CISO burnout is increasing. Are we simply more aware of the condition? Or have demands on the CISO grown and burnout is now the inevitable result?

Security Week, November 3, 2025

In 2019, burnout was defined by the World Health Organization as an occupational phenomenon rather than a medical condition. In 2025, this non-medical condition, initially given the same symptoms as a bad headache (exhaustion, negativism, and reduced efficacy), has become endemic within cybersecurity, affecting team members and CISOs alike.

Two things are clear: firstly, burnout is way different and more extreme than a headache, and we haven’t yet adequately learned to predict, detect, and prevent it. Secondly, burnout is not a disease; it is the name we have given to the symptoms of an unspecified disease (just as a headache is the visible symptom of an unspecified disease).

Clearly, we need to understand the cause of burnout (the underlying disease) and its treatment to be able to detect, prevent, and ameliorate the highly detrimental effect it has on its sufferers and their work.

Cause of burnout

The role of the CISO has evolved into the Chief Crisis Officer. Crises keep coming from multiple directions and seemingly infinite and often unknown sources – and those crises must all be solved. But there is always and immediately the next one. The requirement to gain and maintain cybersecurity is ultimately endless and futile. It is a job of never-ending and continuous stress, punctuated by periods of extreme stress, at any time of the day or night on any day of the week.

It’s made worse by the often-quoted problem of accountability without responsibility. CISOs are accountable for the security posture, the preparedness and the response of the entire organization when faced with a cyber crisis. But they have no authority to ensure everyone, throughout the organization, really does what he or she is supposed to do. CISOs are accountable for what happens, but not responsible for it.

“It’s like Mission Control on a space flight,” suggests Jim Wetekamp (CEO at Riskonnect). “Mission Control wasn’t responsible for building the ship (the company), they didn’t train the astronauts (the company employees driving the ship), and they didn’t plan the trip (the corporate objectives). They just execute in the moment, across all those different functions, having to trust that all the different pieces work.”

Other company executives have far greater authority in the more limited areas for which they are accountable.

Read the full article in Security Week.