Last updated: June 28, 2026
How to Hire a CISO: 2026 Guide
By Mike Carter
To hire a CISO in 2026, decide what the seat actually owns before you open the search, budget $250,000 to $700,000 in total compensation, and plan eight to twelve weeks for a real executive search. The role carries personal legal exposure now, so the offer has to account for that, and the candidates worth hiring will ask about it on the first call. Most of what goes wrong happens before anyone interviews. It happens in how you scope the job.
The chief information security officer is not the job it was five years ago. Same four letters. Different risk entirely. In 2023 the SEC adopted rules that make public companies report a material breach within four business days and describe their security governance in annual filings. Then the SEC charged SolarWinds and its security chief over what they had told investors, and a federal jury convicted Uber’s former head of security for burying a breach. Read those cases together and the message lands hard. The person in this seat now signs their name to risk that can follow them personally. Their name on the filing.
That changes who you can attract and what you have to put in the offer. It also changes why so many of these hires fail. Boards keep wanting a name to point at when something burns down, and they keep handing that name no budget, no authority, and a reporting line three levels deep in IT. Good security leaders see the setup from a mile off. They take the call, ask four questions, and pass. Every time.
I’m Mike Carter, a managing director at KORE1. We run retained CISO searches and build the security teams underneath these leaders, and yes, we earn a fee when you hire through us. So when this guide tells you some companies should bring in a fractional CISO instead, or promote a strong security director and skip the title for a year, that advice costs me money. It stays in anyway. We have placed technology and security leaders since 2005, across more than 30 U.S. metros, and 92 percent of those placements are still in the seat twelve months later. The recruiters who run these searches average over fifteen years on the desk. For a candidate pool this small and this passive, that experience matters more than any sourcing tool I could point you at.

What You’re Actually Hiring a CISO to Own
A chief information security officer is the executive accountable for protecting everything the company runs on, from cloud accounts and endpoints to the vendor nobody security-reviewed before signing. In practice the mandate covers the security program and its budget, regulatory and audit response, incident response when something breaks, and the risk story the board and, increasingly, regulators hear. They own the framework the program is built on, usually NIST CSF or ISO 27001, plus whatever compliance load your industry forces on you. SOC 2 for the SaaS company. HIPAA for healthcare. PCI DSS if you touch cards.
That is the clean version. The real job is quieter and more political.
A CISO spends most of their week translating technical risk into language a CFO and an audit committee will act on, then fighting for the budget to do something about it. They are not your CIO, who runs the infrastructure and the help desk. They sit closer to risk and exposure than to plumbing. If you want the distinction laid out properly before you write the req, our breakdown of CIO versus CTO versus CISO does that. The short version is that the CISO is the one whose name ends up on the disclosure.
Do You Need a Full CISO, or Something Smaller?
Be honest before you commit to a $400,000 package. Plenty of companies that want a CISO do not yet need one. Most, honestly.
You need a full-time CISO when security has become a board-level risk that nobody owns end to end, when you operate in a regulated industry and a governance gap is a legal exposure, or when a breach would genuinely threaten the business. A 90-person manufacturer who thinks of security as the IT guy’s side project does not need one. They need a competent security director and a budget. A pre-IPO fintech with a nervous board and a SOC 2 audit on the calendar absolutely does. Here are the four shapes this hire usually takes.
| Option | What you get | Best fit | Rough cost |
|---|---|---|---|
| Full-time CISO | A board-facing executive who owns the program, the budget, and the risk | Regulated, public, or breach-exposed companies | $250K to $700K+ total comp |
| Fractional / virtual CISO | Senior leadership a few days a month for governance and audit prep | Under a few hundred people, board-ready security on a budget | $3K to $25K per month |
| Security director | A hands-on leader running the tooling and the team under the CIO | You need execution now, board narrative later | $160K to $230K base |
| Deputy CISO, promoted | An internal leader the org already trusts, with no ramp time | Mature programs with a credible number two | Varies; usually a raise, not a market reset |
The fractional path is the one most growth-stage companies overlook. A fractional CISO, sometimes called a vCISO, can build out your governance program, get you through the audit, and tell you what the permanent role should actually look like before you ever commit to a full package. We have placed several of these into companies that needed board-ready security but not a 60-hour-a-week executive, and in more than one case the fractional leader proved the seat was real before we ran the permanent search that replaced them. When you do write the full-time req, our CISO job description template keeps the scope honest.
Decide the Seat Before You Open the Search
Here is the number every hiring committee should sit with. The average CISO lasts somewhere between 18 and 24 months in the role, shorter than almost any other seat in the C-suite. People in the field call it the CISO carousel, and they are not joking when they say it.
That churn is not a talent problem. It is a setup problem, and you fix it before the search, not after. Three decisions do most of the work.
Authority and budget. What does this person actually control? A team, a real program spend, the standing to tell a business unit no when it wants to ship something reckless? If the honest answer to all three is “we’ll sort that out later,” you are not ready to hire a CISO. You are ready to disappoint a good one and start over in eighteen months.
The reporting line. Tuck a CISO under the CIO and you have told the whole org that security is one more thing IT manages, to be funded after the roadmap is paid for. Sometimes that is genuinely fine. Often it caps the role before the person even starts, because the executive who owns shipping fast should not also own the veto on shipping safe. Those two goals fight. Security loses on points. Reporting to the CEO, or a dotted line to the audit committee, says the opposite, that this is a business risk the board intends to watch itself. No answer is universally right. Picking on purpose, instead of by habit, is the whole game. Decide it first.
The liability terms. This is the one that did not exist five years ago, and the one most companies forget until a finalist raises it. More on it below, because it now belongs in the offer itself, not in a side conversation after the handshake.
Write the mandate down in one page before you talk to a single candidate. What they own in year one, what budget they hold, who they can hire, which decisions are theirs alone. If you cannot fill that page, no resume fixes it.
What It Costs to Hire a CISO
Short version here, because the long one is its own guide. There is no clean government figure for this exact title, so the honest proxy is computer and information systems managers, and the BLS puts that median at $171,200 as of May 2024. A real CISO clears that by a wide margin. It is an executive seat, and you pay executive money for it.
Total compensation runs $250,000 to $700,000 for most U.S. companies, built from a $230,000 to $400,000 cash base plus equity that does most of the heavy lifting once you pass the midmarket. Public-company security chiefs clear a million. Sometimes more. A first-timer or a fractional leader can land near $180,000. The single biggest mistake I see is budgeting the base and forgetting the equity, which is roughly 70 percent of what closes a senior candidate at any company worth joining. The full breakdown by stage, industry, and city lives in our CISO Salary Guide, and you can pressure-test a specific band against your market with the salary benchmark assistant before you set a number.
One warning. Underprice the seat for the real mandate and you are not saving money. You are scheduling the re-hire.
How to Actually Run the Search
You have scoped the seat, picked the reporting line, and set the band. Now you find the person. This is where fifteen years in a market starts to earn its keep, because the CISOs you want are employed, cautious, and mostly not looking.
First call is build, buy, or rent.
- Promote from inside. If you have a deputy CISO or a security director the org already trusts, the internal candidate is often the safest bet. They know the systems, the politics, and which vendor contracts are quietly on fire. The risk is whether leadership will treat a promoted peer as a true executive once the title changes.
- External retained search is the move when you need outside credibility, a program built from scratch, or a name that reassures a board still rattled by a breach. It costs more and runs slower. It also gets you someone who has carried the disclosure and survived the audit before, which for a seat this exposed is worth a great deal.
- Rent first. A fractional or interim CISO buys you runway, gets the fundamentals in place, and usually shows you what the permanent role should actually be. Some of our best full-time placements started as the interim person who proved the seat had teeth.
Where do these people come from? The regulated industries breed more of them than anywhere else. Finance, healthcare, and defense force governance maturity early, so their security chiefs tend to arrive already battle-tested. Breach survivors are the other pool, and they are worth chasing. A leader who has carried a company through a real incident, a HIPAA audit, or an SEC disclosure has done the exact thing the job exists to do under pressure. That pattern recognition cannot be taught in a bootcamp. Or bought. If you want help reaching them, that is what our CISO staffing desk does, with the broader cybersecurity staffing team building the program underneath.
On timeline, let me set an honest expectation. A CISO is not a fast fill. Plan on eight to twelve weeks from kickoff to a signed offer for a genuine executive search, faster if your board is decisive, longer if it wants to meet every finalist. Anyone promising you a security chief in a couple of weeks is quoting you a fill date, not running an executive search. Hang up. Rush the back half and you are right back to the tenure problem.

How to Interview a CISO
Stop screening for tools. The worst CISO loops I watch treat the candidate like a senior engineer, grilling them on firewall rules and SIEM queries. Wrong altitude. You are hiring a leader who sets security strategy and survives the politics around it, not the person who will be tuning Splunk at 2 a.m. Build the loop around four things and score each one on purpose.
- Board fluency. Can they translate a technical risk into a dollar figure and a decision a CFO would recognize, without a slide full of acronyms? Ask for a specific time their work changed an executive decision. Listen for whether they answer in risk and revenue or retreat into tooling.
- The bad Friday night. Hand them a scenario cold. A serious incident just hit on a Friday night, the facts are still moving, and legal wants to know in an hour whether it is material. Walk me through your next six hours. You are not grading the technical call. You are watching whether they stay calm, communicate up, and know when the lawyers belong in the room.
- Builder or operator. Some security chiefs do their best work standing up a first program, writing the first policy, picking the first tools. Others shine taking over a mature function and making it sharper. Ask which they have actually done more than once, then match it to where your program sits today. Drop a first-program builder into a polished Fortune 500 function and they get restless. Send an operator into a company with no program and they wait for a structure that does not exist yet. Neither type is wrong. The mismatch is.
- The first 90 days. Make them walk it out loud. If all you hear is “listening tour” and “stakeholder alignment,” that is a flag. The strong ones get concrete fast, naming what they audit first, who they need in week one, and what they refuse to promise until they have seen the actual environment.
One thing most committees skip. Put the finalist in front of the executives they will have to influence but cannot manage, the CFO and the heads of the business units. Those people can quietly starve a security program of cooperation no matter what your org chart says, and they tend to decide about a new executive in the first ten minutes. Watch the room, not the candidate and not the slide deck. And on certifications, a CISSP or CISM is table stakes at this level, not a differentiator. Nobody pays a premium for the letters. They pay for what the person did while earning them. The deeper technical screen belongs further down the org, the way our security engineer hiring guide handles it.
References, the Offer, and the Liability Terms
Executive references are a different sport. The two names a candidate hands you are pre-cleared cheerleaders, useful but not the point. The real signal is in the backchannel, a former peer who sat through the budget fights, a board member who watched them handle the quarter a breach went public. A recruiter who has worked a market for years can usually make those calls, and that is a real part of what a retained search buys.
Then the offer, and here is where 2026 is genuinely different. The package has to address personal liability, or your finalist walks to a company that gets it. Directors and officers coverage that explicitly names the CISO. Written indemnification. A clear line on who signs the regulatory disclosure and who owns that decision. None of that is salary. All of it is now part of what it costs to fill the seat, and I have watched companies lose finalists on exactly these terms while the comp number was never the issue. Seen it twice. Get them on the table early. Before the handshake. The candidates worth hiring already know to ask.
Structure the rest to close and to retain, which are not the same thing. A signing bonus closes. A real budget, clear decision rights, and a mandate in writing retain. I have seen a company win a competitive CISO on package and lose them fourteen months later on everything the package could not buy.

Onboarding a CISO Who Actually Stays
The hire is not done when they sign. It is done when they are still in the seat at the two-year mark, which, given the carousel, is not a given.
Set them up to win something visible early, a real risk closed or an audit passed clean in the first quarter, proof that security leadership has teeth. Something the board notices. Protect the budget through the first reorg, because that is exactly when new executive functions get quietly gutted. And have the CEO say out loud, in front of the company, that this person owns security and speaks for it to the board. The CISOs who last almost always had explicit, repeated air cover from the top. The ones who flamed out usually had a title and nothing behind it. A nameplate. If you run a direct-hire search and want it built to hold, our direct hire staffing team runs these as retained executive work, not a posting and a prayer.
Straight Answers on the CISO Hire
Do we actually need a CISO, or a security director under the CIO?
A security director if the work is mostly running tools and a team. A full CISO once security is a board-level risk, you are in a regulated industry, or a breach would threaten the business. The deciding test is exposure, not headcount. If nobody would be personally on the hook for a disclosure, you probably need the director and a budget, not the title.
Should the CISO report to the CEO, the CIO, or the board?
If security is a business risk the board cares about, the CEO, often with a dotted line to the audit committee. The CIO can work when security is genuinely an IT-infrastructure concern. Either way, decide on purpose. Park a CISO three levels under a skeptical CIO and you have built about the most reliable path to an early exit there is, because the person who owns uptime also owns the tradeoff that security keeps losing.
Realistically, how fast can we fill a CISO seat?
Eight to twelve weeks for a real executive search, kickoff to signed offer. Faster if your board moves quickly, longer if it wants to meet every finalist or the comp band came in light. The pool is a few hundred credible people nationally and most are passive, so the slow part is reaching and convincing them, not screening resumes.
Internal promotion or outside hire for our first CISO?
Promote internally when you have a deputy or director the org already trusts and the gap is scope, not capability. Go external when you need outside credibility, a program built from scratch, or board reassurance after an incident. Both work. The factor that decides it is rarely talent. It is whether leadership will treat a promoted insider as a genuine executive.
What does a CISO offer need beyond base salary?
Equity, which is most of a senior package, plus the liability terms that are new to this seat. Directors and officers coverage naming the CISO, written indemnification, and a clear answer on who signs regulatory disclosures. Skip those and you lose finalists to companies that included them. The comp number is rarely what kills these offers. The missing protection is.
How do we tell a real CISO from a polished resume?
Make them tell you what broke. A genuine leader will walk you through a breach they managed, an audit they survived, and a budget fight they won or lost. The pretenders stay in frameworks and buzzwords. You will hear it. Specifics under pressure are the whole test, and the moment you ask for the messy story is the moment the room sorts itself out.
Before You Open the Search
The CISO might be the most miscast hire in the modern C-suite, and not because the talent is thin. The talent is real. Companies just keep hiring the name before they have decided what the seat is for, then act surprised when a good leader leaves a job that never had any authority behind the title. The legal stakes only make the cost of getting it wrong higher. Much higher now.
If you want a second set of eyes on the mandate before you write the spec, or you would rather not run a fragile executive search alone, talk to our executive search team. We will tell you honestly whether you need a full CISO, a fractional, or a stronger security director for now. Half the time, the most valuable call we make is telling a company it does not need the seat yet.
