Senior security leaders move away from full-time executive roles as accountability rises faster than authority.
For years, warnings about a chronic cyber security skills shortage have been a staple of industry and government reports, pointing to unfilled vacancies, rising salaries and intense competition for experienced professionals. But according to Amy Lemberger, a former FTSE 250 chief information security officer, the challenge facing organisations in 2026 is more complex than a simple lack of supply.
“The issue isn’t just numbers,” said Amy Lemberger. “It’s that experienced CISOs are choosing to work differently.”
Across the UK, a growing cohort of senior cyber security leaders is stepping away from traditional full-time executive posts in favour of portfolio, advisory or fractional roles. The trend is not limited to consultants or those at the margins of their careers. It increasingly includes board-level leaders with decades of experience, reassessing how and where they deploy their expertise.
Lemberger, now founder of The CISO Hub, argues that the evolution of the role itself is driving the shift. “The modern CISO remit spans regulation, board engagement, operational resilience, supply chain risk and digital transformation,” she said. “That comes with significant accountability, often without commensurate authority.”
As regulatory scrutiny has intensified and organisations’ reliance on digital infrastructure has deepened, expectations of the CISO have expanded rapidly. In many companies, however, governance structures and decision-making rights have not kept pace. “When leaders feel accountable but not empowered, they naturally reassess how they want to work,” Lemberger said.
Fractional and independent models offer experienced CISOs greater autonomy and the ability to focus on strategic oversight rather than constant operational escalation. They also allow smaller or mid-sized organisations to access senior security judgement without the cost or complexity of a full-time executive hire.
The shift poses new challenges for large enterprises seeking to recruit and retain talent. Traditional employment models are now competing not only with rival employers but with flexible career structures that offer portfolio variety, clearer impact and greater control over workload.
Discussion of cyber security talent has long focused on headcount: how many professionals are needed and how many roles remain vacant. Lemberger believes that framing misses a deeper structural change. “Retention is no longer just about pay,” she said. “It’s about how the role is designed, how authority is granted and how responsibility is supported.”
Demand for senior cyber security leadership shows little sign of easing. But the battle for CISO talent, she argues, is no longer simply a hiring problem. It is a question of whether organisations are willing to adapt to how experienced leaders now want to work.