CISOs are working harder than ever, but their pay isn’t keeping pace
Many CISOs are being asked to take on more responsibility for domains that would normally lie outside of their remit


CISOs have reported the scope of their role has widened to encompass business concerns that extend beyond cybersecurity, but believe their compensation doesn't reflect this.
The 2025 State of the CISO report from IANS Research includes testimony from roughly 800 CISOs on the growing importance of the role, and the simultaneous growth in the role’s complexity and scope of responsibilities.
The report found that in addition to their traditional remit of InfoSec and digital risk, CISOs are increasingly being asked to look after other business domains such as digital strategy.
For example, 90% of CISOs said they had ownership of what might be considered their traditional domains including the organization’s security operations, architecture, and governance, as well as digital risk and compliance.
The majority (between 50 and 90%) also identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit too.
However, IANS noted a series of ‘emerging domains’ that 1-25% of CISOs reported were being added to their workload, including AI, M&A security, change management, IT due diligence, digital transformation, and innovation.
The report found the broader scope associated with the CISO role has not been reflected in their compensation, with just 3% of CISOs attributing salary raises to taking on further responsibilities.
IANS found that only when switching employers were CISOs more likely to see their additional workload reflected in their pay packet.
For example, 7% of CISOs said their growth in compensation was driven by a change in employers, a move which is often accompanied by taking on a larger role with more responsibilities, and this group received an average increase of 31%.
The vast majority of CISOs (70%), however, indicated any raises they received were annual merit-based increases, which on average were 6%.
CISOs taking ownership of IT unlikely to see meaningful pay rises
IANS identified three distinct segments among respondents in terms of their C-level access and boardroom influence, using the labels ‘strategic, functional, and tactical’.
Strategic CISOs, who accounted for 28% of the group, are described as those who report directly to the CEO or at least have a high-ranking position in the C-suite hierarchy, and thus have significant influence across the organization.
This group also enjoys frequent interaction with the board, with quarterly meetings as the minimum, which IANS said promotes “mutual understanding and aligning on strategic priorities between the CISO and top leadership”.
The next group, which made up 50% of respondents, is referred to as the functional CISO. According to IANS’s taxonomy, functional CISOs excel in one of these areas but do not enjoy both C-suite access and boardroom engagement.
The final 22% of respondents were described as tactical CISOs, who have waning executive-level access to a lower organizational rank and only sporadic boardroom engagements.
Comparing the compensation for these three groups, IANS found strategic CISOs were the best remunerated, with an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.
IANS noted that overseeing an organization's security as well as all of its IT functions, a role referred to as the ‘dual CISO’, is a surefire way to ensure increased compensation.
The study found that dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).
“This would seem to indicate taking on all of IT is highly rewarded, but being given some IT functions opportunistically—perhaps due to the departure of another IT executive or unclear lines of ownership between infosec and IT—is not a reliable path to higher compensation,” the report noted.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.