Rising Importance of CISOs: Navigating Expanded Roles, Strategic Influence, and Compensation Challenges

January 15, 2025 – As the cybersecurity function becomes increasingly integral to organizations, the CISO role continues to grow in importance, complexity and scope of responsibilities. This evolution presents an opportunity for CISOs to expand their strategic influence with top leadership and opens up avenues for professional growth, according to a recent report from IANS and Artico Search. “By effectively navigating these changes, CISOs can elevate their impact and unlock new career paths—and, in many cases, achieve even greater job satisfaction and higher compensation,” the report said.
Most CISOs are experiencing a growing scope of responsibilities, expanding into areas beyond information security, such as business risk, broader security functions, IT and digital transformation. This evolution can be challenging to manage and does not always lead to greater satisfaction with career development. However, when managed effectively, expanded scope can lead to greater executive-level access and visibility, opening new opportunities for career advancement—a welcome prospect for tenured CISOs at large public enterprises who have been asking themselves, “What’s next?”
Newly emerging roles in billion-dollar enterprises include the dual CISO/CIO position, with full responsibility over security and IT, effectively reversing the traditional model of IT overseeing security, the IANS and Artico report explains. “Other executive-level opportunities include the chief risk officer (CRO) role, managing enterprise-wide risk and processes, or the emerging chief trust officer role, especially in industries such as financial services or tech, where trust and transparency are critical to business operations and customer relationships,” it said. “Additionally, some CISOs take on board seats at publicly traded companies, providing essential cybersecurity expertise. CISOs often cite executive-level access as a critical ingredient to driving organizational impact and enhancing their effectiveness. Executive-level access enables active participation in strategic business discussions and decision-making, allowing CISOs to discuss security risks with top leadership and align security strategies with overarching business objectives.”
CISO Positioning Within Their Organizations
“A CISO’s reporting structure plays a significant role in shaping their visibility and influence. CISOs who are part of, or have direct lines to, the C-suite are more likely to participate in strategic conversations compared to peers positioned several layers below the CEO. Similarly, building a trust-based relationship with board members starts with having regular opportunities to engage with them,” the IANS and Artico report noted.
The report found that approximately 39 percent of CISOs hold executive-level titles, including EVP and SVP, which is a gradual increase from 35 percent two years ago. Among these executive-level CISOs, 35 percent at smaller organizations (with annual revenues up to $1 billion) report directly to the CEO, compared to 12 percent at larger enterprises (with revenues exceeding $1 billion). In contrast, just three percent of large-firm director-level CISOs report to the CEO, with more than a third separated from top executives by at least three organizational layers. The report explains that these disparities underscore significant differences in strategic influence and organizational alignment between director- and executive-level CISOs.
How Often CISOs Engage With Their Boards
Currently, 47 percent of CISOs engage with their boards monthly or quarterly. In enterprises with annual revenues exceeding $10 billion, 65 percent of CISOs have at least quarterly board engagement. In contrast, smaller organizations with annual revenues under $400 million lag behind, with 37 percent having monthly/quarterly board engagement and 42 percent meeting with their boards on an ad hoc basis, if at all.
CISO Market Cools: Report Reveals Trends in Demand and Compensation
Following an active market for CISOs in 2021 and 2022, the demand for top security talent softened in 2023 and remained calm through the first half of 2024. During that period, many companies tightened budgets and adopted more-cautious hiring practices, resulting in a quieter market with reduced CISO rotation and fewer aggressive counteroffers, according to a recent report from IANS and Artico Search. To find out how these conditions impacted compensation for CISOs, the companies conducted their fifth annual CISO Compensation and Budget Research Study. The report found that the past 12 months have been quiet in terms of CISO rotation. In the 2024 survey, 11 percent of respondents changed employers, similar to the CISO turnover rate of 12 percent for 2023 and in stark contrast to 2022, when 21 percent of respondents made a job switch.
It is clearly more common for CISOs to have board visibility and influence at larger organizations with more-developed risk governance structures and a responsibility to adhere to regulations that require boards to oversee cybersecurity risks. CISOs at smaller, often privately held firms may need to create other opportunities to engage with board members if they don’t engage as often during formal meetings.
“In today’s environment, the alignment of cyber governance and cyber operational programming is critical to a successful program,” said Steve Martano, partner, cyber security practice, at Artico Search. “Enterprise CISOs at large, publicly listed companies should strive to develop relationships with board members outside of formal quarterly board meetings. Whether it’s reporting to a committee, serving on a committee, ad hoc one-on-one meetings, etc., CISOs should utilize the macro environment and focus on security to continue developing a rapport with their company’s board members.”
“CISOs who successfully navigate the complexities of the C-suite and the boardroom command higher salaries,” said Matt Comyns, president and co-founder of Artico. “These CISOs drive more visibility by adding value in business risk conversations and decisions, are viewed on par with other peers in the C-suite, and are considered strategic business executives, rather than technology leaders.”
How Broader Scope Impacts Compensation
As CISOs assume a broader scope of responsibilities, questions arise about how these changes influence compensation and whether job satisfaction differs for CISOs in expanded roles compared to those in more-traditional setups. The IANS and Artico report addressed the compensation question by analyzing survey data that asked CISOs about their wage growth, specifically the percentage increase in their compensation over the past 12 months and the primary driver of that change. The data shows wage increases associated with assuming additional responsibilities are rare, with only three percent of CISOs attributing their raises to taking on larger scope. For this group, the average wage growth was 13 percent.
Meanwhile, seven percent of CISOs reported their compensation increases were primarily driven by a change in employers—a move often accompanied by taking on a larger role with more responsibilities. This group experienced an average increase of 31 percent. The majority of CISOs (70 percent) indicated their raises were annual merit increases, averaging six percent. Given that many of these CISOs have mentioned in conversations that their responsibilities have grown, this data suggests most are not explicitly (nor significantly) financially rewarded for the expansion of their scope.
“Not all increases in scope directly lead to an increase in compensation,” Mr. Martano said. “Taking on added responsibilities, such as digital risk or physical security, aligns naturally with the digital evolution of security, enabling a CISO to drive more efficiency and influence in their organization. While this increase in responsibility may lead to greater operational efficiency, this scope is generally not tied to a significant increase in compensation. On the other hand, a promotion to chief security officer, or a dual CISO/CIO role or CISO/chief digital officer role, is generally associated with a compensation boost, as these domains redefine the role and its expectations in a meaningful way.”
“When thinking about expanded scope of responsibility, CISOs should consider how the additional scope is viewed by the organization and the market,” said Mr. Martano. “The best added sets of responsibility for a CISO drive a more-efficient program and provide access to cross-functional stakeholders, allowing security leaders to work more closely with leaders outside of security and become increasingly embedded in business operations. CISOs can use added responsibilities to elevate their programs and their brands to become more marketable in the next role.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Executive Editor – Hunt Scanlon Media