Why Cybersecurity Professionals Are at High Risk of Burnout

So far, 2025 has witnessed a relentless wave of cyberattacks, with household names including Qantas, M&S, Co-op and Microsoft have all fallen victim to cyberattacks in recent months.
But it's not just the frequency of these incidents that stands out.
More and more, cybercriminals appear to be deploying advanced techniques, often using AI-powered tools to enhance their attacks.
As a result, Chief Information Security Officers (CISOs) are under huge pressure to strengthen their companies' defences and respond appropriately.
This is far from simple, though, and increasing numbers of cybersecurity professionals are beginning to buckle under escalating threats and the relentless demands of their work.
ISC2's annual Workforce Study data from 2024 speaks to this trend clearly.
Cybersecurity professional satisfaction dropped to 66% during 2024, representing a four-point decline from the year before, while substantial numbers report work-related burnout.
The human cost of constant vigilance
The BBC recently spoke with cybersecurity professionals to explore this emerging pattern.
Tony, speaking under a pseudonym, took sick leave for burnout from his cybersecurity awareness position at a prominent UK ecommerce firm last year, after years of accumulating stress.
"Many of us in cyber, we put our hearts into our job. There's a lot of passion involved," he says.
He remembers the Wannacry ransomware attack in 2017 when his team worked through the weekend to protect the company's network.
"It was a Friday and something came up on BBC News," Tony said.
The security team removed every device from the network as a precaution, with Tony finally coming offline on Sunday afternoon.
"It was all preparatory work," he says, noting the firm had not been hit by the attack.
Tony said this pattern is being repeated across organisations responding to the Scattered Spider attacks that struck Co-op, M&S and other businesses this year.
"I can't even imagine what the folks at Co-op and M&S have gone through," he says.
A sector under strain
Andrew Tillman, former Head of Cyber Risk & Assurance for the UK's Health Security Agency, also reports experiencing burnout himself during his four years at the organisation.
"If you think you might be burning out, you're already on your way there," Andrew said.
Jon France, who is the ISC2's own CISO, sees burnout as a "major issue" for the sector.
Jon says that professionals are increasingly being asked "to do more with less" which only increases stress and leads to dissatisfaction at work.
"Cyber professionals rarely work 9-5," he explains. "Even if they do, they remain on call because threat actors don't adhere to office hours."
Bigger threats, higher stakes
Much of the current pressure facing cybersecurity professionals stems from a dramatic increase in advanced attacks launched by criminal groups and nation-state actors.
Hackers believed to be operating for the North Korean regime stole US$1.5bn worth of digital tokens from crypto exchange ByBit earlier this year.
US officials estimate that roughly half of North Korea's foreign currency revenue originates from cyber theft.
For Andrew, the sense of responsibility contributes significantly to the stress.
"There's always that conscious thought about 'if it goes wrong, how could this impact the individuals on the street? How could it affect their jobs, their livelihoods?'," he explains.
Entry-level workers are vulnerable
Lisa Ackerman formerly served as Deputy CISO at GSK.
She draws attention to the remarkably high staff turnover rates affecting junior cybersecurity positions.
Junior staff in frontline roles must contend with an unrelenting stream of security alerts requiring assessment and action, which is clearly not for everybody.
Peter Coroneos, who founded Cybermindz, a non-profit organisation dedicated to combating burnout in the cyber sector, says that workers can be caught in a "blame culture" while their successes are "low visibility".
This leaves them carrying "a low level of dread", he suggests.
Peter cautioned that placing individuals whose brains are not fully formed into high-pressure environments could predispose them to lasting cognitive and emotional problems.
Through Cybermindz, a structured neural training programme is provided with the goal of restoring psychological safety for stressed workers.
"If someone's having a panic attack, telling them to just calm down isn't actually going to work. You need to address neurochemistry," Peter says.
Calls for regulatory intervention
Like Peter, Lisa advocates for substantially greater protections for cybersecurity teams.
"We want to get some kind of legislation for cyber teams like we have for air traffic controllers and doctors and pilots and people who are first responders. Which, in reality, cyber defenders are," she explains.
Meanwhile, other industry figures are concentrating on easing the burden on cyber teams through AI deployment, matching AI-enabled threats with AI-powered defensive capabilities.
"When AI closes the loop from detection to containment in minutes, board-level metrics move: fewer payouts, faster recovery and less revenue at risk," explains Anirudh Agarwal, CEO of OutreachX.
For his part, Andrew now monitors closely for early indicators of approaching burnout, such as disrupted sleep patterns, modified eating behaviours and diminished physical activity.
Moving ahead, this type of self-awareness will likely prove essential for practitioners.
"It's almost like a cyber breach. You should assume it's on its way and work towards not allowing it to happen," he says.


