"The data should be a wake-up call," said Ankur Anand, CIO of Harvey Nash, summing up findings that point to an uneasy disconnect between the responsibilities placed on cybersecurity teams and the recognition those teams receive.
Pay, expectations and morale in cybersecurity
Harvey Nash’s Global Tech Talent & Salary Report, published on April 27, found that more than three quarters of cybersecurity professionals were not granted a pay rise last year. That shortfall appears to feed into wider dissatisfaction: roughly half of the cybersecurity workforce reported feeling undervalued, and "many" said they were considering seeking a new role in the near future.
The report also measured expectations for the coming year. Just 45% of employees in cybersecurity expect they may receive a pay increase during the next 12 months — a markedly lower outlook when compared with colleagues in adjacent fields. By contrast, approximately three quarters of those working in AI and machine learning expect to see a pay rise in the same period.
Unhappiness compared with other technical roles
Cybersecurity professionals are among the more discontented groups in technology. Harvey Nash found that 23% of information security employees described themselves as unhappy in their role, making them the third most likely group to report unhappiness. Quality assurance and testing staff reported a 24% unhappiness rate, and infrastructure and support staff were at 25%.
Major incidents, limited resource shifts
The survey’s timing follows several consequential cybersecurity incidents during 2025, which the report highlights. It cites a ransomware attack against Jaguar Land Rover that had "a noticeable impact on the UK economy," and notes that the data breach at Change Healthcare was "by far the largest ever to hit the health industry." Despite these high-profile events and widespread coverage, only 22% of cybersecurity professionals said their organization had increased resources for cybersecurity in response.
That gap — visible incidents coupled with limited resource increases — is what Anand warns should prompt a change in how organizations treat cyber teams. "We’re asking cybersecurity teams to stand on the front line of business risk, yet too often we’re not matching that responsibility with the reward, progression and operating environment that keeps people in the profession," he said.
Demand for cyber skills and the risk of turnover
The report also notes a countervailing fact: cybersecurity remains the third most in-demand technology skill for employers. That demand gives individual security professionals mobility and bargaining power. Harvey Nash points out that those who feel underappreciated could leverage that market position to move to roles with higher pay.
At the same time, the report cautions that departures of key cybersecurity staff can create "additional cybersecurity risk" for the employers they leave. The advice is explicit: organizations that want to reduce exposure and accelerate incident response must make cyber talent "valued, visible and supported by leadership."
The data behind the conclusions
The Harvey Nash Global Tech Talent & Salary Report draws on a survey of more than 3,646 technology professionals globally, including 1,394 respondents in the UK and 629 in the US. The fieldwork for the survey ran from 4 November 2025 to 26 January 2026. That dataset informs the percentages cited for pay rises, expectations, and reported unhappiness.
What this means for cybersecurity professionals, employers, and leadership
- Cybersecurity professionals: the market still prizes your skills — demand sits high — but expectations for pay rises are muted inside current employers. Many are weighing moves to secure better compensation and career progression.
- Employers and procurement leaders: failing to align reward and resourcing with the operational risks cyber teams manage risks higher attrition and the loss of institutional knowledge at a time when high-profile incidents have already demonstrated systemic costs.
- Senior leadership and HR: Harvey Nash’s recommendation is pointed — treat cyber talent as a strategic capability. That means making roles visible, resourced, and part of leadership conversations rather than seeing them as operational blockers.
With major breaches fresh in memory but only one-in-five respondents seeing increased investment, the report leaves a clear managerial choice: match the market and the responsibility entrusted to cyber teams, or accept the risk that talented staff will take their skills elsewhere. As Anand put it, when "pay lags the market, workload keeps rising, and the role is seen as a blocker rather than an enabler, it’s no surprise that attrition starts to look like the path of least resistance."
