ComputerWeekly
If you ask any technology leader, they will tell you that cybersecurity has become a higher priority than ever, with sophisticated cyberattacks causing high-profile incidents around the world. According to data from the World Economic Forum, the global cost of cybercrime is forecast to reach US$12.2 trillion by 2031, placing the scale of cybercriminal operations on a par with some of the world's largest economies.
But are tech leaders risking a cyber resourcing crisis by not sufficiently rewarding their security teams?
New research in Harvey Nash’s Tech Talent & Salary Report 2026, taking in the views of over 3,600 tech professionals from around the world, should be a wake-up call. A run-down of the findings in relation to cybersecurity makes sobering reading:
All of this is despite the fact that cyber skills are the third most in-demand tech skillset across the world. Leaders know that cybersecurity is crucial but appear to be running the risk of losing disillusioned team members who are looking to move into other roles.
What seems clear from these findings is that businesses are frequently asking cybersecurity teams to stand on the front line of business risk, yet too often they are not matching that responsibility with the reward, progression and operating environment that keeps people in the profession. When pay lags the market, workload keeps rising and the role is seen as a blocker rather than an enabler, it’s no surprise that attrition starts to look like the path of least resistance.
A useful way to frame this challenge is through the lens of “risk debt”. Like technical debt, it accumulates quietly over time when organisations underinvest in people, capability and tooling, even as the threat surface expands. Under‑rewarded teams, persistent vacancies, rising alert volumes and outdated operating models all defer risk rather than remove it. The balance sheet looks fine in the short term, but the liability compounds beneath the surface. When an incident eventually occurs, the cost is rarely limited to remediation alone; it shows up in slower response times, greater operational disruption, regulatory scrutiny and reputational damage. Cyber risk debt is therefore not an abstract concept – it is the delayed cost of treating security as an overhead rather than a strategic investment.
What solutions are there to this problem? Compensation matters of course – particularly for scarce skills – so evidently tech leaders need to ensure that cyber teams are being appropriately rewarded as far as it’s in their remit (and budget) to do so.
But pay is rarely the only lever. CIOs, CISOs and other leaders need to ensure they are investing in sustainable cyber operating models: clear career pathways from analyst to engineer to architect, funded time for training and certification, and modern tooling and automation that reduce burnout and let teams focus on high-value work. Just as importantly, security has to be embedded into product and engineering ways of working, so teams spend less time firefighting late-stage issues and more time shaping secure-by-design outcomes.
At the same time, the situation is not all negative: in fact, I believe that the greenfield of AI is opening up significant opportunities for cyber professionals. AI and the agentic approach are strategically key to businesses across sectors now – and who better than cyber professionals to take a lead role in responsible AI and governance? Ensuring that there are robust controls and guardrails in place so that agents don’t ‘go rogue’ is both operationally and reputationally critical.
Traditionally, technology teams are split into two halves: operational technology (including cyber) on one side and IT (doing the more ‘creative’ and value-adding work like engineering and development) on the other. But in my view, AI is beginning to narrow the gap between OT and IT. Certainly, I believe that it should do: OT needs to be right at the table when assessing the potential threats (and solutions) created by AI. In this way, AI can open up new career paths. Cyber professionals can take advantage of this and in doing so increase their job satisfaction and reward.
Ultimately, cyber resourcing is a resilience question. If organisations want to reduce exposure and respond faster when incidents happen, they need to treat cyber talent as a strategic capability: valued, visible and supported by leadership. There is also an onus on CISOs (and CIOs) to make sure that they are fully communicating the value of the work being done by the cyber team to the Board – expressing this in business language the Board understands rather than just technical terms. It is one of the challenges of working in a domain like cyber that much of the value delivered goes unseen: all of the threats blocked and the risks mitigated may not be fully appreciated in the boardroom for the very reason that they have been successfully headed off. Communicating this value will build the business case for appropriate reward and recognition.
The organisations that get this right won’t just retain their best people – they’ll build trust with customers, regulators and their own boards. Cybersecurity is too important to be taken for granted, especially when the threats are rapidly escalating due to new AI-based attack tools. Let’s not leave it to chance: the industry needs to properly value its cyber professionals and ensure that security remains a rewarding and fulfilling technology career path.