Cybersec is a thankless job: expanding workload and shrinking pay packet
- Reference: 1777292578
- News link: https://www.theregister.co.uk/2026/04/27/from_a_massive_skills_gap/
- Source link:
The trend was especially stark in the UK, where 77 percent of all security staff saw no salary increase, although the pattern was observed globally too with 71 percent of infoseccers experiencing wage stagnation.
AI will make anyone a 10x programmer, but with 10x the cleanup [1]READ MORE
For context, 45 percent of all tech workers received pay rises across the 53 countries surveyed, and even DevOps - the most generously rewarded discipline - only reached 56 percent. More than half of those working in adjacent disciplines, including infrastructure, AI/ML, and product management, received wage increases.
The pay squeeze is taking a toll: security professionals now rank in the bottom three for overall workplace satisfaction alongside QA testers and infrastructure bods - despite cybersecurity being in the top-three most in-demand positions across the tech industry.
Ankur Anand, CIO at Harvey Nash, the IT recruitment biz which [2]gathered the latest data , told The Register that security salaries are stagnating because successful teams are breeding complacency at the board level.
[3]
"Cybersecurity has become a victim of its own effectiveness," he said. "When teams do their job well, the absence of incidents leads to complacency at senior levels.
[4]
[5]
"At the same time, AI is expanding the threat surface and increasing the volume, speed, and complexity of what security teams have to deal with. When you layer that onto constant pressure, legacy technology, and highly distributed working models, you end up with a workforce carrying huge responsibility with limited recognition. That combination is a powerful driver of burnout and attrition."
That boardroom complacency sits awkwardly alongside warnings from security authorities. The UK's [6]National Cyber Security Centre reported a 50 percent rise in its most severe attack category less than a year ago, and [7]data from Check Point , [8]Fortinet , and a January [9]World Economic Forum report all point in the same direction: threats are mounting.
[10]
The salary data also comes during a period of instability in the cybersecurity job market, with full-time job opportunities starting to plummet due to global economics and technological innovations, like [11]AI , erasing entry-level positions.
[12]IBM becomes first company to pay up under Trump administration's diversity blitz
[13]Suits won't quit AI spending, even if they can't prove it's working
[14]AI spurs employees to work harder, faster, and with fewer breaks, study finds
[15]OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers
[16]IBM CEO pay pack jumps 51% for 2025 in target smash and grab
Cybersecurity, like many other industries, is now in an [17]employer-controlled job market – a far cry from the skills-gap panic of recent years.
The mood is visible in why people are staying put: 56 percent cite genuine job satisfaction, but 24 percent admit they're simply not confident they'd find anything better right now.
Anand concluded: "The data should be a wake-up call. We're asking cybersecurity teams to stand on the front line of business risk, yet too often we're not matching that responsibility with the reward, progression, and operating environment that keeps people in the profession.
"When pay lags the market, workload keeps rising, and the role is seen as a blocker rather than an enabler, it's no surprise that attrition starts to look like the path of least resistance.
[18]
"If organizations want to reduce exposure and respond faster when incidents happen, they need to treat cyber talent as a strategic capability: valued, visible, and supported by leadership. The organizations that get this right won't just retain their best people – they'll build trust with customers, regulators, and their own boards." ®
Get our [19]Tech Resources
[1] https://www.theregister.com/2026/04/04/all_things_ai_conference/
[2] https://www.harveynash.co.uk/research-whitepapers/tech-talent-and-salary-report-2026
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ae-IIs95hvEshgcT9SQr8AAAAok&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ae-IIs95hvEshgcT9SQr8AAAAok&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ae-IIs95hvEshgcT9SQr8AAAAok&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2025/10/14/ncsc_uk_cyberattack_surge/
[7] https://blog.checkpoint.com/research/global-cyber-attacks-increase-in-november-2025-driven-by-ransomware-surge-and-genai-risks
[8] https://www.fortinet.com/uk/resources/cyberglossary/cybersecurity-statistics
[9] https://www.weforum.org/publications/global-cybersecurity-outlook-2026/digest/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ae-IIs95hvEshgcT9SQr8AAAAok&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/10/16/uk_tech_grad_jobs/
[12] https://www.theregister.com/2026/04/14/ibm_dei_settlement/
[13] https://www.theregister.com/2026/04/10/ai_roi_kpmg/
[14] https://www.theregister.com/2026/02/11/ai_makes_employees_work_harder/
[15] https://www.theregister.com/2025/09/23/openssf_open_source_infrastructure/
[16] https://www.theregister.com/2026/03/18/ibm_ceo_pay_pack_jumps/
[17] https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/
[18] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ae-IIs95hvEshgcT9SQr8AAAAok&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[19] https://whitepapers.theregister.com/
Re: I beg to differ
I'm sure the three companies you name will be offering big salaries for the right profiles.
Re: I beg to differ
Consider that part of the problem might be local effectiveness. If one company has not experienced any incidents, they may not be too worried about someone else that has unless someone comes along to scare them. Corporate leadership don't tend to spend much time reading about security incidents that happened to someone else, especially when compared to IT people who read IT news, so they no little about those incidents, and if they do, they probably assume there's a reason why those companies were attacked and their one wasn't, a reason other than scale and luck. Security teams usually don't think they need to bring scare stories to management because they have the same context as you do and assume management is aware of that. In my experience, it's also seen as unethical to exaggerate threats or speculate about what an attack on this company might look like, the approaches most likely to increase support for adding resources to security.
Security is not profitable
It only costs money, brings no profit whatsoever
Re: Security is not profitable
That's exactly how they think.
There's an old saying, "It's good to save money in business, but go too far and you CAN save yourself right out of business."
Successful teams get overlooked, same as it ever was
If there's one thing that anyone who's worked in the IT field for a while will know to be true is that the team that's constantly firefighting - most often due to their lack of ability - are the ones that are praised. Because they're always running around, doing this, doing that, sending emails about downtime and patching, and the other busywork, they're the ones the business sees as 'working hard'.
Whereas the team that's got everything running properly, has scheduled maintenance windows and staff who actually know and understand what they're doing at the micro and macro levels, they're getting ignored because they're essentially invisible.
Honestly, it's a disgrace. It's a failure of management to see and recognise where the work and effort is going and what it is achieving - but then again, when have management ever had vision or brought about success?
IT nowadays is akin to a utility - water, gas, electricity - everyone just expects it to work. Would you praise your electricity supplier if they had to turn the power off every second Tuesday or your water supplier if the water pressure varied from day to day between a trickle and gush?
Re: Successful teams get overlooked, same as it ever was
Yes, worse, that 2nd team will have it's budget cut and leavers from it won't be replaced until it gets down to a size too small to properly support the system and becomes like the 1st team.
Re: Successful teams get overlooked, same as it ever was
water, gas, electricity - everyone just expects it to work.
In a few place those historic expectations are not always being met. Not infrequently from the same root causes of the dismal reliabilty and resilience historically exhibited by IT.
I have certainly seen successful teams retrenched with the roles/work out·sourced on the unspoken assumption that those teams couldn't have been doing much if they weren't being noticed. The out·sourced replacement are invariably very soon "noticed" and very frequently thereafter.
Aren't cyber incidents rising massively though?
Yes, we're doing well to protect, but incidents are still on the rise, and recent NCSC, Microsoft, Government security alerts, as well as our own experiences are showing a rise...
Maybe we're at 'peak' Cyber protection - and the attackers are winning whatever we do from now on... ?
I beg to differ
Cybersecurity has become a victim of its own effectiveness
So, apart from the months of disruption and lost sales at Co-op, M&S, JLR, it's been a superb year for ITSec?