The cybersecurity workforce crisis is reaching a breaking point. A new Harvey Nash Global Tech Talent & Salary Report, published April 27, 2026, surveyed 3,646 technology professionals globally and found that cybersecurity workers are being systematically undervalued, underpaid, and overworked—creating a dangerous gap in organizational defenses just as threats accelerate.
Key Takeaways
- 71% of global cybersecurity professionals received no pay rise in 2025; 77% in the UK
- Only 29% of cybersecurity workers got raises last year, versus 56% in DevOps and 51% in Product Management
- 45% expect a pay rise in the next 12 months, compared to 75% in AI/machine learning roles
- 23% of cybersecurity workers are unhappy in their roles, ranking third among tech positions
- UK’s National Cyber Security Centre reported a 50% rise in the most severe attacks
The Pay Stagnation Problem in Cybersecurity Workforce Crisis
Cybersecurity workers are falling further behind their peers. While 56% of DevOps professionals, 51% in Product Management, and 50% in Business Analysis received pay increases in 2025, only 29% of cybersecurity workers did. This disparity is especially stark when comparing expectations: 75% of AI and machine learning professionals anticipate a raise in the next 12 months, while just 45% of cybersecurity workers do. The message is clear—organizations are investing in emerging technologies while starving the teams defending against the threats those same technologies create.
Ankur Anand, CIO of Harvey Nash, framed the disconnect plainly: “The data should be a wake-up call. We’re asking cybersecurity teams to stand on the front line of business risk, yet too often we’re not matching that responsibility with the reward, progression and operating environment that keeps people in the profession”. When compensation fails to reflect responsibility, attrition becomes inevitable.
Burnout and Stress Driving Cybersecurity Talent Away
Pay stagnation is only part of the story. Cybersecurity ranks as the third most unhappy tech role globally, with 23% of workers reporting dissatisfaction. Research from ISACA shows that 68% of cybersecurity professionals say their role is more stressful than it was five years ago, with 79% blaming the escalating threat landscape. Even more alarming: 45% have considered quitting.
The burnout phenomenon extends beyond stress surveys. A 1Password report analyzing 2,500 respondents found that burnout makes cybersecurity professionals twice as likely to be “completely checked out” and three times more likely to dismiss security rules as “not worth the hassle”. This psychological disengagement directly undermines security outcomes—when the people building defenses lose faith in their work, those defenses weaken. High stress ranks as a top-three turnover factor, cited by 27% of departing workers.
Rising Threats Collide With Workforce Depletion
The timing of this crisis is catastrophic. The UK’s National Cyber Security Centre reported a 50% rise in the most severe attacks. AI is expanding the threat surface, increasing the volume, speed, and complexity of attacks while legacy systems and distributed work environments remain vulnerable. ISACA data shows 41% more cyber attacks compared to the previous year. Yet as threats multiply, cybersecurity teams shrink. ISC2’s 2024 Cybersecurity Workforce Study found that 37% of budget cuts directly cause staffing shortages.
Chris Dimitriadis, chief global strategy officer at ISACA, warned of systemic risk: “In an increasingly complex threat landscape, it is vital that, as an industry, we overcome these hurdles of underfunding and under-staffed teams. Without strong, skilled teams, the security resilience of whole ecosystems is at risk – leaving critical infrastructure vulnerable”.
Why Organizations Are Ignoring the Problem
There’s a perverse logic at work. Anand noted: “Cybersecurity has become a victim of its own effectiveness. When teams do their job well, the absence of incidents leads to complacency at senior levels”. When no breaches occur, security spending looks like waste to executives. This invisible success breeds neglect. The moment a breach happens, organizations scramble—but by then, their best talent has already left for better-paying roles in AI, DevOps, or product teams.
Cybersecurity remains the third most in-demand tech skill globally, yet demand alone does not translate to investment. Organizations want security without paying for it, want protection without valuing the protectors. Anand’s second observation cuts deeper: “When pay lags the market, workload keeps rising, and the role is seen as a blocker rather than an enabler, it’s no surprise that attrition starts to look like the path of least resistance”.
What Organizations Must Do
The solution requires treating cybersecurity as a strategic asset, not a cost center. Anand’s recommendation is direct: “If organizations want to reduce exposure and respond faster when incidents happen, they need to treat cyber talent as a strategic capability: valued, visible and supported by leadership”. This means competitive compensation, reasonable workloads, and executive visibility. It means recognizing that a security team’s absence of incidents is a success, not proof that the role is unnecessary.
The cybersecurity workforce crisis is not a human resources problem—it is a business continuity problem. Every underpaid, burned-out security professional who leaves takes institutional knowledge and threat intelligence with them. Every empty seat on a security team represents a gap in defenses. The Harvey Nash report is a warning. Organizations have months, not years, to address this before the cost of inaction becomes undeniable.
What is driving cybersecurity worker dissatisfaction?
Three factors converge: stagnant pay (71% received no raise in 2025), rising workload (68% say roles are more stressful than five years ago), and lack of executive support (security teams are seen as blockers rather than enablers). When responsibility increases but compensation and recognition do not, attrition accelerates.
How does cybersecurity pay compare to other tech roles?
Cybersecurity lags significantly. Only 29% of cybersecurity workers received raises last year, versus 56% in DevOps, 51% in Product Management, and 50% in Business Analysis. Cybersecurity professionals also have lower expectations for future raises: 45% expect a raise in the next year, compared to 75% in AI and machine learning.
What are the security implications of cybersecurity workforce depletion?
Understaffed, burned-out teams respond slower to threats and miss vulnerabilities. ISACA research shows 41% more attacks year-over-year while 37% of teams face budget cuts. The UK’s National Cyber Security Centre reported a 50% surge in the most severe attacks. As threats accelerate and teams shrink, organizational risk exposure grows exponentially.
The cybersecurity workforce crisis is not a future problem—it is happening now. Organizations that treat security talent as replaceable or optional will discover too late that they are not. The data from Harvey Nash is a wake-up call. The question is whether leaders will listen before the next major breach forces them to.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
