Follow ZDNET: Add us as a preferred source on Google.
ZDNET's key takeaways
- There's a big mismatch between demand and rewards in cyber.
- Working pressure is only likely to increase due to the use of AI.
- Security staff should focus on strategy and communication skills.
Almost 20% of organizations have reported a major security attack in the past two years, and the threat environment, whether due to criminal activity or the rise of new AI-enabled models, such as Anthropic's Mythos, continues to evolve at breakneck speed. However, the cybersecurity professionals who help their enterprises manage these challenges don't feel adequately rewarded — and most are fed up with the situation.
That's the conclusion from the newly released Harvey Nash Global Tech Talent & Salary Report, which surveyed over 3,646 technology professionals globally. While 19% of respondents reported a major attack at their firm in the past 24 months, those working in the security specialism were the least likely to report a pay increase over the last year.
Also: These 4 critical AI vulnerabilities are being exploited faster than defenders can respond
Only 29% of cyber professionals said they'd received additional compensation for their efforts, which is in stark contrast to other roles, where at least half of tech professionals received a pay increase in 2025, specifically in DevOps (56%), product management (51%), and business analysis (50%).
“The research clearly tells us that there's a big mismatch between the demand and the reward in cyber,” said Ankur Anand, group CIO at technology and talent solutions provider Nash Squared, which owns tech recruiter Harvey Nash, the firm that produced the survey.
“I think this mismatch is due to the complacency of many boards saying nothing bad has happened in the last few years, so security must be fine. And that's the irony — that when security teams are doing so much, and they're preventing damage to the organization, they're getting the least recognition.”
Motivation is waning
Unsurprisingly, the survey found that security specialists have had enough. People working in cybersecurity are the third-most unhappy IT professionals globally (23%), just behind those working in quality assurance/testing (24%) and infrastructure/support (25%).
What's more, the lack of recognition and a general sense of despondency mean almost half (49%) of cybersecurity professionals want to move jobs in the next 12 months, well above the global average (39%) across technology roles.
“Cyber is one of the few roles where success is invisible, and failure is very visible,” said Anand, referring to the age-old business challenge of too many executives assuming security is fine because their organization hasn't been attacked.
Also: 10 ways AI can inflict unprecedented damage in 2026
However, this complacency could quickly become a major issue. While 80% of organizations have not suffered a major attack in the past two years, a failure from senior executives to recognize the scale of the cyber challenge and to look after their security teams could mean the enterprise is next in the firing line.
In these circumstances, where cybersecurity concerns continue to rise, and companies continue to stall at rewarding and retaining their talented staff, many professionals can feel their motivation for work start to wane.
“It's the combination of the lack of recognition, the pressure in terms of ensuring that the damage is not done, and that adds to the workload because of the legacy tech stack and the distributed workforce structure that is doing the damage to people's motivation,” said Anand.
AI brings new threats
Crucially, the working pressure is only likely to go one way: upwards. The rise of AI brings new models, techniques, and risks. Anand said organizations and security professionals must consider the speed at which AI is evolving and its likely impact on business operations.
“When I review the threat vectors with my head of security, it boggles my mind about the number of vulnerabilities that outsiders are trying to compromise in the enterprise IT environment, and that reality makes it very stressful to work in the security organization,” he said.
Such is the pace of change that Anand said the threat environment is moving faster than most organizations can structurally adapt. He regularly speaks with digital leaders at other companies who say they've invested heavily in security but still struggle to cope with the threats.
Also: AI is quietly poisoning itself and pushing models toward collapse – but there's a cure
Some industry experts are concerned that current fears about the pace of AI-enabled change are just the starting point. Anand recognizes that the hype surrounding Anthropic's Mythos model is justified, with the potential for this model and other AI-powered innovations to disrupt the whole industry.
“These developments show how AI can discover all those sleeping vulnerabilities in systems,” he said.
“Anthropic, as a responsible organization, is trying to ensure that the key platforms are addressing those vulnerabilities. However, you also must think about whether other non-responsible threat actors will create similar tools.”
Taking a proactive approach
In short, the industry is right to be concerned about Mythos, and the ramifications could mean more pressure for cyber professionals. However, it's not all bad news, and the research suggests that AI could help to reduce the strain on security staff.
Cybersecurity professionals (48%) are the third-most likely IT workers not to feel threatened by AI taking their jobs, behind firmware/hardware engineers (55%) and technology leaders (58%). Anand said security specialists understand that AI creates new risks but also generates new opportunities.
“AI is not removing the need for security; it is increasing it, and this is where a cyber professional adds value — they will define what good looks like,” he said. “You need to think, ‘Okay, how do I contribute to the AI strategy of our organization and ensure what we do is within the guardrails of the regulations and data protection laws?'”
Also: 5 security tactics your business can't get wrong in the age of AI – and why they're critical
With the research suggesting that almost half (49%) of cybersecurity professionals want to move jobs in the next 12 months, security specialists are likely to find themselves fighting for opportunities in a competitive labor market. Anand encouraged cyber specialists to hone their AI capabilities and to develop skills in other areas, including strategy and communication.
“The strongest cyber professionals today combine the technical depth of the domain with the business context,” he said. “They can explain a security issue without the jargon, without any drama, but by being very practical about the business impact and how the firm manages it.”
Rather than burdening the leadership with technical details, the most in-demand cyber staff are aware of how specialist tools, such as AI, can be used to reduce risks, not increase them. These cyber professionals explain how good security practice is crucial to the overall business strategy.
“This focus is not about audits, findings, and so on,” said Anand. “It's about a progressive thought process — it's talking about cyber strategically in terms of business needs, business risks, and business readiness for the future.”
