Burnout among chief information security officers (CISOs) and cyber professionals is no longer a fringe issue: it is an ongoing and growing crisis in the industry. Despite holding leadership positions, many CISOs work in environments where their role is misunderstood, undersupported, and saddled with unrealistic expectations.
Cybersecurity has evolved alongside business functions rather than being fully integrated into them. This historical division has created a cultural and operational divide that has left many cyber professionals isolated. As one expert noted, “Most people in cybersecurity are in survival mode, fighting the crocodiles closest to the boat.” The need to manage day-to-day operations, respond to incidents, scan the horizon for emerging threats, and engage in strategic planning—all often with minimal resources—has become unsustainable.
A key issue is the widespread misconception that CISOs are simply senior technical experts. In reality, the role requires strategic oversight, leadership and management. However, many CISOs are promoted from a technical background without the necessary development in communication, leadership and business acumen. They are expected to maintain deep technical knowledge while also serving as high-level strategists, a duality that few other senior management positions are asked to maintain.
This discrepancy between expectations and reality creates a vicious circle. Without clearly defined roles and organizational cyber leadership maturity, CISOs struggle to advocate for themselves. Boundaries blur, workloads increase, and the risk of burnout rises. Knowing your value and setting boundaries is important, but it's difficult when the company itself lacks clarity about what it expects from the role.
Remote work has further exacerbated this isolation. The loss of informal, face-to-face interactions has made it more difficult for CISOs to build relationships, influence culture, and engage in the dynamic discussions that often drive innovation and problem solving. The ability to walk past a colleague's desk and spark spontaneous discussion has been replaced by scheduled meetings and digital repositories.
To cope with burnout, there are several key strategies to consider:
- Early advocacy: CISOs must set expectations and boundaries from the beginning. Waiting until the role becomes overwhelming is often too late.
- Leadership Development: Organizations must invest in developing CISOs beyond their technical skills, equipping them with tools to lead, communicate and influence at the executive level.
- Support networks: No professional, regardless of experience, should act in isolation. Peer support and mentorship are vital.
- Role clarity: Companies need to mature in their understanding of the role of the CISO. The title “chief information security officer” implies much broader responsibilities than just cybersecurity. Recognizing this difference is key to setting realistic expectations.
- Enforced boundaries: Downtime is important. CISOs must have the power to delegate, disconnect, and protect their mental health.
This is not an easy problem to solve. The challenges are both organizational and personal in nature and need to be addressed in tandem. The industry is hanging on by a thread, and with advances in artificial intelligence and increasingly complex threats, the risk of burnout could be catastrophic if left unchecked.
The fact that CISO burnout remains a concern year after year—even before the Covid-19 pandemic—speaks volumes. The pandemic may have made the problem worse, but it did not create it. Isolation, unclear expectations and lack of support have long plagued the profession. If the industry wants to thrive, it must prioritize the well-being of its cyber leaders as well as technical protection.
Mike Gillespie is the CEO and co-founder and Ellie Hurst is the commercial director of Advent IM Ltd,






