Battling Burnout: A Growing Concern for CISOs and Security Professionals

As defenders of digital assets, Chief Information Security Officers (CISOs) and cybersecurity professionals face immense pressure, often leading to burnout. This phenomenon is not just anecdotal; several studies have highlighted the alarming prevalence of burnout in the cybersecurity industry.

A new report out Tuesday by Hack The Box has found that enterprises are losing approximately $626 million in lost productivity due to security practitioners feeling the squeeze on their mental health. Mental fatigue, stress, and burnout is running rampant, affecting 84% of workers within the cybersecurity field.

The report claims that a 600% rise in cyber threats since the COVID-19 pandemic has led to increased stress levels for those working in the cybersecurity sector. It also cites the emergence of recent technologies, and the proliferation of criminal groups, as issues increasing pressure on staff.

Key findings from the report include:

• 90% of CISOs are concerned about stress, fatigue, or burnout affecting their team's well-being.
• 74% of business leaders report staff taking time off due to stress, fatigue, or burnout.
• 59% of business leaders confirm they do not invest in new tools to enable teams to do their roles more effectively.
• 65% of cybersecurity and infosecurity professionals have experienced stress, fatigue, or burnout due to skill gaps and pressure to perform beyond their capabilities.
• 8% of cybersecurity and infosecurity professionals say they are considering quitting their jobs due to overtime, stress, burnout, or mental health challenges within their role in cybersecurity.
  
  Hack The Box commissioned an independent market research company, Censuswide, to survey two samples. The first sample was 1,001 full-time enterprise business leaders specialized in cybersecurity and infosecurity in medium and large enterprises between May 20, 2024, and May 24, 2024. The second sample was 1,207 full-time cybersecurity and infosecurity professionals within medium and large enterprises in the U.K. and U.S. between May 20, 2024, and May 24, 2024. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council. Unless stated otherwise, all figures were drawn from this poll.

A 2019 study by Nominet found that 88% of CISOs reported being moderately or tremendously stressed, with 48% saying work stress had a detrimental impact on their mental health. More recently, a 2023 report by Splunk and Enterprise Strategy Group revealed that 79% of cybersecurity professionals experienced burnout in the past year.

The causes of burnout are multifaceted. The Nominet study identified several key factors:

1. Insufficient budget and resources (32%)
2. Lack of work-life balance (32%)
3. Keeping up with security threats (25%)
4. Recruitment and retention of skilled professionals (23%)

The consequences of burnout extend beyond individual well-being. It can lead to decreased productivity, increased turnover, insider threats, and potentially compromised security postures for organizations.

It's why Mind Over Cyber was founded this year. SecureWorld is partnering with Mind Over Cyber to hold panel discussions on mental health at our conferences this fall after a successful such panel at SecureWorld Miami on May 30th.

"We are long overdue, as an industry, to confront security's cultural norms that legitimize long work hours and sacrifice bordering on martyrdom," said George Kamide, Co-Founder and Executive Director of Mind Over Cyber. "Yes, there are many external factors that leaders will need to remedy like resource allocations, but teams must also work hard at building cultures where talk of stress and mental wellbeing are not stigmatized or perceived as weak. Vendors, too, can look for ways to invest in their customers' wellbeing beyond technological applications and features. Every part of the cybersecurity ecosystem needs to confront this crisis head on."

Mind Over Cyber has a Mindfulness Technique Guide that can be downloaded for free. It includes exercises, meditations, food and mental health suggestions/tips, and more— including links to additional resources.

Several cybersecurity vendor experts chimed in on the topic of burnout.

Saran Gopalakrishnan, Vice President at Netenrich, said:

"The main reasons for burnout among IT security workers are because of the unique requirements of the industry, which include the constant need to protect against continuously evolving threats, long and irregular working hours, and a continuous state of high alertness. A major source of stress in the field of cybersecurity is its high-stakes nature, as even a minor breach could have severe consequences. Given the evolving nature of the threat landscape, keeping up with newer security technologies and best practices can also be mentally exhausting.

A number of recent trends have made burnout an especially serious problem in IT security. Security professionals are under more pressure to perform well due to rising cyberthreat frequency and sophistication, a lack of qualified cybersecurity personnel, and growing attack surfaces brought on by remote work and digital transformation. Due to the quick adoption of new technologies like cloud computing and IoT, security teams are faced with even more security challenges."

Randy Watkins, CTO at Critical Start, said:

"Burnout happens across all levels of cybersecurity. At the analyst level, the burnout is typically related to a seemingly endless flood of false positives generated by overly-sensitive security products attempting to identify malicious behavior at its earliest signs. Higher up, engineers are perpetually tuning those products, while implementing other products in an, often tactical, game of whack-a-mole. At the CISO level, politics and limited budget often prevent proper risk reduction, with the CISO standing alone to shoulder the blame for a breach.

The problem is so pronounced in cybersecurity for multiple reasons. Media coverage of breaches and data leaks are leading to board concern, which trickles down to additional scrutiny on the security team. Ever-evolving threats and tactics, techniques, and procedures (TTPs) require constant adaptation by security teams. Hamstrung budget amidst these endless stream of threats make solving issues near impossible, and that's without considering the typical pushback from other factions of IT that see Security as a hinderance or inconvenience."

Piyush Pandey, CEO at Pathlock, said:

"The constant vigilance required to protect against evolving threats, and the sheer volume of routine tasks that demand attention, contribute significantly to burnout. The necessity to respond to incidents in real-time and the rapid pace of technological changes, significantly contribute to this issue. These challenges are magnified in identity security, where missteps can directly contribute to breaches and data loss that can have a material impact on the organization’s finances and reputation.

Many of my conversations with organizations struggling with this challenge in the context of identity security gravitate to automation and AI, which act as a force multiplier for their teams. Automating—and moreover, suggesting what can be safely automated—the routine, repetitive identity and access tasks allows IT leaders to have their teams work on more challenging, fulfilling initiatives. Having automation to assess the risks on 100% of transactions helps to reduce the fear of the unknown caused by only doing sample testing."

Gareth Lindahl-Wise, CISO at Ontinue, said:

"There are millions of hours of effort burned every week in the name of security in SOCs across the world. Each of them has a cost, from a traditional financial perspective, but notably from a cumulative mental health perspective. Our beleaguered analysts are neither delivering nor experiencing value—all we can see is the cost to them and the organization. So, how do we turn that around?"

Omri Weinberg, Co-founder and CRO at DoControl, said:

"The signs of burnout are usually pretty obvious: irritability, drop off in performance, frustration, etc. In general, a little compassion and understanding will help in the short term. The goal is to catch burnout early before it becomes chronic, where recovery can take more time and have more life impact. People leaders can monitor workloads carefully, but also should keep an eye on morale and esprit de corps, especially among the key members of the team and those likely to be more vocal about their challenges."

Strategies to prevent and mitigate burnout

1. Promote Work-Life Balance
   Encourage regular time off and establish clear boundaries between work and personal life. A study by Deloitte found that 69% of employees who received encouragement from leadership to take time off reported higher job satisfaction.
2. Invest in Automation and AI
   Implementing automated tools can help alleviate the workload on security teams. The Splunk/ESG report noted that 75% of organizations using AI and machine learning for cybersecurity reported reduced analyst burnout.
3. Foster a Supportive Work Culture
   Create an environment where team members feel comfortable discussing stress and mental health. The Nominet study found that 57% of CISOs rarely or never switch off from work, highlighting the need for cultural change.
4. Provide Continuous Learning Opportunities
   Offer training and development programs to help professionals keep up with evolving threats without feeling overwhelmed. A 2022 ISC Cybersecurity Workforce Study found that cybersecurity professionals who received regular training reported higher job satisfaction.
5. Implement Realistic Expectations and Workloads
   Set achievable goals and ensure adequate staffing. The Splunk/ESG report revealed that 73% of organizations with fully staffed security teams reported lower burnout rates.
6. Encourage Mindfulness and Stress-Reduction Techniques
   Promote practices like meditation or yoga. A study published in the Journal of Occupational Health Psychology found that mindfulness-based interventions can significantly reduce burnout symptoms.
7. Regular Check-ins and Mental Health Support
   Conduct periodic wellness checks and provide access to mental health resources. The Nominet study showed that 31% of CISOs said the stress of their job impacts their ability to do their job, emphasizing the need for ongoing support.

"The first and most obvious method of preventing burnout is to source some of the more repetitive tasks dealing with risk mitigation to a third party," Watkins said. "The proliferation of MDR services has lessened the burden of alert triage and response on internal security teams, allows the analysts typically tasked with the job to elevate into engineering and architecture roles with a higher level of value and fulfillment. Building career paths inside the organization is another great way to retain talent and increase job satisfaction among employees. This also creates a much broader recruiting field and makes it easier to fill more seasoned and unique rolls with an existing employee that already has knowledge about the organization."

"Work environment. Do you need shifts, or can it be follow the sun? Can it be remote as opposed to in a building or hybrid?," Lindahl-Wise asked. "You are likely to get a better quality outcome and reduced mental stress in an environment that can flex. Reward effort. Automate. Automate. Automate. Have a mantra that says the only manual tasks are the ones that have to be manual. Repeated activities should be automated. A SOC ticket should be automatically enriched and, where possible, triaged. Use automation and AI to give high confidence based auto closure of known issues such as benign positives. Free your teams to work on the things that matter by stripping away the things that don't. The slow degradation of mental wellbeing and self-worth has to be a concern where we don't do this."

More from Lindahl-Wise:

"Valued outcomes. What's the point? Make sure there is a point for the effort. They might not be equally interesting, but it must be necessary. Clearly articulative why it is needed and what the individual's contribution to that is. If you have automated away the noise, what is left should be closer to demonstrable value for the person and the company. Make each click matter!"

Valued contributions. Encourage, measure, and reward contributions from your teams to improve what you are doing and how you are doing it. A sense of recognition for your contribution goes a long way to help the sense of wellbeing and personal value."