As cyber threats become more frequent and more complex, they’re causing visible, measurable damage to organizations’ reputations and bottom lines. But the damage doesn’t end there. Breaches — or at least the threat of them — are impacting the mental health of companies’ IT and security workforces.
According to new data, IT and security workers are facing nothing less than a mental health crisis in the workforce. Object First’s recent survey of 500 IT and security professionals revealed that 84% feel uncomfortably stressed at work due to IT security risks. The survey went on to report that 78% fear they will be personally blamed for security incidents regardless of the circumstances.
These numbers should alarm any CSO whose staff are responsible for keeping cyber threats from taking our systems down. The corporate sector rightly puts a premium on creating positive, productive cultures to help staff thrive and do their best work. But this latest data shows that workers are on edge and worried about repercussions from the threats IT breaches pose.
Other numbers in the same survey should trigger even louder alarms. Nearly three-fifths of all cyber/IT workers say they have considered or have actively begun looking for new jobs due to the pressures of their role. In addition, nearly half report feeling pressure from leadership to “fix everything” in the aftermath of a security incident, while nearly one in five (18%) say they feel “hopeless and overwhelmed” during and after an incident.
As a Field CTO who works closely with security teams to set them up for success, this data gives me chills. So many of our best professionals feel threatened enough by cyber stress to walk out the door and look for a new job. This is more than an HR nightmare; it’s a business resilience challenge.
Burnout is intensifying
Any CSO or CISO knows that burnout in the cybersecurity sector is not a brand-new topic. As far back as the early 2000s, when cyber evolved into a formal discipline, leaders were talking openly about the stress security pros were feeling, having to be “always on.” Over the next two decades, surveys found that a majority of security personnel felt burned out and many considered leaving the field.
While the issue isn’t new, recent reports confirm that burnout in our sector seems to be intensifying.
“Cybersecurity professionals at all levels are burning out. Our research shows this is only getting worse,” says Jon Oltsik, former industry analyst and author of the Information Systems Security Association (ISSA)’s seventh annual “Life and Times of Security Professionals” report.
The ISSA survey said cyber workers’ jobs are getting harder, citing increased complexity and workload, more threats and larger attack surface, regulatory compliance pressures and understaffing as their top stressors. The report also indicates the vast majority (81%) of respondents who said they are under stress considered leaving their jobs on a regular basis, versus 17% of those satisfied with their roles.
Gartner also weighed in on the topic earlier this year, listing cybersecurity burnout as one of the six top cybersecurity trends of 2025.
“Cybersecurity burnout and its organizational impact must be recognized and addressed to ensure cybersecurity program effectiveness,” said Alex Michaels, senior principal analyst at Gartner. “The most effective SRM leaders are not only prioritizing their own stress management, but they are also investing in teamwide wellbeing initiatives that demonstrably improve personal resilience.”
Finding qualified cybersecurity workers is still a difficult task. Hiring a new IT or security professional typically costs one and a half to two times their predecessor’s annual salary, and up to 28% of all cyber jobs remain unfilled, according to the Boston Consulting Group’s “2024 Cybersecurity Workforce Report: Bridging the Workforce Shortage and Skills Gap.”
It’s hard enough to match the skills a trusted, talented security professional possesses. It’s impossible — at least in the short term — to replace the institutional knowledge that same professional gains working inside your organization, helping to fend off IT threats for a significant amount of time.
The roots of cyber stress
Cyber employees can feel pressure for a number of reasons. Many sense they have to maintain a constant state of vigilance to spot any phishing, ransomware and social engineering threats that come in. Many fear that one wrong click — by them or by a colleague — could compromise the company and put their job at risk. Others feel a sense of “compliance overload,” having to deal with repeated password changes, MFA steps and security awareness training.
More than half of the respondents to the Object First survey said their heavy workloads and understaffed teams contributed the most stress, followed by concerns about cyberattacks and the pressure to maintain uptime and service availability. Nearly everybody (85%) experienced security-related stress at some level, while 31% said they face consistent stress at least once a week.
This kind of sustained stress saps motivation, causes mental fatigue, triggers physical health issues and generally reduces workers’ sense of purpose to the point where it hurts their overall performance. Stressed, fatigued workers are more likely to make mistakes and put organizations at greater risk of security breaches.
Companies that prioritize employee wellbeing and mental health stand the best chance of solving this issue. Problem is, not everybody is doing so. According to the Object First survey, 50% of IT and security employees felt their companies aren’t doing enough to deal with the growing mental health crisis.
CSOs certainly can’t solve the burnout issue alone. Companies need to make cybersecurity burnout a priority issue for their boards and for the C-suite as a whole. But CSOs and CIOs do have an important role to play. Here are some moves they can make to lower the pressure their staff are feeling.
Build a safe culture: Protecting an organization from cyber incidents is a scary process, and employees are facing constant fear that incidents will escalate and they’ll get blamed. CSOs should set up processes where escalation is encouraged and post-incident discussions focus on ways the whole team can improve. Celebrating early detection, and not just incident containment, will improve performance and lessen tensions.
Reduce the noise: Burnout can often be caused by structural issues that are out of line: too much work, too little staffing, too much noise from unfiltered alerts, faulty systems and too much pressure from being on call. CSOs should review operations and practices to make sure staff aren’t overloaded with work or focused too heavily on reactive tasks.
Provide resources: Stress can take a toll on mental health. While HR should take the lead in providing mental-health and resilience programs, CSOs should provide guidance and watch for signs that employees need individualized attention.
Make sure team members feel “seen”: Recognition — in the form of awards or just shared discussions of work done well — can go a long way to reducing long-term, collective stress. Some CSOs set up regular 1:1 meetings or group sessions where they encourage cyber workers to share examples of stressful situations on the job. When CSOs see employees heading toward burnout, nudging them to unplug and recharge can often lower stress to a manageable level.
The cybersecurity mental health crisis is real. The pressure to be the last line of cyber defense is taking a serious toll on professionals’ mental health and job performance, and it’s time to provide them with more support. CSOs can send a powerful message that well-being isn’t optional — it’s essential for businesses to stay resilient in the face of more frequent, complex cyber threats.
This article is published as part of the Foundry Expert Contributor Network.