Burnout is Becoming Endemic Across the Cybersecurity Sector

Cyberattacks have come thick and fast in 2025, with huge corporations including Qantas, M&S, Co-op and Microsoft all experiencing breaches in recent months.

The sheer volume of the attacks is not the only remarkable thing about this recent trend, however.

Cybercrime is clearly becoming far more sophisticated than ever before, with criminals often weaponising AI technologies.

As such, Chief Information Security Officers (CISOs) have been under pressure to respond and prepare their defences effectively.

This is far easier said than done, however, and many cybersecurity professionals are starting to struggle under the weight of increasingly aggressive threats and round-the-clock demands.

Data from ISC2's annual Workforce Study spells this out plainly.

Job satisfaction among cybersecurity professionals fell to 66% in 2024, down four percentage points from the previous year, and significant amounts of people are reporting burnout as a result of their work.

The human cost of constant vigilance

The BBC recently conducted interviews with cybersecurity professionals to dig into this pattern.

Tony, who used a pseudonym, was signed off for burnout from his cybersecurity awareness role at a major UK ecommerce company last year, following years of mounting stress.

"Many of us in cyber, we put our hearts into our job. There's a lot of passion involved," he says.

He recalled the Wannacry ransomware attack in 2017 when his team worked through the weekend to protect the company's network.

"It was a Friday and something came up on BBC News," Tony said.

The security team removed every device from the network as a precaution, with Tony finally coming offline on Sunday afternoon.

"It was all preparatory work," he says, noting the firm had not been hit by the attack.

Tony said this pattern is being repeated across organisations responding to the Scattered Spider attacks that struck Co-op, M&S and other businesses this year.

"I can't even imagine what the folks at Co-op and M&S have gone through," he says.

A sector under strain

Andrew Tillman, former Head of Cyber Risk & Assurance for the UK's Health Security Agency, also reports experiencing burnout himself during his four years at the organisation.

"If you think you might be burning out, you're already on your way there," Andrew said.

Jon France, who is the ISC2’s own CISO, sees burnout as a "major issue" for the sector.

Jon says that professionals are increasingly being asked "to do more with less" which only increases stress and leads to dissatisfaction at work.

"Cyber professionals rarely work 9-5,” he explains. “Even if they do, they remain on call because threat actors don't adhere to office hours.”

Bigger threats, higher stakes

The pressure that many cybersecurity professionals are experiencing right now can be chalked up to a huge surge in sophisticated attacks from nation-state actors and criminal groups.

Earlier this year hackers thought to be working for the North Korean regime stole US$1.5bn worth of digital tokens from crypto exchange ByBit.

Officials in the US estimate that around half of North Korea's foreign currency acquisitions come from cyber theft.

For Andrew, the weight of responsibility is a massive part of the stress.

"There's always that conscious thought about 'if it goes wrong, how could this impact the individuals on the street? How could it affect their jobs, their livelihoods?'," he explains.

Entry-level workers are vulnerable

Lisa Ackerman is the former Deputy CISO at GSK.

She highlights just how intense the level of staff turnover is in entry-level roles in cybersecurity.

Younger workers in frontline positions have to deal with a constant barrage of security alerts they need to assess and respond to, which is clearly not for everybody.

Peter Coroneos, Founder of Cybermindz, a non-profit that aims to tackle burnout in the cyber sector, says that workers can be caught in a "blame culture" while their successes are "low visibility".

This leaves them carrying "a low level of dread", he suggests.

Peter warned that recruiting people whose brains are not fully formed and placing them in high-stress roles could set them up for long-term cognitive and emotional problems.

Cybermindz offers a structured neural training regime aimed at restoring psychological safety for stressed workers.

"If someone's having a panic attack, telling them to just calm down isn't actually going to work. You need to address neurochemistry," Peter says.

Calls for regulatory intervention

Lisa, like Peter, believes that cybersecurity teams need far more protection than they currently have.

"We want to get some kind of legislation for cyber teams like we have for air traffic controllers and doctors and pilots and people who are first responders. Which, in reality, cyber defenders are," she explains.

Other industry insiders are focusing on making the lives of cyber teams easier by fighting fire with fire, using AI to shore up defences against AI-powered threats.

“When AI closes the loop from detection to containment in minutes, board-level metrics move: fewer payouts, faster recovery and less revenue at risk,” explains Anirudh Agarwal, CEO of OutreachX.

Elsewhere, Andrew says he now watches carefully for warning signs of impending burnout, including changing sleep patterns, altered eating habits and reduced exercise.

Going forward, this kind of reflection will likely be imperative for professionals.

"It's almost like a cyber breach. You should assume it's on its way and work towards not allowing it to happen," he says.