
5 hard truths of a career in cybersecurity — and how to navigate them – Source: www.csoonline.com



Cybersecurity may promise high pay and job security, but the reality often includes intense pressure, unrealistic demands, and limited support.

Cybersecurity is an exceptionally promising career path. Demand for cyber talent is high, as is compensation, with average base salaries for leading functional roles topping $150,000, according to a 2025 benchmark report from IANS and Artico Search.

But working in cybersecurity comes with challenges that are often glossed over in job postings, media coverage, and even at industry events. And those challenges can wear down a cyber pro over time. To wit, IANS and Artico Search found that while functional staff by and large report positive job engagement, those further along in their careers are less positive about their situations, with middle management and department heads just as likely to be detractors as to be promoters when it comes to their current career situation.

To gain a better understanding of the sources of cyber pros’ dissatisfaction with their careers, we spoke with professionals across the field. Their perspectives shed light on the often-overlooked realities of life in cybersecurity, as well as the strategies they’ve found effective in addressing these issues.

Security for all — but not all are welcome

Mike Morrato, CISO of Forward Networks, says the first hurdle in cybersecurity is simply breaking into the field, due largely to persistent gatekeeping. He cites his own experience as an example.

“Once upon a time, I had the belief that you had to know basic networking skills. Without that knowledge, you could not be an effective security practitioner,” he says.

Morrato now recognizes that cybersecurity spans a wide range of domains, but he believes many in the industry still hold that narrow view. “There is a lot of that level of thinking within the cybersecurity industry: People still treat cybersecurity as firewalls and IPSs and VPNs. And that’s just fundamentally false,” he says.

As a result, leadership and HR teams often gatekeep by focusing exclusively on candidates with certain educational degrees or specific credentials, typically from vendors such as Cisco, Juniper, or Palo Alto. Although Morrato finds this somewhat understandable given the high cost of hiring in cybersecurity, he believes this approach unfairly filters out capable individuals who, in a different era, would have had more opportunities.

He recalls his own path: a college dropout who started in a role where he could learn on the job, eventually earning his Certified Network Administrator (CNA) certification.

To counteract this bias in hiring, Morrato takes a hands-on role in recruitment. He writes all job descriptions himself and reviews batches of applications directly with HR. “We’ll go through those first 15, 20, 30, whatever that number is, resumes. And I’ll work with the recruiters or HR and say, ‘This is the person I’m looking for. This is not the person I’m looking for,’” he says.

He also pays close attention to candidates who may be overlooked due to nontraditional profiles, such as those who are neurodivergent. “We have a lot of neurodivergence, especially in development, but also in cybersecurity as well. If I’m ignoring those people, I’m passing up a lot of talent,” he says.

For Morrato, degrees and certifications serve only as a tiebreaker between otherwise equally qualified candidates. And while he acknowledges CISOs at large enterprises may not be able to engage as deeply in hiring, senior directors still can, he insists. His own approach has led to some of the best hires of his career — candidates who would likely have been screened out by conventional recruiting filters.

Morrato also encourages cybersecurity leaders to consider applicants with “adjacent skills.”

“If I’ve got a networking person wanting to change roles from a networking IT role to a cybersecurity role, that’s a really good fit. They may not know all my technology, but they know the technology that drives my technology,” he explains.

As for job seekers, Morrato advises not relying solely on resumes to stand out. Tailored cover letters can make a real difference, and in-person networking remains powerful.

“Maybe it’s boring as sin to go to those things, but you’ve got people there. You can get to know people there. Eventually, those people can help open doors for you as well,” he says.

Cybersecurity teams protect systems but neglect people

After all the effort it takes to break into cybersecurity, professionals often end up on teams that don’t feel welcoming or supportive.

Jinan Budge, a research director at Forrester who focuses on enabling CISOs and other technical leaders, believes the way most cybersecurity career paths are structured plays a role in this. Because most team managers elevate from technical roles, they often lack the leadership and interpersonal skills needed to foster healthy team cultures or manage stakeholder relationships effectively.

This cultural disconnect has a tangible impact on individuals. “People who work in security functions don’t always feel safe — psychologically safe — doing so,” Budge explains.

Forrester recently published research showing a strong link between low psychological safety and organizational issues such as absenteeism, siloed communication, and, more alarmingly, an increased likelihood of security breaches.

“In some instances, the less psychologically safe the team is, they are three or four times more likely to be exposed to a breach,” says Budge, who encourages cyber pros who find themselves in such environments to engage in honest self-reflection. “It’s important to examine: Is this really toxicity? Is this something I am able to influence? Am I able to change? Is this a me problem or is it rather an issue with the organization itself, with my boss?” she says.

In addressing such questions, Budge recommends enlisting resources such as employee assistance programs, executive coaches, or even psychologists for support. And if the core problem lies with the organization, she advises strongly considering an exit.

Still, many professionals hesitate to leave toxic workplaces, worried that short tenures will hurt their future job prospects. Budge sees this as a common concern, noting that many people stay in unhealthy environments simply to meet an arbitrary 12- to 18-month minimum. Cyber pros who find themselves in this situation should take note that, in the context of hiring, Budge believes this kind of rigid thinking about prior tenure lengths no longer applies. “I feel like those days are gone,” she says.

To reduce the risk of misalignment, Budge recommends conducting due diligence when evaluating potential employers — particularly with leadership roles.

“Imagine if you go to work for a legal firm that only wants a CISO to do ISO 27001 compliance. That’s not going to work for you” if you’re seeking to be a transformational leader, she says, emphasizing the importance of aligning personal strengths and motivations with the company’s overall direction.

Patrick Glennon, CTO at IDIQ, adds that functional staff should also seek out the kind of work that energizes them. For instance, those who thrive on investigation might find rejuvenation in combing through web application firewall logs and correlating them with system access logs to uncover meaningful patterns. “I would lock into the things that got you in there in the first place,” he concludes.

Cybersecurity is stigmatized as a blocker

Bharat Mistry, field CTO at Trend Micro, points out how CISOs can adopt a zero-risk mindset by enforcing blanket controls without engaging key stakeholders — a strategy that can further isolate cybersecurity within IT, a function that is often already siloed.

“You’ve got network teams, you’ve got server teams, you’ve got the IT applications teams, and then you’ve got the security team at the back of the chain,” Mistry says, adding that this isolation ends up shaping cybersecurity’s internal reputation. “Because they’re seen quite often as a department that says no, the reputation of the team is very much, ‘They’re a business disabler, not an enabler,’” he says.

To overcome internal disconnect, Mistry recommends hosting events to give the cybersecurity team a chance to share insights on the broader threat landscape and the organization’s current posture, while also inviting input from other departments.

“We want to understand how you guys are working, what are you facing, and what are the new regulations you need to cope with. And then let’s work hand in hand in a joint strategy to work out how we can enable you to work better, faster, and quicker,” he says.

This kind of dialogue can help dispel a persistent myth. “Cybersecurity is seen as a technical issue, and the perception in most organizations is that it lies within the IT team. But the reality is: It’s a company-wide issue,” Mistry says.

To reinforce this point, Mistry encourages empowering cyber champions — voluntary advocates from departments such as HR, marketing, and legal — who can help demystify cybersecurity for their peers, improve awareness of associated risks, and promote good cyber hygiene.

Richard Addiscot, vice president analyst at Gartner, sees these informal roles increasingly being formalized into positions like the business information security officer (BISO), reflecting the growing need to embed security into the business at every level.

“These roles are there to be the conduit between the security function and the business to ensure that whatever the business is looking to achieve can be managed,” he says.

Even with such champions, Addiscot stresses communication must begin at the top. CISOs must clearly articulate how their work aligns with broader business objectives. Such alignment, however, can be difficult to achieve. “There’s often a disconnect between what communication the business is expecting and what the CISO is actually communicating,” Addiscot explains, noting that this gap typically stems from the CISO’s technical background.

“Picking up business acumen, understanding how the business works rather than being a technology guru is a fundamentally important shift for any midlevel security manager who wants to find themselves in a true C-suite CISO role,” he says.

Cybersecurity teams must also rethink how they approach risk, as relying solely on strict, one-size-fits-all controls is no longer tenable, Mistry says. Instead, he advocates for a more adaptive, business-aligned framework that considers overall exposure rather than just technical vulnerabilities.

“Can I live with this risk? Can I not live with this risk? Can I do something to reduce the risk? Can I offload the risk? And it’s a risk conversation, not a ‘speeds and feeds’ conversation,” he says, emphasizing that cybersecurity leaders must actively build relationships across the organization to make these conversations possible.

Without such efforts in place, cybersecurity isolation can take its toll on one’s experience of the career.

Stakeholders expect da Vinci

Anthony Diaz, CISO at Exterro, highlights another tough reality of a cybersecurity career: the relentless pace of technological change.

“Threat actors are quick studies, constantly finding new angles and leveraging the latest innovations, including the rapid leaps in AI. This demands that we, as defenders, are in a perpetual state of learning and adaptation, which can be quite demanding,” says Diaz.

It’s not just a matter of learning more — it’s also about doing more. According to the IANS and Artico Search report, 61% of cybersecurity staff work across multiple domains. For instance, among professionals in architecture and engineering, 23% also contribute to identity and access management, 26% to application security, and nearly half — 48% — to product security.

These expanded expectations are even more intense at the leadership level. Forrester’s Budge calls this the “Da Vinci Fallacy.”

“CISOs are expected to be experts with mastery of skills that includes cybersecurity, technology, strategy, finance, people, and communication. That is quite a burden of expectations of any leader, particularly of security leaders,” she says.

To meet the increased demands on cyber pros, Diaz advocates for training programs, not just for the essential building blocks of cybersecurity but with risk management integrated as well. “This includes regular, realistic risk assessments and the development of practical mitigation strategies that consider both the technological aspects and the human element,” he says.

He also champions mentorship programs that pair experienced professionals with newer team members to transfer risk assessment skills and core knowledge.

While cybersecurity professionals may face steeper learning demands than most knowledge workers, IDIQ’s Glennon believes that development opportunities are a powerful motivator. He points to conferences as a key example, where professionals can stay current on best practices relating to emerging technologies.

“The more you do things like that, the more people stay invigorated and plugged into the role and excited about what’s going on. It’s employee retention and it’s employee development at the same time,” he says.

The emotional cost of constant readiness

Jason James, CIO of Aptos, notes that there is no downtime for cybersecurity professionals. They must always prepare for when — not if — an attack will occur. “You stay on guard for so long that it does become emotionally draining,” says James, who prefers the term “work-life harmony,” which allows for shifts in focus, over “work-life balance,” which implies a false sense of equality between the two.

For James, achieving work-life harmony requires the ability to truly disconnect and recharge by doing things that bring joy and perspective. For him, that means reading non-business books like memoirs and taking family trips, such as a recent Disney cruise with his children. And he takes intentional steps to ensure his team does the same, by regularly reviewing how much paid time off (PTO) his team members are using and never denying a PTO request.

As a global leader, he’s especially mindful of cultural differences, particularly among American workers, who are often reluctant to take their leave. “As a leader, you need to be looking at their PTO and go, ‘Well, how much time have they taken off?’ And you’ll have people that are like, ‘No, I don’t want to.’ It’s like, ‘No, you need to,’” he says.

To get a clearer picture of work-life harmony across the organization, James cautions other technology leaders against relying exclusively on communication filtered through their direct reports. To stay connected and informed, he regularly conducts skip-level meetings, which allow him to engage directly with employees beyond his immediate line of management.

“It’s to show that you’re not disconnected from the business, you’re not sitting in some ivory tower. The idea of leading is not being at the top — it’s being out in front,” he says.

James also emphasizes the importance of succession planning to ensure team members can take time off without worrying about continuity.

IDIQ’s Glennon shares a similar approach. He explains that cross-training through shadowing and knowledge-sharing helps build redundancy across roles, reducing risk when key personnel step away.

“One of our main guys just took a couple of weeks to go to Europe. I think he checked in once or twice. And we can do that because we have two guys covering,” he says.

James acknowledges that while new technologies can aid in defending against bad actors, maintaining work-life harmony remains just as essential.

“We have a lot of AI that protects our environments, but at the end of the day, I lead people. I manage services. And so it’s my duty to make sure that I’m also protecting the people that are protecting us,” he says.


Original Post url: https://www.csoonline.com/article/4026880/5-hard-truths-of-a-career-in-cybersecurity-and-how-to-navigate-them.html

Category & Tags: Careers, Diversity and Inclusion, IT Leadership, IT Skills, IT Training, Security Practices
