Compensation vs. Burnout: The New Retention Calculus for Cybersecurity Leaders
Cybersecurity professionals are on the move. Employers may be dismayed to learn that just 34% plan to stay put. The high rate of turnover reflects the pressures cybersecurity experts face, particularly as their responsibilities grow while budgets, well, don’t, according to the 2026 Cybersecurity Talent Intelligence Report from IANS and Artico Search. The survey of more than 500 security professionals showed a profession in turmoil that has pushed business leaders to pivot to a retention posture, with what can only be described as modest success.

Whether compensation is sufficient depends entirely on where the role sits. Security analysts pull a median income of $113,000, while security architects come in around $188,000 and functional leaders at $256,000. Of course, top earners can expect significantly higher compensation. Not surprisingly, pay differences rest on company size and structure. Organizations that record more than $5 billion in revenue pay between 18% and 20% above average, and compensation at publicly listed companies reflects a premium of as much as 24%. Government organizations come in below market averages. Organizations that are serious about retention might want to give heavy thought to compensation, since the study also found that even a modest pay increase can result in a significant uptick in satisfaction and willingness to stay.

In the current landscape, the security professional has the educational chops and experience to command decent compensation—nearly half have bachelor’s degrees, with more than one-third holding a master’s degree or doctorate. And seven in 10 have spent more than eight years plying their trade. But right now their resolve—and perhaps patience—is being tested.

“From a CISO perspective, our workload will continue to escalate, intensifying pressures that already pushed job satisfaction among cybersecurity professionals down to 66% in 2024,” says Diana Kelley, CISO at Noma Security. “CISOs are tasked with improving organizational resilience while managing more assets, platforms, and threats,” Kelley says. Among the factors contributing to the workload increase, she says, is “responsibility increasing faster than authority, with some boards holding CISOs personally accountable for regulatory failures while budgets remain flat for nearly half of security leaders.”

Dave Gerry, CEO at Bugcrowd, says that “offensive skills are becoming table stakes for defenders.” He notes it might not be “a newly valuable skillset,” but “the emphasis on offense is becoming increasingly important as organizations look to preemptively anticipate attacks versus reacting when they see something happen.” The traditional model of defense, he says, “is also changing by encouraging red-teaming, AI-tooling, and threat hunting as standard practice.” The blurred line between offense and defense has been further reinforced by the recent strategy from the White House, so “for those looking to build a career in cyber, gaining both offensive and defensive skills is critical.”

The effects of AI are being felt, with more to come. “The rapid growth of AI in the business, and expected surge in AI-powered attacks, will create significant additional workload on security teams,” says Kelley. While “AI is going to continue to automate the bottom of the skill stack, not the top end,” Gerry says, “the ability to leverage AI to expand their skills, scale their output, and enable them to perform at machine speed will become increasingly differentiated. The need for human ingenuity alongside AI is only growing, not shrinking.”

Qualys President and CEO Sumedh Thakar points out that “hiring always shifts when new technology shows up, this is simply the latest cycle,” noting that “centuries ago, it was someone’s job to chisel manuscripts on stone slabs” and “when ink and paper technology was invented, the world adapted, and we all survived.” The infusion of new technology naturally causes “dips in hiring certain roles in the short-term, but the productivity gains we’ll see from AI will lead businesses to expand and eventually lead to the hiring of new roles that did not exist in the past, such as AI prompt engineers.” That adaptation by the workforce is crucial. “The future belongs to those who can deploy AI responsibly, minimize risk, and navigate the changing regulatory environment,” says Thakar.

“We’re seeing two overlapping forces. Overall tech hiring is still cooling after the pandemic spike, which hit generalist software and IT roles hardest,” says Daniel Koch, vice president of R&D at Oasis Security. “But at the same time, AI is rewiring what ‘tech work’ actually is,” he says. “Companies don’t need more engineers to do the same jobs. They need fewer, more specialized people who can design, integrate, and govern AI systems,” Koch explains. “Routine development and support work is being automated, while system-level skills are in short supply,” he explains. “That’s why broad tech postings are down even as demand for AI architects, evaluators, and platform engineers is skyrocketing. The mix of roles is changing much faster than the volume.”

Koch says the scarcity is in people who can own AI systems end-to-end in a real organization. He says the bottlenecks include:

Systems-level thinking: Senior AI roles need to connect data pipelines, model choices, infra, product UX, and business constraints into one coherent architecture. It’s less “can you fine-tune a model?” and more “can you design a resilient, observable AI feature that will still work when the data, traffic, and regulations change?”

Orchestration and tooling: Modern AI systems are rarely “one model in a box.” They involve tool-using agents, retrieval, function calling, and workflow engines. People who understand how those pieces fit together across latency, cost, and reliability trade-offs are rare.

Risk, security, and governance: As soon as you move from a prototype to production, questions about data privacy, prompt injection, model abuse, and regulatory exposure dominate the conversation. You need leaders who can collaborate across legal, security, compliance, and engineering to design safe defaults and incident playbooks, not just “make the model more accurate.”

Human and organizational skills: There’s emerging evidence that GenAI roles demand higher levels of cognitive and social skills, such as communication, coordination, and stakeholder management, way more than typical developer roles. Many candidates have the math, but fewer have the ability to bring operations, product, and security along with them.

To cope effectively with the pressures they face, Kelley says, “CISOs can carefully lean into automation, both traditional and AI-driven,” developing “storytelling skills to effectively communicate to boards and executive teams, reframing success within achievable parameters based on investment, business outcomes, and risk tolerance.” The dialog between the C-Suite and Board “will help CISOs secure the resources they need to succeed.” And “as the scope and weight of securing an organization expands in the future,” Kelley says, “CISOs must be strategic with delegation. Rather than carrying the burden of all security outcomes alone, they should delegate responsibility where it makes sense.”

The skills gap, too, may be less of a challenge than trying to tease out talent. “We don’t lack people—we lack pathways to turn potential into capability,” says Heath Renfrow, cofounder and CISO at Fenix24. Renfrow believes that CISOs need to move beyond “recruiting unicorn résumés and instead adopt a ‘talent factory’ mindset.” “The most successful programs,” he says, “will hire for aptitude and resilience, then invest heavily in on-the-job training and structured mentorship for employee retention.” When that approach is paired with “selective outsourcing for niche or 24/7 functions,” CISOs can “build a sustainable talent engine instead of constantly fighting attrition.”

While Thakar agrees that hiring strategies “must align directly with business outcomes,” he says that, at the same time, more SaaS vendors and service providers will offer built-in AI agents. Organizations should factor that “into their workforce planning so they can leverage AI technology to achieve results, instead of buying more tools and hiring people to manage them.”

As those in security continue to feel pressure from a changing landscape, Renfrow says organizations must pay attention to mental health. “Mental health strain in cybersecurity is worsening, and CISOs are carrying the heaviest emotional load in the industry,” and “they are expected to prevent the unpreventable, respond flawlessly under global scrutiny, and never show fatigue.” CISOs may need empathy and emotional intelligence to be strong leaders, but they can’t be full-time therapists. “Boards and CEOs must begin treating cyber burnout as a strategic risk, not a personal failing,” says Renfrow, who believes formal wellness support will eventually be built into security programs, including mandatory downtime post-incident, rotation-based on-call models, and executive mental-health resources. “The CISO protects the organization—someone must be accountable for protecting the CISO,” he says.
