CISOs are working harder than ever, but their pay isn’t keeping pace
Many CISOs are being asked to take on more responsibility for domains that would normally lie outside of their remit


CISOs have reported the scope of their role has widened to encompass business concerns that extend beyond cybersecurity, but believe their compensation doesn't reflect this.
The 2025 State of the CISO report from IANS Research includes testimony from roughly 800 CISOs on the growing importance of the role, and the simultaneous growth in the role’s complexity and scope of responsibilities.
The report found that in addition to their traditional remit of InfoSec and digital risk, CISOs are increasingly being asked to look after other business domains such as digital strategy.
For example, 90% of CISOs said they had ownership of what might be considered their traditional domains including the organization’s security operations, architecture, and governance, as well as digital risk and compliance.
The majority (between 50 and 90%) also identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit too.
However, IANS noted a series of ‘emerging domains’ that 1-25% of CISOs reported were being added to their workload, including AI, M&A security, change management, IT due diligence, digital transformation, and innovation.
The report found the broader scope associated with the CISO role has not been reflected in their compensation, with just 3% of CISOs attributing salary raises to taking on further responsibilities.
IANS found that only when switching employers were CISOs more likely to see their additional workload reflected in their pay packet.
For example, 7% of CISOs said their growth in compensation was driven by a change in employers, a move which is often accompanied by taking on a larger role with more responsibilities, and this group received an average increase of 31%.
The vast majority of CISOs (70%), however, indicated any raises they received were annual merit-based increases, which on average were 6%.
CISOs taking ownership of IT unlikely to see meaningful pay rises
IANS identified three distinct segments among respondents in terms of their C-level access and boardroom influence, using the labels ‘strategic, functional, and tactical’.
Strategic CISOs, which accounted for 28% of the group, are described as those who report directly to the CEO or at least have a high-ranking position in the C-suite hierarchy, and thus have significant influence across the organization.
This group also enjoys frequent interaction with the board, with quarterly meetings as the minimum, which IANS said promotes “mutual understanding and aligning on strategic priorities between the CISO and top leadership”.
The next group, which made up 50% of respondents, is referred to as the functional CISO. According to IANS’s taxonomy, functional CISOs excel in one of these areas but do not enjoy both C-suite access and boardroom engagement.
The final 22% of respondents were described as tactical CISOs, who have waning executive-level access to a lower organizational rank and only sporadic boardroom engagements.
Comparing the compensation for these three groups, IANS found strategic CISOs were the best remunerated, with an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.
IANS noted that overseeing an organization's security as well as all of its IT functions, a role referred to as the ‘dual CISO’, is a surefire way to ensure increased compensation.
The study found that dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).
“This would seem to indicate taking on all of IT is highly rewarded, but being given some IT functions opportunistically—perhaps due to the departure of another IT executive or unclear lines of ownership between infosec and IT—is not a reliable path to higher compensation,” the report noted.
Solomon Klappholz is a former Staff Writer at ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.