CISO Salary Surge: Fewer Job Changes, Bigger Paychecks for Experienced Cybersecurity Leaders

CISO salaries are getting higher and experience counts. Average annual compensation for these cybersecurity leaders is more than $550K.

CISO Boardroom

CISOs are getting paid more and moving less – and experience counts. The average annual compensation package for these cybersecurity leaders is more than $550K, and ‘top’ CISOs’ earnings can be above $1 million a year.

IANS Research and Artico Search queried 755 CISOs (699 of whom work in the US and Canada) for their fifth annual CISO Compensation Report. The key finding is that annual compensation for US CISOs is now $565K. The top 25% of earners receive more than $620K, the top 10% receive more than $1M, and the top 1% receive around $3M.

Reaching the upper brackets of remuneration is not easy. It’s a complex combination of the company vertical and the CISO’s experience. For example, the highest total remuneration package ($721K) is found in the tech sector, followed by financial services ($705K). The cash element of these packages is reversed, with financial services paying $495K and tech paying $407K. Education retains its vocational element, since the total remuneration is a ‘meager’ $243K.

CISO Salaries

Experience is also important. “Two-thirds of CISOs with top-quartile compensation have at least eight years’ tenure, 69% have held the top security job at multiple companies and 61% have cross-industry experience,” notes the report. “Our CISO compensation analysis found tenured CISOs (with eight to 15 years of CISO experience) who held CISO or senior security leader positions at more than two companies enjoy a 61% compensation advantage over CISOs who haven’t changed employers during their tenure as CISO.”

CISO Salaries by Vertical

The report also notes that fewer companies are seeking a new CISO, and fewer CISOs are seeking a new company: CISO rotation dropped from 21% in 2022 to a projected 11% in 2024. It isn’t clear whether the slower CISO churn reflects the general post-pandemic economic situation (if you’ve got a job, hang on to it), or indicates a growing maturity in the security marketplace. 

Nevertheless, 75% of CISOs are still considering or open to new opportunities: CISOs remain open to a move, but fewer are making one. This may be related to watching the balance between potential pay increases from moving and retention incentives for staying. Thirty-one percent of CISOs reported a compensation boost through changing employers in 2024, while an equal 31% reported an incentive boost for staying. The report’s remuneration analysis also suggests that changing companies (provided it is not too frequent) may boost future earnings capacity.


One thing is clear – the complexity and responsibility of the CISO role are continuing to grow. “Over the last ten years, we’ve consistently seen the security function elevated to a business function rather than a back-office cost center,” comments Steve Martano of the IANS Faculty and a partner at Artico Search. “Consequently, we’re seeing CISOs command perks aligned with executive leadership team benefits. This may include severance clauses, being named on the D&O insurance and equity-heavy compensation packages.”

It’s taken a long time, but despite the title ‘Chief IS Officer’, it is only relatively recently that businesses have been treating CISOs as genuine and full members of the C-Suite. This is further confirmed by the increasing inclusion of the CISO in the company Directors and Officers (D&O) insurance, which, in turn, may have been spurred by the SEC’s growing willingness in 2023 to hold individual CISOs liable for their security actions or failures. The SEC’s power has since been confused by SCOTUS overturning the Chevron Doctrine in July 2024, but it is very likely that these events have made companies realize the full importance of the CISO to their business.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
