CISOs are working harder than ever, but their pay isn’t keeping pace
Many CISOs are being asked to take on more responsibility for domains that would normally lie outside of their remit
CISOs have reported the scope of their role has widened to encompass business concerns that extend beyond cybersecurity, but believe their compensation doesn't reflect this.
The 2025 State of the CISO report from IANS Research includes testimony from roughly 800 CISOs on the growing importance of the role, and the simultaneous growth in the role’s complexity and scope of responsibilities.
The report found that in addition to their traditional remit of InfoSec and digital risk, CISOs are increasingly being asked to look after other business domains such as digital strategy.
For example, 90% of CISOs said they had ownership of what might be considered their traditional domains including the organization’s security operations, architecture, and governance, as well as digital risk and compliance.
The majority (between 50 and 90%) also identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit too.
However, IANS noted a series of ‘emerging domains’ that 1-25% of CISOs reported were being added to their workload, including AI, M&A security, change management, IT due diligence, digital transformation, and innovation.
The report found the broader scope associated with the CISO role has not been reflected in their compensation, with just 3% of CISOs attributing salary raises to taking on further responsibilities.
IANS found that only when switching employers were CISOs more likely to see their additional workload reflected in their pay packet.
For example, 7% of CISOs said their growth in compensation was driven by a change in employers, a move which is often accompanied by taking on a larger role with more responsibilities, and this group received an average increase of 31%.
The vast majority of CISOs (70%), however, indicated any raises they received were annual merit-based increases, which on average were 6%.
CISOs taking ownership of IT unlikely to see meaningful pay rises
IANS identified three distinct segments among respondents in terms of their C-level access and boardroom influence, using the labels ‘strategic, functional, and tactical’.
Strategic CISOs, who accounted for 28% of the group, are described as those who report directly to the CEO or at least have a high-ranking position in the C-suite hierarchy, and thus have significant influence across the organization.
This group also enjoys frequent interaction with the board, with quarterly meetings as the minimum, which IANS said promotes “mutual understanding and aligning on strategic priorities between the CISO and top leadership”.
The next group, which made up 50% of respondents, is referred to as the functional CISO. According to IANS’s taxonomy, functional CISOs excel in one of these areas but do not enjoy both C-suite access and boardroom engagement.
The final 22% of respondents were described as tactical CISOs, who have waning executive-level access to a lower organizational rank and only sporadic boardroom engagements.
Comparing the compensation for these three groups, IANS found strategic CISOs were the best remunerated, with an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.
IANS noted that overseeing an organization's security as well as all of its IT functions, a role referred to as ‘dual CISO’, is a surefire way to ensure increased compensation.
The study found that dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).
“This would seem to indicate taking on all of IT is highly rewarded, but being given some IT functions opportunistically—perhaps due to the departure of another IT executive or unclear lines of ownership between infosec and IT—is not a reliable path to higher compensation,” the report noted.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.