CISO and Cyber Leader Compensation in 2026: What the Market Is Paying, by Company Type and Stage

Demand for CISOs and cybersecurity leadership has surged to the busiest level seen in years, and compensation is following. Companies that historically delayed or avoided hiring a dedicated security leader are entering the market at the same time, creating urgency, higher price tags, and a sharper need to understand what the role actually pays today. The compensation data in Riviera Partners’ 2026 CISO Hiring Blueprint reflects that shift, drawn from searches we’ve run, with offers extended, accepted, and closed.

Why 2023 Comp Benchmarks Underprice the Role Today

Organizations that spent years treating the CISO hire as optional are now entering the market simultaneously, and that volume has driven compensation meaningfully higher.

If your internal compensation reference is from 2023 or earlier, you’re underpricing the role. We see it constantly: a candidate goes quiet between the second and third round, the hiring team scrambles for an explanation, and the number turns out to be the answer.

What the Data Shows

The blueprint breaks out compensation across the cybersecurity leadership stack: by company type (VC-backed, PE-backed, and public), role level (Chief/SVP for the CISO seat, VP/Head for the bench underneath), and company size. The VP/Head benchmarks cover the functional leaders most companies hire alongside or before the CISO: security engineering, product security, GRC, and detection. Here’s how those segments translate in practice:

  • VC-backed companies. Chief/SVP-level CISOs at companies with $100M+ in revenue see median total cash compensation that has climbed notably, with equity grants reflecting the risk and growth profile of the stage. At sub-$100M revenue, companies are often making first-time CISO hires, and candidate expectations here need to be calibrated against a builder mandate: a leader stepping in to stand up the function rather than scale an existing one.
  • PE-backed companies. PE CISOs often carry a defined governance and risk-rationalization mandate, which affects both the candidate profile and how compensation is structured. Equity in this context typically reflects estimated gross exit value rather than an initial grant, which changes how you present the opportunity to candidates.
  • Public companies. Chief/SVP-level roles at large-cap public companies are now regularly benchmarked against other C-suite executives rather than against technical leadership. Disclosure obligations, board engagement, and regulatory complexity push CISO scope and compensation higher.
  • Late-stage private companies. The surprise in this market is how aggressive later-stage venture-backed companies have become. The long-private generation (Stripe, SpaceX, Databricks and their peers) normalized private-company RSU structures that pay like public companies without the liquidity. That template has spread, and companies still offering traditional options grants are losing CISOs in the final round to packages they didn’t know they were competing against.

Beyond Base Salary

Total cash is only part of the picture. Sign-on bonuses, annual incentive structure, and equity mechanics each play a role in whether an offer is actually competitive. The blueprint covers bonus frequency and target sizing by company type, which helps calibrate what a complete package needs to look like before you go to market.

Compensation as a Signal

Compensation carries a signal beyond the dollar value. It tells a candidate where security actually sits in your priorities, regardless of what the job description says. A below-market offer signals that security is a cost center; a stretched offer with well-structured equity signals it’s a priority. Candidates weigh that signal alongside the number when they compare competing offers.

Where Comp Goes From Here

Compensation pressure looks likely to continue. Faster-growing late-stage venture and young growth public companies are currently outpacing others in their ability to pay. Companies outside those categories will likely need to rethink equity design, particularly the mix of cash and long-term incentives, to stay competitive for senior security leaders against late-stage private and growth-public bidders.

Full percentile breakdowns across all company types are in the 2026 CISO Hiring Blueprint.

Frequently Asked Questions

How much does a CISO make in 2026?

CISO compensation has moved meaningfully higher as companies that delayed the hire enter the market at once. Pay varies by company type (VC-backed, PE-backed, public, late-stage private), role level, and company size, and total cash is only part of the picture — sign-on bonuses, annual incentive structure, and equity mechanics all determine whether an offer is competitive. Riviera Partners’ 2026 CISO Hiring Blueprint contains the full percentile breakdowns drawn from closed placements.

Why might my CISO compensation benchmark be out of date?

If your internal reference point is from 2023 or earlier, you are underpricing the role. AI governance pressure, SEC disclosure rules, and a wave of delayed hires have pushed compensation up fast. A common symptom is a strong candidate going quiet between the second and third round; the number is usually the reason.

What is driving CISO pay higher in 2026?

Late-stage private companies have become especially aggressive, using private RSU structures that pay like a public company without the liquidity. Companies still offering traditional options grants are losing finalists to packages they did not know they were competing against.

About Riviera Partners

Riviera Partners is a global executive search firm focused exclusively on technical leadership, including product, engineering, IT, AI/ML/Data, and cybersecurity.
