Companies with $1 billion in revenue or less might want to give a heads-up to HR to kickstart the search for a new CISO — because according to a study from IANS Research, your current CISO might be out the door within a year. 

The 363 CISOs in SMBs surveyed for the 2025 Small and Mid-Market CISO Compensation and Budget Benchmark Report feel the same pressures as their counterparts in large enterprises — assuming more business- and risk-related responsibilities across their organizations — but with less compensation and tighter budgets.  

“In many companies, it’s the CISO’s job to align cybersecurity priorities with business objectives and make their value visible across the organization,” says Shane Barney, CISO at Keeper Security. 

Is Your CISO Ready to Flee? 

“Success also means enabling the organization to move fast while staying secure – embedding cybersecurity into business operations in a way that doesn’t slow down innovation or growth. And perhaps most importantly, success is when cybersecurity becomes integral to the company’s identity and brand.”

It is constrained budgets that will likely drive CISOs at SMBs out of their current positions. 100% of the survey’s CISOs who said their budgets aren’t big enough plan to leave their positions within a year. 

As cybersecurity has become more foundational to business, CISO compensation even among SMBs has reached record highs — averaging $415,000. But that’s far below the average $700,000 CISOs in larger companies pull down. While CISOs at $20 billion-plus companies pull down $1.1 million on average, with those at the top averaging more than $1.4 million, only 5% of those at SMBs make a cool million, fueled by equity grants.  

The IANS research shows that SMB CISOs might not command the same respect. Only 40% hold executive titles, but many still have to manage expanded portfolios that include fraud prevention, privacy, IT and AI governance, IANS said, “often without added support.” 

And the same percentage — 40% — report minimal or no access to the full board, though nearly two-thirds do claim participation in board subcommittees or governance structures. 

Perhaps the lure of greener pastures at larger companies, where CISOs are not only better compensated but are more likely to have greater access to their boards, will prompt disgruntled SMB CISOs to take their talents elsewhere.  

But all the CISOs I spoke with underscore that it’s not just compensation that keeps CISOs engaged and convinces them to stay put. 

“Compensation alone doesn’t define the value of a CISO. What’s more critical is investing in the right team, tools and strategy,” said Barney.  “A well-funded CISO with an under-resourced security team won’t be effective. The focus should be on building organizational capability, not just boosting top salaries.” 

While Deepwatch CISO Chad Cragle believes any CISO just in the role for the money has “already lost sight of what really matters,” he agrees that “without the right team, tools, or board access, burnout is inevitable.” Real impact, he contends, “only happens when security is valued and you’re empowered to lead.” 

Perhaps that stands as evidence that SMBs that want to retain their talent or attract others should treat the CISO holistically. “True professional fulfillment and long-term happiness in the CISO role stems from the opportunities for leadership, personal and professional growth, and, most importantly, the success of the cybersecurity program itself,” says Black Duck CISO Bruce Jenkins. “When cyber leaders prioritize the development and execution of a comprehensive, efficient, and effective program that delivers demonstrable value to the business, appropriate compensation typically follows as a natural consequence.” 

The concern around budget constraints is that all CISOs at this point (private AND public sector) have been through zero-based budget reviews several times. If the CISO feels unsafe and unable to execute, they will be incentivized to find a safer seat with an org more prepared to invest in security programs.

According to Trey Ford, CISO at Bugcrowd, CISOs seeking a new position during the current economic uncertainty face challenges. “The demand side shows a lower number of roles, and an increase of in-house searches,” he says. “This will ultimately show more churn, in that specialty CISO search firms both better align candidates, and set them up for enduring success and longer tenures once onboarded.” 

Organizations have the “opportunity to harness the strategic, analytical and problem-solving skills in addition and cross-functional relationships that a successful CISO will have developed,” says Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue.

Boosting Worth

CISOs can boost their worth by developing deep technical and business understanding as well as soft skills. “While leveraging technical subject matter experts within the team is crucial for informed decision-making,” Jenkins says, “a top-tier CISO should possess a diverse background.”  

That background includes:

  • A foundational understanding of IT infrastructure, operations and enterprise architecture.
  • Insight into secure coding practices, application security and the software development lifecycle.
  • Knowledge of business operations, supply chain and critical processes to identify and protect key assets.
  • An appreciation for how security impacts customer acquisition, retention and overall market strategy.
  • Knowledge across various security domains, including risk management, governance, compliance, incident response and security architecture.

Among the soft skills necessary, says Barney, are: 

  • Translate technical risk into business impact. Use data to connect investments to real-world financial, reputational and operational risks.
  • Tell relatable stories. Threat intelligence and industry-specific examples help make risks tangible and urgent.
  • Frame cybersecurity as a business enabler. Security isn’t just a cost – it’s a driver of business continuity, resilience and customer trust.
