Cybersecurity provides an exciting and fulfilling field of work. The latest practitioners’ perspective reveal burnout among the rank-and-file as the most disturbing trend among the field’s professionals. Andrew Tillman, the former head of cyber risk and assurance for the UK’s Health Security Agency, describes cybersecurity as potentially “the best job in the world.” Nonetheless, he admits mental health challenges can arise from the stresses that come with this type of work.
Curren Tillman, burning out Tillman has burnt out a few times in his four years at the agency. In this film, he shines a light on the weighty burden that cybersecurity professionals carry. “There’s always that conscious thought about ‘if it goes wrong, how could this impact the individuals on the street? How could it affect their jobs, their livelihoods?’” he notes. That pernicious expectation to protect everyone ramps up the anxiety and stress felt by everyone working in and around our industry.
The demands of cybersecurity roles are immense. As Tillman observed, it’s a profession that “seldom keeps you on the clock from nine to five.” He walks through the fact that even if they adhere to regular office hours, they’re never not on call. The ever-changing nature of cyber threats has them constantly on edge. “Threat actors don’t adhere to office hours,” he remarks, highlighting the 24/7 vigilance required in this sector.
Burnout isn’t just the purview of the most experienced, either. It’s an epidemic among early-career professionals as well. Lisa Ackerman, former deputy CISO at GSK, points out another huge trend. Staff turnover is especially acute in these roles, based on her observations from her tenure as CISO Council strategic lead at Cybermindz. Our 2024 annual Workforce Study finds that only 66% of workers are happy in their job. That is down four percentage points from last year. Ackerman claims that burnout in these entry-level roles stems from a “blame culture” entrenched in companies. In these environments, effort and success often lack proper acknowledgment.
Peter Coroneos, another veteran of the field, reiterates the necessity of maintaining mental health for those in cybersecurity careers. He makes the case that funneling younger, less experienced people into higher-stress positions is dangerous. These young workers specifically may not have matured cognitively and emotionally, impacting not only their well-being but the organization’s as well. “So, if you are recruiting people whose brains are not fully formed and putting them in high-stress roles, then you are potentially setting them up for long-term problems in terms of their own cognitive and emotional wellbeing,” Coroneos warns.
The reality of cybercrime further complicates matters. Just earlier this year, hackers cleaned out $1.5 billion (£1.1 billion) of digital tokens from the cryptocurrency exchange ByBit. North Korean hackers are advancing their cybercriminal skills every day. U.S. officials now believe that cyber theft makes up half of North Korea’s foreign currency. These types of incidents only increase the stress and pressure on cybersecurity practitioners, forced to defend against a dynamic and complex threat landscape.
Tillman shares actionable steps they can take if they’re headed towards burnout. He states, “If you think you might be burning out, you’re already on your way there.” He wants people to know so they can be aware of early warning signs. Watch for warning signs such as changes in sleep, eating, or exercise routines. “You should assume it’s on its way and work towards not allowing it to happen,” he advises.
The challenges that cybersecurity professionals face go beyond the individual stressor. It’s representative of a larger systemic issue within our industry. Ackerman lobbies for legislative protections that are similar to those extended to first responders like air traffic controllers and physicians. He says that the defenders of our cybersecurity terrain merit the same celebration and need the same support.
“We want to get to some kind of legislation for cyber teams like we have for air traffic controllers and doctors and pilots and people who are first responders. Which, in reality, cyber defenders are.” – Lisa Ackerman
As the cybersecurity field develops moving forward, ensuring a positive work culture for employees will be necessary. Tony, another industry insider, shares a sentiment echoed by many: “Many of us in cyber, we put our hearts into our job. There’s a lot of passion involved.” Yet, at the same time, he recognizes the perils that accompany that investment.
“It can be a bit of a dangerous place to be.” – Andrew Tillman