For years, businesses and policymakers have warned of a persistent cyber security skills gap. Reports from industry bodies and government departments have pointed to unfilled vacancies, rising salaries and sustained demand for experienced professionals across sectors.
But according to former FTSE-250 Chief Information Security Officer Amy Lemberger, the challenge facing organisations in 2026 is more nuanced than a simple shortage.
“The issue isn’t just supply,” she says. “It’s that experienced CISOs are choosing to work differently.”
Across the UK, a growing number of senior cyber security leaders are stepping away from traditional full-time executive roles and moving into portfolio, advisory or fractional positions. This shift is not confined to early-career professionals or consultants. It includes seasoned leaders with board-level experience who are rethinking how they want to apply their expertise.
Lemberger, now founder of The CISO Hub argues that the evolution of the CISO role itself is driving the change.
“The modern CISO role spans regulatory oversight, board reporting, operational resilience, supply chain risk and digital transformation,” she says. “It carries significant accountability, often with limited authority. Many experienced leaders want to apply their judgement across multiple organisations rather than concentrate all that responsibility in a single permanent role.”
In many enterprises, expectations of the CISO have expanded rapidly. Regulatory scrutiny has increased. Digital dependency has deepened. Reputational consequences have intensified. Yet in some organisations, reporting lines and decision-making structures have not evolved at the same pace.
“When senior leaders feel accountable but not empowered, they reassess how they want to work,” Lemberger says.
The move towards independent and fractional models offers experienced CISOs greater autonomy and the opportunity to focus on governance and strategic oversight rather than internal politics or constant operational escalation. It also allows businesses that cannot justify a full-time executive salary to access senior expertise in a proportionate way.
This shift has implications for large enterprises competing to hire and retain talent. Traditional employment models are now competing not only with other corporations, but with flexible career structures that offer portfolio variety, clearer impact and greater control over workload.
The conversation around cyber security talent has long centred on numbers. How many professionals are needed. How many vacancies remain open. Lemberger believes that framing misses a deeper structural shift.
“The market needs to recognise that experienced CISOs have options,” she says. “Retention is no longer just about compensation. It’s about how the role is structured, how authority is granted and how responsibility is supported.”
Demand for experienced cyber security leadership is unlikely to ease. As regulatory expectations rise and digital transformation continues across the UK economy, organisations will need senior judgement more than ever.
The war for CISO talent has not disappeared. It has changed shape. Enterprises that understand why senior leaders are rethinking traditional roles may be better positioned to attract and retain the expertise they need.
