Cybersecurity Leader Burnout: Causes and Resources
Cybersecurity leaders face unique work-related stresses that increase their risk of burnout. Are their organizations providing the necessary support to mitigate this risk?
Want more insights like these?
Join our community
No selling.
No recruiting.
No self promotion.
More like this
Impact & Perceptions of A Privacy-First Digital Era
View insights
Emerging Software Security Risks: How Are Tech Leaders Preparing for 2024?
View insights
AI Adoption in Cybersecurity Tools
View insightsOne minute insights:
Most cite extended work hours among the biggest cultural contributors to their experience with burnout
Likewise, having too many responsibilities is the top-reported organizational factor driving respondents’ burnout
Nearly half of respondents say their organization’s resources to cope with or prevent burnout are inadequate
Pressure to work long hours is the most common cultural factor driving burnout
62% of surveyed leaders who have experienced burnout (n = 111) report that pressure to work late nights or weekends has been one of the biggest contributing cultural factors.
From your perspective, which of the following cultural factors have been the biggest contributors to your experience(s) with burnout? Select up to 3.1
Risk of security incidents negatively impacting my reputation/career 32% | Low morale among cybersecurity team(s) 32% | Executive leadership doesn’t view cybersecurity as critical to business success 26% | No cybersecurity champions among executive leaders/board 23% | Security function blamed if business goals aren’t achieved 23% | Security leader lacks authority among executive leadership 16% | Factor(s) not listed here 6% | Not sure 1% | Other 0%
Question: Please share any final thoughts on burnout among cybersecurity leaders.
There is a tremendous amount of (constant) pressure on cybersecurity leaders. Blame/pointing fingers, in the case of a security event, is always on your mind... Easing that fear is critical for an organization to reduce the level of burnout.
Excessive responsibilities cited as major organizational factor driving burnout
Among the same group, nearly two-thirds (65%) say that having too many responsibilities has been one of the biggest contributors to their burnout in terms of organizational or technical factors.
From your perspective, which of the following organizational and/or technical factors have been the biggest contributors to your experience(s) with burnout? Select up to 3.1
Team attrition (i.e., staff turnover) 35% | Complex technical environment 24% | Capacity restraints (i.e., not enough staff to accomplish goals within allotted time) 23% | My responsibilities are unclear 21% | Regulatory landscape 16% | Emerging risks (e.g., employee misuse of generative AI tools) 14% | Reporting structure (e.g., CISO reports to CFO or CIO) 14% | Pressure to address low-priority tasks before others 11% | Remote/hybrid working issues (e.g., BYOD policies) 10% | Factor(s) not listed here 1% | Not sure 0% | Other 0%
Question: Please share any final thoughts on burnout among cybersecurity leaders.
From my perspective, there is a gap between the number of people needed to implement security systems and the number that are needed to handle an active incident. During incidents, the burden on the team can become unbearable, with no way to reduce it.
Almost half say organizational resources for burnout are lacking
Over half (51%) of all respondents (n = 178) indicate their organization provides adequate resources to address burnout, but 46% say these resources are either inadequate or unavailable at their organization.
From your perspective, does your organization provide adequate resources to cope with or reduce the risk of burnout (e.g., benefits related to mental and physical wellness)?2
Question: Please share one or more example(s) of resources you would like your organization to provide that would help cybersecurity leaders cope with and/or reduce the risk of burnout.
I believe resources like quicker access to company-endorsed therapy and lounging areas are nominal at best; in order to deal with frequent burnout, the ‘rushed’ culture of the company needs to change and employee welfare needs to be considered.
In their own words...
Question: Please share one or more example(s) of resources you would like your organization to provide that would help cybersecurity leaders cope with and/or reduce the risk of burnout.
I think that providing the appropriate segregation of duties between normal keep-the-lights-on activities and net new project work needs to occur. If we have our same resources that are working the day-to-day function and then also doing projects, that is where burnout occurs.
We have [an] unlimited vacation policy but it is clear they don’t want you to use it at all. I’d prefer to go back to standard policy so there’s less stigma in taking time off.
We basically need more resources.
Respondent Breakdown
1 Question shown only to respondents who answered “Yes, once” or “Yes, multiple times” to “Burnout in the workplace refers to a state of physical, mental andemotional exhaustion caused by chronic work-related stress. Have you personally experienced burnout in the past 24 months?”
2 Question shown only to respondents who answered “Yes, once”, “Yes, multiple times”, “No, but my team and/or colleagues have” or “No, but I'm concerned about burnout among cybersecurity leaders” to “Burnout in the workplace refers to a state of physical, mental and emotional exhaustion caused by chronicwork-related stress. Have you personally experienced burnout in the past 24 months?” Respondents who answered “No” were eliminated from the survey.
3 Question shown only to respondents who answered “My organization does not provide any resources,” “Resources are less than adequate” or “Resources arecompletely inadequate” to “From your perspective, does your organization provide adequate resources to cope with or reduce the risk of burnout (e.g., benefits related to mental and physical wellness)?