CISO Pay Increases Are Slowing – a Look Behind the Figures

How much do CISOs make? Survey provides compensation trends for Chief Information Security Officers, but don’t take surveys at full face value.

CISO compensation levels are growing more slowly than in recent years. Security budget increases are even more deflated this year.

The details come from a new survey by information security advisory specialist IANS Research and high-level recruitment firm Artico Search. In April 2023, more than 600 US and Canadian security executives were queried for the fourth annual CISO Compensation and Budget survey (PDF summary). The companies concerned varied in size, sector, and location.

The headline takeaways from this survey are: the average CISO total compensation increase was 11% (down from 14% in the previous year); 20% of CISOs did not receive a raise (double that of the previous year); and retention and equity packages were received by only 12% (down from 21%) and 8% (down from 24%) of CISOs respectively.

Nick Kakolowski, Senior Research Director at IANS, comments, “Commensurate compensation increases aren’t extending into the middle and lower quartiles of the market. We expect CISOs to seek change as a result – something evidenced in 75% of respondents saying they are considering a job change in the next 12 months.” It is worth noting, however, that compensation is only one of several causes that lead CISOs to change jobs (something SecurityWeek calls The CISO Carousel). It’s a stretch to link this carousel directly and solely to compensation.

It is further worth considering the 2023 Security Budget Benchmark Report, produced by the IANS/Artico partnership and compiled in September 2023. According to this report, security budgets have increased by 6% “following double-digit increases in 2020 and 2021”. In greater detail, more than one-third of CISOs (37%) “reported flat or declining security budgets, year-over-year.”

“More than one-third of security budgets are typically dedicated to staff compensation, so when budgets are tightened, it has an effect on CISO compensation,” says Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice. This partly explains the lower than usual compensation increases. He adds, “Until the market opens up with more options, we recommend that CISOs work on their marketability by strengthening their personal brand, elevating their competence in business acumen and their executive presence to position themselves strongly with prospective employers.”

But the reality of the situation is that while CISO compensation is not increasing as fast as in previous years, it is still increasing at a faster rate than the overall security budget – and that same compensation package is taking even more out of the security budget.

Rather than “strengthening their personal brand”, most CISOs are likely more concerned with a well-known CISO problem: how to accomplish more with less.

SecurityWeek has some concerns about the validity of surveys in general (see Can You Trust Security Vendor Surveys?). For example, areas not well covered in this survey include the compensation difference between small-firm and large-firm CISOs, and the relationship with additional responsibilities.

Does a CISO who is also a board member receive higher compensation? Does a combined CISO/CTO, or CISO/CIO, or a Field CISO receive different compensation? The respondents to this survey are described as ‘security executives’ – does this include CSOs? CSOs are sometimes also responsible for elements of physical security as well as cybersecurity, and the additional responsibility could, or perhaps should, be reflected in the compensation received. It is not clear whether different CISO job descriptions affect differences in compensation increases.

Such concerns do not negate the survey itself — but we urge all security people to not immediately take surveys at full face value. Our own preference is to talk to individual CISOs about their role and responsibilities — and the huge difference between different types of CISO can be seen in SecurityWeek’s CISO Conversations series.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
