
On average, chief information security officers (CISOs) in small and medium-sized companies earn $415,000 a year. But what they’re asked to do is far from easy.
Some have it even better, with the top 25% of CISOs earning at least $470,000, and the top 5% reaching the seven-figure range.
The findings are based on a survey by IANS Research and Artico Search. The survey included more than 860 CISOs, 363 of whom work at small and mid-market organizations (with annual revenue of up to $1 billion).
“These organizations typically face greater resource constraints than their larger counterparts, which can limit investments in cybersecurity programs, tools, and talent. Their relative lack of sophisticated cyber defenses makes them more vulnerable to increasingly sophisticated cyberattacks,” the 2025 Small and Middle Market CISO Compensation and Budget Benchmark Report reads.
CISOs' job satisfaction is proportional to their salary, which is expected. However, the main reason for frustration usually isn't the level of compensation, but rather salaries that remain stagnant over time.
“This tells us CISO satisfaction is more closely tied to salary growth, rather than absolute pay levels, with stagnant salaries negatively impacting satisfaction,” the report said.

In large corporations, CISOs have the “luxury” of focusing on information security, strategy, and business risk. However, the smaller the organization is, it seems, the more its CISO has to take on. For example, in really small companies, they basically take care of all things IT.
“In small (less than $50M) organizations, CISOs typically have a broader span of control: for instance, 85% own enterprise risk management, 64% are responsible for physical security, 51% oversee fraud, and 68% have full or partial responsibility for IT,” the report reads.
Whether satisfied or not with their jobs, many CISOs seem ready to move on to the next career chapter. Twenty percent say they are unhappy and plan to change jobs in the next 12 months. Even those who are okay with their jobs are either open to new opportunities or undecided about staying where they are.
“Midmarket CISOs are being asked to do more with less, stretching across IT, risk, and compliance while navigating flat org charts and limited visibility,” said Steve Martano, Partner at Artico Search and IANS Faculty Member.
“The best CISOs are embracing these challenges as stepping stones to enterprise leadership, but they need support and recognition to stay.”