Security in the Board Room

CISO Salaries 2020: Does a Changing Role Demand a Change in Pay?

Brian Thomas | January 2, 2020

The role of the chief information security officer (CISO) is undergoing a tectonic shift. 

The first generation of CISOs were high-performing technical professionals promoted to senior leadership. They largely reported to CIOs, and had limited authority in business decisions.

Today’s most progressive CISOs are business-savvy, strategic drivers of growth. They’re responsible for reporting to CEOs or even directly to the Board, and they’re shaping cyber policy across entire organizations. 

CISO reporting structures have changed. CISO skill requirements have changed. Even the education and degree requirements for the role have changed. Is it time that CISO salaries changed as well?

For CISOs and aspiring CISOs, there are several factors to consider when determining whether compensation matches the job. But before we get into that, let’s take a look at the numbers:

How much do CISOs make in 2020?

The average salary for a CISO in the U.S. in 2020 is around $185,000. That’s based on data from several sources, including Mondo, ZipRecruiter, and Salary.com.

[Interested in learning exactly how the role of the CISO is changing? Read the Evolution of the CISO whitepaper.]


While the median CISO salary may be just under $200k, the average CISO salary at Fortune 500 companies is likely much higher. Unfortunately, CISO salaries rarely appear in proxy statements, so they’re not readily available, even for publicly traded companies. 

However, there is some information available on Fortune 500 CIO salaries, which range from just above $200k to over $700k before bonuses, stocks, and options. Because CISOs still tend to fall beneath CIOs in the org chart, we can assume their salaries will likely be in the low to middle part of that range on average. 

Of course, industry, location, and level of experience will all affect a cybersecurity executive’s salary.

CISO salary factors to consider

So there’s a pretty wide range of CISO salaries. Because the role is actively shifting, there’s a pretty wide range of CISO job requirements too. 

If you’re being offered a position or vying for a raise, how can you determine whether you should be in the low or high end of that range? In addition to obvious factors like experience and company size, there are a few external factors to consider.

Reporting structure

One of the first questions a prospective CISO should ask is “Who will I report to?”

Because CISOs are relatively new entrants to the C-suite, many organizations are still figuring out exactly where they should sit in the org chart. 

Across different organizations, CISOs may report directly to the CIO, the CFO, the chief risk officer (CRO), the CEO, or even straight to the Board. 

In 2020, more CISOs will move away from reporting to the CIO, CFO, or CRO, which can limit their ability to effectively secure the organization, and start reporting directly to the CEO or Board, especially in heavily targeted industries like finance and healthcare. 

Experts from financial services infosec organization FS-ISAC support this shift, stating that “free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making.”

Generally speaking, the higher up in the org chart the CISO sits, the higher their compensation should be. A CISO reporting to a CEO is likely to be responsible for much more strategic decision making than a CISO reporting to a CIO, and with that additional risk and responsibility should come additional reward.

Stress and burnout

CISOs and prospective CISOs should carefully consider job stress when entering salary negotiations. 

The CISO position is notoriously stressful; a recent survey focusing on CISO stress found the following: 

  • 91% of CISOs say they suffer from moderate or high stress
  • 88% work more than 40 hours per week
  • 26.5% say job stress impacts their physical or mental health

Burnout is a very real phenomenon among CISOs, and without major changes, the stress of the job is likely to increase as the cyber risk landscape becomes more complicated. 

CISO burnout is caused by a variety of factors, including a disconnect between the expectations of leadership and the requirements of the role. 86% of CISOs believe security breaches are inevitable, but many CISOs still take on an outsized responsibility for data breaches, and 33% of CISOs said they would be fired or disciplined if a significant breach occurred. 

While the business community is (hopefully) moving toward more reasonable, realistic expectations for cybersecurity leaders, CISOs should still assess the risk to their health and wellness when determining whether a compensation package is fair.

An opportunity for growth

The CISO role has changed dramatically, but the transformation isn’t over yet. If history is any indicator, the CISO of the future is likely to be even more strategically focused, even more growth-driven, and have even more authority than even the most progressive CISOs in 2020. 

So while there are downsides associated with CISO positions, there are also opportunities. CISOs who can deliver on the promise of cybersecurity transformation will be in the best position to seize these opportunities and multiply their success.

The Evolution of the CISO White Paper

Suggested Posts

CISO Salaries 2020: Does a Changing Role Demand a Change in Pay?

The role of the chief information security officer (CISO) is undergoing a tectonic shift. 

The first generation of CISOs were high-performing technical professionals promoted to senior leadership. They largely reported to CIOs, and had...

READ MORE »

Most Urgent CISO Skills 2020: Reporting, Avoiding Burnout, More

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in their...

READ MORE »

The Board’s Role in Managing Disruptive Risk: Enter Security Ratings

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate...

READ MORE »

Subscribe to get security news and updates in your inbox.