Wall Street multiplies pay for security executivess

For some on Wall Street, crime means more pay.

Big banks, jarred by escalating cyber-attacks, have more than doubled compensation for top computer-security specialists in two years, often beyond $1 million, according to five recruiters. Senior cybersecurity executives, who earned $200,000 to $500,000 five years ago, can draw more than $2 million, said Jeanne Branthover at Boyden Global Executive Search Ltd. in New York. Roles such as chief information security officer now get pay similar to managing directors in other areas including trading and investment banking, recruiters said.

Attacks on banks including JPMorgan Chase & Co. have cast light on the industry's vulnerability. Firms are vying for people with a strong security background who can talk directly with boards, governments and technologists. Banks are offering raises of 20 percent to 50 percent to wrest talent from one another, said Robert Iommazzo, a founding partner at executive recruiter SEBA International in New York.

"Many times you have to actually poach and/or steal talent from your competitors, because there's such a dearth of us," said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc. in Irving, Texas.

Wall Street already is struggling with mounting costs after the financial crisis, including pressure to bolster compliance staff, adapt to new rules and end legal claims. Expanding cybersecurity departments is a special challenge as scarcity makes it harder to attract and retain top personnel.

Good Hackers

"You have to find people who think like hackers who have come onto the good side," said Sameer Sait, head of information security at Springfield-based Massachusetts Mutual Life Insurance Co. "The cost of getting those folks has skyrocketed."

JPMorgan, the largest U.S. bank, said Oct. 2 that hackers had stolen contact information for 76 million households and 7 million small businesses, without getting account numbers and passwords. The incident followed an exodus of key tech executives to other firms. The New York-based bank may double its $250 million annual cybersecurity budget within five years, Chief Executive Officer Jamie Dimon, 58, said this month.

Bank of America Corp. and Citigroup Inc. also have said they're investing in cybersecurity. Spokesmen for the three banks declined to comment on pay.

While consumers are becoming inured to hackers obtaining credit-card numbers from retailers, the stakes are especially high for banks and brokerages, which guard customers' cash, investments, Social Security numbers and financial data, such as spending habits and trading strategies.

Special Bonuses

Art Ehuan, a managing director at professional services firm Alvarez & Marsal, said he gets calls a few times a month from companies hunting for senior cybersecurity personnel. Many clients are just realizing they need top security managers.

"I've never seen it this busy in terms of businesses trying to identify particular folks," he said.

As firms expand budgets, some are awarding computer- security personnel special bonuses that can reach $20,000 for completing a project, said Branthover, head of Boyden's financial-services practice. One client, whom she wouldn't identify, was promoted four times in two years, quadrupling that person's pay, she said.

The focus on security disrupts broader trends within technology divisions. Firms have been outsourcing routine tech work to cheaper personnel elsewhere, said MassMutual's Sait. Because of the sensitive, complex nature of cybersecurity, companies are forced to keep those operations in-house.

Gaining Clout

"When the cost of labor goes up, we say, 'Let's go to India,'" he said. "We have not matured with our systems and processes where we can say, 'Let's set up a security operation center in India.'"

Cybersecurity chiefs also are gaining stature within banks. Ten years ago, a chief information security officer was relegated to the back-office in the service of revenue- generating divisions, said Vikram Bhat, a principal at Deloitte in Parsippany, New Jersey. "Today it's a prominent role," he said.

If security chiefs don't report to someone high enough in the firm, regulators may express concern the executives lack access and authority to react to risks quickly, Bhat said. That also means leaders are under pressure to heed their advice.

"Suddenly, the board room and the C-suite are being held accountable for security issues," said Gary Owen, a director at consulting firm Promontory Financial Group LLC in New York.