CISOs are seeing their compensation continuing to rise, with increases in pay packages outpacing the growth of security budgets despite much-reported reductions in corporate workforces and budgets, according to a study released this week by cybersecurity consultancy IANS Research and executive search firm Artico Search.
Looking at the pay packages of 550 CISOs in the United States and Canada, IANS and Artico found that overall CISO compensation over the past 12 months jumped an average of 6.7%, keeping pace with the percentage growth seen in 2023 and 2024. This came as increases in security budgets for organizations slowed to 4% this year, the lowest in five years.
That said, while overall compensation continued to be immune to the tightening security budgets, CISOs saw a slight shift in the makeup of the pay packages, with equity-based compensation growing faster than cash compensation.
The numbers illustrate the increasingly important role that CISOs play in their organizations, both in terms of security as well as revenue, according to Nick Kakolowski, senior research director at IANS.
“We are seeing a growing contingent of CISOs regarded as executives within the business, leading to compensation growth for the role,” Kakolowski told MSSP Alert. “However, we are seeing a significant divide in the industry. CISOs are increasingly viewed either as directors or executives, with proportionately fewer being regarded at the VP [vice president] level within organizations.”
He added that “AI and rapid digitization are making data more instrumental to revenue generation than ever. This is creating an environment in which the scope of the CISO role is expanding and, for many security leaders, creating opportunities for greater influence in the business.”
A Wide Range of CISO Pay
IANS’ sixth annual CISO Compensation Benchmark Report also showed a wide disparity in the pay packages, with total yearly compensation for the top 1% of CISOs starting at $3.2 million, or about 10 times the median and 20 times that of the 10% of CISOs at the bottom of the list. Because of the broad span of pay, highly experienced CISOs who head up large security operations at Fortune 100 companies often won’t see their pay reflected in reported averages because their earnings can be up to 10 times higher, the researchers found.
“Similarly, CISOs earlier in their careers often feel the opposite – that the reported averages seem inflated compared with their own earnings and those of CISOs with whom they network,” they wrote in the report.
There are a number of factors that play into this, with equity, the industry the CISOs work in, the scale of the organizations, and their experience top among them. For example, 70% of CISOs are with organizations that offer equity that becomes part of their compensation, with equity accounting for up to 50% of the pay package among top earners.
Tech, Financial Services Pay Best
But that varies by industry: about 70% of those in financial services, retail, and healthcare receive equity, compared with only 20% in education. CISOs in tech and financial services get the highest average compensation, hitting $844,000 and $744,000, respectively. Top earners also tend to oversee staffs of more than 100 people and budgets north of $50 million, and those with at least eight years of experience can earn 100% more than those with shorter tenures and less varied backgrounds.
In addition, 71% of CISOs receive executive perks, such as coverage under directors and officers insurance – a reflection of the growing legal and reputational risk in the job – deferred compensation plans, executive life insurance and health coverage, and executive training.
CISOs on the Move
There was also more movement among CISOs this year, with 15% of them changing employers, up from 11% in 2024 and the highest level in six years.
“However, switching roles was not always rewarded; those CISOs who stayed at their companies and took on expanded responsibilities saw an average compensation increase of 8.1%, compared to 5% among those who switched jobs,” the researchers wrote.
How companies view the role of CISOs varies. As Kakolowski noted, they’re seen either as directors or executives, with proportionately fewer regarded at the vice president level, even as CISOs themselves and others in the cybersecurity industry have pushed for several years for companies to elevate the position within their organizational charts.
“More CISOs are being recognized at that [executive] level – and we've seen security executives strengthening their connections with other business leaders,” he said. “There's been progress, but there are also many organizations that still view the CISO role as a back-office functional head and are showing few signs of changing that posture. The gradual disappearance of the VP-level CISO, particularly in relatively small and very large organizations, stands out. Organizations are getting entrenched in how they view security.”
Pay Can Ease Burnout Worry
The report from IANS and Artico also comes at a time of rising concern over the strain CISOs are feeling from the increasing pressure from both the expanding cyber threat landscape and the internal expectations of organizations’ executive leadership and boards of directors.
Reports earlier this month from Nagomi Security and RSAC highlighted the pressure CISOs feel and the risk of burning out. The Nagomi report found that almost half of CISOs said burnout had already affected their ability to plan for or respond to incidents, and at least 60% of those surveyed by RSAC said their mental or physical health had been affected by their job.
IANS’ Kakolowski said the level of compensation plays a role in how CISOs view their positions. “Our data shows CISOs with increased scope and commensurate rewards – both in terms of compensation and organizational influence – are satisfied in the role and enjoy how greater responsibility makes it easier to prioritize,” he said. “When CISOs see scope increases without related rewards or support systems, burnout tends to follow. The industry is uneven in creating adequate rewards and support for CISOs as the role expands.”