CISO burnout is increasing. Are we simply more aware of the condition? Or have demands on the CISO grown and burnout is now the inevitable result?
In 2019, burnout was defined by the World Health Organization as an occupational phenomenon rather than a medical condition. In 2025, this non-medical condition, initially given the same symptoms as a bad headache (exhaustion, negativism, and reduced efficacy) has become endemic within cybersecurity, affecting team members and CISOs alike.
Two things are clear: firstly, burnout is way different and more extreme than a headache, and we haven’t yet adequately learned to predict, detect, and prevent it. Secondly, burnout is not a disease, it is the name we have given to the symptoms of an unspecified disease (just as a headache is the visible symptom of an unspecified disease).
Clearly, we need to understand the cause of burnout (the underlying disease) and its treatment to be able to detect, prevent, and ameliorate the highly detrimental effect it has on its sufferers and their work.
What is burnout
Lisa Ventura (chief executive and founder of the AI and Cyber Security Association) describes her own earlier experience of, and recovery from, burnout.

“It’s not just being tired after a long week,” she explains, “but rather a state of complete physical, emotional, and mental exhaustion that develops over time from chronic workplace stress that hasn’t been successfully managed… and trust me, it’s rampant in our industry.”
She describes it from experience. “It manifests in three key ways: overwhelming exhaustion that doesn’t improve with rest, cynicism or detachment from your work (you stop caring about things that once mattered deeply to you), and a profound sense of ineffectiveness. In cyber security, where we’re constantly fighting an uphill battle against increasingly sophisticated threats, burnout can creep up on even the most passionate professionals. It’s not a character flaw or a sign of weakness but rather what happens when dedicated people are pushed beyond their limits for too long without adequate support or recovery time.”
Andy James (founder at Custodian360) adds, “Burnout is not just tiredness after a long week. It is the chronic exhaustion that seeps into your bones, the fog that will not lift, the sense that no matter how much you give, it will never be enough. For a CISO, it is when accountability outweighs authority, when the joy of solving problems turns to dread, and when the resilience that once defined you is gone.”
Its causes, he suggests, include: “Constant firefighting, with no time to recover; the loneliness of leadership; responsibility for outcomes without the power to fix the underlying problems; and the never-ending message that ‘whatever you do, it is not enough’.”
Burnout, PTSD and neurodivergence
The cause and effect of burnout is like the cause and effect of PTSD (more specifically C-PTSD, or complex PTSD), but the two conditions are not considered to be medically related. C-PTSD is the accumulated effect of repeated trauma over a period (rather than a single trauma). Burnout is largely, not solely, caused by long-term stress – but within that period there can be many traumatic events (complete or partial compromise; continuous late-night firefighting).

“Burnout and PTSD are different conditions, though they can coexist and share some symptoms,” says Ventura. “The constant hypervigilance required in our roles can mirror PTSD symptoms, and some cyber security professionals do experience what could be considered secondary trauma from constantly dealing with the aftermath of cyber-attacks.”
Experiencing trauma can make you more susceptible to burnout, and burnout can exacerbate existing trauma responses. “Both conditions are serious and treatable, but they require different approaches,” she suggests.
And both are further complicated by neurodivergence, a characteristic that is particularly prevalent in cybersecurity, and especially among CISOs. Neurodivergence is a contributory and exacerbating factor for both burnout and C-PTSD; and there is emerging evidence of a distinct ‘neurodivergent burnout’. The additional stress of maintaining management functionality and communication while suppressing (masking) ADHD symptoms for neurotypical colleagues is a constant stress and emotional drain for divergent CISOs – who may even be unaware of this additional divergence stress.
This similarity between PTSD and burnout is important for the treatment of burnout. PTSD has been known under different names for centuries: ‘irritable heart’ in the American Civil War, Pierre Janet’s work on trauma, hysteria, and dissociation in the late nineteenth century, ‘shell shock’ in the First World War, and ‘battle neurosis’ in the Second. In 1980 it was formally recognized in the American Psychiatric Association’s Diagnostic and Statistical Manual of Mental Disorders, largely driven by clinicians working with Vietnam War vets, and feminist movements advocating for victims of abuse.
The point, however, is that PTSD has long been scrutinized for methods of rehabilitation. It follows from the symptomatic correlation with burnout that what works for PTSD is likely to have a similar effect on burnout.
Cause of burnout
The role of the CISO has evolved into the Chief Crisis Officer. Crises keep coming from multiple directions and seemingly infinite and often unknown sources – and those crises must all be solved. But there is always and immediately the next one. The requirement to gain and maintain cybersecurity is ultimately endless and futile. It is a job of never-ending and continuous stress, punctuated by periods of extreme stress, at any time of the day or night on any day of the week.

It’s made worse by the often quoted problem of accountability without responsibility. CISOs are accountable for the security posture, the preparedness and the response of the entire organization when faced with a cyber crisis. But they have no authority to ensure everyone, throughout the organization, really does what he or she is supposed to do. CISOs are accountable for what happens, but not responsible for it.
“It’s like Mission Control on a space flight,” suggests Jim Wetekamp (CEO at Riskonnect). “Mission Control wasn’t responsible for building the ship (the company), they didn’t train the astronauts (the company employees driving the ship), and they didn’t plan the trip (the corporate objectives). They just execute in the moment, across all those different functions, having to trust that all the different pieces work.”
Other company executives have far greater authority in the more limited areas for which they are accountable.
Effect
“The impact on a CISO’s performance is absolutely devastating, and frankly, it terrifies me because these are the people responsible for protecting our most critical systems and data,” says Ventura. “When CISOs experience burnout, decision-making becomes impaired. They might delay crucial security investments, miss important threat intelligence, or make reactive rather than strategic choices.”
She has seen burned-out CISOs struggle with communication, becoming either overly aggressive in meetings or completely withdrawn, which damages their relationships with the board – and other executives.
“From my experience working with senior cyber security leaders,” she continues, “burnout also affects their ability to lead their teams effectively. They become less empathetic, more prone to micromanaging, and, ironically, more likely to create the very conditions that lead to burnout in their staff. The strategic thinking that makes a great CISO (the ability to see the big picture, anticipate threats, and balance risk with business needs) gets clouded by exhaustion and cynicism. Perhaps most dangerously, burned-out CISOs often develop tunnel vision, focusing obsessively on certain threats while missing others entirely. When the person responsible for an organization’s entire security posture is running on empty, everyone is at risk.”
Burnout starts long before it is discernible, which makes the onset difficult to detect before it is almost impossible to retrieve. “It’s only when the sufferer is visibly no longer engaged with the job that it becomes apparent,” says Wetekamp.
“It’s a quiet disengagement from trying to move the organization forward with continuous improvement, which means it’s hard to identify and it probably started a long time ago.” The problem is a sufferer may still be going through the actions but with little conviction. Security has become a checkbox exercise.
It may not be until the CEO or board notices that the company isn’t doing things its competitors are doing that it says, “it doesn’t seem like we’re really focused on these things, and we’re not evolving our program. Those guys have brought in this new technology that does this and this, and I never even heard you push for it.” But the CISO is thinking, “Why would I? You never give me the budget, you never give me time, you never give me the resources.”
That’s when you know you’re dealing with burnout, says Wetekamp.
CISOs are continuously watching for and alleviating any sign of burnout in their own troops. But who watches the watcher?
The CISO is unique among corporate leaders. CIOs manage machines, CFOs manage spreadsheets. Problems exist, but one failure is unlikely to threaten the future of the company and the employment of all its staff. The CISO, however, is faced with a succession of problems, all different from different sources and none ultimately solvable. And this is done from inside every problem rather than overlooking the problems.
“So here it is, the uncomfortable truth,” says Andy James (founder at Custodian360): “no one is doing the same for the watcher. We talk about CISOs ‘protecting the team’, but we rarely talk about boards or senior leaders protecting the CISO. Too often, the watcher goes unseen until the damage is done.”
iRest
Prevention of, and cure for, burnout are two sides of the same coin: that is, managing the effects of stress even where the cause of stress cannot be eliminated. This applies to both the CISO and the security team. Methods will vary between different organizations, but there is at least one proven approach that can be applied for both prevention and cure: iRest (Integrative Restoration).
iRest was developed by Dr Richard Miller (a clinical psychologist and yoga enthusiast) in the early 2000s. In the 1990s he experimented with adapting yoga nidra (yogic sleep) for clinical use, and in 2002, he formalized his approach and called it Integrative Restoration (iRest). In 2006, he founded the iRest Institute to train practitioners and promote further research. The process gained real traction in the 2010s and has become one of the few yoga-based practices supported with strong scientific validation.
The primary purpose of iRest is to treat PTSD and especially C-PTSD. It is clinically proven. It doesn’t simply encourage passive relaxation but provides active neurotraining in both the prefrontal cortex and amygdala – and is used by the US military (and to a lesser extent the UK military) to treat both active personnel and veterans suffering from PTSD and C-PTSD.
It becomes relevant to burnout because of the close relationship between the two conditions. There is also a further parallel: neurodivergence can be a contributory factor to PTSD and neurodivergence is likely to be a multiplying factor for burnout. Neurodivergence is also statistically higher among CISOs than one would expect in the general population.
Burnout is the natural result of a perfect storm of conditions inherent to the work of a CISO: unmitigated and continuous stress, poor balance between work and home life, responsibility for the health of the team, plus personal neurodivergence. If burnout is unmanaged, it is almost the natural destination for a CISO.
Peter Coroneos (founder of not-for-profit Cybermindz) has been using iRest for more than three years for prevention and recovery from burnout – “To address burnout before it happens and restore cognitive and emotional resources at a time when they have never been more needed.”
Burnout is complex, but if it can be summarized, it is a complete loss of control and mental focus. iRest helps people prevent that loss or regain it if lost. It guides sufferers to locate what is known as their ‘inner resource’. Surprisingly, despite any degree of conscious disturbance, we all have this inner resource. It is a state possibly linked to a safe and happy time of life, but lost (perhaps more accurately, disconnected) by burnout.
“iRest,” explains Coroneos, “fundamentally uses a deep relaxation technique to guide people back into a part of their own psychology, which is always safe. It uses a 10-step process developed by clinical psychologist Richard Miller,” employing deep yoga nidra-inspired relaxation techniques to allow burnout sufferers to restore physiological health.
“What happens then,” he continues, “is that brain neurology starts to respond to the deep physiological rest, and sufferers start to regain a sense of safety and at least control.” By reconnecting with that inner resource, “We’re getting them out of the internal narrative that is keeping them awake at night or just eroding their sense of confidence. Instead, we’re getting them back into this moment. It breaks the out-of-control negativity bias, which is really a survival method but convinces people that things are worse than reality and everything is a threat.”
Once access to the inner resource can be achieved, burnout sufferers can begin to rationalize the beliefs and emotions and fears that drive anxiety. After about eight weeks of exercises, things begin to happen. The quality of sleep, for example, improves. From studies in Australia, about 46% of CISOs describe their sleep quality as bad or very bad, and sleep quality for CISOs is about two and a half times worse than for the average adult.
“The moment we can start to improve CISOs’ sleep, we’re able to give them deep physiological restoration. We’re replenishing at the cellular level – which is what sleep is designed to do. We’re getting down into deep REM sleep and non-REM – the absolute deep sleep – where you start to get immunological boosting, gene repair, and more.”
iRest was originally developed for, and has been successful in, treating PTSD patients. Coroneos uses it to treat burnout. He describes iRest as improving mental health at the operating system of our consciousness, rather than continuously tinkering with the application layer.
And it has an interesting side-effect. By teaching burnout sufferers to understand their own neurology, recovery has the potential to create a more effective CISO. For example, many CISOs suffer from an element of imposter syndrome (they must continually express safety when they know it is impossible), which has a negative effect on overall performance. iRest can teach people to handle imposter syndrome. Similarly, having been through burnout, a recovered CISO is likely to be more empathetic to his or her teams’ stresses – and empathy is a cornerstone of effective leadership.
Burnout is no longer a rare occurrence in cybersecurity. It is almost the natural and inevitable result of working in the industry. It was an occasional effect but is now epidemic and verging on endemic. It is particularly prevalent in CISOs because of their increasing, overall, always on, endless and futile responsibility for the whole company, its employees, and possibly other companies, employees and customers.
Furthermore, the early stages of burnout can effectively be contagious to the rest of the CISO’s own security team, who may not recognize the leader’s increasing irritability and lack of empathy for what it really is. They can become more stressed on top of their own stresses. Burnout can spread through the entire cybersecurity team.
But we are beginning to understand the cause and effect better. Prevention is better than cure, and both prevention and cure can be delivered by the clinically proven iRest protocol.

