Should CISO Compensation Include Equity?

Anyone who has spent significant time in the world of cybersecurity understands that there is no way to eliminate risk. As such, some of the most commonly accepted security concepts seem to revolve around assessing and managing risk. At some point, most security leaders are also expected to determine what they consider to be acceptable risks and then take responsibility for ensuring their organization is taking the necessary steps to mitigate risks to stay aligned with that acceptable level. At higher echelons of any organization, the C-Suite and the Board rely on their trusted security professionals to make these critical decisions about risk while acting in the best interest of the enterprise, ensuring levels of effort and spending align with mitigating risk to an acceptable level. But, are most security professionals really incentivized to make the best objective security decisions for their organization?

CISO Success and Compensation Packages

In theory, assessing the success or failure of a security professional should be tied to the security organization’s success or failure in protecting the enterprise against the threats they are paid to protect against…right? Well, the answer isn’t that cut and dried. According to a 2022 survey by executive search firm Heidrick & Struggles, the median cash compensation for a Chief Information Security Officer (CISO) is $584,000. Bonuses and equity drive the median total compensation package up to $971,000. That means, on average, $387,000 (39.9%) of CISO compensation is tied to bonuses and equity…and those bonuses are often (if not always) tied to budgetary goals instead of security metrics. Additionally, according to the same report, the median hiring bonus for new CISOs was $400,000 in equity. That much equity - between the hiring bonus and annual compensation - means that most CISOs are disproportionately impacted by the performance of their company’s stock.

Can CISOs Impact Stock Prices?

When looking at the relationship between corporate security and corporate stock price, one might think that security breaches would hurt the stock price. If that assumption were true, CISOs would be highly motivated to prevent breaches as a means of protecting and growing the value of their equity in the company. That logic leads to creating compensation packages with a large percentage of the compensation tied to equity because it aligns with creating the best possible security posture for a company. In theory, that all makes a lot of sense. It may even explain why CISO compensation packages are routinely designed with massive equity. The problem is that this is all based on the flawed assumption that security and stock price are tightly aligned. I’ll explain that in a moment. But first, let’s examine how CISOs can impact stock prices through old-school economic principles of revenue and cost.

To impact the bottom line (i.e., profit), companies need to increase revenue (increasing profits through volume) or increase margin (increasing profits per unit sold by reducing cost for the same output). While CISOs have little to do with revenue or margins, they can impact corporate costs through their management of security budgets for technology, people, and facilities.

According to Gartner, worldwide Information Technology (IT) spending will exceed $4.6T dollars this year and, according to their reporting last year, mid and large-sized companies should spend 4.1% of their annual revenue on IT. This means that a CISO can certainly have an impact on corporate profits - and thus stock prices - if they are frugal. Additionally, and not surprisingly, the compensation packages for many CISOs include bonuses tied to staying within (or under) their allotted budget.

Real World Example

“Bank A” has $24.3B in annual revenue. If an IT budget should be 4.1% of corporate revenue, as suggested by Gartner, that would allocate $996M to the CISO. If that CISO decided to underspend by 25%, they could save $249M which would go directly to the corporation’s bottom line. Since “Bank A” reports $5.6B in annual profits, an additional $249M in annual profit would represent a 4.4% increase that would likely be significant enough to positively impact a corporate stock price.

In the above example, if the “Bank A” CISO fit within the median compensation packages described earlier they would have $1M (or more) in equity. By underspending, the “Bank A” CISO could secure their bonus and likely five or six figures in additional annual compensation through equity growth. At the same time, it is very unlikely that anyone could confidently determine the impact such frugality would have on Bank A’s cybersecurity posture because few, if any, companies can calculate risk with such granularity. In essence, there is little risk to the CISO who underspends, but great potential reward. Knowing all of that, why would anyone think that CISOs prioritize spending enough to build world-class security over frugality? Is it the lingering notion that data breaches hurt stock prices, meaning CISOs will want to prevent those? Well, let’s see if that logic holds up to scrutiny. (Spoiler Alert: It doesn’t)

Security Doesn’t Consistently Impact Stock Prices

I promised earlier that I would dig deeper into the flawed logic behind designing CISO compensation packages with massive equity. Let’s take a look at some commonly agreed-upon concepts and competing facts. For instance, a recent report from Harvard Business Review (HBR), a highly-respected publication, stated that:

“Publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion. Even more concerning is the fact that it took 46 days, on average, for these companies to recover their stock prices to pre-breach levels, if they were able to do so at all.”

That reporting makes a strong case for the value of building great security programs that prevent data breaches, at least for publicly traded companies. With data breaches so common, and the average financial loss measured in billions of dollars, it seems obvious, right? Unfortunately, the HBR reporting is demonstrably flawed (sorry, Harvard) because it was based on four-year-old data they failed to update.

• The originator highlighted that their data was skewed by one outlier and even provided better data, yet HBR omitted that vital context
  • Removing one breach (Facebook) from the data reduced the average market cap loss by 85% (from $5.4B to $762M)
• HBR stated that Equifax's (breached in 2017) stock value had not recovered
  • It has since recovered (after 33 months), gone on to reach multiple all-time highs, and is now valued at 164% of the pre-breach price
  • HBR also tied Moody’s 2019 downgrade of Equifax’s credit rating to the 2017 breach despite lacking strong evidence those were related
• The HBR report stated that Okta lost $6B in market valuation the week they announced a security incident but failed to mention:
  • Okta’s stock had already lost 40% in the year PRIOR to the breach
  • Okta’s stock gained 20% in the three months after the breach
• The Marriott breach was quoted as causing a 5.6% drop in stock price
  • HBR failed to note that those losses were erased within weeks¹

The 2020 breach reported by Marriott did MUCH more damage to the stock, yet it still recovered (again, within weeks) and is now trading at more than three times its previous value

In addition to those examples, several other major breaches in recent years resulted in temporary (if any) stock losses with record stock values following soon after.

• First Financial Corporation suffered a 6% stock drop after a May 2019 breach
  • The stock recovered within days and went on to several all-time highs
• Capital One’s stock price was virtually unaffected by a July 2019 data breach 
• After announcing a data breach of LinkedIn in 2021, parent company Microsoft didn’t experience any noticeable stock price change

While this is not enough evidence to state conclusively that data breaches don’t greatly impact stock prices, it is enough to weaken the theory that security has the kind of outsized impact on stock prices that many consider to be an accepted fact. These examples even suggest that large global enterprises - some of the most desirable targets for cybercriminals - are nearly immune to stock harm from bad cybersecurity even after multiple, highly-publicized data breaches. Since those companies pay their CISOs the most, and have the largest IT budgets, those CISOs have the most to gain by underspending on security.

What is the Answer?

To help CISOs prioritize security over profit, publicly traded companies could:

1. Change how CISO compensation packages are structured
2. Change how CISO success is measured
3. Change how CISOs are held accountable when things go wrong

Compensation Structure

Shrink the connection between stock prices and CISO compensation to reduce the temptation for a CISO to act in ways that favor corporate stock value over corporate security. This may mean increasing base compensation or tying contingencies (like bonuses) to security performance measurements instead of budget.

Measuring Success

Expanding on the subject of performance measurement, tie the measurement of CISO effectiveness to objective standards of organizational security and maturity. Regular, outside assessments of organizational success that focus on meeting, exceeding, and maintaining maturity targets should be included in this process.

Furthermore, when and if an organization suffers a security incident, an objective, third-party assessment should be conducted to determine the cause of the incident and the effectiveness of the response to the incident. That assessment should include:

• How risk was calculated prior to the incident, who owned that risk, and whether the incident fell within the accepted risk parameters
• The maturity of the processes in place to prevent and respond to the incident
• Adherence to existing processes for preventing and responding to incidents
• Spending associated with the risk that led to the incident, and if it was aligned with the prioritization of risk in previous assessments
• What role, if any, negligence played in the incident
  • This could be from leadership, management, or individual contributors
• The effectiveness of the discovery and remediation of the incident as compared to pre-existing standards
• A damage assessment

Accountability

Finally, and most controversially, hold CISOs accountable for security breaches when objective assessments demonstrate that a CISO failed to properly prevent an incident, whether through failure to maintain proper maturity standards, failure to assess risk accurately, or failure to allocate resources appropriately.

This is NOT to say it’s time to go on a witch hunt against CISOs. Every organization has or will be compromised. That is the cost of doing business in an interconnected world. Not all compromises are reasonably preventable. But, if a leader is negligent - or puts personal gain ahead of creating and maintaining the best security organization - they should face the consequences of those choices. If not, why is the median compensation package for a CISO in the United States nearly $1M per year?

Last Thoughts

While the recommendations above would put CISOs in a better position to focus on security and ensure accountability for those paid to own that risk, none of those steps are likely to happen…because CISOs aren’t the problem. Corporations likely create these CISO compensation packages - incentivizing profit over security - with intent. Boards pressure CISOs to underspend and then reinforce that priority through these compensation packages because they’ve made the cold calculation that it is cheaper to respond to security incidents than to prevent them. Those corporate leaders want to spend enough to please regulators (who they lobby against) or create a plausible story for how hard they tried to prevent the inevitable breach when it happens. Not a penny more. It’s what many refer to as “security theater.”

But don’t blame the corporations…and definitely don’t blame the CISOs. Look in the mirror instead. The responsibility for changing all of this rests with consumers who, increasingly numb to cybersecurity breaches, continue to do business with companies that have been compromised. When consumers respond to companies’ failure to protect their data and privacy by taking their business elsewhere, those companies will see their revenue, profits, and stock prices drop. THAT is what motivates corporations to change. Until then, expect more of the same because the primary mission of every corporation is to make money. Period. That is not a moral judgment. It is just an economic fact.