As the need for CISOs increases in hospitals, so do their demands

Before the flood of ransomware attacks, robocalls or data breaches, not all hospitals had chief information security officers. Now, these security executives are in high demand, and salaries are skyrocketing to attract candidates, according to a July 29 report by The Wall Street Journal.

CISOs in the United States earned a median base salary of $509,000 in 2021, a large jump from $473,000 in 2020, a survey of 354 CISOs by Heidrick & Struggles found. With equity grants and bonuses, that number is bumped to $936,000, compared to $784,000 in 2020.

"There's a lot more demand and the supply hasn't exactly increased," said Omar Khawaja, CISO at Pittsburgh-based Highmark Health. 

Several ransomware attacks have put cybersecurity front and center. "There's a very tangible and direct business disruption. It's hard to ignore," he said.

Healthcare companies on tight budgets may have to hire someone on a lower salary with less experience, said Errol Weiss, the chief security officer at the Health Information Sharing and Analysis Center, a group that shares information about cyber threats at healthcare companies.

"We've got so many unfilled positions out there, it's just not possible to find that experienced CISO," he said.

More than a third (38 percent) of CISOs report to the CIO, who then reports to the CEO, the Heidrick & Struggles report found. Many companies are doing away with that reporting method to create a streamlined flow of communication about cybersecurity.

There can also be tensions between CISOs and CIOs if cybersecurity initiatives clash with innovation projects. Due to this relationship, CISOs often prefer roles where they report directly to the CEO, the report said.

Copyright © 2022 Becker's Healthcare. All Rights Reserved.

