Compensation

CISO Compensation and Negotiation: The Offer Terms Nobody Warns You About

How to negotiate a CISO offer: equity by stage, D&O and indemnification, reporting line, budget commitments, and scapegoat-resistant severance.

Updated July 6, 2026 · 14 min read · Free, no paywall

I’m negotiating in live CISO loops right now while running security at a large company, and here is the uncomfortable truth: the offer stage is where most security leaders leave the most value on the table. Not because they’re bad negotiators, but because they negotiate a CISO offer like a senior engineering offer: base, bonus, equity, done. The items that determine whether the job is survivable (who you report to, whether the D&O policy covers you personally, whether the budget exists, what happens when you get fired for someone else’s incident) never make it into the conversation.

This guide covers what a real CISO package contains, what the market pays by stage, and how to run the negotiation. If you’re still interviewing, read the CISO interview guide first. Your negotiating leverage is built during the loop, not after it.

The Negotiation Window Is Shorter Than You Think

Everything negotiable about a CISO offer is negotiable in exactly one window: between the verbal offer and your signature. Before the verbal, you have no standing. After the signature, no leverage: “we’ll revisit the reporting line after you start” has never once resolved in the CISO’s favor.

The company treats the verbal offer as the finish line and applies schedule pressure immediately: exploding deadlines, “the comp committee already approved this band,” “we need an answer by Friday.” Mostly theater. A company that spent four months on an executive search will not rescind over a ten-day negotiation conducted professionally. What they will do is happily let you sign fast before you’ve asked the expensive questions.

The second thing to internalize: the recruiter is not your channel for anything unusual. Recruiters, internal or retained, are excellent at relaying numbers that fit their form fields: base, bonus percentage, equity value, sign-on. They are terrible at relaying structural asks. Tell a recruiter you want a board-approved indemnification agreement and quarterly audit committee time, and the message that reaches the hiring executive is “the candidate has some legal questions.” For reporting line, D&O, budget, or severance structure, ask for a direct conversation with the hiring executive (usually the CEO or your would-be boss) and negotiate those yourself. Use the recruiter for money; use the principal for everything else.

Anatomy of the Package

A complete CISO package has six components; most first-time CISOs negotiate two. If this is your first executive seat, the first-time CISO guide covers the broader transition. Here we stay on money and terms.

Base and bonus

Base is the least interesting number and the one companies defend hardest, because it drives internal banding. Bonus targets for CISOs commonly run 25–50% of base by stage, against company performance plus individual MBOs. One thing worth negotiating that almost nobody does: what your MBOs actually are. If your bonus is gated on “zero material incidents,” you’ve accepted a metric you don’t control. Push for program maturity milestones: control coverage, audit outcomes, remediation SLAs. Also ask for a guaranteed first-year bonus at target; it’s a low-friction ask for executives starting mid-cycle.

Equity, by stage

Equity is where stage changes everything.

At a startup (Series B–C), you’re getting stock options, typically 0.3%–0.8% of fully diluted shares for a first security executive. The questions that matter: strike price and latest 409A, preference stack (how much money exits before common sees a dollar), and the post-termination exercise window. A 90-day exercise window at a company that won’t exit for five years means your equity is hostage to your ability to write a six-figure check when you leave. Extended windows are increasingly common. Ask for one, and ask about early exercise with an 83(b) election while the strike is low.

At growth/pre-IPO, you’ll see a mix of options and double-trigger RSUs. Ask directly about the IPO timeline assumptions baked into your grant’s paper value, and discount whatever you’re told.

At a public company, it’s RSUs, usually vesting quarterly over four years, and the paper value is real. The question that separates people who’ve done this before: the refresh. Your initial grant front-loads your comp; without annual refresh grants, total comp falls off a cliff in year three, the trough that quietly pushes executives out the door. Ask in the offer conversation: “What’s the refresh policy for executives, and what did refresh grants at my level look like last cycle?” A company that won’t discuss refresh philosophy is telling you your year-three comp is a coin flip.

Sign-on

Sign-on bonuses solve specific problems: forfeited unvested equity, a bonus you’re walking away from, relocation. Itemize what you’re leaving behind and present it as a make-whole calculation, not a request; companies pay make-wholes far more readily than they raise base. Watch clawback terms: 12-month full clawback is standard, 24-month is aggressive, pro-rated is what you counter with.

The executive-specific items

This is the section first-time CISOs skip entirely, and it’s where the rest of this guide lives: severance and change-of-control terms, D&O and indemnification, reporting line and board access, budget authority. At the executive level these are normal offer-stage topics. Nobody will think you’re being difficult. They will, quietly, register that you’ve done this before.

What the Market Pays by Stage

Typical mid-2026 US ranges from what I’m seeing in live searches and peer conversations, not survey data, and variance is wide. Geography, industry (financial services and healthcare pay up), and rebuild-vs-maintain scope all move the numbers materially.

StageBaseBonus targetEquity shapeTypical total comp
Startup (Series B–C)$230K–$300K15–25%Options, 0.3%–0.8% FD$280K–$400K cash; equity is the lottery ticket
Growth / pre-IPO$280K–$360K25–40%Options + RSU mix, $150K–$400K/yr paper$400K–$600K
Public mid-cap$320K–$420K40–60%RSUs, $200K–$500K/yr$500K–$800K
Large enterprise / F500$400K–$500K+50–100%RSUs + PSUs, $300K–$700K+/yr$700K–$1.2M+

Two caveats. The ranges overlap because scope beats stage: a public mid-cap CISO running a 12-person team can earn less than a pre-IPO CISO owning security, IT, and compliance with 60 heads. Price the scope, not the title. And while total comp commonly lands between $350K and $700K+, the tails are long in both directions: deputy-CISO-titled-up roles at $300K all-in exist, and so do $2M financial-services packages.

Reporting Line: The Term Worth More Than the Money

Where you sit in the org chart is the strongest predictor of whether you can do the job. It determines your information access, budget standing, escalation power, and, bluntly, your market value in your next search. A CISO reporting to the CEO and a “CISO” reporting to a director of infrastructure are different jobs with the same title.

What each line signals:

  • CEO. Security is a business function and you’re a real executive. Still the minority arrangement, most common where security is existential: fintech, health, security vendors. If offered, take it seriously; it rarely gets offered twice.
  • CTO. Common and workable at product-led companies. The risk: your budget competes with feature velocity, and your boss owns the systems you’ll need to flag as risks. Acceptable if the CTO is genuinely security-literate, something you should have tested during the loop with your own questions.
  • CIO. The traditional line, fine at IT-heavy enterprises, but it frames security as an IT sub-function. Acceptable with guaranteed board access; a yellow flag without it.
  • CFO. Less common, underrated. The CFO owns enterprise risk and audit, controls the money, and has the audit committee’s ear. A CFO line with quarterly audit committee access can beat a distracted CEO line in practice.
  • General Counsel. The post-SolarWinds arrangement, chosen to wrap security work in privilege. It signals the board takes liability seriously, but can also signal the company sees security as a legal-defense function rather than an engineering one. Ask what the GC’s actual mandate is.

What’s not acceptable: reporting into anyone who is not themselves an executive officer. Two or more layers between you and the CEO means you are not the CISO in any meaningful sense, whatever the letter says. Every incident escalation you run will be filtered through people whose incentives differ from yours.

Negotiating board access without a CEO line

You often can’t move the reporting line. Org design fights are hard to win from outside. Board access is far more negotiable, because it costs the company nothing except a standing agenda item. The ask: a written commitment to present to the board or audit committee at least quarterly, with direct access: you in the room, not your boss reading your slides. Frame it as governance, not ego: “Regulators and your auditors expect direct board engagement with the security program; I want that cadence committed up front so we’re not inventing it during an incident.” Get it named in the offer letter or a confirming email from the CEO, then deliver on it. The board presentation guide covers how to use that time.

Also ask whether you’ll attend executive staff meetings. Quarterly board access plus exclusion from the weekly e-staff is a common configuration that looks good on paper and starves you of context in practice. Standing e-staff attendance, even as a non-direct-report, is a cheap ask that changes the job.

D&O, Indemnification, and Your Personal Downside

This section didn’t exist in CISO negotiation advice ten years ago. It has to now. The Uber CSO prosecution and the SEC’s SolarWinds action against the CISO personally established that security executives face individual criminal and civil exposure for incident response decisions and public statements about security posture. You are signing up to be the named human when things go wrong. Price that in.

Three things to confirm, all in writing, before you sign:

1. You are covered under the D&O policy as an officer. Don’t accept “of course, everyone’s covered.” D&O policies define “insured persons,” and at some companies the CISO holds a VP title that falls outside that definition. The exact ask: “Please confirm in writing that my role is within the definition of insured persons under the current D&O policy, and that the policy includes Side A coverage.” Side A pays you directly when the company can’t or won’t indemnify you, precisely the scenario (insolvency, or the company deciding you’re the problem) where you need it. If they’ll share the policy summary, check whether regulatory investigations are covered, not just lawsuits; SEC inquiries are the live risk and some policies handle them badly.

2. A board-approved indemnification agreement. The detail almost every first-time CISO misses: the offer letter is not the document that protects you. Most companies have a form indemnification agreement for directors and officers: a standalone contract, board-approved, obligating the company to advance your legal fees and indemnify you to the maximum extent the law allows. Public companies file these; you can read a peer company’s form in their SEC exhibits. The ask: “Does the company have a form indemnification agreement for officers, and will I receive it?” If yes, it costs them nothing. If no, or confusion, you’ve learned how this company thinks about officer liability, and possibly what happened to your predecessor.

3. Fee advancement, not just indemnification. Indemnification reimburses you after you win. Advancement pays your lawyers while you fight. A regulatory defense runs seven figures; without mandatory advancement you can be technically indemnified and practically bankrupt. Look for fees advanced “as incurred,” not contingent on a final determination.

One more ask that signals sophistication: at a public company, ask whether you’ll be a Section 16 officer. It cuts both ways: trading restrictions and public filings, but also unambiguous inclusion in the D&O officer definition and exec comp framework. Either answer is fine; not knowing to ask is not.

Budget and Headcount: Get the Plan of Record in Writing

CISO roles fail on resourcing more than anything else. The company that spent six months recruiting you has, right now, more willingness to commit resources than it will ever have again. Use it.

In the final loop or offer conversation, ask for the plan of record: current security budget, approved headcount, open requisitions, and next fiscal year’s planning assumption. You should have built your own view of what the program needs during interviews. Then make the ask concrete: “I want us to agree on the year-one plan of record (N heads and $X program budget) before I sign, confirmed in writing.”

They will not put headcount numbers in the offer letter; legal hates it. Fine. The move is a confirming email: after the verbal agreement, send the CEO/CTO a short summary (“Confirming our discussion: security enters FY27 planning with a plan of record of 14 FTE and $6.5M program budget, subject to normal planning process”) and get an affirming reply. That email won’t win a lawsuit. It will absolutely win the budget meeting in month four when Finance discovers “later” meant “never,” because it converts a vague promise into a specific commitment a named executive made. Build your first quarter around executing against that plan. The 90-day plan guide covers how, and you should reference the committed plan of record explicitly when you build yours.

The red-flag answer is “we’ll figure out budget together once you’re in.” Translated: there is no budget, and your first year is an internal fundraising campaign run from a position of zero leverage. Survivable if you priced it in; a trap if you didn’t.

Severance and Change of Control: Scapegoat Insurance

The structural reality of the job: CISOs get fired for other people’s incidents. A breach caused by an unpatched system you flagged twice, a budget request that died in Finance, an acquisition that imported a compromised environment. When it detonates, the company needs a public accountability gesture, and the security executive is the gesture. CISO tenure is short, and involuntary exits cluster around incidents and acquisitions. Severance is not a perk here; it’s the actuarial cost of the seat.

What a scapegoat-resistant package looks like:

  • 12 months of base plus target bonus on termination without cause. Six months is the common opening offer; 12 is the defensible executive ask given the scapegoat dynamic. Include pro-rated current-year bonus and COBRA for the severance period.
  • “Good reason” resignation triggers. The clause that actually protects you, and the one first-time CISOs never ask for. Severance that only pays on termination “without cause” invites the company to make your life impossible until you quit unpaid. A good-reason clause pays if you resign after defined events. Negotiate triggers that include a material change in reporting line (moving you from the CTO to a director is a constructive demotion), a material reduction in budget or scope, and material reduction in base. This directly counters the soft-scapegoating playbook: don’t fire the CISO, just bury them and cut their budget until they leave.
  • Double-trigger change-of-control acceleration. If the company is acquired (trigger one) and you’re terminated or good-reason’d within 12–18 months (trigger two), unvested equity accelerates. This matters more for CISOs than almost any other executive: acquirers already have a security organization, and exactly one CISO survives an acquisition. Double-trigger is standard executive practice; if it’s not in your offer, ask why every other officer has it and you don’t. If they say the other officers don’t have it either, that’s worth knowing too.
  • Mutual non-disparagement, with no severance clawback over disputes about it. Post-incident exits get ugly and public; symmetry protects you.

Severance is often the easiest structural term to win: it costs nothing today, and the person approving it doesn’t expect to be there when it pays out. If you get resistance everywhere else, push here.

Running the Negotiation

Sequence matters more than scripts. The order:

1. Scope and reporting line first. Before any money conversation, close the structural questions: who you report to, board cadence, plan of record, title. These determine what the role is actually worth, so you can’t price it before you’ve fixed them, and structural asks read as diligence while money asks read as haggling, so lead with the one that builds credibility. The script shape: “Before we get to the package, I want to make sure we agree on the shape of the role: reporting line, board cadence, and the year-one plan of record. If we’re aligned there, I don’t expect the economics to be hard.” That last sentence buys enormous goodwill and is usually true.

2. Then the money, as a package, once. Don’t serialize asks: base this week, equity next, sign-on after. It exhausts goodwill. Come back with one consolidated counter: “Here’s where I need the package to land: base at X, sign-on of Y to cover forfeited equity (here’s the calculation), and the initial grant at Z. If we get there, I’m ready to sign this week.” Anchoring with a commitment to close is what separates a negotiation from a fishing expedition.

3. Then paper: D&O, indemnification, severance. Frame these as standard executive hygiene, because they are: “Last set of items, all standard officer terms: written confirmation of D&O coverage including Side A, the form indemnification agreement, and severance at 12 months with good-reason triggers and double-trigger CoC. Happy to work directly with your counsel on language.” Offering to work with their counsel signals you expect yes and moves it out of the emotional channel.

Throughout: get every agreement into writing within 24 hours via confirming email. Verbal executive promises have a half-life measured in weeks, and the CEO who made them may not be there next year.

When to walk

Some negotiation outcomes aren’t disappointing terms. They’re diagnostic results. Walk, or reprice dramatically, when you see:

  • No D&O clarity after a direct written request. A company that can’t confirm officer coverage in the post-SolarWinds era either hasn’t thought about executive liability or has decided you’re outside the blast wall. Either way, no.
  • Security reporting three layers down with no willingness to commit board access. You’re being hired as a compliance mascot; the title inflation is the tell.
  • “We’ll figure out budget later” combined with resistance to a confirming email. Promises that can’t survive being written down were never promises.
  • Hostility to the severance conversation. “Why are you planning your exit before you start?” is the wrong reaction from a company hiring the most-scapegoated role in the C-suite. The right reaction is a shrug and a redline.
  • They can’t tell you why the last CISO left, or the answer changes between interviewers. Always ask during the loop. The role’s history is its forecast.

None of these alone kills a deal. Companies are disorganized, not evil. Two or more together is the pattern, and recognizing patterns is what you’re paid for.

Before You Sign

Run the full offer against a written checklist, not your memory. After three weeks of negotiation, motivated reasoning sets in and you’ll grade your own deal on a curve. The templates library has the offer-evaluation checklist and negotiation scripts from this guide in copy-paste form, including the confirming-email language for the plan of record and the D&O request wording.

The meta-point: every term in this guide is easiest to get at the moment the company wants you most, which is now, before you sign. Reporting line, board cadence, indemnification agreement, good-reason triggers: each is a small, slightly awkward conversation today, or an unwinnable fight in year two. Have the awkward conversations. That’s the job you’re being hired to do anyway.

Frequently asked

How much do CISOs make?

Total compensation for US CISOs commonly lands between $350K and $700K+, with wide variance by company stage. A Series B CISO might see $250K base with meaningful options, while a public mid-cap CISO commonly clears $600K in total comp with RSUs. Large-enterprise and financial-services roles can go well beyond that.

What should a CISO negotiate besides salary?

Reporting line, board access cadence, written D&O and indemnification coverage, a plan-of-record budget and headcount commitment, severance with change-of-control protection, and equity refresh expectations. Most of these matter more to your career and personal risk than an extra $25K of base.

Do CISOs need D&O insurance?

Yes. After the Uber and SolarWinds cases, CISOs face personal legal exposure for security decisions and disclosures. Before signing, confirm in writing that you are covered as an officer under the company's D&O policy and get a board-approved indemnification agreement, not a verbal assurance.

Who should the CISO report to?

CEO is the strongest signal but still uncommon. CTO, CIO, or a strong COO/President line can all work depending on the company. What matters more is guaranteed board or audit committee access at least quarterly, and that you are not buried three layers below the executive team.

Free template

Steal the 90-Day CISO Plan

The exact 90-day plan structure hiring panels expect: the single asset every CISO candidate gets asked for. Free, editable, yours in one click.

Instant access, no confirmation hoops. Occasional emails on landing the seat; unsubscribe anytime.