Businesses are paying the price for CISO burnout | Computer Weekly

By Computer Weekly
April 10, 2026

Burnout among chief information security officers (CISOs) is not just a personal disaster for those concerned. It also constitutes a high, and costly, risk for the business.

But in the face of rising threats and limited resources, the problem is “more serious than most people realise until they’re in the seat”, says Martin Astley. He is CISO at central heating services provider 24/7 Home Rescue and a mental health champion.

According to Proofpoint’s 2025 Voice of the CISO report, for example, a huge 63% of cyber security leaders have either personally experienced, or witnessed, burnout among their peers over the past year.

A key issue here, says Astley, is that the CISO role has “quietly become five jobs in one”, which is significantly more than most other professions. These jobs include strategist, operator, board adviser, crisis manager and compliance lead, plus acting as emotional support for the team.

To make matters worse, the always-on nature of incidents, together with ongoing audit and regulatory pressures, makes it hard for CISOs to switch off. Chronic skills shortages, and the resulting strain on available team resources, play their part, too.

“Threats are accelerating, including AI-driven scams and deepfakes, the attack surface keeps expanding, and expectations keep rising faster than budgets and headcount,” says Astley.

But there are also other drivers behind the problem. “CISOs are held accountable for enterprise-wide risk, but many still don’t have enterprise-wide influence,” he adds. “That mismatch is corrosive, and turns the job into permanent responsibility without permanent control.”

Burnout as a predictable human response

Peter Coroneos, founder and executive chair of resilience training charity Cybermindz, agrees.

“It’s about predicting how to manage and control things that aren’t fully within your purview,” he says. “This means you may have the responsibility, but you’re not capable of managing all the risk factors, which include someone clicking on a link downstream in the organisation, especially if they’re working from home.”

Another contributory factor is the lack of control many CISOs have over the budgets available for them to deliver on strategy. It means they can end up in a “constant battle for resources” with other functions. This situation tends to be particularly difficult if the board has unrealistic expectations, requiring them to take a “zero incident” rather than a managed-risk approach.

Should a breach occur, though, says Coroneos, it is the CISO who has to manage the fallout. But they can also find themselves scapegoated, particularly if organisations have a blame culture and need a “sacrificial lamb”.

“CISOs are brought in to protect the organisation’s assets, and when they do so, no one notices and their success is unseen,” he says. “But failure is high-profile and can make front-page news, with the board, regulators and even Parliament getting involved.”

Given this difficult situation, Coroneos believes it is unsurprising that many CISOs are experiencing the chronic, unmanaged stress that leads to burnout.

“There’s nothing inherently wrong with these people and they’re often excellent at what they do,” he says. “But if anyone is subject to threats that exceed their capabilities to manage and adapt to, burnout becomes the predictable human response.”

The danger of short tenures

As Astley points out, however, burnout is a serious problem – and not just due to the harm it causes to individuals and their wellbeing. Another key issue is the “real risk” it creates for the organisation “when decision-making, reliance and leadership continuity start wobbling”, he says.

This means that if employers fail to address the situation, there are serious repercussions. One of the most obvious is CISO churn rates. The average tenure of cyber security leaders is now between 18 months and three years, compared with an average of 5.2 years among members of the C-suite in S&P 500 companies.

Stephen Boyce is director of digital investigations at Magnet Forensics. He indicates that when some CISOs leave their jobs, they simply go elsewhere to find less gruelling roles or move sideways, into fractional, consultancy or supplier positions. But many are now choosing to leave the already-understaffed profession altogether, which includes opting for early retirement.

Caroline Hughes is chief executive of consultancy at Conscious Leadership Development. A big concern with average tenures being so short, she believes, is that organisations do not have enough time to undertake effective succession planning or even put a suitable talent pool together.

“It’s a leadership sustainability issue at both the individual and organisational level,” she says. “If you’re constantly replacing people, it’s very disruptive in terms of teams and governance – and how can you give the executive committee confidence in the long-term strategy if there’s continual short-term churn?”

Astley agrees: “The bigger issue [than people leaving the profession] is the pipeline. Almost half of CISOs reportedly don’t have an adequate internal successor lined up, which tells you how thin the bench is.”

The business risks of CISO burnout

Another point here, he warns, is that short tenures barely give incumbent CISOs enough time to assess risk properly, let alone deliver multi-year transformation initiatives. The upshot tends to be reactive and fragmented “stop-start security programmes” that force teams into a “constant ‘reset’ mode”.

Other challenges include “control gaps, delayed projects and reduced resilience”, he says. “The risk isn’t theoretical: attackers exploit disruption and distraction, and turnover causes exactly that.”

But burnout also has implications even while CISOs are still in post. Coroneos points to the three main indicators that trouble is afoot: emotional exhaustion, cynicism and a fall in professional efficiency.

While the implications of the first are more personal, making everything feel like a slog, the latter two are key predictors of an intention to resign, he says. This is because they strike at the reasons CISOs do the job in the first place.

Boyce, meanwhile, believes the risks of this situation are “compounding”.

“Burnout translates into missed signals and decision fatigue, which over time leads to disengagement, slower decision-making in a crisis, and lower-quality risk communications,” he says. “In other words, quality is lower and there’s higher pressure on teams, which erodes resilience. The problem here is that cyber resilience is directly tied to business resilience.”

Astley agrees. Key organisational risks include “slower incident response maturity, weaker governance, inconsistent risk acceptance decisions, and reduced credibility with auditors, insurers and regulators”, he says. “And when the security leader is burnt out, it often cascades onto the team, which generates a wider retention problem.”

The direct costs of CISO burnout

But, inevitably, there are also costs attached to each of these issues. John Skipper, a digital trust and cyber security expert at PA Consulting, estimates that the total financial impact to the FTSE 100 of CISO burnout could be as high as £200m per year, or an average of £2m per company.

For instance, according to job listings website Indeed, the average base salary for a UK cyber security leader is £117,000. Recruitment agencies generally charge between 25% and 30% of this salary to find and screen new appointees, a cost that quickly mounts up if it happens every 18 months.

But in the run-up to a burned-out CISO’s resignation, they are unlikely to have worked productively, resulting in the business not getting value for money. They may also have had to take paid leave due to ill health.

Other direct costs to the organisation include having to pay the salary of a temporary or interim replacement who will inevitably take time to get up to speed, leading to further productivity lags. Then there are the sign-on packages, onboarding, training and transition costs associated with a new starter.

“You’re probably looking at between £600,000 to £700,000 of direct costs, plus the potential cost of any incident,” says Skipper. “The hidden costs are very significant, too, though, and probably even dwarf the direct costs.”

The indirect costs of CISO burnout

These indirect costs include a loss of institutional knowledge, particularly if processes have not been well documented. Decision-making is likely to be delayed and projects deferred due to a lack of security expertise – or, even worse, security can simply become an afterthought.

Another common problem relates to higher cyber security insurance premiums, or even a refusal by insurance companies to cover claims in some instances.

Boyce explains: “Many underwriters take it into account if companies have someone in place who can reduce the likelihood of a claim. But if they notice a revolving door every 12 to 36 months, they’ll take notice of that and, when it comes time to renew, it’ll result in higher premiums.”

But there are other challenges, too, says Astley. These consist of the “increased likelihood and impact of incidents, staff turnover in the security team [due to low morale], slowed delivery across IT, and reduced confidence at board level”.

As a result, he believes the total CISO replacement cost could amount to more than 200% of salary “once you account for lost productivity and disruption”. But, he adds, most organisations underestimate the situation as such costs are spread across different departments, such as HR, IT, risk and legal, and different timescales.

Therefore, Astley says: “The implication is predictable: companies underinvest in prevention, such as support, structure and headcount, and overpay later in churn and incidents.”

Unsurprisingly given the currently unsustainable situation, he expects to see more cyber leaders taking on ‘portfolio careers’ as fractional CISOs, consultants and fixed-term roles to protect their own physical and mental health. Thus, “organisations that don’t build a bench will keep getting whiplash from turnover”, he warns.

As to what employers can do about the situation, Astley believes it is now imperative to design the job “like it’s meant to be survivable”. This means setting realistic expectations and a clear scope. It means ensuring CISOs have genuine authority and enough employees to deliver on strategy. It also means providing them with “air cover at the executive level, not just responsibility”.

“Organisations that treat security as a true business function and design proper support will improve retention and outcomes,” he says. “But the ones that keep treating CISOs as a shock absorber for every risk will continue to burn people out and then act surprised when they leave.”
