Viewpoints from Ankur Anand, CIO, Harvey Nash
If you ask any technology leader, they will tell you that cybersecurity has become a higher priority than ever, with sophisticated cyberattacks causing numerous high-profile incidents around the world. According to data from the World Economic Forum, the global cost of cybercrime is forecast to reach USD $12.2 trillion by 2031, placing the scale of cybercriminal operations on a par with some of the world's largest economies.
But are tech leaders risking a cyber resourcing crisis by not sufficiently rewarding their security teams?
Cyber professionals showing signs of discontent
New research in Harvey Nash’s Tech Talent & Salary Report 2026, taking in the views of over 3,600 tech professionals from around the world, should be a wake-up call. A run-down of the findings in relation to cybersecurity makes sobering reading:
- Cybersecurity professionals are the least likely in the whole tech workforce to have received a pay rise in the last year – only 29% have done so, around half the proportion of those working in DevOps (56%) and Product Management (51%)
- Cybersecurity professionals are amongst the unhappiest in the tech workforce – just behind those working in QA/Testing and Infrastructure/Support
- Those working in cyber are less confident than the average that they will get a pay rise in the coming year – only 40% expecting this, compared to 44%
- Almost half (49%) of cybersecurity professionals are looking to move jobs in the next twelve months, well above the global average across roles (39%) and the fourth highest amongst all job roles
All of this is despite the fact that cyber skills are the third most in-demand tech skillset across the world. Leaders know that cybersecurity is crucial but appear to be running a gauntlet of losing disillusioned team members looking to transition into other roles.
The risks of under-reward
What seems clear from these findings is that businesses are frequently asking cybersecurity teams to stand on the front line of business risk, yet too often they are not matching that responsibility with the reward, progression and operating environment that keeps people in the profession. When pay lags the market, workload keeps rising, and the role is seen as a blocker rather than an enabler, it’s no surprise that attrition starts to look like the path of least resistance.
A useful way to frame this challenge is through the lens of “risk debt”. Like technical debt, it accumulates quietly over time when organisations underinvest in people, capability and tooling, even as the threat surface expands. Under‑rewarded teams, persistent vacancies, rising alert volumes and outdated operating models all defer risk rather than remove it. The balance sheet looks fine in the short term, but the liabilities compound beneath the surface. When an incident eventually occurs, the cost is rarely limited to remediation alone; it shows up in slower response times, greater operational disruption, regulatory scrutiny and reputational damage. Cyber risk debt is therefore not an abstract concept – it is the delayed cost of treating security as an overhead rather than a strategic investment.
Investing in cyber teams
What solutions are there to this problem? Compensation matters, of course – particularly for scarce skills – so evidently tech leaders need to ensure that cyber teams are being appropriately rewarded as far as it’s in their remit (and budget) to do so.
But pay is rarely the only lever. CIOs, CISOs and other leaders need to ensure they are investing in sustainable cyber operating models: clear career pathways from analyst to engineer to architect, funded time for training and certification, and modern tooling and automation that reduce burnout and let teams focus on high-value work. Just as importantly, security has to be embedded into product and engineering ways of working, so teams spend less time firefighting late-stage issues and more time shaping secure-by-design outcomes.
Opportunities created by AI
At the same time, the situation is not all negative: in fact, I believe that the greenfield of AI is opening up significant opportunities for cyber professionals. AI and the agentic approach are strategically key to businesses across sectors now – and who better than cyber professionals to take a lead role in responsible AI and governance? Ensuring that there are robust controls and guardrails in place so that agents don’t ‘go rogue’ is both operationally and reputationally critical.
Traditionally, technology teams are split into two halves: operational technology (including cyber) on one side and IT (doing the more ‘creative’ and value-adding work like engineering and development) on the other. But in my view, AI is beginning to narrow the gap between OT and IT. Certainly, I believe that it should do: OT needs to be right at the table when assessing the potential threats (and solutions) created by AI. In this way, AI can open up new career paths. Cyber professionals can take advantage of this and, in doing so, increase their job satisfaction and reward.
Keeping cyber in the boardroom
Ultimately, cyber resourcing is a resilience question. If organisations want to reduce exposure and respond faster when incidents happen, they need to treat cyber talent as a strategic capability: valued, visible and supported by leadership. There is also an onus on CISOs (and CIOs) to make sure that they are fully communicating the value of the work being done by the cyber team to the Board – expressing this in business language the Board understands rather than just technical terms. It is one of the challenges of working in a domain like cyber that much of the value delivered goes unseen: all of the threats blocked and the risks mitigated may not be fully appreciated in the boardroom for the very reason that they have been successfully headed off. Communicating this value will build the business case for appropriate reward and recognition.
The organisations that get this right won’t just retain their best people – they’ll build trust with customers, regulators and their own boards. Cybersecurity is too important to be taken for granted, especially when the threats are rapidly escalating due to new AI-based attack tools. Let’s not leave it to chance: the industry needs to properly value its cyber professionals and ensure that security remains a rewarding and fulfilling technology career path.
