
CISO Salary in 2026 — TC Bands by Company Stage and Equity Anchors

10 min read · April 25, 2026

CISO compensation in 2026 depends less on title alone and more on company stage, breach exposure, board visibility, and equity risk. Use these TC bands, equity anchors, and negotiation checks to pressure-test an offer.

CISO salary in 2026 is really a total compensation question: base, bonus, equity, severance protection, and how much personal risk the role carries. The title can mean three very different jobs. At one company the CISO owns security strategy, board reporting, incident response, compliance, cloud risk, customer trust, and a 40-person team. At another, the “CISO” is the first security leader asked to fix SOC 2, vendor reviews, and production access with two engineers and no budget. This guide gives practical TC bands by company stage and equity anchors so you can judge whether an offer matches the scope.

CISO salary in 2026: quick TC summary

For U.S.-market roles, a real CISO offer in 2026 usually lands somewhere between $300K and $1.5M+ in annualized total compensation. The lower end is common at early venture-backed startups where equity is the upside and cash is constrained. The upper end is common at public technology, fintech, healthcare, infrastructure, and AI companies where security is board-level risk and the CISO is an executive operator. A narrow cash-only view is misleading: the difference between a fair offer and a weak one is often a 2x change in equity, not a $20K change in base.

| Company stage | Typical base | Bonus target | Equity anchor | Practical annual TC |
|---|---:|---:|---:|---:|
| Seed / Series A | $220K-$300K | 0-20% | 0.40%-1.25% | $260K-$550K risk-adjusted |
| Series B / C | $260K-$350K | 10-30% | 0.15%-0.60% | $350K-$750K risk-adjusted |
| Series D / pre-IPO | $300K-$425K | 20-40% | 0.03%-0.25% | $500K-$1.1M |
| Public tech / fintech | $350K-$525K | 30-75% | RSUs or PSU grants | $700K-$1.8M+ |
| Regulated enterprise | $325K-$500K | 30-60% | RSUs/cash LTI | $600K-$1.4M |
| Non-tech corporate | $275K-$425K | 25-50% | Smaller LTI | $450K-$900K |

These are offer-pattern estimates, not promises. Geography, company risk, board maturity, team size, and current security posture can swing the number hard. A CISO inheriting a breach, a bank charter, a federal customer base, or AI data governance risk should not price the role like a normal VP Security opening.

How company stage changes the CISO offer

Stage is the first filter because it determines how much of the package can be paid in cash versus future value. A seed or Series A company may genuinely be unable to pay a $450K base, but it can still make a serious executive offer by giving meaningful ownership, board access, a clean security budget, and a written path to refresh grants. A public company has the opposite profile: cash and liquid RSUs should be strong because the upside is less asymmetric and the accountability is more formal.

At Seed and Series A, ask whether the company actually needs a CISO or a founding head of security. If you are building the program, hiring the team, handling customer security reviews, setting policies, and sitting in executive meetings, the title can be valid. If the company only needs compliance execution, a lower cash package may be fair, but the CISO title may create reputational risk. Equity below 0.25% at this stage is light for a true executive unless valuation is already unusually high.

At Series B and C, the role becomes more operational. Customer trust, cloud controls, compliance automation, incident response, procurement risk, and security engineering all show up at once. Cash should move into the high $200Ks or low $300Ks, and the equity grant should still be meaningful enough to justify startup risk. A strong Series C CISO package might be $325K base, 25% bonus, and 0.25% ownership with refresh language after the next fundraise.

At late-stage and pre-IPO companies, the market gets more disciplined. Boards expect executive polish, investor diligence support, and a security roadmap that survives public-company scrutiny. Base of $325K-$425K is common, bonus targets move toward 30-40%, and equity is often expressed as dollar value rather than ownership. Watch for stale 409A math. A grant that sounds large can be thin if the valuation is aggressive and the exit window is uncertain.

At public companies, the CISO is often closer to a named executive than a functional department head, even when not formally an officer. RSUs, performance stock, retention grants, and annual refreshes matter more than initial base. For a security leader managing global risk, privacy adjacency, product security, governance, and regulatory response, TC under $700K can be low unless the company is outside technology or the role is narrower than the title.

Equity anchors: what is fair for a CISO?

Equity is hard because every startup wants to describe the option grant in the most flattering way. Ask for ownership percentage on a fully diluted basis, strike price, current preferred price, latest valuation, total shares outstanding, vesting schedule, refresh norms, and acceleration terms. If the company refuses to share basic equity math at executive level, treat that as a signal about governance.

For a first security executive at Seed or Series A, 0.40%-1.25% is a reasonable ownership range. The high end is for joining before security is built, reporting to the CEO, carrying customer and board credibility, and taking a meaningful career risk. The low end can be fine if the company is late Series A, has unusually strong traction, or pairs the grant with above-market cash.

For Series B and C, 0.15%-0.60% is the practical range. A CISO who reports to the CEO, owns product and corporate security, and will build a team should be above 0.25%. A security leader reporting to a CTO or COO with narrower scope may land below that. The key question is whether the company is pricing you as an executive or as a senior functional VP.

For late-stage companies, percentage ownership becomes less useful. Focus on annualized equity value, liquidity path, and refresh policy. A $1.2M initial RSU or option package over four years is $300K per year before stock movement. If the company is private, discount that value for liquidity and valuation risk. If the company is public, compare it directly against RSU-heavy packages from other public tech employers.

Base, bonus, and cash risk

Base salary is the part that pays your mortgage and compensates you for unavoidable executive load. For startup CISOs, base below $250K is usually only reasonable when the equity is truly founder-adjacent or the role is not a full CISO. For public-company CISOs, base below $350K is light unless the scope is regional, business-unit specific, or the company is outside high-paying sectors.

Bonus targets vary widely. Early startups may have no formal bonus, but they can still create milestone bonuses tied to SOC 2, FedRAMP, enterprise customer thresholds, a funding round, or hiring plan completion. Mid-stage companies often use 15-30%. Public and regulated companies often use 40-75%, especially when the CISO is treated as a senior executive. If the bonus is discretionary, ask what funded payout would have been for the last two cycles.

Cash risk also includes severance. A CISO can be blamed for inherited security debt, board panic, or a breach caused by decisions made years earlier. Ask for severance terms, D&O coverage where applicable, indemnification language, and whether you will have direct board or audit committee access. This is not paranoia; it is normal executive risk management.

Geo and remote adjustments

CISO compensation is less geographically discounted than many engineering roles because the candidate pool is smaller and the accountability is national. A fully remote CISO for a venture-backed U.S. software company may see little to no base discount if the company sells into enterprise, healthcare, fintech, or government-adjacent markets. Public companies still use geo bands, but senior security executives can often push closer to headquarters compensation when the role requires travel, board visibility, and national hiring responsibility.

If the company insists on a lower-cost-market adjustment, separate base from equity. A 10% base discount may be tolerable if the equity and bonus remain at the same executive level. A 25% discount across base, bonus, and equity is harder to justify for a role where incident response, regulatory exposure, and customer trust do not get cheaper because you live outside the Bay Area or New York.

What moves a CISO offer

The strongest offer drivers are scope and risk. A CISO responsible for product security, cloud infrastructure, GRC, privacy partnership, customer trust, threat detection, corporate security, and board reporting should be paid more than a CISO who manages compliance and policies only. Team size matters, but team gap matters too: building a program from zero is often harder than managing 30 people in a mature environment.

Regulatory exposure is another major lever. Fintech, healthtech, AI infrastructure, security vendors, developer platforms, defense-adjacent software, and enterprise SaaS with regulated customers tend to pay more because the downside of a failed security program is obvious. If the company sells security-sensitive products but is offering generic VP-level compensation, push the conversation back to business risk.

Recent incidents also matter. If you are inheriting a breach, unresolved audit findings, customer churn from trust issues, or a looming compliance deadline, the package should include more cash, more authority, and protection. Do not accept breach-cleanup accountability with build-from-scratch compensation.

Negotiation anchors and mistakes to avoid

The cleanest negotiation frame is: “The scope is executive-level, the risk is board-level, and the package needs to reflect both cash accountability and equity upside.” Then be specific. Ask for base, bonus, equity, refresh, severance, reporting line, budget, and team plan as a single operating package rather than haggling one line at a time.

For startups, anchor on ownership and refresh. “For a first security executive joining at this stage, I would expect 0.5%-0.7% fully diluted with a refresh at the next financing or after the first full performance cycle.” For late-stage companies, anchor on annualized equity value. “To make the risk-adjusted package competitive, I would need the initial grant closer to $1.6M over four years with annual refresh targets documented.”

Avoid three common mistakes. First, do not accept a CISO title without authority over budget, hiring, and tradeoff decisions. Second, do not value private-company options at the headline preferred valuation without discounting for dilution and liquidity. Third, do not treat indemnification, severance, and board access as legal afterthoughts. They are part of compensation because they determine how much uncompensated risk you carry.

FAQ: reading a CISO offer

Is a CISO offer without bonus normal? At an early startup, yes, but the missing bonus should be offset by equity or milestone cash. At a late-stage or public company, no bonus is unusual for a true CISO.

Should I optimize for base or equity? Optimize for cash floor first if the company has unresolved security debt or unclear runway. Optimize for equity only when the company has credible upside, clean governance, and a role with real authority.

How much more should breach-response risk pay? There is no fixed premium, but a materially troubled environment should push you toward the high end of the cash band, stronger severance, and more explicit board access.

What is the biggest red flag? A company that wants CISO accountability while placing the role two levels below the CEO, hiding equity math, and offering no budget. That is not a compensation problem alone; it is an operating-design problem.

Sources and further reading

Compensation data shifts quickly. Verify any specific number against the latest crowdsourced postings before relying on it for negotiation.

  • Levels.fyi — Real-time tech compensation data crowdsourced from candidates and recent offers, with company- and level-specific breakdowns
  • Glassdoor Salaries — Self-reported base salaries across companies, roles, and locations
  • Bureau of Labor Statistics OES — Official US Occupational Employment and Wage Statistics, useful for non-tech baselines and metro-level comparisons
  • H1B Salary Database — Public H-1B salary disclosures, useful as a lower-bound for what large employers will pay sponsored candidates
  • Blind by Teamblind — Anonymous compensation discussions that often surface refresh and bonus details Levels misses

Numbers in this guide reflect publicly available data as of 2026 and should be cross-checked against current postings before negotiating.