Last updated: June 28, 2026
CISO Salary Guide 2026
Last updated: June 25, 2026 | By Gregg Flecke
A CISO in the United States earns $250,000 to $700,000 in total compensation in 2026, built from a $230,000 to $400,000 cash base plus equity that adds 30 to 50 percent at venture-backed and public companies. Below that band sit fractional and first-time security chiefs near $180,000. Above it, public-company CISOs clear $1 million, and a handful pass $3 million once stock vests.
I’m Gregg Flecke. I place security leaders at KORE1, and the CISO is the one search where the salary sites mislead you by design. Not on purpose. By design. Most of them report cash. A real CISO package is half equity once you get past the midmarket, so a site that prints $385,000 and a site that prints $184,000 can both be describing the same executive. One counted the stock. One didn’t.
That gap, cash versus total, is where most CISO budgets break before the first interview. The second place they break is liability. I will get to that, because in 2026 it shows up as an actual line in the offer.
We bill when you hire a security leader, so weigh what you read accordingly. I will still tell you when a fractional arrangement beats a full-time hire, because for plenty of companies under a few hundred people, it does. The numbers here come from the IANS Research and Artico Search CISO Compensation Benchmark, Glassdoor, Salary.com, PayScale, and the executive pipeline we run ourselves. Where they disagree, I will say which one to trust for the role in front of you.

What a CISO Is Actually Paid to Own
A Chief Information Security Officer owns the security of everything the company runs on. The cloud accounts. The laptops. The vendor contract somebody signed without a security review. That is the job on paper. The paycheck answers a smaller question. How much risk does this person lift off the board, and how much do they carry themselves?
Who do they answer to? A CISO who reports to the CIO and runs a tooling program is one job. A CISO who sits in front of the audit committee, signs off on regulatory disclosures, and gets named in the breach post-mortem is a different job with the same four letters. The second one is paid two hundred grand more, and the market knows the difference even when the org chart pretends it doesn’t. Same title. Different planet.
So two people, identical resumes on paper, can sit $300,000 apart. The split is scope and exposure. One manages a team and a budget. The other carries personal and regulatory risk every quarter the company stays public. Pay follows the risk, not the headcount. Always has.
CISO Total Compensation in 2026
Start with the headline, then take it apart. Glassdoor puts CISO median total pay near $321,000. Salary.com lands at roughly $385,000. PayScale, which leans toward cash base and smaller employers, shows about $184,000. The IANS and Artico survey, drawn from 566 CISOs across the US and Canada, found total compensation rose 6.7 percent in 2025, with most respondents between $250,000 and $700,000 and the top earners past $3.1 million. That ceiling is real. Rare, but real.
Why the spread? Three reasons, and they all matter.
The first is equity. Seventy percent of CISOs now get stock, and for top earners it can run half the package. A cash-only source misses that entirely, which is how you get a $200,000 swing between two reputable sites describing the same role. Neither is lying.
Second, the title is mush. “CISO” covers a 12-person security org at a Series A startup and a 300-person global function at a bank. Aggregators average those into one number that describes neither.
Third, the market moved fast. After a wave of public breaches, companies that got hit, or watched a competitor get hit, started paying 20 to 30 percent over their original budget to lock down a credible leader. The 2023 number is already stale. Throw it out.

| Component | Typical Range | Notes |
|---|---|---|
| Cash base | $230,000 to $400,000 | The number salary sites usually report |
| Annual bonus | 20% to 50% of base | Tied to program goals and audit results |
| Equity (annualized) | $0 to $600,000+ | Near zero at small private firms, dominant at public ones |
| Total compensation | $250,000 to $1M+ | Median near $321,000 to $385,000 |

CISO Salary by Company Size and Stage
This is the table to actually budget from. Company stage moves a CISO offer more than city, more than industry, more than years in the chair. A first security leader at a Series A SaaS company and a CISO at a public enterprise are not competing for the same person, and they should not be reading the same number.

| Company Stage | Cash Base | Equity / Upside | Typical Total Comp |
|---|---|---|---|
| Seed / Series A startup | $180,000 to $240,000 | Real ownership, illiquid | $200,000 to $300,000 + upside |
| Series B to C growth | $230,000 to $300,000 | $50,000 to $150,000 | $300,000 to $450,000 |
| Midmarket private | $250,000 to $350,000 | Varies widely | ~$415,000 average |
| Enterprise private | $300,000 to $400,000 | $100,000 to $300,000 | $450,000 to $700,000 |
| Public company | $350,000 to $450,000 | $200,000 to $600,000+ in RSUs | $700,000 to $1M+ |

The midmarket line carries the headline average. IANS and Artico pegged small and midmarket CISO total compensation near $415,000, with the top 5 percent reaching seven figures on the back of equity grants. That average hides a lot. A 150-person fintech with a SOC 2 audit and a nervous board pays very differently than a 150-person manufacturer who still thinks security is the IT guy’s side project.

CISO Pay by Industry
Regulation sets the floor. The heavier the compliance load and the bigger the blast radius of a breach, the more a board will pay to put a name on the risk.

| Industry | Typical Total Comp | What Drives It |
|---|---|---|
| Technology / SaaS | $350,000 to $700,000+ | Equity-heavy, highest average |
| Financial services / banking | $300,000 to $550,000+ | Regulation, audit, breach exposure |
| Healthcare | $250,000 to $400,000 | HIPAA load, tighter budgets |
| Retail / manufacturing | $220,000 to $350,000 | Lighter regulatory pull |
| Government / public sector | $180,000 to $280,000 | Capped bands, mission pull instead of cash |

Finance and tech trade the top spot depending on how you count. Banks pay the bigger cash base. Tech wins on total once the stock is in, which is why a CISO will leave a comfortable bank seat for a pre-IPO software company and a pile of options that might be worth nothing. Might. That bet is its own kind of compensation, and the people who take it know exactly what they are doing.
CISO Pay by City
Geography matters less for a CISO than for almost any other security role, because the job is senior enough to be priced nationally. It still moves the number at the edges.
San Francisco and the Bay Area run highest, followed by New York, Seattle, and the Washington, D.C. metro, where federal and defense work keeps demand thick. Expect those markets to sit 15 to 30 percent over the national figure. Austin, Denver, and Atlanta land in the middle and have been climbing as security teams chase lower-cost hubs. Remote pulls an offer toward the national median, but less than you would hope. A strong CISO in Charlotte is fielding calls from New York and the Bay at the same time, and they price themselves accordingly. Geography barely dents it.
The Liability Premium Nobody Budgets For
Here is the part of the package that did not exist five years ago, the single line item that explains why CISO pay kept climbing right through 2025 even as salaries for the analysts and engineers underneath them flattened out across the rest of the security org.
In 2023 the SEC adopted cyber disclosure rules that require public companies to report a material breach within four business days and to describe their security governance in annual filings. Around the same time, the SEC charged SolarWinds and its security chief over breach-related disclosures, and a federal jury convicted Uber’s former security head for covering up an incident. The cases moved in different directions in court. The message to the market did not. The job now carries personal exposure.
So the smart candidates negotiate for it, and the smart companies offer it before being asked. Directors and officers insurance that explicitly names the CISO. Written indemnification. A clear line on who signs the disclosure and who owns the decision. None of that is salary, exactly. All of it is part of what it costs to fill the seat in 2026, and a company that fumbles those terms loses finalists to one that doesn’t. I have watched it happen on a live search. Twice.
The Fractional CISO Option
Not every company needs a full-time security executive, and pretending otherwise burns money. A fractional CISO, sometimes called a virtual CISO, brings senior security leadership a few days a month for a fraction of a full package. For a Series A company that needs board-ready security and a SOC 2 report, not a 60-hour-a-week executive, the math is hard to argue with.

| Engagement | Typical Price | Best Fit |
|---|---|---|
| Hourly advisory | $250 to $500 / hour | One-off projects, audit prep |
| Retainer, light scope | $3,000 to $9,000 / month | Under 200 employees, low compliance load |
| Retainer, mid scope | $8,000 to $15,000 / month | Series A to B, board and audit prep |
| Retainer, heavy scope | $15,000 to $25,000 / month | Active compliance, ongoing board reporting |
| Full-time CISO (for reference) | $250,000 to $500,000+ / year | Enterprise, regulated, full ownership |

A fractional engagement runs $36,000 to $144,000 a year for leadership that would cost three to five times that full-time. The catch is bandwidth. A vCISO splits attention across several clients, so when a real incident hits at 2 a.m., you are sharing them. Fine for governance and audits. A poor fit the day you are actually breached and need one person whose only job is your company.

What Actually Moves a CISO Offer
Picture two finalists with matching resumes and the same CISSP on the wall. The board offers one of them a number near the floor of the band. The other clears half a million without flinching. That gap has almost nothing to do with tenure.
Board fluency. A CISO who can sit in front of the audit committee and translate risk into dollars without a slide full of acronyms is worth a premium most boards will pay without blinking. That skill is rarer than the technical depth, and it is the one that closes the gap.
Regulated-industry scars come next. A candidate who has carried a company through a real breach, a HIPAA audit, or an SEC disclosure has done the thing the job exists to prevent and survive. Pattern recognition you cannot teach. They name their number, and they get close to it.
Then there is the quiet one. Has this person built a program from nothing, or only inherited a mature one? A builder who stood up that program, wrote the first policy, and chose the first tool is a different hire than a steward who took over a polished Fortune 500 function and kept it humming for years without ever letting anything break. Neither is better. They are priced for different problems, and matching the wrong one to your stage is how you overpay and still miss.
Certifications help at the margin. A CISSP or CISM is table stakes at this level, not a differentiator. Nobody pays a premium for the letters. They pay for what the person did while earning them.
How to Budget a CISO Hire You Can Defend
Begin with the mandate, not the title, exactly the way our guide to hiring a CISO lays it out. Write down what this person owns in year one. Board reporting? Then you are buying an executive, and the floor is real. A tooling program under the CIO? You can hire a senior security director for a good deal less and give them the CISO title later.
Then price the total, not the base. Pull a cash figure from two sources, add the bonus target, and estimate the equity honestly, because that is where half the package lives at any company worth working for. Our salary benchmark assistant gives you a starting band in a couple of minutes, and if you are weighing the search as a direct hire, our direct hire staffing team runs these as retained executive searches. For the wider role ladder underneath the CISO, the companion read is our cybersecurity salary guide.
One number we do not usually advertise. The 92 percent of KORE1 placements still in seat at twelve months did not stay because we found cheap people. They stayed because the package matched the scope. Underprice a CISO for the real mandate and you are not saving money, you are scheduling the re-hire, and an executive search you run twice costs more than the premium would have. A CISO search is not a 17-day fill either, the way our IT roles average. Plan on six to ten weeks for a real one, longer if the board wants to meet finalists.
Common Questions About CISO Pay
So what does a CISO actually cost in 2026?
Budget $250,000 to $700,000 in total compensation for most US companies, with a cash base of $230,000 to $400,000 and equity on top. Public-company CISOs clear $1 million. A first-time or fractional security chief can land near $180,000.
Why do salary sites disagree by two hundred grand on this role?
Most of them report cash and ignore equity, which is half a senior CISO’s package. Add a fuzzy title that spans a startup and a bank, and you get reputable sites describing the same job with numbers that are $200,000 apart. Read total comp, by stage.
Is a fractional CISO actually enough?
For a lot of companies under a few hundred people, yes. A vCISO at $8,000 to $15,000 a month covers board-ready governance, audit prep, and a SOC 2 push. Where it breaks is incident response. When you are breached, shared attention is the wrong arrangement.
Does the SEC disclosure rule really change what I pay?
It does, indirectly. Personal liability pushed credible CISOs to demand directors and officers coverage, indemnification, and a comp premium for carrying the risk. Companies that were breached, or watched a rival get breached, started paying 20 to 30 percent over budget to fill the seat.
How much more does a public-company CISO make than a private one?
Often double, almost entirely in equity. A private enterprise CISO might total $450,000 to $700,000. The same person at a public company clears $700,000 to over $1 million once RSUs vest, with the extra carrying real regulatory exposure attached.
What pushes a CISO offer to the top of the band?
Board fluency and regulated-industry experience, not certifications. A leader who has carried a company through a real breach or an SEC disclosure and can talk risk to directors in plain dollars commands the premium. The CISSP is assumed at this level, not rewarded.
When It Pays to Bring in a Search Partner
You do not need a recruiter for every executive hire. If your board already knows three credible CISOs and one is ready to move, call them yourself and skip the fee. It happens, and when it does, good.
Where we earn it is the search that stalls, the comp band that came in light, or the role where the qualified pool is a few hundred people nationally and most of them are quietly happy where they are. KORE1 has placed technology and security talent for twenty years, our recruiters average more than fifteen years in the field, and we run CISO searches as retained executive work, not a job-board post and hope. If your security leadership search has been open longer than a quarter, the offer or the sourcing is off. Usually the offer. Talk to a recruiter, hand it to our CISO staffing desk to run, or compare notes with our roundup of the top cybersecurity recruiting firms first.
