
How Do You Compare? 2025 Comp and Budget Data for Small and Midmarket CISOs
CISOs working in small and midmarket organizations report they are stretched too thin, underfunded, and increasingly responsible for more within their roles.
According to the new 2025 Compensation and Budget for CISOs in the Small and Middle Market Report from IANS Research and Artico Search, organizations are growing fast, but security investment and leadership recognition often lag behind. This detailed snapshot of budget allocations, compensation levels, staffing norms, and the evolving scope of security leadership across companies under $1 billion in revenue reveals how CISOs face constraints and expectations within their organizations.
This report digs into how these organizations spend their security budgets, compensate CISOs, and generally regard the executive security role within the company, which in some cases means expanding responsibilities without support. Read on to learn more about the latest budget and compensation data.
How Small and Midmarket Orgs Spend Security Budget Dollars
The average security budget for small and middle market organizations is $3.4 million, scaling with organizational size—from $600,000 for companies under $50 million in revenue to $5 million for those in the $600 million to $1 billion segment. (See Figure 1.)
According to our findings, smaller organizations have a higher security budget as a percentage of IT spend compared to their larger peers. The security budget as a percentage of IT spend averages 26.1% in the less than $50 million segment, gradually declining to 11.6% in the $600 million to $1 billion segment. In relation to revenue, the smaller companies spend more than 2% of revenue while the larger firms spend about 0.6% of revenue. The data suggests that security programs are relatively costly for smaller organizations and that security spending grows more slowly than revenue as organizations scale, making security protections more cost-efficient at larger organizations.
Similarly, our findings show that small and midmarket firms average $3,800 in security spend per employee, which is higher at the smaller firms and declines with size. Security staffing averages 1.5 full-time employees (FTEs) per 100 employees in less than $50 million organizations and 0.9 FTEs per 100 employees in the $600 million to $1 billion segment. These findings suggest that security costs don’t easily scale down, and that lean teams are currently doing a lot with less.
“It’s a lot easier to advocate for budget and resources when the justification for the increase is explicitly married to specific business objectives,” says Matt Comyns, co-founder and president at Artico Search.
Figure 1
Our research also breaks down how security budgets are spent. According to the data, the biggest amount—37% on average—is spent on staff and compensation. (See Figure 2.) This finding highlights the people-focused nature of cybersecurity. Still, spending patterns shift with company size, with smaller firms allocating an even higher share to staff, especially when they don’t use managed security service providers (MSSPs).
Midmarket companies (those between $50 million and $200 million) show an increase in cloud security tools investments, which highlights an interest in scalable defenses. Larger midmarket organizations (those between $600 million and $1 billion) dedicate more of their budgets to on-premises solutions, which is an indicator of a greater reliance on legacy tools, systems, and infrastructure. Across all segments, outsourcing, hardware, and training each account for a modest share of the overall budget.
Figure 2
CISO Compensation and Job Satisfaction in Small and Midmarket Companies
Compensation levels for CISOs in the small and midmarket segment are rising but not entirely evenly. (See Figure 3.) The average total compensation—which includes base salary, bonus, and equity—is $415,000, with annual cash compensation averaging $330,000. Compensation scales sharply with company size: CISOs in organizations under $50 million earn closer to $260,000 in cash, while those in the $600 million to $1 billion range approach $365,000.
The top 25% of CISOs earn more than $470,000 total, and the top 5% surpass the seven-figure mark, which can often be due to generous equity packages. For many in our research, equity is the differentiator, accounting for one-quarter or more of total compensation in upper midmarket firms—compared to just $27,000 on average in the smallest firms.
Figure 3
Salary growth is the strongest driver of satisfaction among CISOs in small and midmarket firms. (See Figure 4.) Among CISOs whose pay increased by more than 5% in the last year, nearly 70% report being satisfied, with 25% saying they’re very satisfied. Those whose compensation remained flat are overwhelmingly dissatisfied, regardless of their actual salary level. The findings indicate that CISOs want to see recognition of their evolving value, not just in title or responsibilities, but also recognition in compensation that reflects the growing scope of their roles.
Figure 4

These findings are based on data from the 2024 annual CISO Compensation and Budget survey, conducted jointly by IANS and Artico Search. From April through December 2024, more than 860 CISOs from a wide range of industries and company sizes responded. Of those, 363 work at small and midmarket organizations.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security organization, security staff compensation, and job satisfaction. These in-depth reports feature new takeaways, uncover a wealth of insights, and provide valuable leadership guidance to fine-tune your current role, department, and career path. Download our 2025 Compensation and Budget for CISOs in the Small and Middle Market Report and gain access to these and other valuable insights and data sets.
Take our CISO Comp and Budget Survey in less than 10 minutes and receive career-defining data and other valuable insights and data sets. Security staff professionals can take our 2025 Cybersecurity Staff Compensation and Career Benchmark Survey in less than 5 minutes.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.