CISO burnout: A crisis of expectation and isolation
The Computer Weekly Security Think Tank considers the burdens and responsibilities that accompany the role of chief information security officer, and shares guidance on how to navigate a challenging career path.
Burnout among chief information security officers (CISOs) and cyber professionals is no longer a fringe concern – it is a persistent and growing crisis within the industry. Despite holding senior titles, many CISOs operate in environments where their roles are misunderstood, under-supported, and burdened with unrealistic expectations.
Cyber security has evolved alongside business functions rather than being fully integrated into them. This historical separation has created a cultural and operational disconnect, leaving many cyber professionals isolated. As one expert observed, “most people in cybersecurity are in survival mode, fighting the crocodiles nearest the boat.” The pressure to manage daily operations, respond to incidents, scan the horizon for emerging threats, and contribute to strategic planning – all often with minimal resources – has become unsustainable.
A key issue is the widespread misconception that CISOs are simply senior technical experts. In reality, the role demands strategic oversight, leadership, and governance. Yet many CISOs are promoted from technical backgrounds without the necessary development in communication, leadership, and business acumen. They are expected to maintain deep technical expertise while simultaneously operating as high-level strategists – a duality that few other C-suite roles are asked to maintain.
This mismatch between expectations and reality creates a vicious cycle. Without clear role definitions or organisational maturity around cyber leadership, CISOs struggle to advocate for themselves. Boundaries blur, workloads expand, and the risk of burnout intensifies. Knowing one’s value and setting boundaries is essential, but difficult when the business itself lacks clarity on what it expects from the role.
Remote work has further exacerbated this isolation. The loss of informal, in-person interactions has made it harder for CISOs to build relationships, influence culture, and engage in the dynamic conversations that often drive innovation and problem-solving. The ability to walk past a colleague’s desk and spark a spontaneous discussion has been replaced by scheduled meetings and digital silos.
To address burnout, several key strategies must be considered:
- Early advocacy: CISOs must set expectations and boundaries from the outset. Waiting until the role becomes overwhelming is often too late.
- Leadership development: Organisations must invest in developing CISOs beyond their technical skills, equipping them with the tools to lead, communicate, and influence at the executive level.
- Support networks: No professional, regardless of seniority, should operate in isolation. Peer support and mentorship are vital.
- Role clarity: Businesses must mature in their understanding of the CISO role. The title “Chief Information Security Officer” implies a remit far broader than just cyber. Recognising this distinction is key to setting realistic expectations.
- Enforced boundaries: Downtime is essential. CISOs must be empowered to delegate, switch off, and protect their mental health.
November 2025: The CW Security Think Tank on the role of the CISO
This is not a simple fix. The challenges are both organisational and personal, and they must be addressed in tandem. The industry is hanging on by a thread, and with the rise of AI and increasingly complex threats, the risk of burnout could have catastrophic consequences if left unchecked.
The fact that CISO burnout remains a topic of concern year after year – predating even the Covid-19 pandemic – speaks volumes. The pandemic may have intensified the issue, but it did not create it. Isolation, unclear expectations, and a lack of support have long plagued the profession. If the industry is to thrive, it must prioritise the wellbeing of its cyber leaders as much as it does its technical defences.
Mike Gillespie is CEO and co-founder, and Ellie Hurst is commercial director, at Advent IM Ltd.
