At the ISC2 Security Congress in October 2025, David Foote, chief analyst and research partner at Foote Partners, made a decidedly eye-catching point.
“The number of CISOs [chief information security officers] who are no longer in the field and have left it due to burnout is shocking,” he said. “Many employers are now obsessed with burnout as they’ve lost so many good people who are just incinerated on the job.”
This worrying situation is supported by the figures. The average tenure of cyber security leaders is now between 18 months and three years, compared with an average of 5.2 years among members of the C-suite in S&P 500 companies. While not every CISO who leaves their job will have experienced burnout, many are undoubtedly taking sideways career steps, not least to reduce their stress levels.
Martin Astley is CISO at central heating services provider 24/7 Home Rescue, as well as a mental health champion. He says: “On people leaving the industry altogether: some do, but more commonly they move sideways to become fractional CISOs or to work in consultancies or vendor roles because it gives them control back.”
As to what the warning signs of burnout or chronic and unmanaged stress are, Caroline Hughes, chief executive of consultancy at Conscious Leadership Development, believes they are on a spectrum.
“The early warning signs are a reduction in ambition and a narrowing down of the scope of work, which is about going into coping mode to get by,” Hughes says. “It doesn’t tend to be noticed as much as people are still performing at a high level and are delivering, but under the bonnet, there’s a sense of running to stand still.”
At a personal level, CISOs often experience changes in sleep patterns, leading to feelings of exhaustion. They may stop exercising or eating properly and resort to alcohol and recreational drugs to help them relax due to continuous feelings of anxiety and fears of what could go wrong. Disengagement from work and self-doubt are also frequent symptoms.
Obvious signs of burnout
Later, more obvious signs of burnout in a workplace context include leaders becoming generally less efficient. For instance, they may take longer to make decisions and require evidence and reassurance to ensure they have come to the right conclusion.
They might also become overly critical due to having lost perspective or even turn into micro-managers. The problem here is that “they no longer trust themselves, so find it difficult to trust others too”, Hughes says.
Another equally unfortunate manifestation of burnout, says Russ Kirby, CISO at identity management software provider Ping Identity, is poor decision-making: “Many people fall into the trap of working longer hours just to get the job done. So, they experience stress compounded by fatigue, which according to many studies has a negative impact on performance and is cumulative.”
At the “extreme end” of the situation, says Hughes, people often become less emotionally regulated, impatient, short-tempered and dictatorial. They also become increasingly erratic, withdrawn and transactional in their interactions and relationships with others. Losing the ability to prioritise and believing everything is a “hot topic” is another common manifestation.
“Look for noticeable shifts in tone or behaviour: someone who is normally quite balanced becoming more erratic, or people who are normally willing to take on complex work seeking reassurance about what will happen if things go wrong,” says Hughes. “It may seem like a sudden shift, but there are likely to have been subtle cues that were missed along the way.”
The big problem is that failing to nip the situation in the bud early on has serious consequences, both for CISOs and their teams. For cyber security leaders, both their physical and mental health are likely to suffer, eventually requiring them to take time off work to recover.
Others resign to get out of a situation they no longer feel is sustainable. Key indicators of resignation intent are cynicism, a sense of no longer being connected to their mission, and feelings of a loss of professional efficacy. This can also manifest as imposter syndrome.
The team impact of burnout
The impact of CISO burnout cascades across their teams too. Peter Coroneos is founder and executive chair of resilience training charity Cybermindz. He says that one of the first casualties if leaders are in survival mode is empathy.
“Empathy is governed by a hormone called oxytocin, which is released when humans work cooperatively together,” he explains. “But when someone is emotionally exhausted, strung out and not sleeping, oxytocin is likely to be low, which means people have a low capacity for empathy – and that can have an adverse impact on the team.”
As a result of this situation, Coroneos says, employees are likely to perceive their leader as someone “detached, uncaring and unsupportive, who focuses on the mission to the exclusion of the people”. Over time, team members are also likely to start demonstrating a degree of dysfunction themselves, leading to increased disengagement and higher churn.
Hughes agrees. “Even if team members have some sympathy, they start wondering which version of their leader they’ll get today, which drives uncertainty and creates anxiety,” she says. “At a fundamental level, it shifts the trust that exists between leaders and their teams as they set the tone and direction.”
Coroneos concurs that there is always a “degree of contagion” due to CISO burnout: “The situation often leads to conflict and the creation of a blame culture. It also leads to a drop in performance and can damage creativity and innovation. If teams are operating under constant stress, they’ll start losing capability and momentum, which ultimately means the organisation is less safe.”
This, he believes, is because the most valuable assets professionals have are their mental power, training and experience, which are highly contingent on their state of mind. “So, if people are under significant stress or burn out, you lose access to their skills, which constitutes an organisational risk requiring the same degree of preventative upkeep as a technical tool,” Coroneos says. “This isn’t about wellness or being touchy-feely – it’s about neurological performance.”
What can employers do?
As to what can be done about this troubling situation, Hughes believes that line managers and peers have an important role to play.
“People don’t want to tell the boss what’s going on for them as it’s seen as career suicide, so a certain delicacy is required in conversations,” she says. “But it can be as simple as saying, ‘Are you OK? I noticed you were a bit quiet today’, and taking action based on their response.”
Such action could include line managers talking to HR for guidance or recommending their CISOs speak to an occupational health professional for help.
“If we ask, people often inadvertently tell us all we need to know, but they don’t always listen to themselves and so aren’t necessarily aware of how bad things have become,” Hughes points out.
But in her experience, the solution is rarely just about tackling “wellness” issues. “Instead, it’s usually systemic and is about how work gets done, how teams are resourced, and if people are set up for success or not,” she says.
As a result, Hughes is a “fan of the ‘office of the CISO’ approach”. She acknowledges such ‘offices’ are often reserved for chief executives. But she believes they are a good way to help people in demanding roles deliver on their goals.
The idea here is that while CISOs retain their strategic remit and people development role, they appoint a “business” or “performance manager” as a “trusted confidante”. These functional experts drive performance and “keep the train running” in line with the priorities set by the CISO. They may even look after critical projects on their behalf.
Ping Identity’s Kirby benefits from just such a setup but has various leads for the different departments that report into him. These include technical, governance, risk and compliance, commercial and contracting, and strategic, which works on long-term roadmaps.
“The teams are led by people who can run their departments autonomously if I need to focus elsewhere,” he says. “A lot of CISOs have too many people reporting into them, so I’m in a privileged position as my team is bigger than many and it’s well structured.”
Another consideration, says Hughes, is using succession planning as a safe means of holding discussions around cover for “unexpected leave” events, which include the birth of a child. This makes it possible to train up an interim replacement and possibly restructure how work is done should CISOs need to take time off without losing face.
Investing in CISO mental health
Sarb Sembhi is founder of the Mental Health in Cybersecurity Foundation. He also suggests following the example of a specific FTSE 100 insurance company, which allocated eight days of work to be done in 10 days.
The idea here was to establish a baseline – which needs to be reviewed regularly – of how much work the team could complete over a two-week period to ensure it was neither overloaded nor underworked.
“It’s about establishing a baseline of what works well, which we’ve not always done in the past,” Sembhi says. “But once you work out what the baseline is, you can more accurately work out what budget and resources you need and make a suitable business case for them.”
Sembhi’s foundation is also working on a mental health promotion framework with the help of various community working groups. Based on nine core principles, which include time management, its aim is to reduce stress and burnout and increase resilience in the sector.
The framework will also signpost users to existing specialist services, such as counselling or group therapy, if required. The aim is to launch the first version to coincide with Mental Health Awareness Week on 11-17 May.
“With most other departments, the business isn’t vulnerable if they’re not at work, but the whole organisation relies on us being there, which means we have to find our own way forward with this,” says Sembhi. “But we’re not trying to provide a single, prescriptive approach as we recognise not everything will work for everyone.”
As for how Ping Identity’s Kirby keeps himself in good mental health, he puts it down to a variety of factors: self-awareness, which an executive psychologist helped him with a couple of years ago; having a supportive peer network and board behind him; and a healthy lifestyle, which includes exercise and a good diet.
“A lot of organisations are investing more in how they develop their executives to ensure they’re emotionally, not just operationally effective,” he says. “People are now becoming more and more conscious of the problem, so hopefully it’ll make a difference over time.”

