Why is burnout common in cybersecurity?


CTO in Software, 11 - 50 employees
A lot of people don't recognize that you can’t constantly wear the cape and expect to keep the status quo. It's unattainable. Having a military background, I recognized a long time ago that there are only so many people I can save. I can do my best and it might still not be good enough, which is a fact of life. But you try to sweat in peace so you don't bleed in war.

In cybersecurity, we're not permitting people to sweat right now because of the load that is placed on that individual the second they sign up for the job. I was privileged to do the remediation for a very large nation-state-level attack in Montreal in 2016. The CISO was handed his hat immediately because they were such a high-profile organization and the effect was global in dynamic. No matter how much money had been invested in their cybersecurity, both in terms of technology and resources, it still didn't matter. The CISO did as much as he could but was still left hanging in the wind. The team was left to pick up the pieces and carry on. Another CISO was dropped in and they ran things the same way their predecessor had done, as if nothing ever happened. 

I’m coaching a number of CISOs in a group where we can share candidly, and I often hear from a lot of my female peers that there is an institutional bias thrust on them right away. At the same time, the pressure is gender-neutral in the sense that wherever you come from, there is this onus on you to put on the cape and go save the world. And you can't take a day off, so it sucks for everyone in a lot of ways.

We have had powerful technology at hand, but I also know that I can't save the world and I'm not here to do that. There are certain pieces of the puzzle that you just cannot fix, so why put in the effort to try? Just mitigate as much as you can, until you get to a place where you know that you’ve done all you could. If you've done your best, you’ve reduced the liability as much as possible because you are trying to do the right thing. When something does happen, and it will, you are better prepared than you were 8 months ago when you initially took on the role, which is often the case.

Director, Security Solutions in Software, 51 - 200 employees
Because most cybersecurity people don’t have a lot of cybersecurity responsibilities that they have time to work on. Instead, they’re constantly dragged into doing Compliance, SecOps or even ITOps tasks because of resource constraints in the organization.

Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
The job is always on fire. Even if you work long hours, there is still another batch of issues and vulnerabilities, some new, some old, that need to be meaningfully addressed, NOW. Making progress feels good, but then you find out that some critical control (e.g. access provisioning) is not being followed, and it can be deflating as that can of worms needs to be revisited. A larger team can help, but with more people come more challenges. Not just with managing a growing team but also with all the "new" stuff that the team will discover that needs to be addressed, NOW. Never-ending, and it can be exhausting when you have to wake up at 2:00 am to jump onto an issue that may end up being nothing. While it's great to get more money from a new employer, sometimes it's just as nice to go to another company to reboot.
