Battling Burnout in Cybersecurity
No organization is resilient without a healthy team. Cybersecurity maturity and resiliency must encompass workforce health. Leaders must treat burnout with the same seriousness as any other operational risk.
Posted: Thursday, Jan 15

Today’s AI-driven cyber threats are ceaseless and highly sophisticated, and the toll on defenders is daunting. An alarmingly high 85% of cybersecurity professionals anticipate leaving their jobs due to burnout. Burnout impacts our most important line of defense – our cybersecurity professionals.

Hack The Box and SecureWorld Report:

  • 84% of cybersecurity workers report stress, fatigue, or burnout.
  • 90% of CISOs express concern about burnout affecting their team.
  • 74% of professionals took time off due to stress-related issues. 

This mental health crisis is costing U.S. businesses around $626 million annually in lost productivity.  

Burnout is no longer a “soft” issue. It is a measurable threat vector. Security professionals report that 8 out of every 10 breaches are caused by burnout. If we fail to heed the signs of burnout, organizations risk losing good people and compromising their security.

Strategies must be implemented to mitigate burnout. First, strengthen morale within your teams. Next, ensure that policies are practical, actionable, and clearly communicated. Finally, the industry must push software providers to deliver products with fewer inherent vulnerabilities. By following these three strategies, organizations can better maintain the health and well-being of the cyber workforce.

Strengthen Morale Through Purpose and Recognition

Mitigating burnout starts with strengthening morale. Highlighting accomplishments, such as patching vulnerabilities or reaching compliance goals, gives the team a positive focus, reinforces what has been achieved, and shows that progress is possible in environments where progress often feels invisible.

As leaders, we must acknowledge and appreciate the heroic efforts of our cyber defenders, who are always “in the breach.” We expect them to be alert and ready to respond at all times.

Policy Governance Must Reduce Cognitive Load, Not Add to It

Transparent, up-to-date policy governance will reduce stress and confusion. The governance should include:

  • Proactively managing policy gaps.
  • Addressing aging policies before they become risks.
  • Establishing and enforcing robust exception management processes.

It is the job of IT and cybersecurity professionals to define policies and articulate the risks that drive them. Still, when exceptions are needed, policy reviews should also fall to business decision-makers. The expectation that IT-related teams must bear the full burden of authorizing policy violations places unnecessary pressure on them.

Create clear boundaries: IT and cybersecurity articulate the risk, and business leaders interpret it and decide whether to approve policy exceptions. If cybersecurity wants to update devices but a business reason prevents the updates, cybersecurity can articulate the risk, and business leaders should approve the policy exception. Risk identification and policy exception decisions should not rest solely with IT and cybersecurity.

An Industrywide Imperative: Reduce Vulnerabilities at the Source

There needs to be a broader industry shift; business owners must demand that software providers deliver products with fewer inherent vulnerabilities. Security teams are overwhelmed as they constantly battle a stream of purchased, yet-to-be-patched flaws. These battles can entail immense financial costs and place severe psychological burdens on cyber professionals.

Dedicated vulnerability management teams constantly patch and mitigate, only to face new vulnerabilities every day. With targets shifting weekly and the feeling of being “caught up” remaining out of reach, even the most resilient professionals feel like they’re treading water.

A software bill of materials (SBOM) is a good step toward creating a less stressful environment for cybersecurity teams. An SBOM provides a nutritional label for code: a list of components, libraries, frameworks, and modules within a software application. This listing offers visibility into dependencies, enables a quick assessment of exposure to known vulnerabilities, and serves as a baseline for continuous risk monitoring and compliance.
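To make the "quick assessment of exposure" concrete, here is an added example (not from the article or any vendor) that reads a CycloneDX-style SBOM and flags components older than the fixed version named in an advisory list. The SBOM, the component names and the advisory identifiers are all constructed placeholders, not real software or real advisories.

```python
# Added illustration: the SBOM and advisory list below are constructed sample data.
import json

# Constructed SBOM fragment in CycloneDX JSON layout (component names are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http-parser", "version": "2.4.1"},
    {"type": "library", "name": "example-crypto-kit", "version": "1.0.9"},
    {"type": "framework", "name": "example-web-framework", "version": "5.2.0"}
  ]
}
"""

# Constructed advisory feed: component, first fixed version, placeholder advisory id.
ADVISORIES = [
    {"name": "example-http-parser", "fixed_in": "2.4.3", "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "example-web-framework", "fixed_in": "5.1.0", "id": "ADVISORY-PLACEHOLDER-2"},
]

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def components(sbom_json):
    """Return {name: version} for every component listed in the SBOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}

def exposure(sbom_json, advisories):
    """List (component, installed, fixed_in, advisory id) for components below the fix."""
    installed = components(sbom_json)
    hits = []
    for adv in advisories:
        version = installed.get(adv["name"])
        if version is None:
            continue  # component not in this product, so the advisory does not apply
        if parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["name"], version, adv["fixed_in"], adv["id"]))
    return hits

if __name__ == "__main__":
    for name, have, fixed, adv_id in exposure(SBOM_JSON, ADVISORIES):
        print(f"{name} {have} is exposed: fixed in {fixed} ({adv_id})")
```

Run against a real SBOM, the same loop gives the team a daily answer to "are we affected?" without hand-searching each product, which is the baseline for continuous monitoring the paragraph describes.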

Workforce Health Is Cyber Resilience

Cybersecurity maturity and IT resiliency must now encompass workforce health. No organization is resilient without a healthy team. Burnout is not an individual problem—it is a reflection of structural pressures, accelerating threats, and incomplete processes.

Leaders must treat burnout with the same seriousness as any other operational risk. Boost morale through recognition and clear, practical policies. Reduce daily stress with empathy and consistent leadership check-ins—often more effective than new tools or policies. Investing in the workforce is investing in resilience. Burnout is a warning signal; responding to it is a strategic responsibility.

Greg Sullivan is the Founding Partner at CIOSO Global, LLC, specializing in cybersecurity and technology risk management. He advises clients on regulatory compliance and cybersecurity strategies, helping organizations design and implement risk-based cybersecurity capabilities. Previously, Greg served as Senior Vice President & Global Chief Information Officer at Carnival Corporation, leading global IT, innovation, and cybersecurity efforts. He also held leadership roles as CEO and CTO at Global Velocity, focusing on enterprise and cloud security. Greg holds a BS in Systems Science & Mathematics from Washington University in St. Louis and is a Certified Information Systems Security Professional (CISSP).
