InfoSec Opinion Column #5 (June 16, 2025)
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: 2025 survey results for how security orgs are structured and compensated.
What: 2025 Security Organization Compensation, Responsibilities, and Structure Survey Results
Why it matters: This is one of the better surveys I've seen on InfoSec leadership trends.
tl;dr:
- "Over 50% of CISOs manage at least 10 functions, with ownership patterns consistent across sectors. However, private company CISOs often have broader responsibilities compared to their public counterparts."
- "Compliance, business impact, and return on investment (ROI) are the most frequently cited justifications for CISO budgets, regardless of company structure."
- The average security team size for companies with fewer than 250 employees is about 9 FTEs, while for companies with more than 5,000 employees it is about 100 FTEs.
- "Teams with higher diversity levels experience significantly reduced pay disparities. Notably, disparities decrease from 18.8% in teams with less than 10% diversity to just 2.1% in teams where diversity exceeds 50%."
- "For CISOs within publicly traded companies, reporting to the CIO is down significantly as more public companies move to the cloud and specialized expertise becomes more imperative. Reporting to the CEO decreases as company size increases, while reporting to the CIO increases as company size increases. This shift reflects structural complexities in larger organizations."
Matt's view: CISOs, particularly those who are looking for more scope or a bigger team, love these kinds of surveys when the data supports their asks. In this case, I think the results map fairly well to what I see anecdotally. Something I also found interesting is the ratio of director-level security functions: unsurprisingly, the vast majority had application and product security reporting directly to the CISO, but SecOps and incident response tended to be a bit more buried in the organization.