RC RANDOM CHAOS

Harvey Nash priced your security staff

Cybersecurity compensation benchmarks function as a control input. When the internal pay-band cycle runs slower than the external market, retention fails.

· 8 min read
Harvey Nash priced your security staff

Compensation is a control signal. When the Harvey Nash data lands in cybersecurity leadership inboxes, it is not a market update. It is a measurement of how well an organisation is holding the boundary between its security function and the open labour market. That boundary is the same shape as any other trust boundary. It either holds, or it does not.

Security teams are not staffed by abstractions. They are staffed by specific operators with portable skill sets, transferable certifications, and active inboxes. The pay number attached to that operator is the price the market has set to retain control of their attention, their availability, and their access. When the internal compensation figure drifts below the market figure, the control weakens. When it drifts far enough, the control fails.

The Harvey Nash dataset, in this framing, is not informational. It is operational. It tells leadership where their staffing posture currently sits relative to the price of the people who hold the keys. The exact figures referenced in any given cycle of this report are not confirmed in this brief. What is confirmed is that compensation benchmarks of this type are routinely used as inputs to retention strategy, headcount planning, and hiring authorisation. Treating them as anything less than a control input is a misclassification.

The operating assumption inside many security functions has been that compensation is a human resources concern. Pay bands are set centrally. Adjustments run on an annual cycle. Market data is reviewed by compensation teams and translated into ranges that apply uniformly across job families. Security roles are slotted into those ranges using titles and levels designed for the broader organisation.

Under that assumption, the security leader’s job is to hire within band, retain within band, and escalate exceptions. The compensation framework is treated as a fixed environmental condition rather than a variable that affects security outcomes. Risk reporting, board updates, and audit responses rarely include staffing economics as a named risk. The implicit position is that the labour market for security talent behaves like the labour market for adjacent technical functions, and that standard retention controls are sufficient to hold the team together.

That assumption rested on a further sub-assumption: that the supply of qualified security operators is broad enough, and the switching cost high enough, that pay drift inside a normal band would not produce material attrition. Under that view, a few percentage points of underpayment is absorbed by tenure, mission alignment, internal mobility, and benefits. The compensation control is assumed to be effective by default, because the market is assumed to be slow.

The market is not slow. Specialist security roles, particularly those tied to cloud security, detection engineering, offensive testing, and identity, have separated from the general technology pay curve. Recruiters reach operators directly, on platforms the employer does not monitor, with offers benchmarked against current external data rather than internal bands. The switching cost for a competent operator with current certifications and recent incident experience is low. The time from first contact to signed offer is short. The annual compensation review cycle is no longer aligned with the speed at which the external price updates.

What this means in operational terms is that the compensation control, as previously designed, is no longer enforced at the points where attrition decisions are actually made. The decision is made in a recruiter conversation that the employer does not see. The internal band is a number on an HR system. The external offer is a number in the operator’s inbox. If those two numbers diverge, the band does not push back. It is not a control at the point of failure. It is a record of intent.

The Harvey Nash data, and benchmark datasets like it, are the mechanism by which leadership can observe this divergence before it converts into resignations. They are external visibility into a control surface that is otherwise opaque from inside the organisation. The specific magnitude and direction of movement in any given reporting cycle is not confirmed in this brief. What is confirmed is the structural change: cybersecurity compensation is now a fast-moving variable, the internal pay-band process is a slow-moving control, and the gap between the two is where retention failures originate.

The failure mechanism is a timing mismatch between two clocks. The internal compensation clock runs on an annual cycle, governed by budget windows, levelling reviews, and central HR calibration. The external compensation clock runs continuously, updated by every closed offer, every recruiter placement, and every benchmark refresh. When the internal clock ticks once and the external clock ticks a thousand times in the same period, the internal number is a stale reading by definition. Stale readings are not enforcement. They are documentation of a position that no longer matches the environment.

The drift becomes a failure at the individual operator level, not the aggregate level. Aggregate pay reporting smooths the signal. It shows the team paid within band, the function within budget, the attrition rate within tolerance. The actual failure is concentrated in a small number of high-value operators whose external market price has moved fastest. These are the operators who hold detection logic, incident context, identity architecture knowledge, and standing access to production. Their replacement cost is not the salary delta. It is the time-to-productive-replacement multiplied by the risk carried during that window. That cost does not appear in the compensation system. It appears in the incident response timeline of the next event after they leave.

The control surface that should catch this drift is not present in most organisations as a defined control. There is no named owner for the gap between internal band and external benchmark at the role level. There is no threshold at which the gap triggers an automatic review. There is no enforcement point at which a divergence above a defined percentage produces an off-cycle adjustment. In the absence of those mechanisms, the gap is observed only when it converts to a resignation, which is the latest possible point in the failure chain. Detection at the resignation event is detection after the loss has occurred. The operator, the access, and the institutional context have already left the boundary.

The same mechanism is visible in any control that depends on a periodic review cycle running against a continuous external variable. Patch management on a quarterly cadence against a vulnerability landscape that updates daily produces the same shape of failure. Access reviews on an annual cadence against a workforce that changes weekly produces the same shape of failure. Threat model reviews tied to major release cycles against an attacker capability set that updates per campaign produces the same shape of failure. In each case, the control is real on paper, scheduled, and owned. It is also, by design, slower than the variable it is meant to govern. The output is a control that is enforced at moments when enforcement no longer matches the state of the system.

The pattern is not about pay specifically. It is about the structural condition where a slow-clock process is asked to govern a fast-clock variable, and the gap between the two clocks is treated as acceptable rather than as a defined exposure. Leadership tends to accept this gap because the slow process is auditable, defensible, and aligned with established governance language. The fast variable, by contrast, is harder to instrument, harder to attribute, and harder to convert into a board-level metric. The result is a preference for the legible control over the effective one. The legible control produces reports. The effective control would produce interventions. Reports are not interventions.

The compensation case makes the pattern visible because the consequences are personnel-shaped and therefore unambiguous. An operator either stays or leaves. There is no partial state that can be obscured in aggregate reporting. In other domains the same pattern hides longer because the consequences are diffuse. A patch gap converts to exposure that may or may not be exploited. An access review gap converts to standing privilege that may or may not be abused. A threat model gap converts to undefended vectors that may or may not be probed. The slow-clock control survives in those domains because the failure mode is probabilistic rather than deterministic. The compensation case is deterministic, which is why it is the cleanest example of the pattern, not the only one.

A pay band is not a retention control. It is the record of a price the organisation has decided to offer. It becomes a control only when there is a defined process that compares it to the current external price at a frequency that matches the speed of the external market, with an owner authorised to act on the comparison without waiting for the annual cycle. In the absence of that process, the band is documentation. Documentation does not retain operators. Pricing does.

The Harvey Nash dataset, and any equivalent benchmark, is therefore not a reference document. It is a control input. If it is read once a year by a compensation team and translated into next year’s bands, it has been used as a reporting artefact and not as a control. If it is read continuously, mapped to specific roles, compared to internal positions at the individual operator level, and tied to an authorised intervention path with a defined threshold, it is functioning as a control. The same data produces both outcomes. The difference is the process wrapped around it, not the data itself.

The operator position is direct. Identify the roles where loss of the incumbent produces measurable security exposure. Establish the current external price for each of those roles using the most recent available benchmark. Compare it to the current internal compensation at the individual level. Define the threshold at which the gap is treated as a control failure. Assign an owner with the authority to close the gap off-cycle. If any of those four steps is absent, the compensation control for that role is not enforced, and the retention outcome for that operator is not governed. It is left to the external market to decide.

Share

Keep Reading

Stay in the loop

New writing delivered when it's ready. No schedule, no spam.