Cyber professionals in the APAC region are no strangers to work-related stress.
Reports indicate that the majority of cyber workers in the region suffer from burnout, with up to 9 in 10 employees affected in some way. Causes of burnout include lack of resources and alert fatigue, which leads to anxiety or disengagement in employees.
Senior executives at Australian cybersecurity firm Tesserent have offered some advice to CISOs looking to preserve their mental health in the cybersecurity industry. The recommendations are part of Australia’s RU OK? Day, a mental health initiative.
Why CISOs should focus on mental health in cybersecurity
Mental health issues affect many professions within the cyber industry. CISO positions, in particular, are known to be high-stress positions, in part due to an environment of constant and increasing threats.
This stress has led some workers to make drastic career changes. Globally, Gartner expects nearly half of cybersecurity leaders to change jobs by the end of 2025, with about a quarter of them leaving their jobs to pursue other roles. Meanwhile, cyber industry body AustCyber estimates that Australia will face a shortfall of 17,000 security workers over the next two years.
Burnout causes cyber professionals to leave the industry
Tesserent's top executives have seen cybersecurity burnout in Australia first-hand.
Patrick Butler, managing partner of managed and professional services, said he knows of “several” CISOs who have left their roles and chosen different cyber careers or roles outside of security incident and response.
Jason Plumridge, CISO at Tesserent, has also witnessed the stress and pressure that other CISOs are under.
“I estimate that on average, CISOs and other security leaders leave jobs due to stress and lack of support 50% of the time,” he said. “But global statistics indicate that the attrition rate is higher.”
Mark Jones, a senior partner at Tesserent, said he has also seen “a lot of people burn out and give up on cybersecurity.”
“I know at least five former senior professionals who left the industry because the pressure was too much,” he said. “A lot of work is required outside of work hours, and this can affect personal relationships and a person’s well-being.”
Meanwhile, Silas Barnes, senior partner for offensive security services at Tesserent, has also seen several CISOs leave due to stress and pressure. “One resigned and took a whole year off to recover,” he said.
How CISOs can manage their mental health
Prepare well
Butler was “not fully prepared” for the stress of cybersecurity when he entered the industry 16 years ago.
“It took me a long time to learn how to manage this stress, and even now I haven’t fully succeeded,” he said.
There's one moment in particular that stands out for him. In 2017, Butler suffered exhaustion and health issues after an adversary simulation exercise, where his team spent more than a week simulating a sophisticated threat actor inside the network. He said that by the end of the week, “it took them months to recover from the absolute exhaustion and burnout.”
CISOs can better cope with stress and pressure if they understand their own weaknesses, measure the risks and prepare for the worst, Butler said.
“Being well prepared reduces stress during an incident,” he explained. “It is important to share responsibility for security risk across the organization.”
Compartmentalizing work and life
CISOs must separate the stress of cybersecurity work from their personal lives.
Barnes said he suffered from burnout and exhaustion during his career in security. In his case, the stress and pressure affected his sleep and his ability to disconnect from work during his off-duty hours.
“The combination of critical responsibilities, high pressure and devastating consequences of breach events can make it difficult to unplug, even when on vacation,” he said.
Butler advises CISOs to strengthen their physical and mental compartmentalization capabilities.
“Find a way to protect your personal time so you can disconnect and teach your mind that you have transitioned from work to personal time,” he explained, noting that this approach can allow cyber professionals to “leave the problems of the day behind.”
Delegate tasks
Plumridge agreed that it is critical to separate work from personal life by creating boundaries. He said CISOs should also strategically delegate tasks to team members to alleviate their own stress.
“While the CISO role requires a 24/7 contact capability in the event of a security incident, this does not mean you have to be personally available 24/7, mentally and physically,” Plumridge explained.
CISOs must assess and prioritize requirements based on risk and impact to manage time and stress. “CISOs must trust their colleagues’ ability to continue to meet their role requirements when you are unavailable and avoid micromanaging every event,” he said.
Practice basic mental hygiene
Basic mental health and well-being are critical for high-level cyber professionals to stay at the top of their game. Barnes recommends that cyber professionals make time for physical activity, maintain a healthy diet, and monitor their alcohol consumption.
For example, he took up skydiving as a way to disconnect from work, reduce stress and immerse himself in the moment.
“Aside from jumping out of planes, I also make sure to take reasonably sized breaks when I take vacations, making sure they last longer than a day or two, to give me a chance to fully relax,” he said.
Focus on continuous improvement, not perfection
Plumridge said CISO roles have become complex and all-encompassing. The role creates a significant number of priorities that compete for attention and action. He said CISOs should recognize that “some of them they can control and some they can’t.”
Barnes explained that CISOs can only do the best they can.
“Don’t waste time striving for perfection and don’t beat yourself up for not being perfect,” he said. “Instead, focus on the value you bring to your organization and on continuous, sustainable improvement.”
Recognizing the impact of social media
Security leaders should evaluate how much time they spend viewing content from other cybersecurity professionals and business leaders on enterprise social media platforms, Barnes suggested, because it can have negative effects on mental health.
“The increased pressure to develop a personal brand or be seen as a ‘thought leader’ by the wider community can lead to feelings of insecurity, incompetence and anxiety in those focused on their daily work,” he said.
Instead, CISOs should focus on their own personal journey and avoid comparing themselves to others. The image presented by other professionals on social media platforms does not necessarily reflect the reality of work in the sector, Barnes said.
How organizations can protect mental health
Making cybersecurity a shared responsibility within organizations
Tesserent executives argue that cybersecurity should be a shared responsibility among everyone in an organization.
“The CISO must feel supported by the entire senior leadership team because cyber resilience is a shared responsibility,” Barnes said.
Kurt Hansen, CEO of Tesserent, said that listening to what CISOs say they need in order to protect the organization, its people and its customers will help support the mental health of the cybersecurity team.
A good business structure can thwart cybersecurity threats
A robust enterprise structure is needed to manage cyber threat containment and eradication efforts around the clock. Butler said this extends beyond incident response teams or the security operations center to IT and management teams, which must be “available 24/7 in the event of a major crisis.”
“Often, organizations have not anticipated this, creating a significant risk of not having key resources available or burnout in teams working around the clock,” he explained.
Employers should “recognize that employees are human,” Butler said, and create processes, structures and strategies that minimize the risk of burnout or stress.
“This is not only good for people, but it is essential to effectively manage risk and eradicate threats,” he added.
Investing in cybersecurity technologies and talent
Organizations need to invest in the technology and talent needed to adopt the best possible cybersecurity posture.
Plumridge said that for many CISOs, the inability to secure the necessary investment in cybersecurity technology to bolster an organization's security can cause additional job stress.
Employers must also understand that processes and other non-technical human factors affect security posture, not just technology.
Plumridge advised that companies “be prepared to pay market prices for organizational security and to obtain the skills and experience they need.”