Information Security News mailing list archives

What's a Chief Security Officer Make? Depends on Where You Look


From: InfoSec News <isn () c4i org>
Date: Thu, 21 Mar 2002 01:58:28 -0600 (CST)

http://www.eweek.com/article/0,3658,s=720&a=24376,00.asp

By Jeff Moad 
March 20, 2002

Grooming yourself to be a chief security officer? Pick the right
industry and you could find yourself reporting to the CFO and pulling
in upward of $400,000 per year, plus a 25 percent bonus. Pick the
wrong industry, however, and you could find yourself in the $70,000-
to $90,000-per-year range and reporting well down in the chain of
command.

According to a new research report from Giga Information Group Inc.,
of Cambridge, Mass., CSOs in financial services companies are most
likely to pull down the big bucks and to report to top management.  
Among financial services industry CSOs, those reporting to the CIO can
expect to make between $125,000 and $270,000 per year plus a 15
percent to 25 percent bonus. Financial services industry CSOs
reporting to the CFO or COO can earn up to $400,000 per year.

While financial services companies appear to be on the cutting edge
when it comes to granting top status and pay to CSOs, high-tech
manufacturing companies and software companies are not far behind,
according to Steve Hunt, Giga vice president and head of the company's
security practice.

Telecom companies, utilities and manufacturing companies, on the other
hand, are the least likely to treat the CSO as a high-paid,
high-ranking officer - if, in fact, they have a CSO at all. At
companies in those industries, CSOs tend to report to executives two
levels below the CIO and to earn between $70,000 and $90,000 before
bonuses, which average 15 percent.

Surprisingly, given the amount of sensitive information involved and
the importance of regulatory initiatives such as HIPAA (Health
Insurance Portability and Accountability Act), healthcare companies
are among those that apparently can't afford to grant high status and
high salaries to CSOs, according to Hunt. But, Hunt said, there may be
a reason for that.

"Why did the healthcare industry need HIPAA in the first place?  
Because they didn't take security seriously. In many ways, they still
don't," said Hunt.

The wide variety in CSO salaries and reporting status, said Hunt,
suggests that the position is still new and that many companies haven't
decided what a CSO is supposed to do and how important the role is.

"It's not a whole lot different than the CIO position 12 years ago,"  
said Hunt. "Then, many CIOs were really simply middle managers in the
data center. Only a handful were big shots."

Hunt predicted that the role of CSO, while still controversial and not
well-understood in many companies, will mature and attain consistent
salary levels over time. In some industries - including financial
services - the CSO may end up on a par with the CIO, with the CSO
overseeing all risk management functions, Hunt said.
 


-
ISN is currently hosted by Attrition.org
