Chief information security officers, or CISOs, are tasked with keeping a company’s systems and data secure. While it’s always been a stressful job, that’s intensifying as CISO roles are shifting and the cybersecurity landscape is changing — a situation that is driving burnout rates higher.
According to a 2023 Gartner survey of security and IT leaders responsible for cybersecurity, 62% said they’d experienced burnout at least once, and 44% reported several instances of burnout.
The pressure to work late nights and weekends was the main contributor, the respondents said. More than a third also cited isolation, low morale, unrealistic expectations and worry that a security incident would negatively affect their career or reputation.
Darren Shou, chief strategy officer at the RSA Conference, a cybersecurity industry conference, said new cyberattack disclosure requirements from the U.S. Securities and Exchange Commission for public companies and the need to adapt to emerging artificial intelligence technology are also big contributors to this increased burnout rate among CISOs.
“You’ve got these changing roles, changing technologies and now even changing regulations,” he said. “It’s easy to succumb to working extra hours and not knowing when you can really have that balance.”
Taking steps to address CISO burnout is crucial. Ignoring the issue can not only put organizations at risk for a cyberattack but it may also cause them to lose their information security talent altogether.
A Stressful CISO Reality
Job satisfaction among those responsible for cybersecurity fell to 66% in 2024, a 4% drop from 2023, according to the 2024 ISC2 Cybersecurity Workforce Study.
One reason for the decline, according to the study, is that some companies are facing a shortage of cybersecurity professionals, which puts the burden of safeguarding the entire organization on fewer individuals. Others are facing budgetary challenges that have led to layoffs and further shrunk cybersecurity teams, said Ross Young, CISO in residence at the venture fund Team8.
“This means fewer people to do cyber, which causes more stress on the CISOs who are accountable for getting it done.”
CISO workloads are also changing, noted Jon France, CISO at ISC2, a member organization for cybersecurity professionals. “We’re now being asked to protect and be a part of business in a way that we haven’t been previously.”
Those working for public companies are now tasked with helping finance and legal teams determine the materiality of cyber incidents, meaning how an event is likely to affect a company’s finances, operations or reputation, in order to comply with new SEC rules. Other regulations, including the Digital Operational Resilience Act in the E.U., are compounding the pressure on some CISOs.
Meanwhile, cyberattacks have been increasing, and among those, AI-generated threats are emerging at a rapid pace. CISOs may not be fully ready for that, as the ISC2 report lists AI and machine learning as the top skills gap for security teams.
All this puts pressure on CISOs, who often fear that they’ll be blamed if there’s a cyberattack and potentially lose their jobs or face liability.
CISO Burnout Is Real — And Costly
Information security and defense is a 24/7 role, Shou says. Overworked CISOs with stretched resources may not be working at their best. At the same time, vulnerabilities continue to exist. This combination makes companies more vulnerable to cyber threats.
Thirty percent of CISOs say their stress levels have compromised their ability to perform well in their roles, according to a recent report by the AI security software company Vendict.
“You don’t want people in those kinds of positions that are tired, disinterested or unmotivated through burnout; it’s just not good for business,” France says.
Recognizing burnout is crucial for retaining CISO talent, Young adds. Many cyber professionals acknowledge there’s a skills gap in the industry, so ensuring that the most experienced feel supported is important.
Constantly bringing on new hires is costly for organizations, and these individuals might not be as effective at solving problems, he says.
How to Address CISO Burnout
Most cybersecurity leaders who have experienced burnout say they didn’t tell their managers — mostly because they worried about negative repercussions, according to Gartner’s survey. Among those who did speak up, 27% said the leaders didn’t help them come up with a plan to address it.
Here are five ways to change that and help CISOs with burnout:
1. Broaden mental health support
More than half of CISOs say having access to more resources and tools would help decrease their workload and reduce stress, according to Vendict’s survey. The report suggests that company leaders or HR incorporate counseling, stress-relief or wellness initiatives to help address burnout.
Many CISOs say their organizations also set unrealistic expectations for their roles, which is driving burnout. Shou urges companies to be clear about a CISO’s functions, goals and expectations.
2. Establish a community
Creating a network of peers to discuss issues or finding a mentor in the industry can help CISOs minimize isolation, France says. Companies should help foster these connections by establishing peer groups within the organization to “understand shared problems and be heard.”
This will help reduce stress and offer decision support, Shou says. “This is a job that can’t be done alone. It needs to be done in a community. This is one of those where it takes a village.”
3. Create a pipeline to the C-suite
CISOs need allies across an organization, Shou says. They also need to be close to company leadership, Young adds. This helps CISOs feel like their decisions are valued, which will minimize feelings that the safety of an organization is all on their shoulders.
Having regular one-on-one meetings with CEOs and including CISOs in leadership meetings will boost their confidence, highlight the importance of their roles and ensure cybersecurity is transparent. “Cybersecurity doesn’t belong to just one person; it belongs to an organization,” Young said.
4. Support career development
CISOs — like most other employees across an organization — seek continued growth opportunities, including learning new skills and establishing new relationships. Without them, they’ll likely seek new roles elsewhere, Young says.
The CISO is usually the top security role within an organization, and their average tenure is 18 to 26 months compared to 4.9 years for other members of the C-suite. “The question is, how do you still make the role new and engaging and fun?” Young said.
Organizations also must address talent shortages and skills gaps among their cybersecurity teams in order to bring fresh perspectives, reduce workload and ensure everyone has the appropriate skills.
5. Cultivate a culture of openness
Everyone across departments needs to understand cyber risks and cyber preparedness. Companies should aim to create a culture of openness when discussing cybersecurity, Shou says, because that will help promote trust and accountability and ensure CISOs and their teams are prepared when a cyber incident occurs.
CISOs should also feel comfortable being open about dealing with burnout, Shou says. It’ll help their teams feel less isolated and more bonded, and encourage others to be open about their own stress levels and burnout.
“Burnout and cyber is everybody’s concern,” he says. “Burnout cycles in the security industry put organizations and customers at significant risk.”