High Salaries No Longer Enough to Attract Top Cybersecurity Talent

A survey of 500 cybersecurity pros reveals high pay isn't enough—lack of growth and flexibility is driving attrition and risking organizational security.

Sarah Gooding

March 21, 2025

Despite six-figure salaries, many cybersecurity professionals are deeply unsatisfied with their roles, citing limited career growth, inflexible work policies, and overwhelming workloads.

That’s the headline takeaway from the newly released 2025 Cybersecurity Staff Compensation Benchmark Report by IANS Research and Artico Search. The report, based on responses from more than 500 security professionals across North America in 2024, paints a picture of a workforce under pressure: understaffed, overextended, and often underwhelmed by career progression opportunities.

And with 60% of cybersecurity staff considering a job change in the next year, that instability could have serious implications for organizational security.

Money Isn’t the Problem, But It’s Not the Solution Either

Compensation remains strong across the board. Security architects are pulling in an average of $206,000 in annual cash compensation, while security engineers trail closely at $191,000. Even mid-level analysts average $133,000. But the report makes one thing clear: salary alone isn’t enough to keep top talent in place.

Only one-third of cybersecurity professionals would recommend their employer. Nearly half say they’re dissatisfied with their ability to grow in their roles. And among those most likely to leave? Senior staff who already lead teams but feel stuck with no clear path to the CISO chair.

In other words: it’s not about the money. It’s about the mission.

When Everyone’s Doing Two Jobs, No One Stays Long

One standout stat from the report: 61% of cybersecurity staff now work across multiple security functions, with common overlaps in SecOps, GRC, and AppSec. While this cross-functionality may reflect lean teams and shifting priorities, it also raises burnout risks, especially when employees feel their breadth of effort isn’t matched with upward mobility.

This multi-hat reality has been quietly reshaping the field for years. In smaller orgs, it’s a necessity. In larger ones, it’s often a function of efficiency, relying on tools and processes to reduce headcount while expecting the remaining staff to stretch wider. But the result, as the data suggests, is a workforce that feels overburdened and under-recognized.

Return-to-Office Mandates Aren’t Helping—and NPS Scores Forecast Attrition

Perhaps unsurprisingly, return-to-office policies continue to clash with staff preferences. More than half of cybersecurity professionals work remotely full-time, and only 1% say they want to be fully on-site. Forcing a return, the report warns, risks “disengagement, increased turnover, and recruitment difficulties,” all costly at a time when the security talent pool is already shallow.

And the dissatisfaction runs deeper. Net Promoter Score (NPS), a common metric used to gauge employee satisfaction and advocacy, is alarmingly low across the board. The industry-wide NPS clocks in at just 5, a number that signals significant morale issues. Only one-third of respondents would recommend their current employer, while 28% fall into the “detractor” category.

This sentiment directly correlates with turnover intent: more than half (53%) of functional department heads say they’re considering leaving within the next year. Even among middle management and staff-level roles, that number is 40% or higher.

While only 9% of professionals actually changed jobs in the last 12 months, the gap between intent and action is a warning sign. Disengagement may not always show up on a resignation letter—but it can surface in missed detections, stalled projects, or burnout-fueled mistakes.

Retention as Risk Management

For organizations, high turnover and low engagement don’t just hurt morale, they weaken defenses. Security teams are already stretched thin, and every departure means lost institutional knowledge, onboarding delays, and increased exposure. When threats are constant and software supply chains are increasingly targeted, continuity matters.

This is where tooling becomes critical. Organizations can’t rely solely on the judgment of individual analysts to catch malicious behavior, especially when those analysts might not be around next quarter. Tools that surface threats like dependency confusion, typo-squatting, or malicious install scripts need to be durable, automated, and capable of protecting the business even as teams shift.

Security posture shouldn’t hinge on whether a key engineer quits tomorrow.

The report’s recommendations for CISOs center around creating growth pathways, offering flexible work arrangements, and providing targeted professional development. All good advice, but not always feasible, especially in budget-constrained environments.

That makes it even more important to invest in systems and safeguards that don’t rely on any one person being in the room. With high turnover risk and limited internal bandwidth, organizations need to plan for instability. Security tooling and processes should be built to withstand not just attacks—but attrition.
