This is an alternative model to understand the Information Security maturity level of a medium/large company. This is based just on my experience in companies and therefore it's to be used just as a reference. Salaries are for London based permanent employees. I don't pretend this model to be very accurate but can be used as a starting point to understand the maturity with one simple question: who will lead the information security?
1) Network and security manager (base salary £50k to £70k), this person comes from the network background and probably has none or very little experience in security.
The company has no security culture and does not even imagine what information or cyber security means. They will deploy security appliances and maybe buy some external services without understanding really the value of them.
2) Information Security Manager (base salary from £70k to £85k), this person has usually previously no experience in leading Informaton Security teams.
The company has a very little security culture and some security intiatives/projects are delivered.
3) Head of Information Security (base salary around £100k+20% bonus), this person has 0 to 2 experiences in leading Information Security.
The company starts to take security a bit more seriously. The company starts to have a security strategy with multiple projects.
4) Group Head or Director of Information Security (base salary from £120-130k + 20/30% bonus to £150k), this person has at least 2-3 previous experiences leading Information Security.
The company understood Information Security is important even if probably the senior management (CEO) has still no interest in the Information Security and still think Information Security is a "technical" thing for "technical" people.
5) Chief Information Security Officer (CISO, salary from £130k up to £250/300k + bonus). This person has a deep experience and is able to communicate difficult concepts in an easy and clear way to non-technical people.
The company has understood Information Security should be embedded in every process and the senior management (CEO and the board) would like to be informed on the Information Security.