Skip to main content
Cybersecurity

CISO Pay Exclusive: 7% Rise Amid Sluggish Budgets

CISO Pay Exclusive: 7% Rise Amid Sluggish Budgets

When the person charged with guarding an organization’s digital crown jewels reports a pay increase while the war chest for defending them barely grows, what does that say about risk — and priorities?

According to an IANS study reported by Infosecurity Magazine, average CISO compensation rose 6.7% in 2025 even as cybersecurity budget growth slowed sharply, roughly halving compared with 2024. That juxtaposition — rising pay for chief security officers amid a backdrop of tighter spending — frames the central dilemma facing boards, technologists and regulators today: how to reward scarce leadership without creating a hollowed-out program that can’t execute the strategy those leaders are hired to deliver. The original coverage is available at Infosecurity Magazine.

Background: pay, responsibility and the squeeze

The CISO role has evolved from technical guardian to strategic steward. Modern CISOs are expected to translate technical risk into business impact, brief boards, influence capital allocation and manage incident response — responsibilities that combine technical depth with enterprise-level accountability. That expanded remit helps explain the compensation pressure: demand for experienced leaders outstrips supply, and organizations are willing to pay a premium for proven capability.

At the same time, capital constraints and competing priorities have slowed overall budget growth for security programs. The IANS finding that CISO pay rose about 6.7% in 2025 while budget growth roughly halved year-on-year highlights a disconnect: leadership costs are rising faster than program funding, forcing many security chiefs to do more with less.

What the numbers mean in practice

  • Concentration of investment in talent: Organizations prioritizing experienced leadership may be redirecting limited dollars toward compensation to retain or recruit CISOs, even as spending on tooling, staffing, and third-party services flattens.
  • Operational risk: Smaller or slower-growing budgets can constrain hiring of analysts, reduce investment in telemetry and automation, and delay upgrades — gaps that increase exposure despite stronger leadership at the top.
  • Strategic trade-offs: CISOs may prioritize high-leverage activities (risk quantification, third-party risk, business continuity) over tactical coverage, shifting the shape of defensive programs rather than their scale.

Why this matters — for technologists, policymakers, users and adversaries

Technologists: Security engineers and SOC teams feel the impact directly. A highly paid CISO with an under-resourced team can create frustration and churn among staff who must maintain day-to-day defenses. Experts who map cyber controls to business outcomes argue for investments in context-rich tooling and risk dashboards so limited budgets target the controls that reduce the greatest expected loss; practical guidance along those lines is increasingly common among practitioners and analysts .

Policymakers and regulators: Regulators demand resilience and accountability, often through compliance regimes that increase governance overhead. Compliance obligations can drive hiring of leadership and governance roles, but those requirements don’t always translate into more funds for operational security. That regulatory-compliance tension — “compliance ≠ security” — is a recurring theme in policy discussions and industry commentaries .

Users and customers: For end users, the promise of digital continuity and privacy depends on the execution of security programs, not on headline salaries. If budget constraints reduce monitoring, patching or incident response capacity, user-facing outages or data incidents become more likely even as CISOs receive pay bumps.

Adversaries: Attackers exploit gaps in telemetry, understaffed SOCs, and delayed patching. When budgets tighten, attackers find richer seams: vendor supply chains, cloud misconfigurations and human weaknesses. A highly compensated CISO can help prioritize defenses, but adversaries respond to operational weaknesses regardless of who sits in the C-suite.

Different perspectives on the apparent paradox

  • Boards and executives: From their view, paying up for top talent is insurance against catastrophic incident risk. A senior, experienced CISO may reduce the likelihood and impact of a major breach, an outcome worth compensation premiums.
  • Security leaders: Many CISOs argue that without commensurate investment in staff and tooling, their ability to deliver measurable risk reduction is limited. Compensation alone cannot substitute for effective programs and capabilities.
  • Finance and procurement: Finance leaders face trade-offs across R&D, sales, and security. With macroeconomic pressure or shifting priorities, cybersecurity budgets may be deprioritized even where leadership is seen as critical.

What organizations can do

  • Link spending to measurable outcomes: Translate security activities into business impact using scenario-based loss estimation and clear key risk indicators so budget requests are judged as capital decisions rather than discretionary costs.
  • Prioritize resilience: Focus resources on continuity, recovery testing and supplier risk where the business impact is highest, rather than attempting full coverage with limited funds.
  • Align incentives: Consider tying some element of executive compensation to risk-reduction metrics and resilience objectives so pay reflects outcomes, not just tenure or title.
  • Invest in high-leverage automation and context-rich tooling: Telemetry that maps to business criticality can help smaller teams prioritize effectively and scale their impact .

Counterarguments and caveats

Some observers caution against reading too much into a single-year compensation snapshot. Market adjustments after a period of hiring freezes can produce above-trend raises that normalize later. Additionally, headline averages can mask wide variance: larger enterprises may grant bigger increases while smaller organizations struggle to match market rates.

Conclusion

The IANS finding that CISO pay rose roughly 6.7% in 2025 while budget growth slowed is a revealing snapshot of tensions inside modern enterprises: leadership is costly and scarce, but leadership without resources is incomplete. Boards must decide whether paying a premium for top talent is a short-term hedge or part of a sustained investment in capabilities. Otherwise, organizations risk a future where the person accountable for security has the title and the salary, but not the tools or team to deliver the protection stakeholders expect — and adversaries will readily exploit that gap. In that light, can boards and CISOs together turn higher leadership compensation into measurable, programmatic security gains?

Source: https://www.infosecurity-magazine.com/news/ciso-pay-increases-7-budget-growth/