C-Suite Leadership Strategy · The Market's View
CISO Compensation Negotiation: Pricing the Personal Liability
You are accountable for a risk that is invisible until the breach, and increasingly you carry that accountability personally. Most CISO packages price the role and forget the liability.
The security chief now sits where the risk is existential and, more and more, personal — regulators and boards look for a named accountable individual when things go wrong. Yet most offers price the function and ignore the exposure. This engagement helps you run a CISO compensation negotiation that puts your personal and regulatory liability, your D&O cover and your indemnity on the table alongside base, equity and exit terms.
Does this sound like you?
If several of these land, this engagement is built for you.
- You are the named individual a regulator or a board will look to when a breach happens, yet your contract says nothing specific about how you are indemnified or defended.
- Your package was benchmarked against IT leadership roles, not against the personal and regulatory liability the security seat now actually carries.
- You have never asked whether the company’s D&O policy names you, covers regulatory investigations, or survives your departure — and you privately suspect the answers are no.
- You are accountable for an outcome you can only reduce, never guarantee, and the reward for a year with no breach is silence while the blame for a breach would be entirely yours.
- You have watched the CISO become the designated fall guy after incidents at other companies, and nothing in your terms protects you from the same fate.
- When you imagine negotiating harder, the instinct that stops you is not the money — it is that raising liability and indemnity feels like admitting you expect to fail.
The role where the biggest term is not in the pay
Most executive pay conversations are about value created — revenue grown, cost taken out, capital returned. The CISO’s is fundamentally about loss avoided, and that changes the economics entirely. You are accountable for a risk that is invisible when you succeed and catastrophic when you fail, and increasingly you carry that accountability as a named individual, not merely as a function. Regulators pursuing data-protection and disclosure failures, boards seeking someone to hold responsible after an incident, and courts in some jurisdictions have all moved toward personal accountability for the security chief. Which means the single most important term in a CISO compensation negotiation is often not the compensation at all — it is the liability, and how it is defended.
This is the term the standard process is least equipped to handle. Search firms and reward teams price the role against IT-leadership benchmarks, negotiate a base and an equity grant, and treat indemnity and insurance as boilerplate someone in legal will sort out later. But for the CISO, the boilerplate is the substance. A generous package with no clarity on how you are defended in a regulatory investigation, whether the D&O policy names you and covers your personal exposure, and what protects you if you are made the designated fall guy after a breach is a package that has priced the easy part and ignored the part that could end your career and cost you personally. The negotiation that matters is the one that brings the liability out of the fine print and onto the table.
What D&O and indemnity actually have to cover
Directors-and-officers cover and contractual indemnity are treated by most executives as background hygiene, but the CISO has to read them as core compensation terms, because they are the mechanism that stands between a corporate incident and personal ruin. The questions are specific and non-negotiable. Does the D&O policy explicitly name or clearly include the CISO as a covered officer? Does it cover regulatory investigations and enforcement actions, not just shareholder litigation? What are the limits, and are they credible against the scale of a serious data-protection penalty? Does cover survive your departure — run-off coverage for claims made after you have left about events during your tenure, which is exactly when many breach claims surface? And does the company’s contractual indemnity advance your legal defence costs as they are incurred, or only reimburse you years later if you are ultimately cleared?
Each of these has a right answer and a common wrong one, and the gap between them is measured in your personal solvency. An indemnity that reimburses rather than advances leaves you funding your own defence during the very period you are under investigation and possibly suspended. A D&O policy that lapses on departure leaves you exposed for events you are no longer around to explain. Cover that excludes regulatory action is worthless against the most likely source of personal liability a CISO faces. Negotiating these terms is not pessimism and it is not a sign you expect to fail; it is the same risk-transfer discipline you apply to the enterprise, applied to yourself. The executive whose entire job is managing downside cannot rationally leave their own downside unmanaged.
- D&O cover — that names or clearly includes the CISO, covers regulatory investigations, and carries limits credible against a serious penalty.
- Run-off / tail cover — protection that survives your departure, since breach claims often surface after you have left.
- Advancement of defence costs — indemnity that funds your defence as incurred, not reimbursement years later if cleared.
- Fall-guy protection — terms and good-leaver treatment so a scapegoat exit does not also strip your equity and severance.
Pricing an outcome you can only influence, never guarantee
The CISO’s incentive design carries a structural unfairness that a good negotiation has to correct. You are accountable for an outcome — the absence of a serious breach — that you can materially reduce the probability of but never guarantee, because a sufficiently resourced attacker can defeat even excellent defences. This makes naive outcome-based pay perverse: reward you for a breach-free year and you are being paid for an outcome that partly depended on the adversary’s choices; punish you for a breach and you are being blamed for an event you could lower the odds of but not eliminate. The result, in practice, is that the CISO absorbs unlimited downside blame for a job whose upside is, at best, quiet.
The negotiation reframes what you are rewarded for. Your incentive should be scaled substantially on the things you actually control and that genuinely reduce risk — the maturity of the security programme, the resilience and recovery capability, the closure of known exposures, the readiness demonstrated under independent testing — rather than solely on the binary of whether an incident occurred. This both makes the reward fairer and, importantly, protects your standing: it establishes, in advance and in writing, that you are measured on managing the risk well, not on the impossible standard of eliminating it. When a board has agreed up front that the CISO is judged on programme maturity and resilience, the aftermath of an incident is a very different conversation from one where you were implicitly promised to prevent all breaches.
The designated fall guy — and negotiating against it
There is a pattern the security profession knows well and rarely negotiates against: after a serious breach, organisations look for a named individual to carry the accountability, and the CISO is the structurally obvious candidate. It is a role you can be cast in regardless of whether the failure was truly yours — the board that under-funded security, the business that overrode your objections, the peers who accepted risks you flagged all recede, and the person with security in their title remains. The reputational and financial consequences of being made the fall guy — a forced exit, forfeited unvested equity, a public association with the incident, personal legal exposure — can dwarf anything on the positive side of the package. And yet almost no CISO negotiates explicit protection against it.
Protecting against the scapegoat scenario is a set of concrete terms, and this engagement is built to secure them. Good-leaver treatment so that a departure in the aftermath of an incident does not also strip your equity and severance; a documented record that risk acceptances overriding your recommendations sat with the board or the business, not with you; indemnity and D&O cover that hold whether or not you remain employed; and severance calibrated to the reality that the CISO seat can be terminated for a risk materialising rather than for any failure of performance. Across two partner conversations, a diagnosis and a written roadmap, we bring your personal and regulatory liability onto the table, negotiate the D&O and indemnity that actually defend you, reframe your incentives toward what you control, and build the exit protection the fall-guy risk demands — alongside the base and equity the seat’s true weight now commands.
Your whole job is managing downside for the enterprise. The one downside most CISOs leave unmanaged is their own. Bringing personal liability, D&O cover, indemnity and fall-guy protection onto the table is not pessimism — it is applying your own discipline to yourself.
The Indian regulatory turn that raises the stakes
The Indian context has moved sharply in a direction that makes this negotiation more urgent, not less. The Digital Personal Data Protection Act introduces meaningful penalties for data-protection failures; CERT-In directions impose tight incident-reporting obligations with real consequences for non-compliance; and SEBI and RBI frameworks increasingly expect a named, accountable security function at regulated entities. The trajectory is unmistakable: the security chief in India is being pulled toward exactly the personal and regulatory accountability that CISOs in other jurisdictions already carry, and the contractual protections have not kept pace with the liability.
This raises the value of getting the terms right before, not after, they are tested. The questions become concrete and local: does your indemnity and D&O cover contemplate DPDP and CERT-In enforcement, does it advance defence costs during a regulatory investigation, and does it survive your departure given that data-protection claims can surface long after an incident? Where equity is ESOP-based, the usual Indian mechanics — perquisite tax at exercise, capital-gains tax at sale, and liquidity in an unlisted entity — still apply and still need structuring. The engagement is built around your specific regulatory exposure and package, but the underlying principle is constant: as the liability becomes personal, the negotiation of how you are protected becomes the most important compensation conversation you will have.
How it plays out
The CISO who priced the salary and forgot the exposure
Consider the CISO of a fast-growing digital lending and payments group — call him N — recruited with a strong-looking package to secure a business handling millions of sensitive financial records under intensifying regulatory scrutiny. The base was competitive, the equity respectable, and the offer had been benchmarked against IT-leadership roles at comparable firms. What the offer said nothing meaningful about was the exposure: whether the D&O policy named him, whether it covered a CERT-In or DPDP investigation, whether his defence costs would be advanced or merely reimbursed, and what would happen to his equity and severance if he were made the accountable individual after an incident.
The diagnosis reframed the entire package around the risk it had ignored. N was the named person a regulator would look to and the structurally obvious candidate to carry accountability after any serious breach — an outcome he could reduce but never guarantee against a determined attacker. Yet his incentive was implicitly scaled on the impossible standard of no incident ever occurring, his indemnity reimbursed rather than advanced, his D&O cover was silent on regulatory action and lapsed on departure, and nothing protected him from the fall-guy scenario. He had negotiated the easy, visible part of the package and left the part that could end his career and cost him personally entirely unmanaged. The gap was not the money. It was that the biggest term was not in the pay.
The roadmap brought the liability onto the table. N renegotiated D&O cover that explicitly named him, covered regulatory investigations including DPDP and CERT-In enforcement, carried credible limits, and included run-off protection surviving his departure. His indemnity was rewritten to advance defence costs as incurred. His incentive was rescaled onto programme maturity, resilience and independently tested readiness — what he controlled — with the board agreeing in writing that this, not breach-free luck, was the standard. And good-leaver terms and documented board-level risk acceptances protected him against a scapegoat exit stripping his equity and severance. He signed a package that finally priced the seat’s real weight and defended the exposure that came with it.
Illustrative composite — every engagement is calibrated to your specific situation.
What the two conversations cover
Session 1 · Diagnosis
- Map your real exposure — the personal and regulatory liability the seat carries, and where your current terms leave it undefended.
- Audit the protection you actually have: whether D&O names you, covers regulatory action, advances defence costs and survives departure.
- Test how your incentive treats an outcome you can only influence — and how exposed you are to the designated-fall-guy scenario.
Session 2 · The plan
- Negotiate the D&O, run-off cover and indemnity that genuinely defend you — named, regulatory-inclusive, advancing costs, surviving your exit.
- Rescale your incentive onto what you control — programme maturity, resilience, tested readiness — with the standard agreed in writing.
- Build the fall-guy protection: good-leaver equity treatment, documented board-level risk acceptances, and severance calibrated to a risk materialising.
The mistakes to avoid
- Negotiating base and equity while leaving indemnity and D&O cover as boilerplate — for a CISO, the boilerplate is the substance.
- Accepting an indemnity that reimburses rather than advances defence costs, leaving you funding your own defence during an investigation.
- Never checking whether the D&O policy names you, covers regulatory action, or survives your departure — the exact moment breach claims surface.
- Letting your incentive rest on the impossible standard of no breach ever, so you absorb unlimited blame for an outcome you can only influence.
- Ignoring the designated-fall-guy risk, so a scapegoat exit after an incident strips your equity and severance on top of the reputational damage.
One offering · one outcome
- Two 60-minute one-to-one conversations with a senior Gladwin partner
- A complete diagnostic of where you stand in the market today
- A personalised repositioning roadmap you keep — your gap analysis and 90-day plan
C-Suite Leadership Strategy — Assessment and Roadmap
2 × 60-minute conversations · one booking
- Two 60-minute one-to-one conversations with a senior Gladwin partner
- A complete diagnostic of where you stand in the market today
- A personalised repositioning roadmap you keep — your gap analysis and 90-day plan
Loading available slots…
Frequently Asked Questions
Because your accountability is increasingly personal and the biggest term is often not in the compensation at all. Regulators, boards and courts now look for a named accountable individual after a security failure, and the CISO is that individual. A generous base and equity mean little if the terms are silent on how you are defended in a regulatory investigation, whether the D&O policy covers you, and what protects you if you are made the fall guy. The negotiation that matters brings the liability out of the fine print and onto the table.
Four things specifically. Whether it names or clearly includes the CISO as a covered officer; whether it covers regulatory investigations and enforcement, not just shareholder litigation; whether its limits are credible against a serious data-protection penalty; and whether cover survives your departure through run-off, since breach claims often surface after you have left about events during your tenure. Most CISOs have never asked, and privately suspect the answers are no. Those four questions are where the real protection is either present or missing.
It is the difference between being defended and being ruined while you wait. An indemnity that advances defence costs funds your legal defence as it is incurred; one that reimburses pays you back years later, and only if you are ultimately cleared. For a CISO under regulatory investigation and possibly suspended, reimbursement means funding your own defence out of pocket during the exact period you are least able to. Advancement of defence costs is one of the most important and most overlooked terms in the entire package.
No more than buying enterprise cyber-insurance signals that the company expects to be breached — it is risk transfer, which is your entire discipline. You are accountable for an outcome you can reduce but never guarantee against a determined adversary, so leaving your own downside unmanaged is the one thing a risk professional cannot rationally do. Negotiating D&O, indemnity and fall-guy protection is applying to yourself the same standard you apply to the enterprise. It reads as competence, not pessimism, to any board worth working for.
Substantially on what you actually control and that genuinely reduces risk — programme maturity, resilience and recovery capability, closure of known exposures, readiness under independent testing — rather than solely on the binary of whether an incident occurred. This is fairer, and it protects your standing: with the board agreeing in writing that you are judged on managing risk well, not on the impossible standard of eliminating it, the aftermath of any incident becomes a very different conversation from one where you were implicitly promised to prevent everything.
After a serious breach, organisations look for a named individual to carry the accountability, and the CISO is the structurally obvious candidate — even when the board under-funded security or the business overrode your objections. The financial and reputational cost of being cast in that role can dwarf your package. You negotiate against it with good-leaver treatment so a post-incident exit does not strip your equity and severance, documented board-level risk acceptances, indemnity and D&O that hold whether or not you remain employed, and severance calibrated to a risk materialising rather than a performance failure.
It pulls the Indian CISO toward the personal, regulatory accountability that CISOs elsewhere already carry, and the contractual protections have lagged the liability. The DPDP Act introduces meaningful data-protection penalties, CERT-In imposes tight incident-reporting obligations, and SEBI and RBI increasingly expect a named accountable security function. So your indemnity and D&O need to contemplate DPDP and CERT-In enforcement specifically, advance defence costs during an investigation, and survive your departure — because data-protection claims can surface long after the incident.
Two 60-minute conversations with a partner, a written diagnostic that maps your real personal and regulatory exposure and audits where your current terms leave it undefended, and a personalised roadmap document — the D&O, run-off and indemnity terms to secure, the incentive rescaling toward what you control, and the fall-guy protection to negotiate. One price, incl. GST, or $250 internationally. No tiers and nothing further to buy.