back to article Quick, better lock down that CISO role. Salaries have apparently hit €1m

Salaries for chief information security officers (CISOs) at leading European firms have hit €1m (£850,000) as the threat of data breaches grows, City AM reports. An experienced CISO told El Reg that only his counterparts in merchant banks could hope for such a salary. "Outside of investment banking I think total packages of £ …

  1. Alister Silver badge

    evidence that the startling rise of cyber attacks year-on-year has caused boardrooms to recognise the dangers of hacking for companies' bottom lines, reputation, customer retention and employee confidence.

    Except at Talk Talk...

    1. mwnci

      I think you'll find Talk-talk are probably one of the few who take it seriously and have invested...Nothing like a Grade A cock-up to make you think twice.

      1. Tom Paine Silver badge
        Thumb Up

        As a grunt in the trenches

        I've always said that my three biggest allies for getting management to pay attention and then do things are:

        1. Demanding customers

        2. Demanding regulators

        3. Well-resourced, skilled and motivated attackers.

  2. ElReg!comments!Pierre Silver badge

    Meaningless if...

    ... the punters are hired to add some security as an afterthought on intrinsically insecure procedures. ITSec is not a million-dollar CISO, it's a corporate culture.

    1. Tom Paine Silver badge

      Re: Meaningless if...

      In my experience, having a CSO is a good proxy for being prepared to spend time and money on security. It certainly doesn't guarantee good security practices, but NOT having a CSO is IME usually a sign of an organisation that really doesn't get it.

  3. Anonymous Coward
    Anonymous Coward

    Eye-watering CIxO salaries mean absolutely nothing...

    if the organisation's project management culture allows these people to sign off on projects that then, almost immediately, show that they aren't worth the paper they were written on. I could name one organisation that spent ~£633,000 on a new backup strategy that was signed off by the CIO just 5 months before a massive, unrecoverable, data loss incident exacerbated by the design of the new system. I'm not saying any more, because I want to keep my job.

    The hypothesis is that if these highly paid individuals DON'T do their job, then they won't get new jobs in that role if they prove to be incompetent. But then the embarrassment factor for the company when they get it wrong means it all gets hushed up and they keep their job because for them to leave would be far, far too obvious.

    That's what happened.

    1. Dr Who

      Re: Eye-watering CIxO salaries mean absolutely nothing...

      *Roughly* £633,000? That sounds quite specific to me.

      Some kind of fookin' tape drive that must have bought! Or was it £500 for the tape drive and tapes plus £632,500 on backup rotation design consultancy and tape changing training.

      1. Naselus

        Re: Eye-watering CIxO salaries mean absolutely nothing...

        "Some kind of fookin' tape drive that must have bought! "

        Sounds more like live backup to off-site SAN storage to me, tbh. Which could easily top 600k if you have enough data. Not sure how it would fail to prevent the data loss, though, aside from possibly if they put it in the same server room as the main systems...

        1. Anonymous Coward
          Anonymous Coward

          Re: Eye-watering CIxO salaries mean absolutely nothing...

          I can't say much more, but it was ~£350,000 in capital costs, hardware and software, and the rest made up of ongoing costs relating to staffing, licenses and facilities charges. It was intended to replace an old tape backup system that had been identified as a weak point in the DR, but which proved to be the only source for restoration when the hardware failed. Live off-site SAN backup WOULD be what you think they'd designed and signed off on... snapshotting to the very same same SAN, on-site, as they were backing up was what they actually achieved. Heads should roll, but instead it's all being hushed up.

        2. Anonymous Coward
          Anonymous Coward

          Re: Eye-watering CIxO salaries mean absolutely nothing...

          For between 100 & 150 Tb current, increasing annually over 5 years. Does that sound like good value to people?

  4. Doctor Syntax Silver badge

    Advice given by someone on €1m will obviously be better than the same advice given by someone on £100k. After all you paid more for it.

    1. Naselus

      Unfortunately, that's largely the logic on some boards. You can ignore the CISO if he only cost 60k, but if he costs a million then he outranks the lesser boardlings. Which is, of course, why the beancounters and the lawyers tend to rule the roost.

    2. JimC Silver badge

      > After all you paid more for it.

      Sadly true. Also, of course, the principle that keeps high cost consultancy organisations in business.

      I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons.

      The other thing that makes me wonder is that the chief execs deputy seems to earn about half what the chief exec does, yet must surely be competent to step into his shoes at any time. So are the deputies wildly underpaid or...

      1. mwnci

        Re: > After all you paid more for it.

        I'd love to get some people who think this, to actually do some of the jobs these people do and then judge. My CISO does 90hrs a week, and literally reads 300pages a night...then goes to meetings about that 300pages, goes all over the place working on X and Y and grapples with massive problems (like PSD2 implementation, GDPR etc), which if they are wrong could end up with 1500 of us losing our jobs, and 2 million customers not being served. He still does all the other stuff, recruitment etc, and his working day does start until after 16;00 when he can get work done rather than goto meetings. He's on 200k a year, great you think, what if I told you everytime you are on annual leave you get recalled, and you haven't had more than 3 days off in 18months? It's easy to focus on the money, but not focus on what they do...and the sacrifices, i earn a good crust 1/3 what he does, i can take leave when i want, never get recalled, am responsible for a small chunk not the whole...i work hard, but no where near his level, I'm in by 08:00 home by 18:00, no extra reading, no logging on in the evening for an extra 3 hrs.

        1. Tom Paine Silver badge

          Re: > After all you paid more for it.

          You're home by 18:00 and don't do out of hours reading? How do you keep up with threat intel, new vulns, new tools, changes in management frameworks, etc etc?

        2. Naselus

          Re: > After all you paid more for it.

          "I'd love to get some people who think..."

          No-one is suggesting that the guy on a million a year doesn't work hard. We're just also suggesting the guy on 100k also works just as hard, but isn't listened to because he's not costing as much.

      2. Tom Paine Silver badge

        Re: > After all you paid more for it.

        I do wonder whether any studies have ever been done to see whether mega bucks executives are worth the money compared to cheaper ones. I suspect not for obvious reasons.

        Like these, the first three hits for "Harvard Business review directors remuneration" ?

        https://hbr.org/2016/07/improving-the-way-boards-ceos-and-shareholders-interact

        https://hbr.org/1999/03/new-thinking-on-how-to-link-executive-pay-with-performance

        https://hbr.org/1990/05/ceo-incentives-its-not-how-much-you-pay-but-how

    3. Anonymous Coward
      Anonymous Coward

      Not even that.

      The CISO has been promoted to a full member of the golfogarchy(*), the ruling caste in a golfocracy. His dept has been in the news long enough for the people who have the caste entitlement to use the "I had no clue what my employees were doing" defense in a trial or parliament committee hearing (they are marked with C in the title nowdays).

      That, however, applies solely to the CISO. The low caste scum reporting to him is not getting any more dosh or any more budget for technical equipment as a result.

      (*)In the meantime, the proles pray for the day when they will have a golf club shoveled up their arse

      1. Anonymous Coward
        Anonymous Coward

        Sir, please subscribe me to your newsletter. Post haste! Not since Ass Pennies* have I heard a more sound proposition; golfers with their clubs up their asses, yet I'm thinking, yes, they just play though like that! No hands, just assholes with their ass clubs. Thank you, and I look forward to the your next issue!

        *Ass Pennies® are an invention, and registered trademark, of the comedy TV series:

        https://en.wikipedia.org/wiki/Upright_Citizens_Brigade_(TV_series)

        The joke is that you shove pennies up your ass, tons of them, then spend them around the town. You then get a positive mental boost from knowing that the person you are dealing with probably handled one, or more, of your ass pennies, thereby giving your a secret business advantage. I know, it's pretty awesome.

  5. Marketing Hack Silver badge
    Black Helicopters

    Hmmmm.....

    1) Launch global worm bearing malware nastiness package

    2) Circulate CISO resume

    3) Profit!

  6. marion43
    Alert

    Really interesting article on why employees lose their jobs, particularly as it quotes DHR International. Of course, DHR are a master at getting rid of people. When a number of their employees sued DHR in the Employment Tribunal and won bigly, DHR simply put the UK business into liquidation and started again! See http://www.recruiter.co.uk/news/2017/03/dhr-global%E2%80%99s-uk-business-forced-liquidation and http://unofficial-dhr-international.blogspot.com/2015/11/dhr-international-in-united-kingdom.html and http://www.recruiter.co.uk/news/2017/04/ex-ctpartners-consultant-wins-dismissal-case-against-troubled-dhr-global

  7. DougS Silver badge

    Having a million dollar/pound CISO wouldn't stop WannaCry

    A cheap one could still say "patch early, patch often" as far as security patches go, don't use obsolete OSes and so forth, and when that causes pain like a patch that breaks stuff or expensive migrations off Windows XP, they have to be able to convince everyone affected that this pain is preferable to the pain of IP theft / malware / ransomware / etc.

    I suppose spending a fat salary on a guy would impress upon everyone else "we think security is important enough to pay big bucks for", but it won't make convincing that everyone else of the above any easier.

    1. Naselus

      Re: Having a million dollar/pound CISO wouldn't stop WannaCry

      Actually, it might.

      It's an accepted cultural thing in business that a man with a bigger salary carries more weight in discussion. If your CISO costs a million quid a year, he has much more clout to argue for whatever his expert staff say should be happening than a 50k CISO who is there simply so the company can say it has a dedicated CISO.

      Sure, the real way of stopping individual bits of malware is to have good techies... but the CISO ought to be able to take what the techies say, convert it into boardspeak, and then successfully make the case that it ought to happen. His odds of successfully making that case are at least partially contingent on his salary being big enough to ean the respect of the other executive board members.

  8. Anonymous Coward
    Anonymous Coward

    Request for nano-violins

    I could do the job of a CSO, but I'll never get the title because I know far too much about security; that makes me a "technical specialist". If only I'd spent time going to dinner parties with the bourgeoisie and learned how to make small talk about house prices and the difficulty of finding good au pairs! Oh well, never mind, back to the PCAPs...

    (I know more about non-tech aspects like risk, policy, ISMSes and frameworks, governance and the law than the next two layers of management above me, too, but as they've permanently filed me under "nerd" they pay no attention to anything I say on the subject. Saves me from getting into trouble for explaining what a risk assessment is, again, though.)

    1. Naselus

      Re: Request for nano-violins

      And with that kind of modesty and self-deprecating humour, I'll bet you don't rub people up the wrong way or strike them as arrogant at all.

    2. Anonymous Coward
      Anonymous Coward

      Re: Request for nano-violins

      Then you clearly don't want the job. All layers of security are short of good people so go and do 2-3 years as an Information Security Manager at one or two places, then get a CISO job in a smaller place. If you're any good at it then in ten years you'll have shed the nerd specs and will be more worried about decent au pairs.

      Or stick to what you do because it suits you but don't complain.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019