When Germany’s Deutsche Post DHL Group—one of the world’s largest couriers—created a custom global cybersecurity role for David Thornewill, in March 2020, it was more than a show of faith in his talent. It was, says Thornewill, a recognition that the multinational corporation, with multiple divisions doing business in hundreds of countries, needed a unified way to fight off cyberattacks.
“As cybersecurity began to command a greater share of mind and wallet, we realized we needed better coordination,” says Thornewill. “Because people don’t attack divisions, they attack brands.”
Today, Thornewill is the group chief information security officer (CISO) for the logistics giant and expects to relinquish his previous title of CIO for headquarters operations next year. (The company grew out of the privatized German post office and pulled in
$77 billion in revenue in 2020.) Its size and distribution networks mean its cybersecurity gatekeepers play a critical role. Each division, including DHL Express, DHL Supply Chain, and DHL Global Forwarding, has a CIO and CISO, as does each business unit. Thornewill’s role is to coordinate the various cybersecurity efforts among all of them.
Not every organization has the same scale of needs as Deutsche Post. But Thornewill’s new role aptly points up the growing importance of qualified CISOs in the face of today’s global cybersecurity crisis, and that increased standing is reflected in their compensation.
Median total pay for CISOs in the U.S. jumped 19% to $936,000 this year, from $784,000 in 2020, according to a survey by recruitment firm Heidrick & Struggles. Total compensation was up an average 12%, with the most generous packages found at companies on the West Coast. In that region, total annual compensation averages over $1 million at public companies and $731,000 at private ones, according to a study by Hitch Partners.
As companies emerge from the pandemic, ramp up operations to pre-pandemic levels, continue their digital transformation journeys, and seek to secure their networks, they’re finding CISOs hard to find.
Making the search more acute: Security professionals are struggling with burnout from the stresses of the role, and candidates are getting pickier about what salary or reporting structure they will accept.
As a result, professionals like Bryan Kissinger, vice president and CISO at Trace3, a technology and IT consultancy firm, are increasingly devoting time to providing consultant CISOs to organizations that can’t afford to hire them on a permanent basis. While Kissinger says a mismatch between supply of talent and demand is good business, there’s a flip side. “I’m working with former CISOs where I’m faced with the daily challenge of retaining them and paying them enough to keep them interested,” he says.
Deutsche Post deals with that challenge by upskilling employees who already have talents in application security, DevOps, risk management, or threat hunting, helping them gain necessary certifications and offering career coaching. “I would rather take somebody passionate than educated,” says Thornewill. “I can always educate a passionate person,” he says.
CISOs must be adaptable, quick-thinking, and it helps if they’re bilingual, meaning they can speak both tech and business outcomes to a leadership audience. Some 90% of CISOs present to corporate boards, and three-quarters do so on a quarterly basis, according to the Heidrick survey. “Boards are asking more questions about technology than ever before,” says Martha Heller, CEO of Heller Search Associates, which recruits corporate CIOs, CTOs, and CISOs. “The ability for the CISO to know how to speak to the CEO, the CFO, and the board is the top skill we’re looking for.”
Who reports to whom?
For CISOs, whom they report to is becoming a key factor in weighing job offers. In many business sectors, CISOs have traditionally reported to CIOs. This has often yielded cries of conflict of interest from CISOs, who complain their security priorities are placed second to the operational and business goals of the CIO.
The ability for the CISO to know how to speak to the CEO, the CFO, and the board is the top skill we’re looking for.Today, it’s still common for CISOs to report to a CIO, according to the Heidrick survey, in which 38% of respondents cited that structure, 16% reported to a CTO or engineering leader, 12% to a COO or administrative executive, 11% to the CEO, and the rest to a smattering of other titles, including global CISO and chief risk officer.
Opportunities for conflict in reporting lines are real, says Thornewill. For example, a CISO may want customers to use multifactor authentication, but the CIO would rather prioritize convenience. CISOs can’t expect to prevail in every case because part of business is accepting some risk. But they do want their concerns taken seriously, says Thornewill.
In his own corporate structure, Thornewill reports directly to Deutsche Post’s CEO. He says the CISOs in the group’s major divisions do most of the work of keeping the organization secure and have a more traditional reporting structure. “The divisional CISOs report to the local CIO, which I’m not sure is the best structure, but it’s the way we do it,” Thornewill says.
He tries to give the divisional CISOs “somewhere else to go” if they are not being listened to. Reconsidering who the CISO should report to—perhaps the COO, if not the CEO—is “worth some serious thought,” Thornewill says.
The ideal structure probably varies based on the maturity of the cybersecurity program, Kissinger says. If an organization has a well-developed program, then it might be helpful for the CISO to have more independence. On the other hand, for a corporate CISO who is trying to grow and develop a cybersecurity protocol, “being part of the IT team can be very, very valuable,” he says.
The ever-changing CISO
While the need for CISOs is rising, their roles and responsibilities are always changing.
Traditionally, the job has required technical IT skills as well as a deep knowledge of network and application security, penetration testing, and defensive countermeasures. As the need for more sophisticated and more expensive security tools and processes increases, CISOs have to offer strategic insight and experience of other elements of business, like finance and compliance.
The CISO must also be both a skilled communicator and an expert on governance, regulation, risk management, and auditing.
Thornewill has an MBA, which helps him speak the language of business and finance when talking with the CEO and CFO. In 20 years at the company, he’s worked across many parts of the enterprise, including logistics. He says some of his CISO colleagues have deeper technical skills, while others have finance and compliance backgrounds. Above all, says Thornewill, CISOs need to be inquisitive and constantly learning.
Given that the value of CISOs is increasingly in their on-the-job training, employers are becoming more willing to look at candidates who meet just some of the qualities on their wish list and show growth potential.
“We’re predominantly working with candidates who are not a finished product,” says Michael Piacente, managing partner and co-founder at Hitch Partners, which recruits cybersecurity talent for cloud-focused tech companies. He says candidates may have a particular “superpower” in network security, application security, or governance, risk, and compliance, but they need coaching in other skills, like jargon-free communication to the board.
One strategy to reel in a talented CISO is to realize their ambitions—for example, by offering a corporate board seat. In Heidrick’s survey, while only 4% of CISOs said they sat on a board, half said they wanted to become board members. Heidrick says this goal may be achievable given that many CISOs are already sitting on advisory boards, “and that cybersecurity will continue to increase in importance as more elements of operations go entirely digital.”
A challenging recruitment issue has been the traditional talent pool for CISOs. In Heidrick’s CISO survey, more than 80% of respondents were white and more than 80% were male. That may change in the near future. This year, the recruiter says, they are “seeing greater diversity among people taking the CISO role and greater focus from companies on hiring diverse CISOs.”
Heidrick says it expects companies to increasingly look outside the traditional industry “to find the best executives for the role, including people who are diverse in terms of gender and race or ethnicity, as well as industry and functional expertise.”