It took a $650,000 salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.
This year, the company had to pay $2.5 million to fill the same role.
“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specializes in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”
The threat of digital breaches — and the fines, lawsuits and occasional executive resignations that sometimes follow — has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who once confined to obscure IT departments, little more than an afterthought to senior management.
In the 12 months ended August 2018, there were more than 300,000 unfilled cybersecurity jobs in the U.S., according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education. Globally, the shortage is estimated to exceed 1 million in coming years, studies have shown.
That’s coincided with increased frequency and sophistication of digital attacks, which range from disruption of computer systems to extortion and theft of sensitive personal information.
In April, JPMorgan Chase & Co. Chief Executive Officer Jamie Dimon told shareholders that cybersecurity “may very well be the biggest threat to the U.S. financial system.” His counterpart at Bank of America Corp., Brian Moynihan, said previously that the lender’s cybersecurity unit operates with an unlimited budget.
Just last week, Capital One Financial Corp. disclosed that personal data of about 100 million customers had been illegally accessed by a Seattle woman, possibly one of the largest breaches affecting a U.S. bank. The firm’s shares have fallen 8.9% since the intrusion was revealed.
In late July, credit reporting firm Equifax Inc. agreed to pay up to $700 million to settle federal and state investigations into a 2017 hack that compromised sensitive information of more than 140 million people and led to the resignation of the firm’s long-time CEO Rick Smith.
High-profile breaches aside, myriad U.S. companies and employees are the subject of hacker attacks each day. Industry insiders joke that there are two types of companies: Those that have been hacked, and those that haven’t yet discovered that they’ve been hacked.
“If you’re not careful, you can get numb to it,” said Andrew Howard, who leads the enterprise security division of Kudelski Group.
Equifax paid Jamil Farshchi $3.89 million in 2018 to take the job as chief information security officer. He joined from Home Depot, which had hired him in the wake of a 2014 breach that exposed credit-card information belonging to 56 million customers.
While most U.S. firms don’t disclose compensation for top information-security executives, Comyns said big tech firms on the West Coast can pay as much as $6.5 million, most of it in stock. In some cases, direct reports can make around $1 million — more than their bosses typically would have made just a few years ago.
Aware of the challenges of replacing a security chief, many companies take unprecedented measures to keep them, with CEOs often getting involved in the negotiations. In one recent instance, Comyns said, a CISO who considered leaving was told to go home and write down 10 things that would change his decision. The list included a 50% increase in salary and bonus, more than doubling his long-term incentive award, a promotion and a new office. The CEO concurred, and the person stayed.
Hefty raises can pale in comparison with the potential downside. The average cost of a breach for U.S. companies was about $8 million, according to a study from IBM Corp. and the Ponemon Institute. Equifax shows that the cost can be many multiples of that. This week, Marriott International Inc. reported they took a $126 million charge related to a 2018 breach of one of its reservations databases.
Insurance can cover financial expenses, but won’t help restore lost customer trust and a tarnished reputation, said James Lam, a director at E*Trade Financial Corp. who also advises companies on risk management, including cybersecurity.
CEOs may be inclined to spend more because their own jobs and reputations could be on the line. Gregg Steinhafel resigned as CEO of Target Corp. in 2014 after a hacker attack that compromised 40 million credit card accounts rocked the already-struggling retailer.
That episode “got everyone’s attention,” said Kudelski Group’s Howard, and led to scores of companies appointing people with cybersecurity expertise to their boards.
It’s also pushed many companies to expand the responsibilities of information security staff, ensuring that their work spans the entire organization. To Comyns, that means their pay will continue to increase.
“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns said. “Then they stand in the door and say, ‘You’re not going anywhere.'”
(Updates with Marriott breach in 15th paragraph.)