It took a US$650 000 (R9.7-million) salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.
This year, the company had to pay $2.5-million (R37.4-million) to fill the same role.
“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specialises in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”
The threat of digital breaches — and the fines, lawsuits and occasional executive resignations that sometimes follow — has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who were once confined to obscurity in the IT department, little more than an afterthought to senior management.
In the 12 months ended August 2018, there were more than 300 000 unfilled cybersecurity jobs in the US, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education. Globally, the shortage is estimated to exceed a million in coming years, studies have shown.
That’s coincided with increased frequency and sophistication of digital attacks, which range from disruption of computer systems to extortion and theft of sensitive personal information.
Unlimited budget
In April, JPMorgan Chase & Co CEO Jamie Dimon told shareholders that cybersecurity “may very well be the biggest threat to the US financial system”. His counterpart at Bank of America, Brian Moynihan, said previously that the lender’s cybersecurity unit operates with an unlimited budget.
Just last week, Capital One Financial disclosed that personal data of about 100 million customers had been illegally accessed by a Seattle woman, possibly one of the largest breaches affecting a US bank. The firm’s shares have fallen 8.9% since the intrusion was revealed.
In late July, credit reporting firm Equifax agreed to pay up to $700-million to settle federal and state investigations into a 2017 hack that compromised sensitive information of more than 140 million people and led to the resignation of the firm’s long-time CEO Rick Smith.
Industry insiders joke that there are two types of companies: those that have been hacked, and those that haven’t yet discovered that they’ve been hacked. “If you’re not careful, you can get numb to it,” said Andrew Howard, who leads the enterprise security division of Kudelski Group.
Equifax paid Jamil Farshchi $3.9-million in 2018 to take the job as chief information security officer. He joined from Home Depot, which had hired him in the wake of a 2014 breach that exposed credit card information belonging to 56 million customers.
While most US firms don’t disclose compensation for top information security executives, Comyns said big tech firms on the West Coast can pay as much as $6.5-million, most of it in stock. In some cases, direct reports can make around $1-million — more than their bosses typically would have made just a few years ago.
Aware of the challenges of replacing a security chief, many companies take unprecedented measures to keep them, with CEOs often getting involved in the negotiations. In one recent instance, Comyns said, a CISO who considered leaving was told to go home and write down 10 things that would change his decision. The list included a 50% increase in salary and bonus, more than doubling his long-term incentive award, a promotion and a new office. The CEO concurred, and the person stayed.
Hefty raises can pale in comparison with the potential downside. The average cost of a breach for US companies was about $8-million, according to a study from IBM and the Ponemon Institute. Equifax shows that the cost can be many multiples of that.
Insurance can cover financial expenses, but won’t help restore lost customer trust and a tarnished reputation, said James Lam, a director at E*Trade Financial who also advises companies on risk management, including cybersecurity.
Expanded responsibilities
CEOs may be inclined to spend more because their own jobs and reputations could be on the line. Gregg Steinhafel resigned as CEO of Target in 2014 after a hacker attack that compromised 40 million credit card accounts rocked the already-struggling retailer.
That episode “got everyone’s attention”, said Kudelski Group’s Howard, and led to scores of companies appointing people with cybersecurity expertise to their boards.
It’s also pushed many companies to expand the responsibilities of information security staff, ensuring that their work spans the entire organisation. To Comyns, that means their pay will continue to increase.
“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns said. “Then they stand in the door and say, ‘You’re not going anywhere.’” — Reported by Anders Melin, (c) 2019 Bloomberg LP