It took a $650,000 salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer (CISO) in 2012. At the time, it was among the most lucrative offers out there.

This year, the company had to pay $2.5 million to fill the same role.

“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specializes in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”

The threat of digital breaches—and the fines, lawsuits, and occasional executive resignations that sometimes follow—has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who were once confined to obscure IT departments, little more than an afterthought to senior management.

In the 12 months ended August 2018, there were more than 300,000 unfilled cybersecurity jobs in the U.S., according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education. Globally, the shortage is estimated to exceed 1 million in coming years, studies have shown.

That’s coincided with increased frequency and sophistication of digital attacks, which range from disruption of computer systems to extortion and theft of sensitive personal information.

In April, JPMorgan Chase & Co. CEO Jamie Dimon told shareholders that cybersecurity “may very well be the biggest threat to the U.S. financial system.” His counterpart at Bank of America Corp., Brian Moynihan, said previously that the lender’s cybersecurity unit operates with an unlimited budget.

Myriad Hacker Attacks Each Day

Just last week, Capital One Financial Corp. disclosed that personal data of about 100 million customers and card applicants had been illegally accessed by a Seattle woman, possibly one of the largest breaches affecting a U.S. bank. The firm’s shares have fallen 8.9 percent since the intrusion was revealed.

In late July, credit reporting firm Equifax Inc. agreed to pay up to $700 million to settle federal and state investigations into a 2017 hack that compromised sensitive information of more than 140 million people and led to the resignation of the firm’s long-time CEO Rick Smith.

High-profile breaches aside, myriad U.S. companies and employees are the subject of hacker attacks each day. Industry insiders joke that there are two types of companies: Those that have been hacked, and those that haven’t yet discovered that they’ve been hacked.

“If you’re not careful, you can get numb to it,” said Andrew Howard, who leads the enterprise security division of Kudelski Group.

Equifax paid Jamil Farshchi $3.89 million in 2018 to take the job of CISO. He joined from Home Depot, which had hired him in the wake of a 2014 breach that exposed credit-card information belonging to 56 million customers.

While most U.S. firms don’t disclose compensation for top information-security executives, Comyns said big tech firms on the West Coast can pay as much as $6.5 million, most of it in stock. In some cases, direct reports to the CISO can make around $1 million—more than their bosses typically would have made just a few years ago.

Avoiding Turnover of the CISO

Aware of the challenges of replacing a security chief, many companies take unprecedented measures to keep them, with CEOs often getting involved in the negotiations. In one recent instance, Comyns said, a CISO who considered leaving was told to go home and write down 10 things that would change his decision. The list included a 50 percent increase in salary and bonus, more than doubling his long-term incentive award, a promotion, and a new office. The CEO concurred, and the person stayed.

Hefty raises can pale in comparison with the potential downside. The average cost of a breach for U.S. companies was about $8 million, according to a study from IBM Corp. and the Ponemon Institute. Equifax shows that the cost can be many times that. This week, Marriott International Inc. reported that it took a $126 million charge related to a 2018 breach of one of its reservations databases.

Insurance can cover financial expenses but won’t help restore lost customer trust or a tarnished reputation, said James Lam, a director at E*Trade Financial Corp. who also advises companies on risk management, including cybersecurity.

CEOs may be inclined to spend more because their own jobs and reputations could be on the line. Gregg Steinhafel resigned as CEO of Target Corp. in 2014 after a hacker attack that compromised 40 million credit card accounts rocked the already-struggling retailer.

That episode “got everyone’s attention,” said Kudelski Group’s Howard, and led to scores of companies appointing people with cybersecurity expertise to their boards.

It’s also pushed many companies to expand the responsibilities of information security staff, ensuring that their work spans the entire organization. To Comyns, that means their pay will continue to increase.

“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns said. “Then they stand in the door and say, ‘You’re not going anywhere.’”

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
