Why Are Cybersecurity Pros Underpaid as Threats Surge?

Rupert Marais, our in-house Security specialist, has spent years building endpoint and device security programs, hardening networks, and steering cybersecurity strategy through volatile markets. In this conversation with Sebastian Raiffen, he unpacks why a discipline that’s in the top-three most in-demand roles now sits in the bottom three for satisfaction, even as 71 to 77 percent of security staff worldwide and in the UK saw no raise. He connects the dots between boardroom complacency, AI-fueled threat velocity, and legacy tech that grinds down teams—then lays out pragmatic ways to measure risk avoided, rebalance budgets, and keep people engaged when the market cools.

In many security teams, 70%+ of staff reportedly saw no raise while other tech roles fared better. How does that imbalance affect retention and morale, and what metrics do you watch for early warning? Can you share a concrete example where pay policy directly impacted incident outcomes?

When 71 percent of security staff globally don’t see a raise while 45 percent of tech workers do, you can feel the air go out of the room—people stop volunteering for tough on-call blocks and start quietly browsing job boards. The emotional signal shows up first: short, clipped responses in retros, delayed code reviews, and sighs when new tooling lands without training. I watch leading indicators like satisfaction trending toward that bottom-three cohort, delayed patch cycles, and upticks in handoff frictions between security and DevOps, which hit 56 percent for raises and therefore feel comparatively valued. We once held comp flat for an incident response pod while adjacent teams saw bumps; within a quarter, weekend coverage thinned, triage queues stretched, and a contained issue bled into business hours—nothing catastrophic, but costly enough to force leadership to align security raises closer to that 45 percent industry baseline.

In the UK, roughly three-quarters of security staff had stagnant salaries. What conversations actually shift a board from cost-containment to investment? Walk us through the data, the narrative, and the follow-up actions that worked in your experience.

In the UK, the 77 percent stagnation figure lands with a thud unless you connect it to risk and time. I start with external markers: the UK’s reported 50 percent rise in the most severe attack category, plus the paradox that security remains in the top-three most in-demand roles yet is bottom three in satisfaction. Then I build the narrative around “quiet fragility”: teams look steady because incidents are scarce, but the foundation is brittle when pay trails even the 45 percent norm and adjacent teams like DevOps saw 56 percent getting raises. The follow-through is operational: set a plan to move security comp trends back within reach of that 45 percent reference, pair it with clear progression paths, and commit to quarterly board readouts so investment and outcomes don’t drift back into complacency.

DevOps saw far more raises than security in the same period. What explains that divergence, and how should CISOs benchmark comp against adjacent teams? Share a step-by-step approach to building a compelling compensation case with market data.

DevOps is perceived as a direct feature factory—shipping enables revenue—so it rode to 56 percent raises while security’s “absence of incidents” invited belt-tightening. The way to counter that is to anchor security’s value to continuity and velocity, not only to breach avoidance. I benchmark by triangulating three signals: where security sits versus the 45 percent global raise baseline, how far it trails adjacent teams like DevOps at 56 percent, and where our internal satisfaction trend is relative to the bottom-three warning zone. Step-by-step: gather that external data from the 53-country survey, translate the gaps into delivery risk stories, show how a small comp correction reduces the odds of falling into that 24 percent “staying put out of caution” bucket, and lock in a cadence to review gaps every quarter so we don’t backslide.

Security ranks among the most in-demand tech roles yet sits near the bottom for satisfaction. Where is the disconnect operationally—tooling, headcount, on-call, career paths? Give examples of changes that moved satisfaction scores by measurable amounts.

The disconnect is death by a thousand cuts: legacy tools that scream but don’t signal, distributed teams stitched together with brittle workflows, and on-call that feels endless. We tackled it by pruning noisy tools and shifting effort toward the hotspots amplified by AI—identity, detection, and app controls—so people weren’t playing whack-a-mole all day. We also rewired career steps so analysts could move laterally into DevOps-adjacent roles, which resonated because they saw 56 percent of that crowd getting raises. The result: scores climbed out of the bottom-three doldrums and retention stabilized as folks felt momentum rather than the flatline of that 71 percent stagnation narrative.

When a team is highly effective and incidents are scarce, leadership can grow complacent. How do you quantify “risk avoided” to counter that perception? Describe dashboards, leading indicators, or scenarios you’ve used to keep urgency high.

I frame “risk avoided” with a counterfactual lens: what would it have cost if a control failed during the period when severe attacks rose by 50 percent in national reporting. The dashboard pairs those external threat curves with our internal control health and near-miss narratives—detections that caught early-stage activity or policy blocks that stopped unsafe configurations. I also map staffing and investment variances against the broader market—if we’re below the 45 percent raise momentum while exposure rises, that misalignment is a headline. Scenario drills make it visceral: we walk executives through a day-in-the-life of a major event to show how stable, visible funding keeps us out of that bottom-three morale slide and off the breach ticker.

Severe cyberattacks have risen sharply in some national reports. How should that shift staffing models and budgets this year? Outline the specific headcount mix, training cadence, and playbook updates you would prioritize.

With a 50 percent rise in the most severe category, I’d rebalance toward detection engineering, identity assurance, and rapid response while trimming toil-heavy roles through smarter workflows. The mix leans into cross-functional pairing with DevOps to borrow some of that 56 percent momentum and keep pipelines hardened by design. Training gets baked into the calendar rather than treated as a perk—short, regular blocks that align with the changing AI threat surface so the team doesn’t drift into the 71 percent stagnation mindset. Playbooks get refreshed to reflect distributed work realities and legacy risk, including clear call trees and decision authority that prevent paralysis when the alert storm hits.

AI is expanding the threat surface and the speed of attacks. Which security functions need immediate resourcing—detection engineering, identity, app sec, threat intel? Share a concrete implementation plan and the KPIs you’d expect in the first 90 days.

I’d surge into detection engineering and identity first, with app sec and threat intel tightly coupled so signal quality stays high. In the first 90 days, stand up detection content that focuses on common abuse of automation pipelines, reinforce identity flows for remote access, and wire intel into backlog grooming so we build rather than bolt on. KPIs lean on directional proof: fewer noisy alerts, faster triage, and confidence from engineers that the rules reflect how they work—an antidote to that bottom-three satisfaction spiral. Pair this with visible recognition to counter the 71 percent-no-raise fatigue and keep urgency matched to the 50 percent uptick in severe threats.

Entry-level security roles are shrinking as automation and AI absorb junior tasks. What pathways should aspiring professionals pursue now—labs, apprenticeships, rotations? Provide a skills roadmap with milestones and metrics that hiring managers value.

The market has swung to employer control, and the entry-level staircase is missing a few steps. I tell candidates to build a portfolio anchored in labs and rotations that touch endpoints, identity, and pipeline security—areas visibly strained as AI accelerates threats. Milestones are practical: shipped detection rules, hardened configurations, and clean runbooks that show you can cut through the legacy and distributed sprawl that drags teams into the bottom-three morale bucket. Hiring managers notice artifacts and outcomes, especially when the broader cohort is stuck in that 24 percent “staying put out of caution” zone and needs fresh energy that can contribute on day one.

Many organizations operate with legacy tech and highly distributed workforces. What practical steps reduce analyst toil without huge capital spend? Offer a before-and-after example with queue metrics, MTTR, and false-positive rates.

Toil drops fastest when you standardize signal intake and kill redundant checks instead of layering yet another dashboard. We focused on fixing parsers and consolidating policies so alerts actually mean something, then pushed curated runbooks to the edge for distributed teams. Before, the vibe was constant firefighting—analysts grinding through piles of false alarms with that bottom-three satisfaction gloom hanging over them; after, queues felt sane, handoffs were cleaner, and people had the breath to hunt. It didn’t require big spend—just ruthless prioritization and the courage to prune tech that never earned its keep.

With a cooling job market, some practitioners stay put out of caution rather than fit. How do leaders differentiate “contentment” from “stagnation”? Describe the surveys, skip-levels, and career frameworks that surface real sentiment.

The survey tells you part of the story, but in this market—where 56 percent say they’re satisfied and 24 percent admit they’re just not confident about jumping—you need texture. I run pulse checks alongside skip-levels that ask for one thing people would build, one thing they’d cut, and one thing they’d teach. Then I use a career lattice that makes lateral moves into DevOps-adjacent paths explicit, which matters when folks see that 56 percent raise momentum and want a piece of it without leaving security. When answers sound tired and growth stories dry up, that’s stagnation—time to adjust roles, mentoring, or comp so we don’t slide further into the bottom-three doldrums.

Burnout and attrition often spike when responsibility outpaces recognition. What are the most effective non-cash levers—on-call redesign, protected learning time, incident caps? Share a playbook that reduced attrition with measurable outcomes.

Recognition isn’t only about money, especially when 71 percent saw no raise and budgets are tight. We redesigned on-call with clearer escalation, ring-fenced learning tied to live threats, and incident caps that force teams to rotate out before they fray. Crucially, we celebrated near-misses—risk avoided—so success wasn’t invisible simply because nothing exploded during a quarter that echoed that 50 percent rise in severe events out in the wild. Attrition eased as people felt seen, progression accelerated, and satisfaction nudged away from the bottom-three zone because the work finally felt sustainable.

To treat cyber talent as a strategic capability, what governance changes matter most—board reporting lines, risk ownership, compensation bands? Walk us through the operating model and cadence that make security visible and valued.

Make the line of sight to the board explicit and regular, not ad hoc—security shouldn’t be a cameo. Clarify risk ownership so product, infrastructure, and security leaders share outcomes rather than volleying tickets back and forth. Calibrate compensation bands so security isn’t drifting far below the 45 percent raise benchmark while DevOps glides at 56 percent; this is about parity of esteem, not superiority. The cadence is simple: quarterly strategy with the board that spotlights avoided risk, monthly operational reviews that connect work to business velocity, and ongoing recognition that keeps us out of the bottom-three satisfaction trap.

If full-time openings are down, how should teams blend FTEs, contractors, and MDR/SOC services? Give a cost, SLA, and risk trade-off analysis, plus a sample RACI for handoffs.

In an employer-controlled market, blend for resilience: anchor core risk and context with FTEs, flex with contractors for projects, and use MDR/SOC for after-hours breadth. The trade-off is texture over absolutes—FTEs carry institutional memory, services bring coverage, contractors inject speed; align SLAs to what truly matters so you don’t bury humans in noise from legacy systems. Keep risk with those closest to the business while services handle standardized detection and triage, and contractors tackle migrations or app hardening. RACI-wise: security owns policy and risk acceptance, services execute monitoring and first-response, contractors deliver scoped change, and product teams remain accountable for fixes that keep us off the bottom-three satisfaction seesaw.

What metrics should boards review quarterly to ensure security isn’t underfunded—loss exceedance, control efficacy, staffing ratios? Provide target ranges and examples of corrective actions when thresholds are missed.

I’d have boards review loss exceedance against appetite, control efficacy trends, and staffing health alongside market markers—are we tracking closer to the 45 percent raise baseline or stuck near that 71 to 77 percent stagnation bracket. For ranges, I use those external references as guardrails: if our investment momentum drifts far below the 45 percent norm while severe threats are echoing a 50 percent rise, we’re out of bounds. Corrective actions look like accelerating comp corrections toward parity with adjacent functions—if DevOps saw 56 percent raises, security can’t be left behind—plus pruning legacy tools that burn time without outcomes. The board should also demand a forward view of “risk avoided” so they’re not lulled by quiet quarters into bottom-three morale and underfunded controls.

What is your forecast for the cybersecurity talent market?

In the near term, it stays employer-controlled, with full-time openings tighter and entry ramps narrower as AI erases junior tasks. The paradox endures: security remains top-three in demand, yet satisfaction hovers in the bottom three if we don’t fix recognition, progression, and operating models. I expect more candidates to stay put out of pragmatism, echoing that 24 percent who aren’t confident about finding better, while a resilient core leans into identity, detection, and app security where AI is raising the stakes. The bright spot: organizations that close the gap with comp momentum closer to the 45 percent tech baseline—and stop treating security as invisible when incidents are scarce—will become magnets for talent even as the wider market stays cool.
