Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, and understanding the threats most impacting the cloud today.
Cybersecurity compensation 2025
In this conversation, Steve Martano discusses his journey from writing about baseball analytics to becoming a key player in cybersecurity executive search and strategy. He emphasizes the evolving role of CISOs, the importance of aligning with business objectives, and the need for strong leadership skills. The discussion also covers trends in CISO compensation, the mental health challenges faced by security leaders, and the significance of organizational culture in driving satisfaction and effectiveness in cybersecurity roles.
The Latest CISO Compensation Trends & Benchmarks.
Takeaways
- Understanding economics can enhance a CISO's effectiveness.
- Compensation data must be contextualized for accurate benchmarking.
- Low attrition doesn't always indicate job satisfaction.
- CISOs face increasing pressures and scope creep in their roles.
- The job market is expected to become more active in 2025.
Chapters
- 00:00 The Journey from Baseball to Cybersecurity
- 05:53 The Intersection of Leadership and Cybersecurity
- 12:00 Mental Health and Satisfaction Among CISOs
- 17:49 Preparing for Future Attrition in Cybersecurity Roles
- 26:29 Engagement and Satisfaction Beyond Compensation
- 32:13 The Evolving Role of Cybersecurity Leadership
- 38:15 Mentorship and Professional Growth
Matt (00:00.942)
Steve, welcome to the show.
Steve Martano (00:03.095)
Thanks Matt, thank you for having me.
Matt (00:04.546)
This is going to be fun. This is going to be fun. So one of the things I dug up when I was looking at your profile that really just caught my attention was back in 2012, you were a writer and editor at SB Nation's Beyond the Box Score. So I got a bunch of questions about this, but what drew you to this opportunity and what did you learn then that you still use now in your current role?
Steve Martano (00:29.333)
Yeah, thanks. That's digging deep in the bio for a side gig that I was doing while I was doing industrial and cyber recruiting. So Beyond the Box Score was an analytics-driven baseball statistical site, one that was frequented by general managers of teams and data analysts for different teams. And in fact, many of the people on our staff got recruited to teams. I was drawn to that site in particular just because of the compelling narratives that their writers would create based on baseball statistics.
Matt (00:57.71)
Hmm.
Steve Martano (00:57.911)
I have a master's in economics. I wrote my thesis on looking at pitcher statistics and trying to derive different metrics and things like this. So I worked for SB Nation just as a night job, side hustle, beer money type job for about six or seven years. And taking those narratives in baseball and looking at it from a statistical perspective really helped me in the work that we do with our Comp and Budget Survey with IANS Research, because it's
taking all this data that's out there, making sense of it, coming up with a narrative that's helpful and in many cases actionable for people in the market. So that skill set, it's interesting, has come all the way through, which is fun. I'm still a baseball fan. I don't write anymore, but still enjoy it. And that definitely helped me get a different perspective on the game and a different perspective on statistical analysis and crafting narratives around that.
Matt (01:50.99)
I think there's some lessons you could probably teach CISOs there on economics because my take generally with CISOs is that the industry I think has changed probably in a good way in the last three to five years in terms of CISOs understanding that they've got to speak more of the business language. They can't go before the board and talk about,
Steve Martano (01:54.113)
Yeah.
Matt (02:11.918)
firewall denial rules, things like that, that just doesn't work. But I'm curious though, now that I, and I didn't miss that on your background, that you have a background in economics. So I apologize for that, but I'm curious, and I'm going off the script here a little bit, like that background in economics, when you look at what you see with CISOs, because you spent so much time digging into compensation and things like that. Do you think that's something that CISOs would benefit from?
Like just understanding more of economics and business and things like that. How has that changed maybe over the last couple of years? What's your thoughts on that?
Steve Martano (02:45.065)
Yeah, I think that we're in year 10 of probably a 30 year transformational journey. And it is, right? But when I started in recruiting in 2010, I was doing industrial recruiting and then I came into cyber recruiting and focused on cyber recruiting for now going on 12 or 13 years. This cohort of CISOs has been elevated to a point where you have to speak a business language. You have to know what's going on in quarterly business reviews. You have to be listening to your earnings calls if you're at a public company.
Matt (02:50.605)
It's long.
Steve Martano (03:11.999)
and really understanding ROI not only in terms of your company, but in terms of your program, because it's impossible to go and craft that story around the budgeting unless that's married to the business objectives. And you say, okay, well, in our last three earnings calls, we talked about this being a topic. Well, whatever that is, there's gotta be a security implication for it. And so take those tailwinds and move them forward so that you can match what you're doing in the program. It's, hey, we need to fund this.
particular part of security because it's embedded in the expectations that the board and the C-suite and senior leadership has outlined.
Matt (03:49.678)
It seems like it's common sense, I've seen it often not be that way. But I think that's a trend, like you said, that is changing, thankfully, and moving in the right direction. So, blah, blah.
Steve Martano (04:01.707)
Yeah, and I think that there are people who are more business minded than others. But if you really want to be at the C-suite level and the leadership table, you have to do that. There are plenty of CFOs out there who are really strong controller or accounting backgrounds, and they could talk about FASB regulations all day long, but that's not what your senior leadership or board wants to hear about. So knowing when to elevate up and knowing when to go down into the operations.
that's imperative for CISOs and really any C-suite leader. And I think that when we find an environment where most people have come up the ranks through the technical aspects of security, those bona fides are there. Now you need to elevate the soft skills. Now you need to elevate the business acumen. And that may be through an MBA or formal programming, but not necessarily either. There's a lot at our fingertips through mentoring and just self-teaching related to business acumen.
Matt (04:55.276)
So speaking of boards and senior leaders, there are a lot of boards and senior leaders who seek you out specifically because you've carved out a niche in cybersecurity executive search and strategy. I'm curious, you know, again, you were doing the baseball writing for some beer money on the side, but what initially drew you to this kind of intersection of leadership in cybersecurity? I think you mentioned you were in industrial recruiting before. Maybe what exactly is that? I think I know what that is, but.
Steve Martano (05:23.605)
Yeah, so I started my career working for Sikorsky aircraft, which was part of United Technologies. I was working in finance and program planning and so tracking where helicopters were in the manufacturing cycle, ensuring that they were on time or not or on budget or not, and reporting that to different clients that we had on nation states, different militaries, the US military, things like this. And I ended up at Russell Reynolds Associates in their industrial practice for the first few years of my career.
Working on supply chain initiatives, working on general management roles for various manufacturing and diversified industrial companies. Once Matt Comyns joined, so I joined in 2010, my colleague and our president and co-founder Matt Comyns, he joined in 2011 in the tech group. Our offices were next to each other. And about a year into his tenure, a security search came over the transom and it was, well, we don't really do these searches. They're not really executive level searches, or they hadn't been to that point.
Hey, new guy, why don't you go do this? And so it ended up on Matt's desk and Matt said, you know, I think the more that he was in the market, he said, I think there's a big problem here. I think this category is going to absolutely be a huge thing. Maybe even ride out the rest of my career. I don't want to go alone. Do you want to partner with me on this? And so I was doing half time and it went pretty well with what I was doing from a supply chain standpoint, because there was an automation component and an OT component to all of that as well. And so eventually,
It started 50-50, industrial and then cyber, but then cyber just kept getting weighted more and more and more. The compensation packages continued to increase. And this was at a time where Fortune 500 companies did not have a true CISO, head of information security, that had any influence. It was just a back office tech function. And I saw an opportunity not only to be recruiting these individuals and being an expert in this area, but also helping guide a group that had...
not necessarily had C-suite leadership aspirations in the business sense that we alluded to earlier. And so to be able to not only do these searches and serve as advisors to our clients, but also to be embedded in this community. And Matt and I have been going to RSA and Black Hat, and I've been on the ISAC speaking tour and things like that over the last few years as well. It's also to be on the ground with practitioners to help elevate your brand and your program and really listen to what your concerns are, but then also go and do an NACD talk.
Steve Martano (07:45.651)
and hear what the board members are saying and be able to be that bridge. It's much more than tactical recruiting, but just advising clients, but also advising the candidate pool to get people to the right place and be thinking about their career in the right way so that they can achieve whatever trajectory and aspirations that they have, to be best positioned to be able to do that.
Matt (08:03.96)
So your recent survey highlights some trends in CISO compensation and also budget allocation. So this is something that I know was pretty highly sought after in the industry. Everyone's always looking to see, you know, if you're a CISO or even maybe not a CISO, but just a very senior security leader, you kind of want to benchmark and see like, Hey, how, you know, how am I doing from a comp perspective? And then from a budget allocation perspective, it's the same thing, right? No one necessarily wants to be way out of range from a peer.
So, you know, let's talk a little bit about maybe what you found most surprising in your most recent research or counterintuitive of maybe some of the findings from this year's report.
Steve Martano (08:44.385)
Sure. Maybe we go back to the beginning, go back to the genesis of this, because I think the most surprising thing we found through all of this was when our clients came to us with specific questions on compensation or budget allocation and things like this, there was a ton of misinformation. Misinformation that was not even remotely close to what Matt and I were seeing in the field, from very credible sources. Big Four and big consultancies saying the average CISO compensation is X, and that number was in a vacuum. It was inaccurate. There was no context around it.
Matt (09:01.934)
Hmm.
Steve Martano (09:14.485)
Are we talking about a hospital CISO? Are we talking about a B2B tech SaaS CISO? Are we talking about a financial services top 10 bank CISO? Those are different jobs and different skill sets for different sets of people. And so we decided to partner with IANS Research. So they're bringing their research capabilities, their analytics around that. And we're bringing our full net coverage of all of the market. We had 800 CISOs participate this year from all different sectors and walks of life and different backgrounds to be able to say, okay, well now we have a sample size.
we can actually give you what your peers are doing. We can actually do some really legitimate benchmarking where it's not just a sample size of ADCs. So it's okay, we have one or two that look like you. No, we have like 30 or 40 that look like you. Or tell us what parameters you want and we can go and do those data cuts. Some of the surprising things, I guess, I think it was a lot of validation and security doesn't happen in a vacuum. And even though we saw big spikes coming out of the pandemic, the height of the pandemic too,
for hiring, compensation and counter offers and multiple offers, security tracks the market. And so when the market is sputtering along and not really in lockstep, like it was in 21 and beginning of 22, the budgets and the compensation are affected by that. And while we're seeing increases in all of those pieces, they were increasing at a decreasing rate. So now the question is, okay, if we go into 2025, we have a more healthy economy and general macro environment with
interest rates being lowered, inflation numbers cooling, and just a general more business-friendly environment. What does that do to security? What does that do to the market? I think one of the most surprising things that we saw is that attrition is really low, but it's not necessarily because everybody is happy and satisfied in their role. 80% of the people that we talked to practically said, I would jump for something else. I just haven't found that discernibly better something else. And so I even tell CISOs,
think about your teams and think about your leadership underneath you or two layers underneath you, or even from an engineering perspective and an IC perspective, you may be looking at a program that's had record low attrition. What's really driving that? Are people really that happy or is this just, well, this is a good port in a storm. It's good enough for now. My comp is good enough for now. My team's good enough for now. My mandate's good enough for now. That's something that I think really requires some self-reflection and thinking about locking people up, not only financially, but in terms of opportunity.
Steve Martano (11:37.313)
for 25 and 26 so that you're not behind the eight ball as companies start to hire and things like this. Because the first people to start the hiring now are the ones who are going to have their pick of who's available. Waiting six months or eight months and the top people that you may want to pursue may no longer be available or they may be more expensive or they may have just taken another job and they may not be considering it.
Matt (12:00.088)
How much have you guys gone into in terms of maybe you call it the psychology or mental health well-being of CISOs? This is something that was talked quite a bit about over the last two years, just in terms of, you mentioned a decade ago, you guys didn't even really consider the senior leader a true leadership role, right? And I would say that was the case in probably all but some of the largest companies in the world.
Now that they have been elevated in many cases to either right below the board level or at that level, I think there's pressures that come and stresses that come naturally along with it. But I'm curious from your perspective, have you seen or have you guys looked at that piece of it to see if there's any kind of correlation or just any thoughts on that?
Steve Martano (12:48.011)
Yeah, so we have a satisfaction component to our survey and it hasn't changed too considerably over the last few years. But anecdotally, I will say that we're at an inflection point where there's a lot more stress on the role. CSOs are being asked to do more with less. The scope creep conversation is definitely real and people have mandates for much more than just information security at this point and maybe budgets and compensation that doesn't necessarily match that.
But where we see the satisfaction and you talk about mental health, you talk about just general, I feel in alignment with what my organization is doing. We find that that is when the CISO is in lockstep with the leadership team, with the board. They're getting the right amount of time, the right amount of reps with those groups so that you think about security from a governance perspective. Okay, here are your marching orders. Here's the budget and resourcing to be able to do that. And then operationally running a really strong.
So the most satisfied CISOs and those who feel like they're in a great spot say, I don't have to fight for budget. I align it with what the business is doing. I talk about what we need. And I think that that's been a transition over time because it used to be security is the no group. Well, you can't do that. And there was getting in the way. And then it went too far the other way, which was we're the business enablement group. You could do anything. That sounds great. And that's not really our job either. So it's finding that mix of, yes, we can do this. And here are the security implications of
And here are the budget requirements and resourcing requirements for that. So it's not a no because, and it's not just, yes, let's do it. It's yes, and here's what we need to do to do that effectively. Or it's yes, and here's how our risk posture has changed. Or it's yes, and here's how we think about risk in the context of this discussion. And I think that that's really different than what the conversations were and how CISOs thought about this five years ago. And that alignment really helps. I think we saw a major dip.
with the SEC requirements that came out about a year and a half ago, because I think that there are practitioners who said, gosh, I was really hoping that there would be a requirement to have a security practitioner on a board. And we did some research around that and that didn't happen. And the SEC basically said, this is an operational challenge at its heart. There are governance implications of it. That's not necessarily the worst thing. And I think that we think about security as a team sport, getting alignment with the board, getting alignment with cross-functional peers.
Matt (14:48.366)
Yeah.
Steve Martano (15:14.151)
And this is a great opportunity. And so the CISOs out there who recognize that opportunity and take the most of it actually meet the board and meet the C-suite where they are. The board and C-suite can't just stay up here and say, well, I don't understand why our CISO doesn't have the right business acumen or is communicating in this way or that way. They need to enable practitioners to go get better. What types of programming, what types of training, what types of mentoring. And then the CISO has to aspire to do that as
So it's a meeting of the minds in the middle that really helped drive satisfaction. And I think the best mental health of, I'm not on an island, right? This is a team sport. We're working on this together. I know what my mandate is. I'm funded properly. this, we're reprioritizing things because the funding doesn't match what we're expected to do. The people who are most dissatisfied is when there's a misalignment and a misunderstanding, it's everything I say gets sanitized. My leadership doesn't really know the risks of the organization or they do and they seem like they're...
they're a little bit apathetic or they're open to those risks. There also has to be a personal risk tolerance alignment with the general organization. Some individuals are more risk averse than others and finding that right job for you will lead to more satisfaction.
Matt (16:24.686)
Sounds like there would be a correlation with just the overall organizational culture, right? I've been in organizations where the cultures are just difficult. Let's put it that way. To put it nicely, they're difficult. It seems like there are different factions in the company. And certainly, when I think of those roles that I've had, some of the largest companies I've worked for, those are just ones where there just seems to be misalignment across the organization. And you're just going to have stress from that alone, right?
And yet then I've got some colleagues that are in some, you know, large companies, but not, you know, some of the largest, maybe call it, you know, Fortune 1000. And they've got amazing alignment from the board to the CISO all the way down through the security organization, where they've built such rapport and trust with the rest of the organization that there was a scenario when they were rolling out DLP a couple of years ago that they said, Hey, can we roll this out faster? And when do you hear that? I mean,
Steve Martano (17:21.887)
Hahaha
Matt (17:22.683)
It was actually the only time I've ever heard it in my 20 plus year career that a CEO literally said that to the security team, and because they showed the value of it, right? And they didn't try to roll it out all at once and basically block everything, which often happens. But they rolled it out in a way where they communicated and educated very far in advance. What were the values? Why were they doing it? Here are the benefits. And they were able to show like, hey, look at the stuff we're catching.
And that's when the conversation came after about six months. Can you guys roll this out faster? It seems like there's a lot of value and you're really protecting the organization. And there again, Steve, that is a fairly rare example of alignment, but it's also that specific organization that I'm referencing. They're one that they just have a phenomenal culture in general.
Steve Martano (18:13.013)
Yeah, and I think that something that can't be understated is having a good pulse on the level of change that your organization is in and the speed of change that your organization is open to is super important. And it sounds like in this example, a really well orchestrated change management program of we see it, we hear you. Here's what's going on. Let's move this forward quickly. Let's do this prudently, but diligently. I think that
The change management piece can't be understated because it's also you as a CISO have to find champions in the organization. You can't go it alone. And so the more that you could do to develop a rapport with the head of product, the CFO, the general counsel, the business leaders who have influence and the CEO and the COO, that's where you're going to have the most satisfaction. And that's where you're going to be able to make the most progress in the shortest amount of time because you align that change management with the culture of the organization.
And yes, that's driven largely from the top down and how your CEO and COO talk and think about change management. But that's all bottoms up too, because if you're working cross-functionally, security, like we said, doesn't happen in a vacuum. There are cross-functional implications of it. And so being able to go to a group and say, yes, you're giving up autonomy, but you're giving up autonomy in order to gain efficiency or gain something else. And that's the conversation that typically resonates really well in an organization. To a point where I've heard CISOs say, yeah, that group that was really hesitant to talk to us is now saying,
What else can we give you? Because that worked out really well before. And we're also just creating more efficiencies in our group, which is enabling us to be more productive and more effective.
Matt (19:46.392)
So one thing I want to go back to, we touched on it briefly, was that the survey showed that most security leaders experienced not a lot of attrition in 2024. However, I think there was some anticipation perhaps in the report that said that that may shift as we come into 2025. Maybe go a little bit deeper on that. Like what do you think is driving that change? And then let's talk a little bit more about how organizations could possibly prepare for that.
Steve Martano (20:15.371)
I think we go back to our economics roots, right? So we have a supply and demand challenge, both. So you have organizations that are hesitant to bring in somebody new in an environment where there's belt tightening happening all over. They're asking their teams to do more with less while also seeing very little attrition. So they're saying, this is fine. It's fine for the short term, probably, but that's not the long-term solution. You also have a challenging economic environment where many CISOs are saying, where I am,
Again, the budget is okay enough. I have enough influence. It's not ideal, but it's good enough for now. Let me let the macro trend settle a little bit before I actually go headlong into a search. Not to mention that, again, going back to the demand, there's not a whole lot of activity out there to be looking at anyway. Now we saw spikes over the year. We had a busier summer than you would expect in this type of environment. There's a spike right around the end of June and July. So organizations were like, well, like we have to do something at some point.
Then we saw a low right before the election and then our business took off. We've had a very robust cycle between the end of the election and today, just because I think not necessarily because of the result, but just that there is a result. And what do markets really, yeah, what do markets really just dislike? It's uncertainty, right? So at least, okay, we know what it is. It probably also helps that this is an administration that optically is going to be less regulatory focused, which just means that there's more movement.
Matt (21:28.192)
certainty. Right.
Steve Martano (21:41.015)
there'll be more M&A, there'll be fewer challenges in court related to that M&A. And we're also seeing an increase in IPOs and S-1s and things like that. Many of our clients and many people in the market pulled back those S-1s a couple of years ago just because they didn't think that they'd see the value there. It was the wrong point in time. So they had to do a little bit of a reset and maybe we're there for 25 or 26.
Matt (22:04.92)
So let's look at it this way. If I'm a senior security leader or CISO, maybe I've been at my company for three to five years and I feel like what I came here to accomplish, I've done. I've built a rapport and I'm ready for that next challenge. I've had a conversation with a number of my colleagues and that's kind of where they're at. You know, they're starting to look. How can leaders effectively use the data in your report to advocate for themselves?
And maybe, you know, for their teams as well. And you can take that from maybe a couple of different perspectives. It could be from securing a larger budget. It could be influencing leadership decisions, or maybe protecting their role in an increasingly complex environment. How can leaders effectively use the data in your research?
Steve Martano (22:51.351)
Yeah, so let's talk about the internal piece first, because that's where people find themselves today. There's a banking CISO that I know in the Midwest who called me and said, I've been at my company for eight years. We all recognize that you fall further and further behind market the longer that you stay in an organization, because you're not getting that 30% increase, that 20% increase that you would get right off the bat with the move. So you do two moves in five years, and you're going to likely increase your comp pretty substantially. Your reputation may take a hit from a tenure perspective, but you'll be optimizing your earnings.
So he said to me, can you help me take what you have and the data that you have and get me to market where I should be? And he was maybe 15 or 20% under market. Well, we looked at his peer group. We looked at the company's peer group. We did some data analysis around, OK, how much assets under management? How many people? What does the organization look like? What's the global remit and complexity of the organization? He took all of that data, packaged it up himself, went into his leadership team. He got a 40% increase in compensation.
Now, I'm not going to guarantee that everybody who's listening to this does that and gets a 40% increase, but it was well thought out. It was researched. It was, listen, I'm not looking to leave, but these are the types of roles that are out there that I am getting calls on and you should know that. And let's put it on you, company, to figure out how you value me and how you think about this. Because I'm not inclined to take these calls, but it would be irresponsible for me not to, considering the disparity in compensation. So I think that that's a good framing and how you can use our data.
to go internally and say, here's what's happening around us and here's what I'm getting calls on. We should all be aware of that, right? If an organization says we really love our CISO, we don't want them to leave, then they're probably being recruited by somebody else because they're a really great CISO and you don't want them to leave, right? So being really honest about that. I think the other thing in terms of team compensation, we have a very robust set, particularly of one level below the CISO. So you're head of architecture and engineering, you're head of GRC.
benchmark yourself and do the same thing so that you can get ahead of that conversation so that the high performers on your team aren't tempted to go take these calls, look at something else and say, look, we recognize that you're under market. We're going to give you this bump to get you closer to that. But not only that, but there are non-financial incentives as well. Why don't you engage in this committee or that committee or get involved in this cross-functional project or that cross-functional project to show we see you as a next generation leader. We're not just going to keep you in security. We want you to gain broader exposure.
Steve Martano (25:18.869)
which will be good for your organization and your program and also make that person more marketable, because there are many really strong CISOs that I know who say, hey, listen, I don't want to lose this person on my team, but they're ready and I'm not going anywhere anytime soon. And as a good leader, it would be not right for me to just keep that person where they are. They really should go out and go be a head of security somewhere. Because I think about this in terms of baseball managers or football coaches where
The best CISOs are the ones that are training the next generation down. And it's that group of people that are just, they have the lineage, they have the pedigree, they have the right training, they have the soft skills, and then they go out and they do the same thing. And there still, I think, are not enough really strong practitioners out there to fill all of these seats. And so the more that we can get mentoring and the more that we can continue to nurture those that are in the level two or the level three.
Who are those people on your team? What are you doing to nurture them? What do you see as their trajectory? And does that align with their own aspirations? Because if it does, think about strategies to get them there. And yeah, you might lose somebody in the short term, but those relationships hopefully are longer term and they run deeper than just the transactional operational.
Matt (26:29.422)
Is there a way that, know, and my experience is, very similar with the exception of maybe one or two companies that I worked at. most of them just kind of did the, you know, the cost standard cost of living, you know, one, two, three, you know, something very, very small over the course of, of our time there. And yet there was maybe one or two companies that I could tell that they actually did the research, not just, not, not once a year, but twice a year, every six months they were looking and they were trying to keep you basically to market if you are a high performer.
Right. But I think that's rare. I'm curious in your experience, there, you know, if you were speaking to the, you know, the people team at a large company and let's say this organization has a really good culture and they're trying to not just have a good culture, but also to keep their highest performers. How would you, what kind of advice would you give them? Maybe let's keep it specific to cybersecurity.
Steve Martano (27:22.785)
Yeah, so before we even talk about compensation, I would say, is this person engaged? Do they feel supported? Do they have a team that is happy and productive and efficient? And do they feel like the organization risk tolerance is aligned with what they're able to do from an operational perspective? Because the compensation, in many cases, is secondary to that.
Matt (27:47.446)
Hmm.
Steve Martano (27:47.543)
There's a very large scale bank that everybody listening probably knows what it is and they've had a CISO search open for a year. They've had four CISOs in a span of five or six years. They're paying top of market. Why can't they get somebody in the job? Right? That's part of it, but they're also, yeah, that is part of it. But if you said to somebody, we'll give you X millions of dollars, work 80 hours a week, there are going to be people that opt into that. The question is, am I going to work 80 hours a week and be successful?
Matt (27:59.662)
Because they don't want to work 80 hours a week.
Matt (28:12.216)
Sure.
Matt (28:15.532)
Hmm.
Steve Martano (28:15.701)
Or am I going to work 80 hours a week and in six months be completely frustrated and feel like that was a waste of time? And so there's a satisfaction element to this beyond just the compensation. So let's start there. So, okay, yes, we have alignment there. Our satisfaction scores are good. This leader is well-perceived by cross-functional peers. The reputation of security has increased. We're running a strong program. Everybody seems like they're in alignment and things are going as well as they can operationally. Okay, great. Now let's do some benchmarking.
What's out there that this person would be a credible candidate for and where is their compensation coming in and what does that structure look like? And are you competitive to that? You don't have to necessarily be over it. You don't have to necessarily be at it, but are you competitive to it? And that's how I would strategize with an HR team or a talent team to say, it's all these different pieces, but let's think about this holistically so that you keep the people that you want to keep.
Matt (29:13.038)
So you've spoken about leveraging budget data to advance security programs. What are maybe some key metrics that CISOs and security leaders should use to justify budget increases or just maybe getting it to where they believe their peers are?
Steve Martano (29:29.431)
Sure, yeah. So most of the clients that read this report, most of the... We asked this question a couple years ago, how do you report on this? It's mostly in terms of budget compared to IT. That's going to change over time because we're seeing a convergence of the IT and the security function. And we're seeing an IT function that's becoming more commoditized and less complex and less difficult to navigate from a vendor perspective, where security is the exact opposite of that. And so...
with the increase of scope in security, and we find that a good number of people have responsibility for all of IT and a larger contingency has responsibility for some of IT, whether it's digitalization, cloud, transformation, infrastructure, whatever the case may be. So that metric may change over time. So again, I would think about the different buckets. So the majority of CISO budget is going toward compensation and going toward talent and recruiting.
And then thinking about other areas of, how is that increasing over time? But just generally thinking about the alignment with the business goals, I keep going back to that too. If you're going through a major digital transformation and your security budget is flat, that doesn't make sense, right? So thinking about what's happening at the company high-scale strategic perspective, and how does that impact the security program budgeting? How much of it is project-based? How much of it is contractor-based?
We're talking generalities here because we have a wide audience, but thinking about, what do I actually need to achieve what we say we're going to achieve over the next 12 to 18 months?
Matt (31:04.59)
It seems like this kind of goes back to the conversation we were having a couple of minutes ago about just alignment in general, that if you try to align your security budget, and it's not aligned rather to the rest of the organization in terms of what's happening, it's going to be difficult to justify. I think at this stage of maturity in most organizations, call it again, Fortune 1000 organizations, I think it's difficult to do and to work with that without having that alignment. I had a guest on
I think it was probably two or three months ago, Chris Hatton, you might know him. He's also a fellow IANS practitioner. And he was just talking about, you know, it's so important for senior leaders to align themselves with other senior leaders in the organization. And again, if you're, you know, if you're someone listening to this podcast who maybe is new to cyber, you're probably thinking, well, of course, like, why wouldn't you do that? But I think the history of the role is that it was seen as kind of
I don't want to say independent, but they almost felt like so many leaders that I worked with over the years really felt like they were almost fighting against the organization to help manage and reduce risk. So yeah, I'm curious your thoughts on that.
Steve Martano (32:13.911)
Well, yes, and I would also add, be a pragmatic corporate citizen in an environment where everybody's being asked to decrease their budget. Don't ask for a 60% increase, right? Be thoughtful about what you're asking and be very wary of doing things that are really outside of lockstep with what the rest of the organization is doing because the perception, rightly or wrongly, is that
Matt (32:26.403)
you
Steve Martano (32:41.087)
oh my gosh, this person is naive. They don't even recognize what's happening across the rest of the organization. And that's a reputation that's very difficult to overcome. So just think about what your peer group is being asked to do. And I heard many examples over the last year and a half of, yeah, everybody was told that they need to cut 10%. They said to me, look, just find one or two headcount that you think is superfluous or that you could do without in this environment. Okay, that's not ideal. But we still see security, again,
Matt (33:08.067)
Right.
Steve Martano (33:10.867)
scaling and growing at a decreasing rate than before. But part of that too, is that previously organizations were still undergoing this major cyber transformation. At this point, the baseline level of operational security has been elevated to a point where most companies don't need to do their major cyber transformation that they did five or six years ago. There's incremental and maybe transformative change in other areas related to perhaps AI or things like this. But the program build
is there. And I think the organization and hopefully a strong leader can say, yes, we have a program that is aligned with market that aligns with our risk tolerance. There's going to be some increases over time as there is with all functions and as the company scales as well. But by and large, we know what we need to do to achieve what we need to achieve.
Matt (33:57.122)
What's one common misconception about cybersecurity leadership that you'd like to debunk based upon your research in the last decade?
Steve Martano (34:05.303)
So here's an interesting one for you: that to be a large-scale company CISO you need to have a cyber background. We have seen CISOs at Fortune 20 companies that are transformation officers or digitalization officers who have no cyber to speak of. Now that's bucking the trend. Most CISOs still come up through security engineering and operations and the technical side of security; some have been developers earlier. And that's frankly what our clients are mostly looking for.
But there are so many different paths to the top job that I think it further proves our point that we have in some of our board research, that we have in some of our comp research. It's that diversity of experience and being in different buckets and pools over the course of your career, be it industry-wise or be it functional, will really serve you well because it just, the perception is that, this isn't just a security person who's been running security budgets with security teams their whole life.
They understand and they've been embedded in other parts of the business. And I think that that's really valuable if somebody wants to continue to go up to the chain and continue to advance their own personal brand and the brand of
Matt (35:13.806)
Yeah, I would, I would tend to agree. The more that, you know, I've been in the startup world now for the last probably five to six years, and that has given me a lot more visibility into all just different areas of the business. And really the conclusion that I've come to, probably just in the last two to three years, is that the actual cybersecurity experience at that top leadership level is not that important. And I know that too many practitioners listening are probably like, what, can you say that? But it's really that
operational experience that I think is required to run an efficient and effective cybersecurity program, especially if you're an organization that has any kind of scale, operational experience, understanding key metrics, what to track, efficiency, effectiveness. That's the only way you scale any part of any business, right? And cybersecurity is not unique. I know we like to think that we are unique and special and different from every other discipline.
But the truth is when it comes to operational excellence, it's not. And in fact, that's what gets, I think, a lot of cybersecurity organizations in trouble: that they can't do the basic things very well. I've mentioned this before, but even something that is as basic as patching, not being able to do that consistently well is what gets many organizations in the headlines, right? You find out they had some system that was running some, you know,
ancient operating system that either no longer has patches or had a patch, you know, for three years that was just never patched. Being able to do those basic things well, I really think is what distinguishes senior cybersecurity leaders at this stage.
Steve Martano (36:57.143)
Yeah, and so, and how do you do that, right? Because if you're talking about at the highest level, you need to have that strategic acumen and you need to be really strong on prioritization. We talked about cross-functional influence and change management. So to be able to do that, you really need to have strong people on your team that you can entrust to drive that operational excellence because you're not going to be in the weeds doing it. And so it's giving up the operational piece of it.
Matt (37:15.854)
That's right.
Steve Martano (37:21.175)
to the people that you know will do it properly in order to elevate yourself and your brand so that you can be spending more time with product team, you can be spending more time with the legal team, the financial team, the general managers of the organization, and your customers as well. So we think about, okay, back when we talked about 10 years ago, what head of information security was external talking to a customer, talking to a client? None, basically, right? Very few. And now for most large scale organizations, that's a requirement.
Matt (37:43.682)
Yeah, for sure.
Steve Martano (37:49.427)
It may not happen every day, but there's an expectation that it will happen. And it's now a business differentiator. And there are organizations that they want to know that the table stakes of security make sense for their organization and the risk tolerance. But organizations are going through third party risk management programs that are looking more deeply at their supply chain network, their vendor universe, and all of this. And that has implications across the board for security programs pretty much everywhere.
Matt (38:15.512)
So I think we've all had people in our lives that have been mentors, maybe officially unofficially, but they've influenced us professionally and maybe even personally. I'm curious who's been the biggest professional influence in your life. What did you learn from them?
Steve Martano (38:31.329)
Sure, well, I started my career earlier at one of the big four consulting firms at Russell Reynolds and many of the people there that taught me how to do search are retired at this point and they were very instrumental in helping me talk about operational excellence, how to actually do a search and how to go through that project, project management, things like this. But it was really, it's Matt Comyns, our co-founder, and Mercedes Chatfield-Taylor, our CEO, who are just so client-centric and so client-first. And their whole approach is,
Do the right thing as far as relationships, line people up, expand those universes. We are connectors as recruiters. You don't need to have a contract to make a great introduction from person A to company A when you think there's great alignment. If they hire that person, that will come back tenfold later. Do the right thing and be really candidate focused and client focused and find your niche and be an advisor. And Matt is so good at this and Mercedes as well. Well, let's talk about your
Matt (39:14.807)
Hmm.
Steve Martano (39:28.833)
company. Okay, you're maybe a client, you're not a client, you were a client, whatever the case may be. There's no revenue attached to this specific conversation. But let's try to be helpful to each other. And what can I provide you that's helpful to you? And I think that being a servant of the industry and of the candidate pool and the talent pool and all of this, this is why we do our Comp and Budget Survey as well. We need everybody to get aligned on the proper and real time information that's out there so that we can all be better.
so that organizations are going after the right pool of candidates and candidates are going after the right jobs to find alignment. And so it's just, there's a reason that I've always scaled down in my career in terms of size of companies that I've worked for, but I just think that my colleagues are so high touch with candidates and clients and that's where the real value is. There's value in a search, that's how we make our money. But we try to help people all the time and I tell people, if you're looking at an offer, it doesn't matter if it comes from us or not.
I want to make sure that you're thinking about liability protection in the right way. I want to make sure you're asking the right questions on equity. It helps everybody when people are asking the right questions and doing the
Matt (40:35.406)
So how do you stay sharp? Your industry, just like everyone else's, changes rapidly. How do you personally stay sharp?
Steve Martano (40:42.795)
Yeah, it's a lot of reading. It's a lot of talking to people. I spend all of my time talking to practitioners pretty much. Clients and practitioners, that's how I spend all of my time. What are you thinking about? What are you worried about? What are you planning for 2025? What concerns you most about 2025? And I think that going to these conferences, I was at Health-ISAC last week, I was at FS-ISAC in October, being at these different industry conferences and understanding what are they talking about, what's most important to them.
And just getting a pulse of the market and getting some certainty around, OK, well, now I've heard this in four different places. This is obviously going to be a thing to 2025. This is going to be a topic we're going to talk about. I also have relationships with reporters as well to get a sense of what are they working on. We do a lot of work with The Wall Street Journal. They cover all of our reports. It used to be that we would pitch them what we're doing. Now they come to us and say, hey, when's that report coming out? We know that this is about the time, which is nice. It's good validation for us for sure. I also ask them when I talk to them,
Matt (41:34.574)
That's always a good thing.
Steve Martano (41:40.149)
What other things are you working on? Anything that I can help, can I line you up with the source? Is there anybody you want to talk to that I have access to that either on the record or off the record? Let them figure that out. You want to talk to somebody? You know, I could probably make that happen. Somebody want to get a perspective out there. They want to put their name on it. All the better, right? So having access there. And so I have a pulse into what's being worked on in the background that that's likely to come out next. And we can get ahead of that as well and have a perspective on that, which is really helpful to our candidates and our clients.
Matt (42:10.99)
This has been a far-ranging interview. I love it. Is there anything else that I should have asked you or that you wanted to cover?
Steve Martano (42:18.071)
No, I think, look, I think that: stay positive, and for those who are in a job that maybe they're not long for, for the next couple of years, I think that there will be more activity in the market in 2025. But I think that the best advice to people who are thinking about something different is be selective in looking at and pursuing jobs that align with your background, where you are a differentiated candidate. And so do some self-reflection and really figure out
Figure an organization is going to interview eight to 10 people. Are you a top 10 candidate for the role in which you're pursuing? There could be stretch roles in there as well. But when you're undergoing your search, really be thoughtful about that. And you'll be much, much more inclined to be moving forward in process and have your resume reviewed and things like this.
Matt (43:02.412)
I love it. Well, Steve, thanks for coming on the show. This has been really awesome and very insightful. Thank you. See you.
Steve Martano (43:07.649)
Thanks, Matt. Great to be here. Good to chat.