CISOs have reported the scope of their role has widened to encompass business concerns that extend beyond cybersecurity, but believe their compensation doesn't reflect this.
The 2025 State of the CISO report from IANS Research includes testimony from roughly 800 CISOs on the growing importance of the role, and the simultaneous growth in the role’s complexity and scope of responsibilities.
The report found that in addition to their traditional remit of InfoSec and digital risk, CISOs are increasingly being asked to look after other business domains such as digital strategy.
For example, 90% of CISOs said they had ownership of what might be considered their traditional domains including the organization’s security operations, architecture, and governance, as well as digital risk and compliance.
The majority (between 50 and 90%) also identified other elements of business risk, such as disaster recovery, business risk, and third-part risk management, as well as broader security concerns such as product security as falling under their remit too.
However, IANS noted a series of ‘emerging domains’ that 1-25% of CISOs reported were being added to their workload, including AI, M&A security, change management, IT due diligence, digital transformation, and innovation.
The report found the broader scope associated with the CISO role has not been reflected in their compensation, with just 3% of CISOs attributing salary raises to taking on further responsibilities.
IANS found that only when switching employers were CISOs more likely to see their additional workload reflected in their pay packet.
For example, 7% of CISOs said their growth in compensation was driven by a change in employers, a move which is often accompanied by taking on a larger role with more responsibilities, and this group received an average increase of 31%.
The vast majority of CISOs (70%), however, indicated any raises they received were annual merit-based increases, which on average were 6%.
CISOs taking ownership of IT unlikely to see meaningful pay rises
IANS identified three distinct segments among respondents in terms of their C-level access and boardroom influence, using the labels ‘strategic, functional, and tactical’.
Strategic CISOs, which accounted for 28% of the group are described as those who report directly to the CEO or at least have a high-ranking position in the C-suite hierarchy, and thus have significant influence across the organization.
This group also enjoys frequent interaction with the board, with quarterly meetings as the minimum, which IANS said promotes “mutual understanding and aligning on strategic priorities between the CISO and top leadership”.
The next group, which made up 50% of respondents, is referred to as the functional CISO. According to IANS’s taxonomy, functional CISOs excel in one of these areas but do not enjoy both C-suite access and boardroom engagement.
RELATED WHITEPAPER
The final 22% of respondents were described as tactical CISOs, who have waning executive-level access to a lower organizational rank and only sporadic boardroom engagements.
Comparing the compensation for these three groups, IANS found strategic CISOs were the best remunerated, with an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.
IANS noted that CISOs who oversee an organization's security as well as all of its IT functions, referred to as ‘dual CISOs’, are a surefire way to ensure increased compensation.
The study found that dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).
“This would seem to indicate taking on all of IT is highly rewarded, but being given some IT functions opportunistically—perhaps due to the departure of another IT executive or unclear lines of ownership between infosec and IT—is not a reliable path to higher compensation,”the report noted.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
IT professionals aren’t budging on flexible work demands – and more than half say they’ll quit if employers don’t meet expectationsNews Analysis from Randstad shows 40% of UK-based IT pros have quit over a lack of flexible work options, while 31% of workers globally have done the same.
-
IBM pledges support for UK government cyber skills programNews The CyberFirst Girls competition is aimed at increasing diversity in the cyber security workforce
-
The creator effect: Shaping the future of travelWhitepaper The way forward for the travel sector
-
Westcon-Comstor promotes Rene Klein to lead unified European businessNews Westcon-Comstor has announced the appointment of Rene Klein as executive vice president for EMEA.
-
How enterprises are adapting to personal liability rulesNews With the threat of personal liability for data breaches hanging over CISOs' heads, organizations are increasingly working to minimize the risk.
-
Tech firms eye temps to plug talent gapsNews The tech industry could be set for a spike in temporary hiring, according to a new study from recruitment firm Robert Walters.
-
Enterprises are doubling down on IT optimization strategies – and it’s delivering huge financial returnsNews Organizations that have cracked IT cost optimization and innovation reap the rewards both financially and in terms of time to market.
-
Public sector workers are sweating over AI security threatsNews Nearly a third of public sector IT professionals are seriously concerned about the security dangers of AI.
