CISO burnout: How you can stop contagion throughout the workforce
On the ISC2 Safety Congress in October 2025, David Foote, chief analyst and analysis companion at Foote Companions, made a decidedly eye-catching level.
“The variety of CISOs [chief information security officers] who’re not within the discipline and have left it attributable to burnout is stunning,” he mentioned. “Many employers at the moment are obsessive about burnout as they’ve misplaced so many good people who find themselves simply incinerated on the job.”
This worrying state of affairs is supported by the figures. The typical tenure of cyber safety leaders is now between 18 months and three years, in contrast with a mean of 5.2 years amongst members of the C-suite in S&P 500 corporations. Whereas not each CISO who leaves their job can have skilled burnout, many are undoubtedly taking sideways profession steps, not least to cut back their stress ranges.
Martin Astley is CISO at central heating companies supplier 24/7 Dwelling Rescue, in addition to a psychological well being champion. He says: “On folks leaving the trade altogether: some do, however extra generally they transfer sideways to develop into fractional CISOs or to work in consultancies or vendor roles as a result of it provides them management again.”
As to what the warning indicators of burnout or continual and unmanaged stress are, Caroline Hughes, chief govt of consultancy at Aware Management Growth, believes they’re on a spectrum
“The early warning indicators are a discount in ambition and a narrowing down of the scope of labor, which is about going into coping mode to get by,” Hughes says. “It doesn’t are usually seen as a lot as individuals are nonetheless acting at a excessive degree and are delivering, however underneath the bonnet, there’s a way of working to face nonetheless.”
At a private degree, CISOs typically expertise adjustments in sleep patterns, resulting in emotions of exhaustion. They could cease exercising or consuming correctly and resort to alcohol and leisure medicine to assist them calm down attributable to steady emotions of tension and fears of what may go mistaken. Disengagement from work and self-doubt are additionally frequent signs.
Apparent indicators of burnout
Later, extra apparent indicators of burnout in a office context embrace leaders turning into usually much less environment friendly. As an example, they could take longer to make selections and require proof and reassurance to make sure they’ve come to the best conclusion.
They may additionally develop into overly essential attributable to having misplaced perspective and even flip into micro-managers. The issue right here is that “they not belief themselves, so discover it tough to belief others too”, Hughes says.
One other equally unlucky manifestation of burnout, says Russ Kirby, CISO at id administration software program supplier Ping Identification, is poor decision-making: “Many individuals fall into the lure of working longer hours simply to get the job executed. So, they expertise stress compounded by fatigue, which in keeping with many research has a unfavorable influence on efficiency and is cumulative.”
On the “excessive finish” of the state of affairs, says Hughes, folks typically develop into much less emotionally regulated, impatient, short-tempered and dictatorial. Additionally they develop into more and more erratic, withdrawn and transactional of their interactions and relationships with others. Dropping the flexibility to prioritise and believing every little thing is a “sizzling matter” is one other widespread manifestation.
“Search for noticeable shifts in tone or behaviour: somebody who is generally fairly balanced turning into extra erratic, or people who find themselves usually keen to tackle complicated work looking for reassurance about what’s going to occur if issues go mistaken,” says Hughes. “It might seem to be a sudden shift, however there are more likely to have been delicate cues that have been missed alongside the best way.”
The large downside is that failing to nip the issue within the bud early on has severe penalties, each for CISOs and their groups. For cyber safety leaders, each their bodily and psychological well being are more likely to endure, ultimately requiring them to take day without work work to get well.
Others resign to get out of a state of affairs they not really feel is sustainable. Key indicators of resignation intent are cynicism and a way of not being linked to their mission, and emotions of a lack of skilled efficacy. This could additionally manifest as imposter syndrome.
The workforce influence of burnout
The influence of CISO burnout cascades throughout their groups too. Peter Coroneos is founder and govt chair of resilience coaching charity Cybermindz, which gives resilience coaching. He says that one of many first casualties if leaders are in survival mode is empathy.
“Empathy is ruled by a hormone known as oxytocin, which is launched when people work cooperatively collectively,” he explains. “However when somebody is emotionally exhausted, strung out and never sleeping, oxytocin is more likely to be low, which suggests folks have a low capability for empathy – and that may have an opposed influence on the workforce.”
On account of this case, Coroneos says, staff are more likely to understand their chief as somebody “indifferent, uncaring and unsupportive, who focuses on the mission to the exclusion of the folks”. Over time, workforce members are additionally more likely to begin demonstrating a level of dysfunction themselves, resulting in elevated disengagement and better churn over time.
Hughes agrees. “Even when workforce members have some sympathy, they begin questioning which model of their chief they’ll get right this moment, which drives uncertainty and creates anxiousness,” she says. “At a elementary degree, it shifts the belief that exists between leaders and their groups as they set the tone and route.”
Coroneos concurs that there’s at all times a “diploma of contagion” attributable to CISO burnout: “The state of affairs typically results in battle and the creation of a blame tradition. It additionally results in a drop in efficiency and may injury creativity and innovation. If groups are working underneath fixed stress, they’ll begin dropping functionality and momentum, which in the end means the organisation is much less secure.”
This, he believes, is as a result of probably the most worthwhile property professionals have is their psychological energy, coaching, and expertise, which is extremely contingent on their way of thinking. “So, if individuals are underneath important stress or burn out, you lose entry to their abilities, which constitutes an organisational threat requiring the identical diploma of preventative repairs as a technical device,” Coroneos says. “This isn’t about wellness or being touchy-feely – it’s about neurological efficiency.”
What can employers do?
As to what might be executed about this troubling state of affairs, Hughes believes that line managers and friends have an necessary function to play right here.
“Individuals don’t wish to inform the boss what’s happening for them because it’s seen as profession suicide, so a sure delicacy is required in conversations,” she says. “However it may be so simple as saying, ‘Are you OK? I seen you have been a bit quiet right this moment’, and taking motion primarily based on their response.”
Such motion may embrace line managers speaking to HR for steering or recommending their CISOs communicate to an occupational well being skilled for assist.
“If we ask, folks typically inadvertently inform us all we have to know, however they don’t at all times take heed to themselves and so aren’t essentially conscious of how dangerous issues have develop into,” Hughes factors out.
However in her expertise, the answer isn’t nearly tackling “wellness” points. “As an alternative, it’s normally systemic and is about how work will get executed, how groups are resourced, and if individuals are arrange for fulfillment or not,” she says.
Consequently, Hughes is a “fan of the ‘workplace of the CISO’ strategy”. She acknowledges such ‘workplaces’ are sometimes reserved for chief executives. However she believes they’re a great way to assist folks in demanding roles ship on their targets.
The concept right here is that whereas CISOs retain their strategic remit and other people growth function, they appoint a “enterprise” or “efficiency supervisor” as a “trusted confidante”. These practical consultants drive efficiency and “hold the prepare working” in step with the priorities set by the CISO. They could even take care of essential initiatives on their behalf.
Ping Identification’s Kirby advantages from simply such a setup however has numerous leads for the completely different departments that report into him. These embrace technical, governance, threat and compliance, business and contracting, and strategic, which works on long-term roadmaps.
“The groups are led by individuals who can run their departments autonomously if I have to focus elsewhere,” he says. “A variety of CISOs have too many individuals reporting into them, so I’m in a privileged place as my workforce is larger than many and it’s properly structured.”
One other consideration, says Hughes, is utilizing succession planning as a secure technique of holding discussions round cowl for “sudden depart” occasions, which embrace the delivery of a kid. This makes it doable to coach up an interim substitute and probably restructure how work is finished ought to CISOs have to take day without work with out dropping face.
Investing in CISO psychological well being
Sarb Sembhi is founding father of the Psychological Well being in Cybersecurity Basis. He additionally suggests following the instance of a selected FTSE 100 insurance coverage firm, which allotted eight days of labor to be executed in 10 days.
The concept right here was to determine a baseline – which must be reviewed repeatedly – of how a lot work the workforce may full over a two-week interval to make sure it was not both overloaded or underworked.
“It’s about establishing a baseline of what works properly, which we’ve not at all times executed prior to now,” Sembhi says. “However as soon as you’re employed out what the baseline is, you’ll be able to extra precisely work out what finances and assets you want and make an acceptable enterprise case for them.”
Sembhi’s basis can also be engaged on a psychological well being promotion framework with the assistance of assorted neighborhood working teams. Primarily based on 9 core rules, which embrace time administration, its intention is to cut back stress and burnout and enhance resilience within the sector.
The framework may also signpost customers to present specialist companies, resembling counselling or group remedy, if required. The intention is to launch the primary model to coincide with Psychological Well being Consciousness Week on 11-17 Could.
“With most different departments, the enterprise isn’t susceptible in the event that they’re not at work, however the entire organisation depends on us being there, which suggests we have now to search out our personal manner ahead with this,” says Sembhi. “However we’re not making an attempt to offer a single, prescriptive strategy as we recognise not every little thing will work for everybody.”
As for a way Ping Identification’s Kirby retains himself in good psychological well being, he places it all the way down to quite a lot of components: self-awareness, which an govt psychologist helped him with a few years in the past; having a supportive peer community and board behind him; and a wholesome life-style, which incorporates train and a superb weight loss plan.
“A variety of organisations are investing extra in how they develop their executives to make sure they’re emotionally, not simply operationally efficient,” he says. “Individuals at the moment are turning into increasingly acutely aware of the issue, so hopefully it’ll make a distinction over time.”
