Here's the thing about cybersecurity in 2026 that nobody wants to hear out loud: the people doing this work think it's gotten significantly worse. Not marginally. Significantly.
A new survey from ISSA International and research firm Omdia put a number on it — 68% of cybersecurity and IT professionals say their job is harder now than it was two years ago. That's not a rounding error. That's a majority of the profession looking at their workload, their threat landscape, and their tooling and saying: this is not getting better.
And yet. The demand for CISO-level expertise keeps climbing. Not in the way you'd expect, either. Full-time chief information security officer roles have dropped from 76% of organizations in 2024 to just 63% today. But fractional CISO engagements have more than doubled — from 6% to 15%. Companies aren't hiring fewer security leaders. They're just hiring them differently.
The job is harder. The market still wants you. That's not a contradiction — it's the actual state of play.
Shadow AI and the Visibility Problem
The biggest new stressor on cybersecurity teams isn't a new vulnerability class or a novel attack technique. It's something far more mundane and far more frustrating: employees enabling AI tools without telling anyone.
Melinda Marks, a principal analyst at Omdia who's been tracking this space closely, put it plainly. Organizations are seeing a pattern where workers adopt cloud-based AI services on their own — shadow AI, if you want the industry term for it — and security teams have no visibility into what's happening. Data flows out through channels nobody monitored. Models process information that should never have left the perimeter. And by the time someone notices, the pattern is already established.
This isn't theoretical. It's a daily operational headache for teams that are already stretched thin. The same people responsible for threat detection, incident response, and compliance reporting now also have to figure out which AI tools their colleagues are using, whether those tools comply with data governance policies, and what — if anything — they can do about it without alienating the workforce.
The visibility gap is real. And it's growing faster than any tooling can close it.
The Numbers Behind the Burnout
Let's get specific about what "harder" actually means, because the survey data paints a pretty grim picture.
Fifty-five percent of respondents say both complexity and workload have increased. That's not a small slice — that's the overwhelming majority of people in this field feeling the squeeze from two directions at once. More to do, with more complicated problems to solve.
Fifty-two percent say cyber threats have become more overwhelming. Again, a majority. Not a plural. A majority.
Shawn Murray, former president of ISSA International and someone who's spent decades in this industry, didn't mince words about what that looks like on the ground. He described CISOs working 50 to 70-hour weeks, not because they're addicted to the grind but because the workload simply doesn't fit into a normal schedule. The culture challenge, he noted, is real — teams are burning out, turnover is climbing, and the people who stay are doing it at a cost to their health.
This isn't a future problem. It's happening right now, in organizations of every size, and the people managing it know it.
Alex Hutton, CISO at Atlantic Union Bank, said something that should give every board member pause: "It's hard to argue the job is getting easier." He went further, calling for education and action — not platitudes about resilience or team-building exercises. The job is harder. Act like it.
The Liability Fear That Faded
Here's a counterintuitive finding from the survey that deserves more attention: fears about personal liability for CISOs are subsiding.
After the high-profile prosecutions tied to the Uber data breach and the SolarWinds supply chain compromise, there was genuine anxiety in the industry that CISOs could face criminal charges for failures within their organizations. That fear dominated conversations in 2024 and early 2025.
It's no longer a top stressor. Not because the legal risk has disappeared — it hasn't — but because the industry has adapted. Boards have clarified roles. Legal frameworks have been tested and refined. CISOs now understand their exposure better than they did two years ago, and that clarity itself reduces anxiety.
This doesn't mean the job is easier. It means one specific source of stress has been managed, even as new ones have emerged in its place. Shadow AI. Workforce adoption of unvetted tools. The sheer volume of alerts and incidents to triage daily.
The stressors have shifted, not vanished. That's an important distinction for anyone trying to fix the problem.
The Fractional CISO Economy
The most striking data point in the survey isn't about stress or workload. It's about how organizations are structuring their security leadership.
Full-time CISO roles have dropped from 76% of organizations in 2024 to 63% today. That's a 13-percentage-point decline in just two years. Meanwhile, fractional CISO engagements have surged from 6% to 15% — more than doubling.
What's driving this shift? Shawn Murray pointed to one factor that should surprise nobody who's tried to buy cyber insurance recently: compliance requirements. Smaller companies, in particular, are finding that their insurers demand a certain level of security governance — and that often means having a qualified CISO on the org chart, even if that person isn't full-time.
The fractional model makes sense for organizations that can't justify a six-figure salary for a security leader working part-time. But it also reflects a broader truth: cybersecurity expertise is valuable, and organizations are willing to pay for it — just not always in the traditional employment package.
Murray noted that many CISOs are going out on their own to consult, which aligns with organizations that actually listen. It's a market correction of sorts — the people who know what they're doing are pricing their expertise appropriately, and the companies that can't or won't pay aren't getting the coverage they think they have.
This isn't a weakening of the CISO role. It's a restructuring.
AI as the Tool, Not Just the Threat
There's a narrative in cybersecurity that treats AI purely as an adversary — the thing making attacks faster, smarter, and harder to detect. That narrative isn't wrong. But it's incomplete.
The survey found that 37% of respondents are currently using AI for cybersecurity operations, and another 46% plan to. That's 83% of the profession either using AI or moving toward it. The question isn't whether AI will be part of cybersecurity teams — it already is.
The top use cases people want automated are telling: assessments, predictive risk analysis, and threat detection. These aren't glamorous applications. They're the unglamorous, repetitive work that eats up security teams' time and prevents them from doing the strategic thinking their roles actually require.
If AI can handle the routine — scanning configurations, correlating alerts, generating risk reports — then maybe, just maybe, CISOs can stop working 70-hour weeks and start doing the work that actually requires a human brain. Strategic planning. Board communication. Incident response leadership.
That's the promise. Whether it delivers depends on whether organizations invest in getting AI right, or just bolt it onto existing workflows and call it innovation.
The tool isn't the problem. How we use it is.
The Market Isn't Shrinking — It's Changing Shape
Let's be clear about what the data does and doesn't say.
The job is harder. The workload is heavier. Shadow AI is creating visibility gaps that security teams are struggling to close. CISOs are working more hours than ever.
But the market for cybersecurity expertise isn't contracting. It's evolving. Full-time roles are down, yes — but fractional engagements are up. Demand for security leadership isn't disappearing; it's being redistributed across different employment models.
Alex Hutton put it well: the positions aren't being eliminated. The market is growing, just in ways that don't always look like traditional hiring.
For cybersecurity professionals considering this field, the message is complicated but clear: the work will be hard. The stress will be real. But the demand for people who can do it well has never been higher.
The question isn't whether cybersecurity is a good career. It's whether organizations will invest in making it sustainable — for the people doing the work, and for the security of the systems they're protecting.
Right now, the answer is still too often no.