Persistent Burnout Is Still a Crisis in Cybersecurity
Dr. Ryan Louie, a psychiatrist focused on the intersection of cybersecurity and mental health, recalls a valuable lesson from his medical student days that cybersecurity practitioners may find relevant: “During one of my clinical clerkships at the hospital, our team’s attending physician on the first day of the rotation highlighted that ‘We are a team, and that everyone should feel free to say whenever they feel they have too much on their plate or if they need any help.’ And that medical students and residents on the team should not worry about impacts to their evaluation. There was genuine psychological safety,” he says.
But for many cybersecurity practitioners, their work is rife with the need for secrecy and discretion, making psychological safety difficult to attain. Expressing vulnerability and sharing feelings don’t happen often in this competitive environment. This lack of open communication, coupled with what often feels like never-ending crisis and work cycles, is leading to burnout at high levels in cybersecurity.
Conversations about burnout have been ongoing for nearly a decade, and the industry is getting better at recognizing the issue, but actual strategies for addressing — and preventing — burnout are still lacking.
Malcolm Harkins is no stranger to the demands of the high-stress field of cybersecurity. The chief security and trust officer at Hidden Layer (and the former chief security and privacy officer at Intel, among other past executive positions with security companies), he speaks frequently about burnout, especially for chief information security officers (CISOs). A recent Gartner Peer Community survey found 62% of IT and security leaders have experienced burnout, and that many CISOs plan to leave their jobs or careers due to what Gartner called “unique stressors.”
Burnout in cybersecurity, according to Harkins, is more than a personal issue — it’s a systemic problem that can undermine the very foundations of digital safety. He says the origins of cybersecurity burnout are deeply rooted in the relentless pace of demands, like those introduced by Patch Tuesday, where security teams scramble to fix software vulnerabilities within tight monthly deadlines.
“You’d have all these patch things — that was the workload that was driving, I think, a lot of the cycles of feeling burnt out,” Harkins says.
While Patch Tuesday has been around for more than 20 years, the pressure to work late nights and weekends isn’t a historical footnote; it’s a present-day reality that continues to strain security professionals. And it is not hard to find survey after survey confirming that the consequences of never-ending work cycles are taking a toll. A Sophos survey finds 85% of respondents from six Asia-Pacific countries say they are suffering from burnout, and 90% report increases in burnout in the past year. A survey from Mimecast finds 56% of cybersecurity workers experience increased work stress every year, and 54% of respondents say that ransomware threats are having a negative impact on their mental health.
Harkins says this is due to two primary “battlefields” that cybersecurity professionals navigate: the external threats from hackers and cybercriminals, and the internal challenges posed by budgets, bureaucracies, and corporate behaviors. These factors combine to create a relentless grind that can wear down even the most resilient individuals.
CISO: The Loneliest Executive
The isolation of running a security program is another factor in burnout specific to the cybersecurity industry. The core of the problem, Harkins argues, lies not only in the volume of work but also in the organizational and cultural structures of the companies within the cybersecurity industry. Top security executives, like the CISO, are not immune to these pressures and are, in fact, even more lonely than the team they manage.
Shamla Naidoo, head of cloud strategy and innovation at Netskope, also points to the loneliness of the CISO and others in charge of security, a feeling compounded by secrecy and confidentiality that often isolates CISOs from potential support systems.
CISOs, she says, “are encouraged to operate under a cloud of secrecy and bound by confidentiality,” noting that the expectation contradicts societal norms that encourage open discussion of stress and mental health. And the expansion from traditional office and data center security to managing hybrid and remote workforces has significantly increased the complexity and stress of the cybersecurity role.
“The job was hard back in 2013,” Naidoo says. “It’s gotten harder since. The pressures are mounting from things like securing a remote workforce to securing a hybrid workforce, with constant change and heightened expectations.”
Louie says his work leads him to conclude there is a pervasive need for a broader understanding and proactive measures in the industry.
“The CISO role has added pressure, and it’s already built into the title: CISO has four letters in it, one extra letter compared to the three-letter roles such as CEO or CFO,” he says. “They are in charge of being the chief. They are in charge of information. They are in charge of security. And they are in charge of being an officer. These are all tremendous responsibilities that can each pull the CISO in a different direction, on top of an already very stressful environment.”
The role’s unique responsibilities contribute to higher levels of isolation and stress, and CISOs often lack a support system where they can discuss their challenges freely and safely. This leads to what Louie calls a “mental health attack surface,” warning that mental health vulnerabilities could potentially be exploited maliciously, much like cybersecurity vulnerabilities.
“We have to view burnout and mental health not just about taking care of ourselves, but also think one step further and beyond: Could mental health be exploited by those with bad intentions?” Louie says.
Communication: The Antidote to Burnout
Harkins says he regularly hears that security executives want to commiserate, but as the highest ranking member of their team, that can be difficult. Many feel lonely because, at the top, there is really nowhere else to go to ask for assistance.
“Other than to the board, there is really nowhere to go that’s higher. But obviously CISOs use that board relationship in a different way,” he says.
Harkins created a framework known as “I Believe, I Belong, I Matter,” based on life lessons that he hopes can help security professionals feel a sense of purpose, passion, and persistence to avoid burnout. He also thinks a shift is needed in how cybersecurity is approached, with a move toward understanding and addressing the material risks that companies face, rather than merely reacting to breaches as they occur, which only contributes to the never-ending cycle of work.
“We need to get security to have design goals, not just metrics,” he says.
Netskope’s Naidoo suggests that community building, encouraging CISOs to form support networks and small groups where they can share challenges and solutions without judgment, is a solid first step. Other suggestions include industry safe spaces for CISO discussion and cultural shifts toward shared responsibility for security across all company levels, alleviating the isolation of the CISO and the security team.
“Culture is everything for a typical CISO portfolio to be successful,” she says.
Referring back again to his medical training days, Louie says the model of open communication and psychological safety within his team led to effective collaboration and stress management. He thinks similar practices could be transformative in the cybersecurity field, particularly for those in high-stress positions like CISOs. Encouraging open dialogue about mental health within cybersecurity teams can foster a supportive environment that mitigates burnout and enhances overall team resilience.
“Organizations are made up of people. And I believe that the stress, burnout, and mental health of an individual extends to the stress, burnout, and the mental health of an organization,” he says.
Louie envisions a shift in how CISO roles are perceived and integrated within businesses. He advocates for greater awareness of what CISOs do and for opportunities for them to learn about the functions of other departments, which can lead to more integrated and effective cybersecurity practices across all levels of an organization.
“We should build a cybersecurity mindset into our daily practice,” he says, “and take charge of it within our domain and scope of practice.”