CISOs are working harder than ever, but their pay isn’t keeping pace
Many CISOs are being asked to take on more responsibility for domains that would normally lie outside of their remit
CISOs have reported the scope of their role has widened to encompass business concerns that extend beyond cybersecurity, but believe their compensation doesn't reflect this.
The 2025 State of the CISO report from IANS Research includes testimony from roughly 800 CISOs on the growing importance of the role, and the simultaneous growth in the role’s complexity and scope of responsibilities.
The report found that in addition to their traditional remit of InfoSec and digital risk, CISOs are increasingly being asked to look after other business domains such as digital strategy.
For example, 90% of CISOs said they had ownership of what might be considered their traditional domains including the organization’s security operations, architecture, and governance, as well as digital risk and compliance.
The majority (between 50 and 90%) also identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit too.
However, IANS noted a series of ‘emerging domains’ that 1-25% of CISOs reported were being added to their workload, including AI, M&A security, change management, IT due diligence, digital transformation, and innovation.
The report found the broader scope associated with the CISO role has not been reflected in their compensation, with just 3% of CISOs attributing salary raises to taking on further responsibilities.
IANS found that only when switching employers were CISOs more likely to see their additional workload reflected in their pay packet.
For example, 7% of CISOs said their growth in compensation was driven by a change in employers, a move which is often accompanied by taking on a larger role with more responsibilities, and this group received an average increase of 31%.
The vast majority of CISOs (70%), however, indicated any raises they received were annual merit-based increases, which on average were 6%.
CISOs taking ownership of IT unlikely to see meaningful pay rises
IANS identified three distinct segments among respondents in terms of their C-level access and boardroom influence, using the labels ‘strategic, functional, and tactical’.
Strategic CISOs, which accounted for 28% of the group, are described as those who report directly to the CEO or at least hold a high-ranking position in the C-suite hierarchy, and who therefore have significant influence across the organization.
This group also enjoys frequent interaction with the board, with quarterly meetings as the minimum, which IANS said promotes “mutual understanding and aligning on strategic priorities between the CISO and top leadership”.
The next group, which made up 50% of respondents, is referred to as the functional CISO. According to IANS’s taxonomy, functional CISOs excel in one of these areas but do not enjoy both C-suite access and boardroom engagement.
The final 22% of respondents were described as tactical CISOs, who have limited executive-level access owing to a lower organizational rank, and only sporadic boardroom engagement.
Comparing the compensation for these three groups, IANS found strategic CISOs were the best remunerated, with an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.
IANS noted that taking on the role of a ‘dual CISO’, one who oversees an organization's security as well as all of its IT functions, is a surefire way to secure increased compensation.
The study found that dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).
“This would seem to indicate taking on all of IT is highly rewarded, but being given some IT functions opportunistically—perhaps due to the departure of another IT executive or unclear lines of ownership between infosec and IT—is not a reliable path to higher compensation,” the report noted.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.