Cybersecurity Executive Hiring: CISO and Security Leadership
The CISO role is broken. Average tenure is 2.5 years. The talent shortage is severe. Burnout is epidemic. And demand is growing 28% year-over-year as boards wake up to the reality that cybersecurity is an executive-level function, not an IT subcategory. For executive recruiters, this means both opportunity and complexity.
Cybersecurity executive hiring is unlike any other function in the VP+ market. The candidate pool is tiny relative to demand. The technical requirements are deep. The organizational politics around reporting structure are unsettled. And the personal toll of the role creates a retention problem that generates repeat searches for the same position.
This report covers the CISO and VP Security hiring landscape in 2026, with the data and context recruiters need to build a cybersecurity executive practice.
The Talent Shortage
The numbers tell the story. There are approximately 3,500 open CISO positions in the US at any given time. The total pool of qualified candidates (currently sitting CISOs with the experience to lead a security function) is roughly 15,000. That is a ratio of 4.3 qualified candidates per open position, compared to 12-15 candidates per position for most VP+ roles.
Time-to-fill reflects this shortage. The median CISO search takes 105 days, the longest of any VP+ role. CEO searches take longer (130 days), but that is by design. CISO searches take so long because the candidates do not exist in sufficient quantity.
The shortage is self-reinforcing. Companies that cannot find a CISO elevate a VP or Director into the role without the experience or support structure needed to succeed. The promoted leader burns out in 18-24 months. The company runs another search. The cycle repeats.
Compensation
CISO compensation has increased rapidly as companies compete for a limited talent pool. Current benchmarks:
- Mid-market companies ($500M-$5B revenue): $300K-$420K base. $450K-$580K total comp.
- Large enterprise ($5B+ revenue): $380K-$520K base. $550K-$750K total comp.
- Financial services (regulated): 10-15% premium over general industry. $420K-$580K base at large institutions.
- Healthcare: $320K-$430K base. Growing rapidly as HIPAA enforcement intensifies.
- Technology companies: $350K-$480K base + significant equity. Total comp at pre-IPO companies can exceed $800K.
The compensation trend is consistently upward. CISO base salaries increased 8% year-over-year in 2025, nearly double the 4.2% increase for all VP+ roles. This trend will continue until the supply-demand imbalance eases, which is not projected to happen before 2028 at the earliest.
Reporting Structure: The Organizational Debate
The CISO reporting structure is the most debated organizational question in cybersecurity. Where the CISO sits in the hierarchy determines their authority, their budget, and their tenure.
Current reporting structures in 2026:
- Reports to CIO: 42% of CISOs. This is the legacy structure. The problem: the CIO's incentives (system uptime, digital transformation speed) often conflict with the CISO's mandate (security controls that slow things down).
- Reports to CEO: 28% of CISOs. Growing rapidly. CEO-reporting CISOs have 40% longer average tenure, larger budgets, and more organizational authority.
- Reports to General Counsel: 15% of CISOs. Common in heavily regulated industries where cybersecurity is viewed as a legal/compliance function.
- Reports to CFO or COO: 15% of CISOs. Less common but found in organizations where the primary concern is operational risk management.
The trend is clear: CISOs are moving up the org chart. SEC cybersecurity disclosure rules, which require companies to report material cybersecurity incidents within four business days, have elevated cybersecurity to a board-level concern. Boards want direct access to the CISO, which is difficult when the CISO is two levels below the CEO.
For recruiters, the reporting structure is the first question to ask in a CISO engagement. A CISO reporting to the CEO at $380K is a fundamentally different role than a CISO reporting to the CIO at $380K. The first is a strategic executive. The second is a senior manager. Position the search accordingly.
Candidate Profiles
The CISO candidate profile has evolved from pure technologist to business-facing executive. The modern CISO needs:
Technical depth (non-negotiable). 15-20 years of progressive cybersecurity experience. Hands-on background in at least three of: network security, application security, cloud security, identity management, incident response, and security architecture. Technical credibility with the engineering team is essential because a CISO who cannot evaluate technical decisions loses the team's respect immediately.
Business acumen (increasingly required). The ability to translate security risk into business terms for the board and CEO. This means quantifying risk in dollar terms, prioritizing investments based on business impact, and framing security as a business enabler rather than a cost center. MBA or equivalent business education is held by 38% of CISOs and is increasingly preferred.
Communication skills (differentiator). The CISO who can present to a board of directors, translate a zero-day vulnerability into a business risk statement, and manage crisis communications during a breach is worth a significant premium over the CISO who can only speak to a technical audience.
Regulatory knowledge (industry-specific). Financial services CISOs need FFIEC, SOX, and PCI expertise. Healthcare CISOs need HIPAA and HITECH. Government-adjacent CISOs need FedRAMP and NIST frameworks. The regulatory component narrows the candidate pool further because certifications and experience are industry-specific.
The Burnout Problem
CISO burnout is not a soft concern. It is the primary driver of the talent shortage and the primary reason for the 2.5-year average tenure. The data on CISO burnout in 2026:
- 58% of CISOs cite burnout or stress as a reason for their most recent job change.
- 45% cite inadequate budget and authority to do the job effectively.
- 38% cite misalignment between the board's security expectations and the resources provided.
- 32% cite 24/7 on-call demands and the inability to disconnect.
For recruiters, understanding burnout dynamics is essential for two reasons. First, it affects sourcing: passive CISO candidates who are burned out at their current company are more receptive to outreach, but they may be looking for a different type of role (advisory, fractional, vendor-side) rather than another full-time CISO position. Second, it affects candidate evaluation: a CISO who left their last role after 18 months due to burnout is not necessarily a poor performer. They may be an excellent CISO who was under-resourced. Context matters.
Search Strategy for CISO Roles
Expand the aperture. Given the severe talent shortage, rigid candidate specifications will produce zero-candidate searches. Consider VP of Security candidates who are ready for the CISO title. Consider candidates from adjacent domains (VP of IT with a security emphasis, Director of Security at a larger company). And consider fractional or interim CISOs for companies that cannot wait 105 days for a full-time placement.
Sell the role, not just the company. CISO candidates evaluate the role as much as the company. They want to know: What is the reporting structure? What is the security budget? Does the CEO take security seriously? Has the company had a breach, and if so, how was it handled? The recruiter who can answer these questions credibly wins the candidate's engagement.
Address compensation expectations early. CISO candidates know their market value. They know the shortage. They will not entertain below-market offers. Ensure the client's compensation expectations are aligned with market reality before beginning the search. A client offering $280K for a CISO in 2026 is not going to fill the role.
Factor in the board. CISO searches increasingly involve board members in the interview process. Coordinate with the client to ensure board availability during the interview stage. A CISO candidate who meets the CEO but not the board audit committee chair may not accept the offer because they cannot evaluate the board's commitment to security.
The Fractional and Virtual CISO Market
Not every company can afford or attract a full-time CISO. The fractional CISO market has grown 45% year-over-year as mid-market companies and startups seek part-time security leadership. A fractional CISO typically works 10-20 hours per week at a rate of $250-$400 per hour, providing strategic oversight, board reporting, and incident response planning without the $500K+ total comp of a full-time hire.
For recruiters, fractional CISO placements represent a growing revenue stream. The placement fee structure is different (typically a flat fee of $20K-$40K or a percentage of the first-year engagement value), but the client relationship is the same. Many fractional CISO engagements convert to full-time searches within 12-18 months as the company grows and the security function matures. The recruiter who places the fractional CISO is the natural choice for the eventual full-time search.