Harvey Nash survey: 71% of cybersecurity professionals saw no pay increase in 2025 despite mounting AI-driven threats and growing workload.
Key Takeaways
The UK was worst: 77% of security staff got no raise. Globally, 71% of security professionals saw no increase, vs. 45% of all tech workers receiving increases.
DevOps peaked at 56% receiving raises; even AI/ML and infrastructure teams outpaced security on compensation.
Harvey Nash CIO Ankur Anand: boards grow complacent when teams prevent incidents, cutting the visible justification for pay increases.
AI is expanding the threat surface and erasing entry-level roles simultaneously, creating a structural squeeze at both ends of the career pipeline.
24% of security professionals staying in current roles admit they lack confidence they’d find anything better, signaling a trapped workforce.
Hacker News Comment Review
Consensus: cybersecurity is treated as a cost center like waste management, not a strategic capability, and boards only notice it when it fails.
Commenters point to structural incentive failures: breach penalties in the US are so weak (credit monitoring letters) that companies have little reason to invest in prevention or talent retention.
A countervailing view: the AI-driven skiddie surge and rising compromise rates will force a reckoning, with potential for a high-profile breach to shock organizations into treating security as strategic.
Notable Comments
@fulafel: SOC roles chasing false positives, CISO jobs with accountability but no power to fix insecure legacy infrastructure – the career paths are structurally broken.
@lenerdenator: “Show me the incentives, and I’ll show you the outcomes” – breach penalties are effectively zero, so the investment case for security talent never closes.
@a34729t: Anthropic and Claude are well-positioned to absorb SAST, DAST, and supply chain analysis as AI writes more production code at large companies.