The Forgotten Human Factor in Cybersecurity
Burnout in cybersecurity professionals is an issue that can be addressed by changing the way other stakeholders view security.
As a psychologist entering the cybersecurity industry, I discovered the extensive skill sets required of CISOs, and noticed many professionals frequently changing employers or transitioning to advisory roles. Given that cyber attacks commonly exploit human vulnerabilities, “human factors” discussions are increasingly important — yet one critical aspect remains overlooked: the wellbeing of security professionals themselves.
Over Half Experience Extreme Stress or Burnout
According to Forrester, 51% of cybersecurity professionals encounter extreme stress or burnout throughout their careers. The WHO defines this state as involving:
- Feelings of energy depletion or exhaustion
- Increased mental distance from work, or feelings of negativism or cynicism
- Reduced professional efficacy
Burnout extends beyond the workplace, affecting families and quality of life. Recovery proves difficult, and those who emerge face lifelong increased risk. This drives professionals to change jobs, take sick leave, or leave the industry entirely.
Workload Isn’t the Whole Story
While resource imbalance contributes to burnout, many security professionals report they could fulfill their roles with better working environments despite heavy workloads. The real challenges include:
- Professional isolation, creating an “us versus the organization” dynamic
- Difficulty securing stakeholder cooperation for security improvements
- Limited employee engagement support
- Insufficient budget or control over budget decisions
- Multi-year implementation timelines due to bureaucracy and misunderstanding
The responsibility of protecting organizations becomes unbearable when professionals lack adequate time, cooperation, and resources.
3.5 Million Unfilled Positions
Cybersecurity faces a severe talent shortage, with 3.5 million unfilled positions in 2021. As industries increasingly digitalize, this gap will widen. Burnout represents a concerning trend that urgently requires attention — we cannot afford to exhaust the professionals we have.
Recent peer-reviewed research confirms that human performance degradation in cybersecurity is a critical risk factor and requires immediate attention (Nobles, 2022).
Addressing Burnout
The science is clear: recovery requires stopping work and engaging in non-work activities. To prevent burnout, organizational leaders should:
- Proactively learn and understand cybersecurity risks, approaching security constructively rather than skeptically
- Integrate security professionals throughout the organization rather than isolating them
- Demonstrate that cybersecurity is everyone’s responsibility through organizational culture
Current cybersecurity professionals represent invaluable, irreplaceable global talent. Their knowledge must be leveraged to train the next generation. Losing them carries significant organizational peril.