I sit in a security executive seat at a large technology company, and I am in active CISO interview loops right now, which means I am seeing live offers, comparing notes with peers doing the same, and watching what companies actually put on paper in mid-2026. This guide is the market as it looks from inside those conversations, not as it looks in a survey PDF.
The short version: CISO compensation has a wider spread than almost any other executive function. Two people with the same title and similar scope can be $600K apart in total comp, and the difference usually comes down to company stage, equity structure, and how badly the company needed to fill the seat. If you only remember one thing, remember that the number that matters is total compensation modeled over four years, not base salary, and that most published numbers quietly ignore the components where the real money lives.
Where These Numbers Come From, and Why Salary Surveys Mislead
Everything in this guide comes from three sources: offers and ranges I have seen directly in my own current searches, compensation conversations with peer security executives who share real numbers, and posted ranges on live executive requisitions. These are typical observed ranges, not averages. Nobody, including the survey vendors, has a statistically clean sample of CISO pay, and anyone who quotes you an “average CISO salary” to the dollar is selling precision that does not exist.
Salary surveys mislead in three specific ways. First, title inflation contaminates the sample: a huge share of people who answer “CISO” on a survey are directors with a title bump running eight-person teams, which drags the reported median far below what a real executive seat pays. Second, surveys lag. Data collected in 2024, published in 2025, quoted in 2026 describes a market two hiring cycles old, and executive comp moves faster than that. Third, and most important, surveys are terrible at equity. They either exclude it, self-report it inconsistently, or value it at grant-date paper numbers. At growth-stage and public companies, equity is half or more of the package, so a survey that fumbles equity is not measuring CISO compensation at all, it is measuring base salary with noise.
One more distortion worth knowing about: posted salary ranges on job requisitions anchor low by design. Pay-transparency laws force companies to publish a range, so they publish the full internal band for the level, including where an internal promotion would land. External executive hires almost always come in above the midpoint, and frequently above the posted top, once the sign-on and equity are layered in. A posted “$350K-$420K” on a public-company CISO req tells you the internal band, not what they will pay the candidate they actually want.
The Anatomy of a CISO Package
Base salary is the smallest interesting number in the package, and it is the most rigid one. Companies protect base bands because every other executive’s comp is indexed to them, so you will fight hard for an extra $20K of base and get it maybe half the time. The flexible money is everywhere else.
Bonus is where first-time executives consistently misread the mechanics. A “50% bonus target” is not a promise of 50%. Almost every company pays executive bonuses on a company-wide multiplier: the board scores overall performance, applies a factor from roughly 0.7x to 1.3x, and your security KPIs affect at most a small individual modifier. In practice your bonus tracks revenue performance, not security performance. This cuts both ways: you can have a flawless year and get paid 80% of target because sales missed, or a rough year and get 110% because the company crushed its plan.
Equity is where stage matters most. At a Series B-C startup you are negotiating a percentage of the company in options, typically vesting over four years, and its value is a lottery ticket with a real but minority chance of paying out. At pre-IPO growth companies you get RSUs or options priced off a 409A valuation or the last round, worth something on paper and nothing until liquidity. At public companies you get RSUs with a knowable dollar value and, at the largest ones, performance stock units tied to multi-year targets.
Here is the equity detail that catches nearly everyone: the year-three refresh cliff. Your initial grant is usually front-loaded and vests over four years, and many companies have no automatic refresh policy for executives. If nobody grants you additional equity by year two or three, your annual vest falls off a cliff right as you hit peak effectiveness in the role, and your real total comp drops 30-40% in year four. Sophisticated candidates negotiate a written refresh expectation, or at minimum a comp-committee review commitment, before signing. Almost nobody does.
One more bonus mechanic worth pricing: the proration trap. Start in September and your first-year bonus is prorated to a third of target, unless you negotiate a first-year guarantee or a full-year floor, which companies grant routinely when asked and never volunteer. Between proration and the company multiplier, the realistic expected value of “target bonus” in year one is often half the headline number, which is exactly why the sign-on exists.
Sign-on bonuses at this level exist to buy out what you are leaving behind: unvested equity, a bonus you would forfeit, sometimes a deferred payout. $50K-$250K is common, usually paid in one or two tranches with a 12-month clawback. It is the easiest money in the negotiation to get and the easiest to forget to ask for.
Finally, the protection terms are also money, and for a CISO they are not optional. Severance with change-of-control language, a board-approved indemnification agreement, and confirmed coverage under the company’s D&O policy including Side A coverage that protects you personally when the company cannot or will not: these determine whether an incident that was not your fault costs you a year of income and six figures of legal fees. Price them accordingly. The full treatment of how to actually negotiate all of this lives in the CISO compensation and negotiation guide; this guide is about what the market pays, that one is about how to get it.
Typical US Ranges by Company Stage, Mid-2026
These are typical ranges I am currently observing across live searches, peer offers, and posted executive requisitions in the US market. Individual offers land outside these bands in both directions, and equity values for private companies are paper numbers until an exit.
| Company stage | Base salary | Bonus target | Equity shape | Realistic total comp |
|---|---|---|---|---|
| Startup, Series B-C | $250K-$320K | 0-25%, often none | 0.4%-1.0% in options, 4-year vest | $275K-$400K cash, plus high-variance equity upside |
| Growth / pre-IPO | $300K-$380K | 25-40% | RSUs or options, $200K-$500K/yr on paper | $550K-$850K on paper, cash portion $375K-$530K |
| Public mid-cap | $350K-$450K | 40-60% | RSUs, $250K-$500K/yr vesting | $650K-$1.1M |
| Large enterprise / F500 | $400K-$550K | 50-100% | RSU/PSU mix, $400K-$900K/yr | $900K-$1.6M+ |
Geography still matters, though less than it did. These bands describe major-market and remote-national roles; Bay Area and New York seats routinely price 10-15% above them, and companies with location-tiered bands will try to slot a remote executive into a lower tier, which is negotiable at this level even when the recruiter insists it is not.
Two notes on reading this table honestly. The startup row is the only one where “realistic total comp” and the offer letter diverge wildly: value startup equity at zero for lifestyle decisions and as a call option for career decisions, and read the startup versus enterprise trade-off guide before convincing yourself the equity makes up the cash gap. And the F500 row has a long right tail: banks, top-tier tech, and companies rebuilding after a public breach go meaningfully above it.
Vertical Modifiers: Same Title, Different Money
Industry moves these bands more than most candidates expect.
Financial services pays a genuine premium, commonly 20-40% above the equivalent tech seat, because regulators have made the role unavoidable and the personal accountability regimes are real. The money comes with a heavier bonus weighting and, at big banks, deferred compensation that vests over years and functions as a retention leash. Fintech splits the difference: tech-style equity with finserv-style scrutiny.
Healthcare providers sit on the other end. Hospital systems and provider networks routinely pay 20-30% below the market for equivalent scope, run thin equity or none, and justify it with mission and stability. Healthtech and payers pay closer to tech rates. If you take a provider seat, you are buying regulated-industry depth to sell later, and you should price that consciously.
AI labs are their own market. Base salaries look ordinary, but equity grants at the frontier labs have paper values that dwarf everything else in this guide, with variance to match: the same grant is worth zero or generational money depending on outcomes nobody can model. Treat lab offers as a separate asset class, not a comparable.
Then there are incident-premium seats. A company hiring its first post-breach CISO, under a consent decree, or rebuilding after the last CISO departed publicly is a distressed buyer. Search firms struggle to fill these roles, candidates are scarce, and the ones I have seen close carry a 20-30% premium plus unusually strong protection terms, because the candidates who can do the job know exactly what to demand. These seats pay well precisely because they are dangerous; the offer red flags guide covers how to tell a well-paid turnaround from a well-paid trap.
Title Deltas: CISO vs VP of Security vs Head of Security
At identical scope, the title changes the money. A VP of Security running the same team, budget, and board exposure as a CISO typically earns 15-30% less in total comp, and the gap lives almost entirely in equity and bonus target, because the executive equity tier is gated on officer-level titles at most companies. “Head of Security” is even less standardized: it can mean the de facto CISO at a 2,000-person company or a senior director at a 200-person one, and comp follows the reality underneath, minus the discount for ambiguity.
There is a structural reason for the gap that is worth understanding before you negotiate. At most companies, the security leader’s band is set relative to the executive they report to, not relative to their C-suite peers. A CISO reporting to the CIO gets slotted one level below the CIO’s band, which lands them one to two levels below the CFO and CTO in the comp architecture even when their personal risk exposure is higher than either. This is the security-versus-peer-CxO gap, it is slowly closing at companies where security is existential, and it is one of the strongest arguments for negotiating reporting line as a comp issue, not just a status issue. The full breakdown of when the title difference matters and when it is cosmetic is in the VP of Security versus CISO guide.
The UK and EU Comparison
If you are calibrating against the UK or EU, apply a large haircut to everything above. A London CISO seat at an equivalent company typically pays 30-50% below the US number in total comp, with smaller equity and much smaller bonuses, partially offset by stronger statutory protections, notice periods, and healthcare you are not paying for. Frankfurt, Amsterdam, and Paris generally sit below London, with financial services again the exception that pays closest to parity. NIS2 and DORA are pushing demand up faster than supply across the region, which is slowly dragging comp upward, but the structural gap is not closing on any timeline that should affect your planning. The UK and EU CISO market guide covers the ranges, the regulatory drivers, and the cross-border arbitrage plays in depth.
What Moves You Within a Range
Stage and vertical set the band. Four things I consistently see move individual candidates to the top of it.
Scope evidence. Not team size on a resume, but proof you have owned the whole problem: budget you controlled, functions that reported to you, decisions that were yours alone. Companies pay the top of the band for people who have already operated at the scope of the open seat, and discount everyone extrapolating upward.
Regulated-industry depth. Candidates who have operated under real regulatory supervision, banking, healthcare, government, carry a premium into every subsequent role, including unregulated ones, because boards read it as evidence you can survive scrutiny.
Board fluency. The ability to run a board conversation without a translator is rare enough that it shows up in comp. Candidates who can show artifacts of it, board papers, audit committee cadence, get read as executives; candidates who cannot get read as senior engineers and priced that way.
Incident scar tissue. Having run a real incident end to end, disclosure decisions included, is the single most liquid credential in this market. Nobody wants to be your first breach.
The inverse list matters too. Certifications move nothing at this level, a long tenure at one company reads as a question rather than an asset, and a resume of two-year CISO stints gets silently priced down even when every departure had a good story. The market pays for evidence you finish what you start.
Using These Numbers Without Anchoring Yourself
The purpose of market data in a negotiation is to set your floor privately, not to open the bidding. The moment you quote a range, you have anchored the conversation at its midpoint at best. Let the company put the first number on the table, evaluate it against the bands above, and negotiate the components in the right order: equity and protections first, because they move the most, base last, because it moves the least. The negotiation guide walks through the sequencing, the scripts, and the terms in detail.
And keep the comp conversation connected to the job itself. The strongest negotiating position is a candidate who has clearly already started doing the work: bring a point of view on the first two quarters, informed by something like the 90-day plan, and use the templates to arrive with artifacts instead of adjectives. Companies pay the top of the band for the candidate who makes the job feel already underway. The numbers in this guide tell you what the seat is worth. Whether you get that number depends on whether you can make them believe you are the one who fills it.