Key Takeaways
- Median CISO base salary at private companies runs $290,000 to $310,000 in 2026 according to IANS Research and Artico Search, while public company CISOs earn $400,000 to $420,000 in base with total cash compensation approaching $520,000 when bonuses are included.
- Fully loaded annual employment cost for a CISO earning $325,000 in base reaches $430,000 to $490,000 when payroll taxes, executive benefits, equity administration, and overhead are included.
- Executive search fees for a CISO role typically run 30 to 35% of first-year compensation, adding $97,000 to $175,000 to the cost of a hire, with average time-to-fill stretching 90 to 180 days.
- CISO average tenure is 2.5 to 3 years, significantly shorter than most C-suite roles, and each replacement cycle costs an estimated 1.5 to 2.0 times annual base salary when search fees, vacancy cost, and ramp time are factored in.
- Fractional and virtual CISO services cost $5,000 to $25,000 per month depending on scope, representing 50 to 80% savings over a fully loaded full-time CISO for companies that do not yet need a dedicated security executive.
- The global cybersecurity workforce gap stands at 4.8 million unfilled positions according to (ISC)2, creating a persistent talent shortage that inflates CISO compensation 15 to 25% above comparable C-suite roles in non-technical functions.
Most boards approve a CISO search based on base salary alone. That figure captures less than two-thirds of what the hire will actually cost in the first year. Add executive search fees, sign-on bonuses, equity grants, D&O insurance adjustments, benefits, and the cost of a 90-to-180-day search while the seat sits vacant, and the true first-year investment for a mid-market CISO clears $550,000 to $700,000 before the first security review is complete.
The figures below draw from the IANS Research and Artico Search 2025 CISO Compensation and Hiring Trends report, the (ISC)2 2024 Cybersecurity Workforce Study, Heidrick & Struggles executive search data, Korn Ferry compensation surveys, BLS Occupational Employment Statistics, Glassdoor, ZipRecruiter, and Equilar executive compensation benchmarks. Whether you are budgeting for your first CISO, benchmarking a current package, or evaluating a fractional model, the data here is specific enough to anchor real decisions.
What CISOs and CSOs Actually Earn: Base Salary by Company Size and Sector
Role Definitions
The terms Chief Security Officer (CSO) and Chief Information Security Officer (CISO) are used interchangeably at most companies, though they carry different scope at larger enterprises. A CISO focuses exclusively on information security: data protection, cybersecurity strategy, risk management, compliance, and incident response. A CSO at a larger organization may hold both information security and physical security responsibilities under one title.
For compensation purposes, the two roles are benchmarked together except at companies with revenue above $5 billion, where a CSO with both mandates typically earns 15 to 25% more than a CISO with an information-security-only scope.
The BLS classifies most CISOs under Occupational Code 11-3021, Computer and Information Systems Managers. The median annual wage for this broad category is $169,510 as of the May 2024 Occupational Employment Statistics release. That figure includes IT managers at all levels and understates what a dedicated C-suite security executive earns. The top 10% of workers in this category earn more than $239,200, and working CISOs at public companies are concentrated well above that threshold.
Salary by Company Revenue and Employment Stage
The IANS Research and Artico Search 2025 CISO Compensation and Hiring Trends report, based on responses from 547 active CISOs across the United States, is the most granular public benchmark available. Key findings:
| Company Type | Median Base Salary | Median Total Cash Compensation |
|---|---|---|
| Private company (all sizes) | $301,000 | $368,000 |
| Public company (all sizes) | $413,000 | $521,000 |
| Private, under $100M revenue | $243,000 | $289,000 |
| Private, $100M to $500M revenue | $305,000 | $374,000 |
| Private, $500M to $1B revenue | $351,000 | $443,000 |
| Public, under $1B market cap | $358,000 | $452,000 |
| Public, $1B to $10B market cap | $421,000 | $538,000 |
| Public, above $10B market cap | $489,000 | $641,000 |
Source: IANS Research and Artico Search, 2025 CISO Compensation and Hiring Trends (547 US CISO respondents).
Year-over-year, median CISO base salary grew approximately 9% from 2024 to 2025, outpacing general executive compensation growth of 5 to 6% over the same period. The gap reflects the sustained undersupply of qualified security executives relative to demand.
Salary by Industry Sector
Industry vertical has a significant effect on CISO compensation because regulatory exposure, breach liability, and the strategic importance of security differ sharply across sectors.
| Industry Sector | Median CISO Base Salary |
|---|---|
| Financial services and banking | $365,000 to $475,000 |
| Healthcare and life sciences | $295,000 to $390,000 |
| Technology and software | $310,000 to $450,000 |
| Defense and government contracting | $260,000 to $370,000 |
| Retail and consumer goods | $245,000 to $335,000 |
| Manufacturing and industrials | $235,000 to $310,000 |
| Professional services | $255,000 to $345,000 |
| Nonprofit and education | $185,000 to $270,000 |
Source: Korn Ferry 2025 CISO Compensation Survey; Heidrick & Struggles 2024 CISO Report.
Financial services CISOs earn a significant premium because they face the most demanding regulatory environment (PCI-DSS, SOX, GLBA, FFIEC), the highest breach penalties, and scrutiny from both regulators and boards that treat cybersecurity as an enterprise risk management issue rather than an IT function. Healthcare CISOs face a similar dynamic under HIPAA and the increasing frequency of ransomware attacks targeting patient data.
Salary by Experience and Credentials
| Experience Profile | Typical Base Range |
|---|---|
| First-time CISO (promoted from VP/Director) | $210,000 to $290,000 |
| CISO with 3 to 7 years in the role | $290,000 to $390,000 |
| Serial CISO (multiple companies, post-breach credibility) | $380,000 to $520,000 |
| CISO with board reporting and public company experience | $420,000 to $600,000+ |
| CISO at Fortune 500 level | $500,000 to $800,000+ |
Credentials that carry a measurable premium include CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), and an MBA or advanced degree in technology management. CISSP holders in executive roles command 12 to 18% more than non-credentialed peers at comparable organizations, according to (ISC)2 workforce data.
Total Compensation: Bonus, Equity, and Long-Term Incentives
Base salary is the floor, not the ceiling, of CISO compensation at most companies above $50 million in revenue. Annual cash bonuses and long-term equity awards frequently add 50 to 150% on top of base for executives at public companies.
Annual Performance Bonuses
CISO annual cash bonuses are typically structured as a percentage of base salary tied to cybersecurity program metrics, board-level risk reduction goals, and company-wide financial performance:
| Company Type | Target Bonus as % of Base | Typical Range |
|---|---|---|
| Private company, under $100M revenue | 15 to 20% | $36,000 to $58,000 |
| Private company, $100M to $500M revenue | 20 to 30% | $61,000 to $92,000 |
| Public company, under $1B market cap | 30 to 50% | $107,000 to $179,000 |
| Public company, $1B to $10B market cap | 40 to 75% | $168,000 to $316,000 |
| Public company, above $10B market cap | 50 to 100% | $245,000 to $489,000 |
Source: IANS Research and Artico Search 2025; Korn Ferry CISO Compensation Survey 2025.
Equity Compensation
Equity is where CISO total compensation diverges most sharply across company stages. At pre-IPO companies, CISOs often receive 0.1 to 0.5% of equity on a four-year vesting schedule; at public companies, restricted stock unit (RSU) grants are the norm.
| Company Stage | Equity Structure | Estimated Annual Value |
|---|---|---|
| Seed to Series B startup | 0.15 to 0.5% equity, 4-year vest | Illiquid, dependent on exit |
| Series C to pre-IPO | 0.05 to 0.15% equity, RSUs | $150,000 to $600,000+ at target valuation |
| Public, small-cap | Annual RSU grant | $75,000 to $200,000/year |
| Public, mid-cap | Annual RSU grant | $175,000 to $450,000/year |
| Public, large-cap / Fortune 500 | Annual RSU grant | $400,000 to $1,500,000+/year |
Source: Equilar CISO Pay Trends; Korn Ferry 2025.
Equilar analysis of proxy disclosures at S&P 500 companies shows that CISO total compensation including equity averaged $2.1 million in 2024 at large-cap companies, with a wide range from $900,000 to over $5 million for CISOs at companies where security is considered a competitive differentiator (financial services, cloud infrastructure, defense technology).
Sign-On and Retention Packages
Because CISO tenure averages only 2.5 to 3 years and the search process is long, companies frequently sweeten offers with sign-on bonuses and retention agreements. Sign-on bonuses typically run $50,000 to $200,000, structured as a clawback if the executive departs within 24 months. Retention bonuses of $75,000 to $300,000 are payable at the 18- to 24-month mark. Some agreements also include partial acceleration of unvested equity if the CISO is terminated without cause, which protects the executive from absorbing transition risk when a breach or strategic pivot triggers a leadership change.
The True Cost of a CISO: Fully Loaded Employment Cost
Fully Loaded Cost at Three Salary Points
The employer's cost of a CISO extends significantly beyond the salary check. For every dollar of base salary, a C-suite executive typically costs the employer an additional 30 to 50 cents in taxes, benefits, overhead, and non-cash compensation. The table below models three scenarios: a first-time CISO at a mid-size private company, an experienced CISO at a growth-stage company, and a senior CISO at a public mid-cap.
| Cost Component | Scenario A: $250K Base | Scenario B: $325K Base | Scenario C: $450K Base |
|---|---|---|---|
| Base salary | $250,000 | $325,000 | $450,000 |
| Employer payroll taxes (FICA + FUTA) | $21,500 | $26,000 | $33,000 |
| Health/dental/vision (executive tier) | $20,000 | $22,000 | $25,000 |
| 401(k) match (4 to 6%) | $10,000 | $13,000 | $18,000 |
| Life and D&O insurance incremental | $8,000 | $12,000 | $18,000 |
| Paid leave value (25 days + 10 holidays) | $35,000 | $45,500 | $63,000 |
| Annual performance bonus (paid) | $42,500 | $78,000 | $180,000 |
| Equipment, travel, security clearance | $8,000 | $10,000 | $15,000 |
| Professional memberships and conferences | $5,000 | $6,000 | $8,000 |
| Total fully loaded annual cost | $400,000 | $537,500 | $810,000 |
Sources: IRS Publication 15 (2025); Kaiser Family Foundation 2024 Employer Health Benefits Survey; BLS Employer Costs for Employee Compensation; IANS Research 2025.
Note: equity grants are excluded from the table because they are non-cash at private companies and valued separately at public companies. At public mid-cap companies where RSU grants average $250,000 per year, Scenario C's total annual cost including equity exceeds $1,050,000.
Executive Search Fees and Time to Fill
Search Firm Fees
CISO is one of the most competitive and specialized searches in the executive talent market. All major placements at mid-market and enterprise companies go through retained executive search firms. Contingency arrangements are rare because the candidate pool is largely composed of passive candidates who are not actively applying to job postings.
| Search Model | Fee Structure | Cost Range on $325K Base |
|---|---|---|
| Retained executive search (standard) | 30 to 33% of first-year cash comp | $97,500 to $107,250 |
| Retained search with retained success fee | 33 to 35% of first-year cash comp | $107,250 to $113,750 |
| Internal HR-led search with specialist sourcer | Direct costs only | $30,000 to $60,000 |
| Interim placement while search runs | $150 to $350/hour for interim CISO | $60,000 to $140,000 for 6-month gap |
The leading CISO search firms in 2026 include Heidrick & Struggles, Spencer Stuart, Korn Ferry, Russell Reynolds Associates, and a number of cybersecurity-focused boutiques. Retained search fees are typically split into three equal installments: at engagement start, at candidate shortlist delivery, and at offer acceptance.
Time to Fill
Heidrick & Struggles data from 2024 and 2025 CISO placement activity shows a median time-to-fill of 107 days from search launch to accepted offer. Fast-fill searches in the lower quartile close in 72 days; searches in difficult markets run 163 days or more.
Several factors push searches past the median. Narrow sector specialization requirements, such as needing a financial services CISO with SWIFT regulatory experience, immediately shrink the candidate pool. Board-level interview requirements add rounds. Competition from peer company CISO searches running simultaneously forces longer response timelines on candidates weighing multiple offers. And at public companies, RSU grants require compensation committee approval before an offer can be finalized, adding two to four weeks to the process.
During a 107-day search on a $325,000 base, the vacancy cost in foregone output is approximately $95,000 at salary-equivalent. Add the retained search fee and interim coverage, and the one-time cost of a CISO search routinely runs $175,000 to $300,000 before the new hire arrives.
Onboarding and Ramp Time
A newly placed CISO is not operating at full effectiveness on day one. The first 90 days are typically spent conducting a security posture assessment, meeting the board and key stakeholders, inventorying technology assets and risks, and mapping the regulatory obligations the company faces. CISOs report needing 90 to 180 days before they have genuine command of the environment and are operating at full productivity.
During that ramp, security programs may see slowed decision-making, deferred vendor renewals, and delayed risk remediation projects. The cost of reduced output during ramp is difficult to quantify precisely but is a real operational consideration, particularly when the CISO role was previously vacant due to a departure under adverse circumstances.
Tenure, Turnover, and Replacement Cost
CISO Tenure Is Short
The CISO role carries the shortest average tenure of any C-suite function. Heidrick & Struggles' 2024 CISO report found average tenure of 2.6 years across US companies of all sizes. By comparison, average CEO tenure runs 6 to 8 years and CFO tenure averages 4 to 5 years.
The drivers of short tenure are well-documented:
- A CISO who oversees a material breach faces personal reputational damage that makes internal recovery difficult even when the organization keeps them
- The role demands continuous high-stakes vigilance with 24/7 incident response accountability and growing board scrutiny, which burns through executives faster than most C-suite positions
- CISOs with a strong track record get aggressively recruited by competitors, often at 30 to 50% total compensation increases
- CISOs hired to build programs at security-immature organizations tend to leave once the gap between their program ambitions and the organization's actual budget becomes unbridgeable
Annual Turnover Rate
The combined voluntary and involuntary CISO turnover rate runs approximately 25 to 30% per year, based on Heidrick & Struggles and LinkedIn workforce data for US companies above $100 million in revenue. A 30% annual turnover rate on a position with a 107-day average time-to-fill means companies are managing a CISO transition on average every 3.3 years, and the search-to-productivity cycle occupies roughly 9 to 15 months of every employment cycle.
Replacement Cost
| Replacement Cost Component | Estimate |
|---|---|
| Executive search fee (30 to 33% of $325K base) | $97,500 to $107,250 |
| Vacancy carry cost (107 days) | $95,000 |
| Interim/fractional CISO during search | $60,000 to $120,000 |
| Onboarding and ramp cost (90 days reduced output) | $40,000 to $80,000 |
| Security program disruption (deferred projects) | $50,000 to $150,000 |
| Total estimated replacement cost | $342,500 to $552,250 |
Equivalent to approximately 1.05 to 1.70 times annual base salary at the $325,000 midpoint.
The replacement cost calculation above excludes breach risk amplification during a leadership gap. Companies without a CISO or with an interim CISO are statistically more vulnerable to incidents that are not detected or escalated on normal timelines. IBM Security's Cost of a Data Breach Report 2024 found the average cost of a US data breach at $9.36 million, making even a marginally elevated breach probability during a transition period a significant financial risk.
Fractional and Virtual CISO: Cost and Capability Comparison
What a Virtual CISO Costs
The virtual CISO (vCISO) or fractional CISO model engages an experienced security executive on a part-time, retainer basis. The engagement covers strategic security leadership, board reporting, policy governance, vendor oversight, and regulatory compliance work without the overhead of a full-time C-suite hire.
Fractional CISO pricing in 2026 by company complexity and engagement level:
| Engagement Profile | Monthly Retainer | Annual Cost |
|---|---|---|
| Advisory only (4 to 8 hours/month) | $5,000 to $10,000 | $60,000 to $120,000 |
| SMB fractional (1 day/week, policy + compliance) | $8,000 to $15,000 | $96,000 to $180,000 |
| Growth-stage active engagement (2 to 3 days/week) | $12,000 to $20,000 | $144,000 to $240,000 |
| Mid-market near-full-time fractional | $18,000 to $30,000 | $216,000 to $360,000 |
Source: vCISO market rate data; Optiv, CyberSaint, and independent vCISO provider pricing surveys, 2025-2026.
Hourly rates for vCISO work from independent practitioners run $300 to $600 per hour depending on credentials, sector specialization, and the seniority of board access required.
Full-Time vs. Fractional: Direct Cost Comparison
| Cost Component | Full-Time CISO (Mid-Market) | Fractional CISO (Active Engagement) |
|---|---|---|
| Base compensation | $325,000 | $0 (included in retainer) |
| Employer payroll taxes | $26,000 | $0 |
| Executive benefits | $55,000 | $0 |
| Annual performance bonus | $78,000 | $0 |
| Service fee / retainer | $0 | $180,000 ($15,000/month) |
| Search and onboarding (amortized over 2.5 years) | $138,000 | $0 |
| Total annual cost | $622,000 | $180,000 |
| Fractional savings | | $442,000 (71% less) |
Sources: IANS Research 2025; vCISO market data; IRS Publication 15 (2025).
The comparison above reflects an active engagement at $15,000 per month. The savings compress as the fractional engagement hours increase. At $25,000 per month, the fractional model costs $300,000 annually, which is still less than the fully loaded cost of a full-time CISO, but the gap narrows significantly and the board's access to dedicated leadership is still materially less than a full-time arrangement.
When the Fractional Model Works and When It Doesn't
The vCISO model works best for organizations that need board-level security reporting, written security program documentation, vendor risk management, and compliance framework alignment but do not need an executive-level security presence in the building more than a few days per week.
It works well for:
- Companies under $50 million in revenue without a regulated data mandate
- Companies completing SOC 2, ISO 27001, or HIPAA certification for the first time
- Companies that recently hired a strong security manager and need strategic leadership above that person
- PE-backed companies preparing for exit and needing to pass security diligence
The fractional model strains under:
- Active ransomware response or post-breach remediation requiring on-site presence
- Board or investor reporting cadences that require availability beyond retainer hours
- Companies with more than 500 employees where security culture requires internal leadership visibility
- Regulated industries with consent orders or MRA (Matters Requiring Attention) remediation requiring a named executive accountable to regulators
The Cyber Talent Shortage Premium
Scale of the Gap
The (ISC)2 2024 Cybersecurity Workforce Study found a global gap of 4.8 million unfilled cybersecurity positions, with the US gap estimated at approximately 530,000 positions. The gap at the executive level is structurally more acute because the pipeline from senior practitioner to CISO is long and narrow. A CISO with enterprise experience, board presentation credentials, a verified track record through a material incident, and the communication skills to operate at the C-suite level is genuinely rare.
What the Shortage Costs You
Korn Ferry analysis quantifies the cybersecurity talent shortage premium at senior levels:
- CISO compensation has grown at 8 to 12% per year for the past five consecutive years, compared to 4 to 6% for C-suite peers in non-technical functions
- The premium a company must pay above its internal compensation bands to attract a passive CISO candidate runs 25 to 40% above the candidate's current total cash
- Companies that attempt to fill the CISO seat from an internal security manager without a CISO track record pay 20 to 30% below market on the first hire, then absorb replacement search costs when that person transitions out of the role in 12 to 18 months due to scope mismatch
Certifications and the Shortage
The CISSP remains the most widely required credential for enterprise CISO roles. (ISC)2 reported approximately 156,000 active CISSP holders in the United States as of 2024. Demand for credentialed security executives significantly outpaces supply in financial services, healthcare, and critical infrastructure, which is one structural reason CISO compensation in those sectors runs 20 to 30% above the all-industry median.
CISO Salary by Geography
City and regional labor markets create meaningful variation in CISO base salaries. The highest-cost markets carry premiums of 20 to 35% above the national median:
| Metro Market | CISO Salary Premium / Discount vs. National Median |
|---|---|
| San Francisco / Bay Area | +30 to +40% |
| New York City | +25 to +35% |
| Seattle / Bellevue | +20 to +28% |
| Washington, DC / Northern Virginia | +15 to +25% |
| Boston / Cambridge | +12 to +20% |
| Chicago | +5 to +12% |
| Austin, TX | 0 to +8% |
| Dallas / Fort Worth | -3 to +5% |
| Atlanta, GA | -5 to 0% |
| Phoenix, AZ | -8 to -3% |
| Midwest and Southeast non-hub cities | -10 to -20% |
Source: Glassdoor CISO salary data (2025); ZipRecruiter CISO compensation data (2025-2026).
Northern Virginia commands a premium in the national security and defense contracting corridor, where TS/SCI clearance holders are scarce and cleared CISO demand is acute. Bay Area and New York premiums reflect both general cost of living and the concentration of financial technology, venture-backed companies, and regulated enterprises in those markets.
When to Hire a Full-Time CISO vs. Use a Fractional Arrangement
The decision between a full-time CISO and a fractional engagement is primarily a question of security program maturity, regulatory obligations, board visibility expectations, and budget. The table below provides practical guidance, not a rigid rule.
| Scenario | Recommended Approach |
|---|---|
| Under $10M revenue, no regulated data | Part-time security consultant or IT manager with CISO coaching |
| $10M to $50M revenue, early compliance needs (SOC 2, HIPAA) | vCISO at advisory retainer ($5K to $10K/month) |
| $50M to $150M revenue, active security program needed | Active fractional CISO ($12K to $20K/month) or first-time full-time CISO hire |
| $150M to $500M revenue, material regulatory obligations | Full-time CISO required; fractional is a bridge at best |
| Public company or heavily regulated (FINRA, HIPAA, CMMC) | Full-time CISO, typically with deputy or VP of Security staff |
| Post-breach remediation or consent order | Full-time dedicated CISO; fractional does not satisfy regulatory expectations |
| Pre-IPO (12 to 18 months out) | Full-time CISO with public company readiness experience |
The most common and costly mistake at the $50M to $150M stage is believing a fractional arrangement satisfies the board's and investors' expectations for dedicated security leadership. A security incident during that window with only a fractional CISO on contract creates both a remediation challenge and a governance narrative problem that a full-time hire would not.
For related research on cybersecurity team costs and executive time allocation, see the research on the cost of hiring a cybersecurity analyst, CISO time management statistics, and the cost of hiring a chief of staff.
Key Takeaways
- The median CISO base salary at private US companies is $301,000 in 2026 per IANS Research and Artico Search, with total cash compensation averaging $368,000. Public company CISOs earn $413,000 in median base and $521,000 in total cash.
- Fully loaded annual employment cost for a CISO earning $325,000 in base runs $537,000 to $622,000 per year when payroll taxes, executive benefits, annual bonus, and amortized search fees are included. Equity grants add $150,000 to $500,000 or more at mid-cap public companies.
- Executive search fees for a CISO run 30 to 35% of first-year cash compensation, adding $97,000 to $175,000 to the cost of a hire. Average time-to-fill is 107 days, creating a six-figure vacancy cost on top of search fees.
- CISO tenure averages 2.6 years, the shortest of any C-suite role. Each replacement cycle costs an estimated $342,000 to $552,000 in search, vacancy, interim coverage, and ramp costs, equivalent to 1.0 to 1.7 times annual base salary.
- Fractional vCISO services cost $5,000 to $30,000 per month depending on engagement scope, representing 50 to 75% savings over a fully loaded full-time CISO for companies that do not require dedicated executive security leadership on a daily basis.
- The global cybersecurity workforce gap of 4.8 million per (ISC)2 2024 data creates a persistent talent scarcity premium of 8 to 12% per year in CISO compensation growth, making this one of the fastest-appreciating C-suite roles in the market.
Frequently Asked Questions
What does a Chief Security Officer earn in 2026?
A CISO at a private US company earns a median base salary of $301,000 according to IANS Research and Artico Search 2025 data. Total cash compensation including annual bonus averages $368,000. Public company CISOs earn significantly more, with a median base of $413,000 and median total cash of $521,000. Compensation varies substantially by company size, industry sector, and geography, with financial services and technology companies paying the highest premiums.
What is the fully loaded cost of hiring a CISO?
At a $325,000 base salary, the total annual employment cost including payroll taxes, executive-tier benefits, annual performance bonus, and overhead runs $537,000 to $622,000. If the company grants equity (standard at public companies), the total cost including RSU grants adds $150,000 to $500,000 per year. One-time recruiting and onboarding costs add $175,000 to $300,000 to the first-year investment.
How much does a fractional or virtual CISO cost?
Virtual CISO retainers in 2026 range from $5,000 to $10,000 per month for advisory-only engagements to $12,000 to $20,000 per month for active program leadership at growth-stage companies. Near-full-time fractional arrangements at mid-market companies run $18,000 to $30,000 per month. The fractional model saves 50 to 75% compared to a fully loaded full-time CISO for companies that need strategic security leadership without daily executive presence.
How long does it take to hire a CISO?
Heidrick & Struggles data from 2024 and 2025 CISO placements shows an average time-to-fill of 107 days from search launch to accepted offer. Difficult searches, particularly those requiring sector-specific regulatory credentials or board-level presentation experience, can run 150 to 180 days. Most companies use a retained executive search firm for CISO placements because the candidate pool is largely passive.
How long do CISOs stay in their roles?
Average CISO tenure is approximately 2.6 years according to Heidrick & Struggles, compared to 4 to 5 years for CFOs and 6 to 8 years for CEOs. The short tenure reflects a combination of breach liability exposure, burnout from continuous high-stakes vigilance, aggressive competitive recruiting, and frequent misalignment between security program ambition and organizational budget. Companies with strong board support for security investment, clearly defined decision rights, and executive-level peer relationships tend to retain CISOs significantly longer than the average.
What drives higher CISO salaries?
The factors that most consistently move CISO compensation above the median are company revenue and regulatory complexity, prior breach response experience at a publicly disclosed incident, CISSP or CISM credentials, public company board reporting experience, financial services or healthcare sector background, and location in a top-cost market. A serial CISO with public company experience and verified post-breach leadership credibility commands compensation at the top of the range: $450,000 to $600,000 or more in base salary at mid-cap companies.
Sources: IANS Research and Artico Search, 2025 CISO Compensation and Hiring Trends Report (547 US CISO respondents); (ISC)2 2024 Cybersecurity Workforce Study; Heidrick & Struggles, 2024 CISO Survey and Placement Data; Korn Ferry 2025 CISO Compensation Survey; Equilar, CISO Pay Trends in S&P 500 (2024); Bureau of Labor Statistics Occupational Employment Statistics, May 2024 (SOC 11-3021, Computer and Information Systems Managers); Glassdoor CISO Salary Data (2025); ZipRecruiter CISO Compensation Data (2025-2026); Kaiser Family Foundation 2024 Employer Health Benefits Survey; IRS Publication 15 (2025 tax rates); IBM Security, Cost of a Data Breach Report 2024.
