State of the CISO 2025 Report

Only 47% of CISOs engage with their boards on a monthly or quarterly basis, and 42% meet with their boards on an ad hoc basis, if at all.

90% of CISOs have ownership of their organization’s security operations, architecture, governance, as well as digital risk and compliance.

Between 50% and 90% of CISOs identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit.

70% of CISOs indicated any raises they received were annual merit-based increases, which on average were 6%.

Dual CISOs at large organizations earn an average total compensation (including equity) of $1 million, whereas those who only take on partial IT oversight are closer to the average of traditional CISOs who manage none of the IT functions ($653,000).

Strategic CISOs have an annual cash compensation of around $545,000, compared to $385,000 for functional CISOs and $291,000 for their tactical counterparts.

1-25% of CISOs reported that emerging domains including AI, M&A security, change management, IT due diligence, digital transformation, and innovation were being added to their workload.

3% of CISOs attribute their raise to taking on larger scope, while others see it reflected in merit increases.

7% of CISOs said their growth in compensation was driven by a change in employers, and this group received an average increase of 31%.