%), and 50% sit at the second level below the executive leadership.
Core Activities
Here are CISOs’ primary activities:
- Risk analysis (92%)
- Security policies (89%)
- Awareness programs (86%)
- Offensive Security (audits, pentests, red teams, bug bounties, etc.) (80%)
In terms of strategic oversight:
- 75% are responsible for monitoring, strategy, roadmaps, budgets, and strategic reporting.
- Two-thirds make decisions on cyber solutions, oversee their integration, and manage operations.
- IT risk was previously handled separately from cyber risk; now all CISOs participate in managing IT risks, and 60% are responsible for it.
All CISOs are involved in project security and third-party risk management, and 67% oversee these activities. While 84% contribute to securing architectures, only 31% are directly responsible for it.
CISOs also play a significant role in crisis management:
- 74% are accountable for cyber incidents
- Around 80% handle or contribute to operational security (SOC, CERT), and 60% are responsible for it
CISOs are heavily involved in vulnerability management (86%), and two-thirds are responsible for threat detection, alerting, and vulnerability prioritization. Patch management and obsolescence, however, remain with IT teams.
Regarding identity management, 80% are involved and 38% lead this function.
CISOs are generally less involved in fraud prevention or overall security, and only half (49%) take the lead on compliance issues. Operational duties have increased over the past five years, in step with the rise in cyberattacks and vulnerabilities.
How Much Are CISOs Paid?
In 2024, the average fixed annual salary of a CISO is €96,543, up from €88,342 in 2020.
- One-third of CISOs report earning more than €105,000.
- The average salary for the bottom 10% is €51,534, while the top 10% earn €171,809.
Notably, the salary gap between large corporations and small and medium-sized businesses is widened by the bonuses and additional benefits available to cybersecurity leaders in large firms.
In the average, the high salaries of a few cyber directors at large companies are offset by those of mid-level cybersecurity managers and of CISOs in smaller organizations.
66% of CISOs are considering changing organizations, and 24% are certain they will. Succession planning remains a concern: only 11% of organizations have a succession plan in place or in development.