
Solve Staff Hiring and Retention Issues: The Cybersecurity Staff Comp Report is Live!
Talent shortages have long plagued the cybersecurity sector, leaving CISOs trying to execute critical security initiatives with understaffed teams. Demand for skilled professionals continues to outpace supply, especially in specialized technical roles. This imbalance pressures CISOs to offer more competitive compensation, yet many find their standard salary bands inadequate. And because many employees are considering a job change within the next 12 months, CISOs must remain vigilant: their teams are highly susceptible to poaching by competitors.
To provide first-hand insight into staff compensation, critical skill areas and job satisfaction, IANS and Artico Search fielded their annual Staff Compensation and Career survey, capturing responses from more than 525 cybersecurity staff across a range of industries and company types in the U.S. and Canada. This piece highlights findings from the resulting 2025 Cybersecurity Staff Compensation Benchmark Report, including staff compensation data, day-to-day responsibilities, common career paths and job satisfaction, to help CISOs benchmark current and planned staff roles and plan their talent search.
Cybersecurity Staff Support Multiple Functions
We identified the core responsibilities of cybersecurity staff (functional department heads, managers/team leads, functional staff and specialists), both in terms of the functions they support as well as their day-to-day activities.
Looking at the key cybersecurity functions—SecOps, governance, risk and compliance (GRC), architecture and engineering (A&E), application security (AppSec), product security, and identity and access management (IAM)—we found that most staff (61%) work across multiple functions, dedicating at least 30% of their time to each of two or more domains. The remaining share (39%) focuses exclusively on a single domain.
Among cybersecurity staff who support multiple domains (each receiving at least 30% of their time), certain combinations are particularly common: AppSec with product security, and SecOps with GRC. Product security and, to a lesser extent, IAM also frequently overlap with other domains. Combined roles are common in smaller organizations that lack the budget for dedicated specialists in every domain, but they also appear in larger firms where mature security tooling reduces the need for dedicated staff and favors versatile team members who can cover several functions. Temporary vacancies may also lead to responsibilities being redistributed among existing staff.

Some cybersecurity domains inherently share responsibilities and skill sets, enabling the creation of combined roles. For example, AppSec and product security often pair due to their shared goals of securing software and systems throughout the development process. Similarly, SecOps and GRC are commonly linked, as SecOps focuses on operational defense, while GRC ensures adherence to policies, regulations and compliance standards.
IANS Faculty member and Artico Search partner Steve Martano elaborates on these figures: “When companies hire individuals with versatile skill sets, it not only offers managers flexibility when priorities shift, but it also exposes team members to broader parts of the security function, which may benefit them in their career development. With broader mandates, managers can flag high performers who may have the aspirations and skill sets to manage multiple functions over time.”
Job Satisfaction and Attrition Risk
Many organizations use net promoter score (NPS) to gauge the satisfaction and loyalty of both customers and employees by asking how likely they are to recommend the organization or workplace to others. For CISOs and security leadership, employee NPS can serve as a useful indicator of engagement and retention risk:
- A low NPS (less than 0) may signal a higher risk of employee attrition.
- A high NPS (30 or higher) often correlates with stronger satisfaction, lower attrition and a greater likelihood of employee referrals.
Our research shows that one-third (33%) of cybersecurity staff and management are promoters, scoring 9 or 10 when asked whether they would recommend their current workplace to others. Meanwhile, 28% are detractors, scoring 6 or lower. The resulting NPS is 5 (33% promoters minus 28% detractors).
Broken down by role, functional staff report the highest level of workplace advocacy, with an NPS of 11 and the lowest share of detractors at 23%. Functional department heads, by contrast, have an NPS of -2, meaning detractors outnumber promoters in that group. Security middle management falls between the two with an NPS of 2, reflecting a more balanced mix of satisfaction and dissatisfaction.
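The NPS arithmetic above is simple, but the bucketing rules (9–10 promoter, 7–8 passive, 0–6 detractor) and the per-role breakdown are easy to get wrong when the raw survey export is in hand. The following Python is an added example, not code from IANS, Artico Search or the report; the response data is constructed for illustration and does not reflect survey results. It buckets 0–10 recommend scores, computes NPS overall and by role (rounding percentages before subtracting, as the report presents them), and applies the attrition-risk bands from the bullets above.

```python
from collections import Counter, defaultdict

# Constructed sample responses for illustration only (role, 0-10 recommend score).
# These are NOT data from the IANS/Artico Search survey.
SAMPLE_RESPONSES = [
    ("functional staff", 9), ("functional staff", 10), ("functional staff", 7),
    ("functional staff", 5), ("functional staff", 8), ("functional staff", 10),
    ("middle management", 9), ("middle management", 6), ("middle management", 7),
    ("middle management", 10), ("middle management", 3),
    ("department head", 8), ("department head", 4), ("department head", 9),
    ("department head", 6),
]


def classify(score):
    """Standard NPS buckets: 9-10 promoter, 7-8 passive, 0-6 detractor."""
    if not isinstance(score, int) or not 0 <= score <= 10:
        raise ValueError(f"recommend score must be an integer 0-10, got {score!r}")
    if score >= 9:
        return "promoter"
    if score >= 7:
        return "passive"
    return "detractor"


def nps(scores):
    """Return (nps, promoter_pct, detractor_pct).

    Percentages are rounded to whole numbers before subtracting, matching the
    report's presentation (33% - 28% = 5). Passives count toward the
    denominator but not toward either percentage.
    """
    scores = list(scores)
    if not scores:
        raise ValueError("no responses")
    buckets = Counter(classify(s) for s in scores)
    n = len(scores)
    promoter_pct = round(100 * buckets["promoter"] / n)
    detractor_pct = round(100 * buckets["detractor"] / n)
    return promoter_pct - detractor_pct, promoter_pct, detractor_pct


def nps_by_role(responses):
    """Group (role, score) pairs by role and compute NPS for each group."""
    grouped = defaultdict(list)
    for role, score in responses:
        grouped[role].append(score)
    return {role: nps(scores) for role, scores in grouped.items()}


def attrition_signal(nps_value):
    """Map an NPS to the bands used in the text above."""
    if nps_value < 0:
        return "elevated attrition risk"
    if nps_value >= 30:
        return "strong satisfaction"
    return "mixed"


if __name__ == "__main__":
    overall, p, d = nps(score for _, score in SAMPLE_RESPONSES)
    print(f"overall NPS {overall} ({p}% promoters, {d}% detractors): "
          f"{attrition_signal(overall)}")
    for role, (value, p, d) in sorted(nps_by_role(SAMPLE_RESPONSES).items()):
        print(f"{role:18} NPS {value:4} ({p}% / {d}%): {attrition_signal(value)}")
```

Run against a real export, the per-role table is the part worth watching: a healthy overall NPS can hide a negative score in one management tier, which is exactly the pattern the report describes for department heads.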

These findings highlight the challenge of promoting skilled functional staff into people-leadership roles without setting clear expectations and providing management training.
Recommendations to Attract and Retain Staff
Given the competitive market for cybersecurity talent, organizations should prioritize three areas to maintain stability and support growth of their infosec teams: retaining existing talent, attracting new talent, and fostering the success of both current and new employees. Based on the research outlined in the Staff Compensation Report, our panel of experts at IANS and Artico Search provides the following recommendations to address these priorities.
The research revealed significant retention challenges, with many infosec staff and leaders considering a job change, coinciding with dissatisfaction. To address this, organizations must prioritize creating clear career advancement pathways, enhancing communication about growth opportunities, and implementing leadership development programs. Additionally, regular performance reviews and personalized career planning can help employees feel valued and supported, reducing turnover risks and fostering long-term loyalty.
Attracting and hiring cyber talent
In budgeting for and crafting compensation packages designed to attract strong cybersecurity talent, leaders must align pay and opportunities with market realities. Most professionals in the field have diverse experience across functions such as SecOps, AppSec and GRC, making them highly adaptable but also highly sought after. To compete effectively, organizations should offer compensation that reflects expertise and proficiency level, recognizing that top-tier talent often commands a premium of up to 40% at each successive skill level.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, security organization, security staff compensation, and job satisfaction. These in-depth reports feature new takeaways, uncover a wealth of insights, and provide valuable leadership guidance to fine-tune your current role, department, and career path.
Download the 2025 Cybersecurity Staff Compensation Benchmark Report – for additional insights and data for hiring and retaining staff within the security organization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.