Burnout burden: why CISOs are at breaking point, and what needs to change

Let’s face it, nobody talks about burnout in cybersecurity until it’s already too late. The pressure on CISOs and security leaders has been quietly mounting for years. Late nights, a growing number of incidents, shrinking budgets, an ever-changing landscape of regulations and threats, and the constant expectation to be everywhere and across everything. They’re essentially tasked with playing whack-a-mole, but with moles that can breach, exfiltrate or steal valuable data to be held to ransom, all while trying to translate the chaos to a boardroom that’s pressed for time and even harder pressed for attention or budget. But when the inevitable breach or cyber incident does happen, the CISO is the one left holding the hammer.

To be clear, this isn’t a soft-skills problem. It’s not that CISOs or security teams can’t keep up or lack the ability to speak the language of the boardroom, or that today’s security leaders haven’t perfected the skill of talking like a business person. It’s that the CISO and security leader role has been stretched as they become responsible and accountable for more assets, processes and capabilities critical to business operations. The more critical cybersecurity becomes to business continuity, customer trust and regulatory compliance, the more the CISO role is being morphed beyond recognition, and we’re approaching breaking point. According to one study, nearly a third of CISOs say stress is adversely affecting their performance, and the average tenure of a CISO is now just over two years (26 months). Unless something changes, not just at the individual level but across the entire security ecosystem, we’re going to keep losing the very leaders we rely on most, whose experience and capabilities have been built over decades of ensuring that security enables business.

Why AI alone won’t save the CISO

If, like me, you sit in enough board meetings, you’ll hear the same question emerge time and again: “Can’t AI solve this?” It’s a tempting idea, and it’s true that AI can be a very valuable tool in the security leader’s toolbox. With the right tooling, the right model and the right automation pipeline, we can finally take the pressure off by automating at a scale and pace never seen before. But it’s only part of the answer. Sure, AI can accelerate detection, streamline triage and surface patterns faster than most analysts, but does it understand nuance, context, proximity and business value? Can it carry accountability, and can it take control when things go off script, or adapt and change because of business need? At best, AI is an assistant. At worst, it’s a new attack surface we’ve barely begun to understand. Prompt injection, model poisoning and data leakage are just some of the threats outlined in OWASP’s top ten risks and mitigations for 2025. So, if AI is watching your security, who’s watching the watcher?

What’s more concerning is what this narrative does to the talent pipeline. As we automate more of the entry-level work, we risk eroding the very foundation we need to develop the next generation of cyber professionals. Junior analysts aren’t just headcount, they’re future CISOs in training. When they’re replaced with automation rather than upskilled alongside it, we’re solving today’s resourcing problem at the cost of tomorrow’s leadership. And the cycle of burnout continues. Innovation in AI is something to be taken seriously, but we need to be clear-eyed about what it can and can’t fix. Over my career I’ve learned that my key asset is the talent that exists within my team, and focus is needed on how you recruit, select, nurture and promote your staff so they can succeed in their roles. That brings quality, loyalty and exceptional customer-focused service.

Perhaps it’s time to redefine “CISO”?

There was a time when the CISO’s remit was fairly well defined: keep the bad actors out, keep the systems patched and keep the auditors happy. Halcyon days for many CISOs. Today, their role spans everything from regulatory alignment and third-party risk to crisis comms, customer reassurance and boardroom education. They aren’t just guarding against threats. They’re handling fallout, preserving reputations and juggling increasingly high expectations, managing budgets, fixing technical debt and telling business-aligned stories. In a lot of cases, they’re also the “face of resilience” for the business. So, is “Chief Information Security Officer” even still fit for purpose? If the duties have outgrown the original mandate, maybe it’s time the role evolved too. “Chief Resilience Officer” might not roll off the tongue, but it’s closer to reality, and it signals something the business needs to hear: that security is about continuity, trust and long-term stability, not just tools and tech.

What’s power without autonomy?

You can give someone the responsibility, but if you don’t give them the authority to match, it’s not leadership, it’s liability. That’s exactly where many CISOs find themselves in 2025. They’re tasked with protecting the organisation from existential risk yet still report into IT management structures that weren’t designed for independence, oversight or challenge. When the CISO reports to the CIO, there’s often a built-in conflict of interest: the person responsible for securing the infrastructure answers to the person responsible for delivering and optimising it. The CIO may, intentionally or not, prioritise functionality, availability and performance, while the CISO may need to slow things down to patch vulnerabilities, harden systems or push back on risky deployments. If the CISO lacks independence, security decisions may be overridden, downplayed or even outright deprioritised in favour of delivery timelines or budget goals.

This isn’t a clash of egos, though; it’s more about governance. Reporting lines shape how risk is prioritised, how budgets are allocated and how candid a CISO can be when something needs to be said. If security is genuinely a board-level concern, which it should be, then the CISO needs a line into the board, or at the very least the audit committee, that isn’t filtered through operational layers.

There’s a broader cultural implication, too. When CISOs are treated as subordinates to IT, it sends a message that cybersecurity is a technical function rather than a strategic, business-aligned one. And that message filters down fast into hiring, investment decisions and how incidents are handled when the pressure rises. If organisations want security leaders to act as business enablers and crisis navigators, they need to stop placing them in a structure that ties their hands and instead allow them to lead the business through times of crisis, growth or significant change. Elevating and celebrating individuals is important, but building a system designed to let them succeed rather than hold them back is what will ensure future leaders can be retained, both in an organisation and in the industry as a whole. Most importantly, they’ll maintain good mental health in a place where they feel supported and valued.

Tim Grieveson, CSO at ThingsRecon