
Protecting the defenders: Addressing cyber's burnout crisis

The Computer Weekly Security Think Tank considers the burdens and responsibilities that accompany the role of chief information security officer, and shares guidance on how to navigate a challenging career path.

Nobody embarks on a career in cyber security expecting an easy ride. It’s widely recognised that protecting critical digital infrastructure is high-pressure and high-stakes work.

For many of us, that’s part of the buzz. Every day, we tackle complex challenges, address high-stakes problems, and (hopefully) make a real difference – but who will protect cyber professionals from the risk of burnout?

It seems to me that this industry continues to reward heroic and even superhuman effort, but often fails to take into account the limits of human resilience. Think, for example, of the brutal all-nighters pulled by incident response teams, often for several consecutive nights.

This profession faces a burnout crisis, and the warning signs have been sounding loud and clear for some time now. 

Back in 2023, market analyst firm Gartner predicted that by 2025, nearly half of cyber security leaders would change jobs, with 25% of these taking different roles entirely due to work-related stress. In a 2024 survey conducted by the Chartered Institute of Information Security (CIISec), over half (55%) of respondents reported that the stress of the job interferes with their sleep and keeps them awake at night. And the 2024 Workforce Study from industry membership organisation ISC2 revealed a four percentage-point dip from the previous year’s study in favourable job satisfaction rate, down to 66%.

How can we do better?

We have to do better. To my mind, a good first step would be a more general acknowledgement that various factors have combined to create the perfect recipe for mental and emotional exhaustion in cyber security professionals. 

For a start, there’s the constant pressure exerted by an increasingly perilous threat landscape. Then there’s the strain of persevering in the face of skills gaps and budgetary constraints. And that’s not to mention the challenge of managing the expectations of colleagues from elsewhere in the organisation, who struggle to understand that the success of an IT security team is defined not by a total absence of cyber attacks (improbable), but by that team’s response to attacks (inevitable).

In short, burnout is not a weakness, but a consequence of unsustainable work conditions. Recognising that fact is a vital first step towards meaningful change. 

From there, we must take action. It’s no secret that we are navigating an environment that’s only getting noisier in terms of the frequency and increasing sophistication of attacks. But that’s just a symptom of a deeper root cause – the way CISOs and their teams work is no longer effective. We’ve been taking an old approach to a new world and it’s unsustainable. We need to entirely rethink how we secure our IT infrastructure.

As a CISO, this is a topic I think about a great deal. A responsible CISO is someone who protects their team members from the risk of burnout, and this is a topic I have previously covered for Computer Weekly. As I wrote back in 2023, a big part of my role is ensuring that our incident response plans include adequate provisions for the humans working on the frontline, safeguarding their resilience and their ability to ‘bounce back’ once a high-pressure situation has been resolved.

The answer, in part, lies in using the latest technologies to keep team members in the loop. This is a culture that values agility and creative problem-solving, but doesn’t always provide employees with tools that give them the insight and context they need to put those skills to the test and flex their decision-making muscles. 

In this noisy environment, we must use smarter technologies to filter the noise, amplifying the most serious alerts and muffling unimportant ones. When those serious alerts can be heard, we can prioritise our responses accordingly. Behavioral analytics and AI-driven insights play a big role here, helping surface anomalies and trends that warrant investigation. 

Security teams may face thousands of alerts each day but can investigate only a fraction, leaving critical ones missed and energy wasted on false positives. The right tools focus human effort where it has the greatest impact.

Staying sharp and resilient

Organisations urgently need adaptive security strategies that evolve as fast as attacks do. This enables IT security teams to keep one step ahead, stay in control and remain sharp, responsive, and resilient against burnout.

This is particularly important at a time when the barrier to entry for cyber crime is dropping fast, allowing far more malicious actors to get involved, regardless of their levels of technical skill. In Elastic’s 2025 Global Threat Report, we saw a 15.5% increase in generic threats, a trend likely fueled by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools. 

That means that the volume and variety of malware that organisations face is increasing dramatically. For that reason, they must rely less on static signatures to guide their responses and more on behavioural analytics and AI-driven detection to automatically identify and stop the flood of novel threats at scale. 

The cyber security profession attracts some of the smartest, most tenacious, and most results-driven individuals in today’s workforce – and companies regularly send these people into battle with outdated weapons. Instead, they should equip them with newer tools that not only take some of the strain involved in the work, but also help them to fine-tune their responses.

Protecting cyber security professionals from burnout will make a significant contribution to any organisation’s overall security posture. In today’s cyber security environment, resilience should not only mean defending networks, but also protecting the defenders themselves. 

November 2025: The CW Security Think Tank on the role of the CISO
