Why burnout is a growing problem in cybersecurity

When Tony was signed off for burnout from his cybersecurity awareness role at a major UK ecommerce company last year, it had been a long time coming.

“Many of us in cyber, we put our hearts into our job. There’s a lot of passion involved.”

He had found it progressively harder to sleep, and to go into the office.

Tony, who did not want his real name used, recalls the Wannacry ransomware attack in 2017. “It was a Friday and something came up on BBC News.”

The security team got on a call that evening and the decision was taken to remove every single device from the network.

“And it was Sunday afternoon that I came offline,” he says.

The firm hadn’t been hit by the bug, he says. “It was all preparatory work.”

Tony said this pattern is currently being repeated across organizations trying to protect themselves against the Scattered Spider attacks that hit retailers and other businesses this year.

And, he says, “I can’t even imagine what the folks at Co-op and M&S have gone through.”

“If you think you might be burning out, you’re already on your way there,” says Andrew Tillman, former head of cyber risk and assurance for the UK’s Health Security Agency.

He says cyber security can, at times, be “the best job in the world”. But when things get bad “it can be a bit of a dangerous place to be”.

Mr Tillman has suffered bouts of “burnout” himself through his four years at the agency.

That stress is revealing itself in data collected by ISC2, the membership organisation for cybersecurity professionals.

Its annual Workforce Study showed a 66% favourable job satisfaction rate in 2024, down four percentage points from the previous year.

Burnout is a “major issue” for the sector, ISC2’s chief information security officer Jon France says.

He says professionals in the industry are increasingly being asked “to do more with less” which only increases stress and job dissatisfaction.

“Cyber professionals rarely work nine to five”, he adds, “Even if they do, they remain on call because threat actors don’t adhere to office hours.”

Part of the issue is that hackers have become more aggressive, prepared to target critical national infrastructure, or cripple health organizations with ransomware.

Also, hackers backed by nation states are also accounting for more attacks, whether to carry out espionage, steal IP, spread misinformation, or cause disruption, or even seek financial gain on their own account.

North Korean hackers, for example have become more active and adept at using cybercrime.

Earlier this year hackers, thought to be working for the North Korean regime, stole $1.5bn (£1.1bn) worth of digital tokens from crypto exchange ByBit.

US officials estimate that half of North Korea’s foreign currency acquisition comes from cyber theft.

As private and public sector organizations have digitized more of their operations, the ramifications of a cyber attack or data breach are more severe.

Mr Tillman says: “There’s always that conscious thought about ‘if it goes wrong, how could this impact the individuals on the street? How could it affect their jobs, their livelihoods?’.”

Staff turnover is particularly pronounced in entry level roles, says Lisa Ackerman, former deputy chief information security officer (CISO) at GSK, and CISO Council strategic lead at Cybermindz, a non-profit targeting burnout in cyber security.

Constant alerts from warning systems might compound the problem, presenting professionals with a barrage of data they have to make sense of.

This could be a particular issue for the younger professionals in frontline roles and security operations centres.

But non-frontline roles are not immune, says Mr Tillman.

Managing risk and ensuring organisations meet compliance and regulatory obligations can be a challenge when other teams are desperate to get new applications or services live without considering all the security angles.

Cybermindz founder Peter Coroneos says cybersecurity workers can be caught in a “blame culture” where their successes are “low visibility”.

This leaves them carrying “a low level of dread”, he explains.

For younger workers this can be damaging, as the human brain is still developing well into the 20s, Mr Coroneos says.

“So, if you are recruiting people whose brains are not fully formed and putting them in high-stress roles, then you are potentially setting them up for long-term problems in terms of their own cognitive and emotional wellbeing.”

Cybermindz offers a “structured neural training regime” which aims to get subjects back to a sense of psychological safety.

“If someone’s having a panic attack, telling them to just calm down isn’t actually going to work. You need to address neurochemistry,” says Mr Coroneos.

Ultimately, says Mrs Ackerman, “We want to get to some kind of legislation for cyber teams like we have for air traffic controllers and doctors and pilots and people who are first responders. Which, in reality, cyber defenders are.”

In the meantime, it’s down to organizations and workers to watch out for the signs of stress before they turn into something more ominous.

Mr Tillman says he is now far more aware of the warning signs of impending burnout, which for him include changing sleep patterns or eating habits, taking less exercise or not walking the dog.

“It’s almost like a cyber breach,” he explains. “You should assume it’s on its way and work towards not allowing it to happen.”