More than four million security professionals. That’s the shortage according to the World Economic Forum. But within this war on talent, shifts and trends are emerging. For example, cybersecurity is moving from a technical matter to a central pillar of management. And the profiles being sought are shifting with it.
TEXT: WILLIAM VISTERIN IMAGE: SHUTTERSTOCK
We take our cue from a recent report by US trade association CyberSN. They analysed cybersecurity vacancies in the United States from 2022 to 2024. The data came from more than 30 job boards and career sites of leading employers.
After all, if you want to know how an organisation, a sector or a profession is changing: look at the hires. They reflect how organisations are adapting – in this case, in cybersecurity – to risks, regulations and increasing digitalisation. And they tell an underlying story about how the demands on security teams are changing, and how organisations are thinking about how to build and grow those teams.
In 2024, according to CyberSN, security engineers were still the most common cybersecurity role, followed by analysts and DevSecOps professionals. These are familiar job titles, roles that have long been considered essential to building and maintaining secure systems.
But the momentum is shifting. Technical roles are declining a little. In the past three years, for example, the number of vacancies for DevSecOps roles has fallen by almost half. According to CyberSN, this reflects a conscious recalibration of how organisations structure their teams.
This is also where the increasing impact of automation comes into play. As security platforms become more intelligent, many tasks that previously required dedicated staff, such as log analysis, threat detection and incident triage, can be increasingly streamlined.
As in many other fields, artificial intelligence is having an impact. However, this is in line with an evolution that has been going on for some time, as Fleur van Leusden, Chief Information Security Officer (CISO) at the Dutch Electoral Council, points out in this podcast:
‘We think that AI is something very new and innovative, but actually we have had applications like anti-malware for decades. They can analyse network traffic and use AI to identify patterns where things are going wrong,’ says Van Leusden.
However, the trend towards automation and AI does not mean that fewer security professionals are needed. It does mean that their roles are evolving, performing less repetitive tasks and focusing more on strategic problem solving, architecture and cross-departmental collaboration.
One global healthcare CIO told the CyberSN report that her team had recently merged the DevOps and security automation teams. The result was a leaner group, but one with more responsibility for both application delivery and secure operations.
Security hiring is also increasingly likely to focus on non-technical skills and profiles. For example, CyberSN data shows a 40 per cent surge in cybersecurity and privacy lawyer vacancies between 2023 and 2024.
With increasing regulation and disclosure requirements, organisations cannot afford to treat legal support as an afterthought. Legal advice is, and will increasingly become, a regular part of incident handling, vendor contract reviews, and even system design discussions.
This shift is particularly evident in highly regulated sectors. The modern cyber team needs to understand risk from a legal, reputational and regulatory perspective, and legal professionals are essential to this mission. More than ever, organisations are living the wisdom, ‘The goal is no longer just to be secure. It’s to be accountable.’
This builds on the above observation. Of all the cybersecurity categories surveyed, GRC (governance, risk and compliance) functions grew the most in 2024. Increasingly, boards and regulators expect cybersecurity leaders to measure and report risk in terms of business impact. This requires professionals who can link security activities to corporate governance frameworks. In other words, it is about audit readiness as well as security readiness.
Be it internal controls, SOC 2, HIPAA, NIS2, Cyber Resilience Act, GDPR or others, companies are under pressure to document, defend and demonstrate their cybersecurity and data protection maturity. People with different profiles are being recruited for such GRC positions: former risk managers, consultants and even compliance officers from the financial or healthcare sectors. Today’s GRC professionals are the ones who bridge this gap, translating controls and threats into terms that auditors, executives and investors can understand.
While hiring trends provide a good insight, they do not tell the whole story. In the security world, for example, the increasing pressure on existing security teams is an issue. In many organisations, responsibilities are growing faster than the number of staff, and this is not without consequences.
Burnout among security professionals is a growing phenomenon. Turnover in security teams is often quite high. This is especially true of mid-career professionals, who often carry the heaviest load without the clearest growth paths. Often these profiles do not move to the competition, but simply leave the job and do something completely different professionally.
It is also often a question of recognition for security jobs. ‘If nothing happens, it means you have done a good job,’ argues CISO Fleur van Leusden. ‘But you don’t get many compliments for that, and hardly anyone says, “Well done, CISO, we haven’t had any attacks,”’ she argues.
CISOs, van Leusden says, are often cast at board level as the company’s Debbie Downer (a fictional Saturday Night Live character who usually appears at social gatherings and interrupts the conversation with negative opinions and pronouncements). ‘You are generally seen as the person who says ‘no’ to a lot of things,’ she says.
Another important observation is that the world of cybersecurity vacancies is a growing but young environment. And often, especially in smaller organisations, the jobs fall between different departments: from IT to legal to HR.
In addition, despite the attention around cybersecurity, there is sometimes less interest or awareness about actually working in the field. Children may often want to be police officers when they grow up, but being cybersecurity professionals is not (yet) on their minds. ‘I don’t know many children and young people who grow up saying ‘I want to be a CISO when I grow up’. It’s not something people aspire to, they just get into the job,’ says Fleur van Leusden.
As a CISO, she does recommend taking the security career path. ‘If you want to be a CISO, do the grunt work first. Become a security officer or a security engineer, whatever. Or become an ethical hacker. Do those basic tasks first and you will eventually get there,’ van Leusden believes.
But it is also a matter of mindset. ‘Think about the situation where your colleagues go downstairs for a cup of coffee and see the security officer sitting there with his laptop, without a privacy screen or any other measure. What message does that send to them? As a security officer, you should always lead by example.’
These are the most sought-after profiles in cybersecurity over the past two years. Although these are job postings for US companies or multinationals, the figures give a clear picture of where the sector is heading, globally and also in Europe. Where defence took precedence in recent years, other fields such as Governance, Risk and Compliance are now emerging. In other words, cybersecurity as a profession is becoming less technical.
Edition #08 – April 2025