Companies are paying the price for CISO burnout
Burnout among chief information security officers (CISOs) is not only a personal catastrophe for those involved. It also constitutes a serious, and costly, risk for the business.
But in the face of rising threats and limited resources, the problem is "more serious than most people realise until they're in the seat", says Martin Astley. He is CISO at central heating services provider 24/7 Home Rescue and a mental health champion.
According to Proofpoint's 2025 Voice of the CISO report, for example, a huge 63% of cyber security leaders have either personally experienced, or witnessed, burnout among their peers over the past 12 months.
A key issue here, says Astley, is that the CISO role has "quietly become five jobs in one", which is significantly more than most other professions. These jobs include strategist, operator, board adviser, crisis manager, compliance lead and acting as emotional support for the team.
To make matters worse, the always-on nature of incidents, as well as ongoing audit and regulatory pressures, make it hard for CISOs to switch off. Chronic skills shortages and the resultant impact on available team resources play their part, too.
"Threats are accelerating, including AI-driven scams and deepfakes, the attack surface keeps expanding, and expectations keep rising faster than budgets and headcount," says Astley.
But there are also other drivers behind the problem. "CISOs are held accountable for enterprise-wide risk, but many still don't have enterprise-wide influence," he adds. "That mismatch is corrosive, and turns the job into permanent responsibility without permanent control."
Burnout as a predictable human response
Peter Coroneos, founder and executive chair of resilience training charity Cybermindz, agrees.
"It's about predicting ways to manage and control things that aren't fully within your purview," he says. "This means you'll have the responsibility, but you're not in a position to manage all the risk factors, which include someone clicking on a link downstream in the organisation, particularly if they're working from home."
Another contributory factor is the lack of control many CISOs have over the budgets available for them to deliver on strategy. It means they can end up in a "constant fight for resources" with other functions. This situation tends to be particularly difficult if the board has unrealistic expectations, requiring them to take a "zero incident" rather than a managed risk approach.
Should a breach occur, though, says Coroneos, it's the CISO who has to manage the fallout. But they can also find themselves scapegoated, particularly if organisations have a blame culture and need a "sacrificial lamb".
"CISOs are brought in to protect the organisation's assets, and when they do so, no one notices and their success is unseen," he says. "But failure is high-profile and can make front-page news, with the board, regulators and even Parliament getting involved."
Given this difficult situation, Coroneos believes it's unsurprising that many CISOs are experiencing the chronic, unmanaged stress that leads to burnout.
"There's nothing inherently wrong with these people and they're often excellent at what they do," he says. "But if anyone is subject to threats that exceed their capabilities to manage and adapt to, burnout becomes the predictable human response."
The danger of short tenures
As Astley points out, however, burnout is a serious problem – and not just because of the harm it causes to individuals and their wellbeing. Another key issue is the "real risk" it creates for the organisation "when decision-making, reliance and leadership continuity start wobbling", he says.
This means that if employers fail to address the situation, there are serious repercussions. One of the most obvious is CISO churn rates. The average tenure of cyber security leaders is now between 18 months and three years, compared with an average of 5.2 years among members of the C-suite in S&P 500 companies.
Stephen Boyce is director of digital investigations at Magnet Forensics. He indicates that when some CISOs leave their jobs, they simply go elsewhere to find less gruelling roles or move sideways, into fractional, consultancy or vendor positions. But many are now choosing to leave the already-understaffed profession altogether, which includes opting for early retirement.
Caroline Hughes is chief executive of consultancy Conscious Leadership Development. A big concern with average tenures being so short, she believes, is that organisations don't have enough time to undertake effective succession planning or even put a suitable talent pool together.
"It's a leadership sustainability issue at both the individual and organisational level," she says. "If you're constantly replacing people, it's very disruptive in terms of teams and governance – and how can you give the executive committee confidence in the long-term strategy if there's continual short-term churn?"
Astley agrees: "The bigger issue [than people leaving the profession] is the pipeline. Almost half of CISOs reportedly don't have an adequate internal successor lined up, which tells you how thin the bench is."
The business risks of CISO burnout
Another point here, he warns, is that short tenures barely give incumbent CISOs enough time to assess risk properly, let alone deliver multi-year transformation initiatives. The upshot tends to be reactive and fragmented "stop-start security programmes" that force teams into a "constant 'reset' mode".
Other challenges include "leadership gaps, delayed projects and reduced resilience", he says. "The risk isn't theoretical: attackers exploit disruption and distraction, and turnover causes exactly that."
But burnout also has implications even while CISOs are still in post. Coroneos points to the three main indicators that show trouble is afoot: emotional exhaustion, cynicism and a fall in professional efficacy.
While the implications of the former are more personal, making everything feel like a slog, the latter two are key predictors of resignation intention, he says. This is because they impact on the reasons behind why CISOs do the job they do.
Boyce, meanwhile, believes the risks of this situation are "compounding".
"Burnout translates into missed alerts and decision fatigue, which over time leads to disengagement, slower decision-making in a crisis, and lower-quality risk communications," he says. "In other words, quality is lower and there's higher stress on teams, which erodes resilience. The problem here is that cyber resilience is directly tied to business resilience."
Astley agrees. In his view, key organisational risks include "slower incident response maturity, weaker governance, inconsistent risk acceptance decisions, and reduced credibility with auditors, insurers and regulators", he says. "And when the security leader is burnt out, it often cascades onto the team, which generates a wider retention problem."
The direct costs of CISO burnout
But, inevitably, there are also costs attached to each of these issues. John Skipper, a digital trust and cyber security expert at PA Consulting, estimates that the total financial impact to the FTSE 100 of CISO burnout could be as high as £200m per year, or an average of £2m per company.
For instance, according to job listings website Indeed, the average base salary for a UK cyber security leader is £117,000. Recruitment agencies often charge between 25% and 30% of this salary to find and screen new appointees, a cost that quickly mounts up if it happens every 18 months.
But in the run-up to a burned-out CISO's resignation, they're unlikely to have worked productively, resulting in the business not getting value for money. They may also have had to take paid leave due to ill health.
Other direct costs to the organisation include having to pay the salary of a temporary or interim replacement who will inevitably take time to get up to speed, leading to further productivity lags. Then there are the sign-on packages, onboarding, training and transition costs associated with a new starter.
"You're probably between £600,000 to £700,000 of direct costs, plus the potential cost of any incident," says Skipper. "The hidden costs are very significant, too, though, and probably even dwarf the direct costs."
The indirect costs of CISO burnout
These indirect costs include a loss of institutional knowledge, particularly if processes haven't been well documented. Decision-making is likely to be delayed, and projects deferred due to a lack of security expertise – or, even worse, security can simply become an afterthought.
Another common problem relates to higher cyber security insurance premiums, or even a refusal by insurance companies to cover claims in some instances.
Boyce explains: "Many underwriters take it into account if companies have someone in place who can reduce the likelihood of a claim. But if they find a revolving door every 12 to 36 months, they'll take notice of that and, when it comes time to renew, it'll result in higher premiums."
But there are other challenges, too, says Astley. These consist of the "increased likelihood and impact of incidents, staff turnover in the security team [due to low morale], slowed delivery across IT, and reduced confidence at board level".
As a result, he believes the total CISO replacement cost could amount to more than 200% of salary "once you account for lost productivity and disruption". But, he adds, most organisations underestimate the situation as such costs are spread across different departments, such as HR, IT, risk and legal, and different timescales.
Therefore, Astley says: "The implication is predictable: companies underinvest in prevention, such as support, structure and headcount, and overpay later in churn and incidents."
Unsurprisingly given the currently unsustainable situation, he expects to see more cyber leaders taking up 'portfolio careers' as fractional CISOs, consultants and fixed-term roles to protect their own physical and mental health. Thus, "organisations that don't build a bench will keep getting whiplash from turnover", he warns.
As to what employers can do about the situation, Astley believes it's now imperative to design the job "like it's meant to be survivable". This means setting realistic expectations and a clear scope. It means ensuring CISOs have genuine authority and enough staff to deliver on strategy. It also means providing them with "air cover at the executive level, not just responsibility".
"Organisations that treat security as a genuine business function and design proper support will improve retention and outcomes," he says. "But the ones that keep treating CISOs as a shock absorber for every risk will continue to burn people out and then act shocked when they leave."