The realities of CISO burnout and exhaustion

Amid relentless cyberattacks and shrinking support, CISOs are experiencing historic levels of burnout—putting both critical infrastructure and enterprise resilience at risk.
CISOs are facing unprecedented challenges to their mental health due to today’s rapidly evolving threat landscape. They are often held accountable if a breach or disruption occurs, and the average tenure for a CISO tends to decrease significantly after such incidents. This constant pressure makes it difficult for them to find peace, let alone get a good night’s sleep. Meanwhile, threats are increasing in speed and complexity, but budgets and board interest are starting to decline: a bad combination.

Proofpoint reports that CISOs are experiencing a record level of burnout. 76% of CISOs feel they are at risk of experiencing a material cyberattack within the next 12 months. Another survey finds that many CISOs operate in an environment where their roles are misunderstood, under-supported, or burdened with unrealistic expectations.

CISOs occupy one of the most pressure-packed seats in modern organizations. They have become accustomed to constant fatigue while protecting intellectual property, customer data, and brand reputation, and ensuring regulatory compliance—all while balancing technology, law, business strategy, and crisis management. Yet, while cybersecurity news often highlights major breaches or zero-day exploits, it rarely addresses a quieter, ongoing problem: CISO burnout and the deeper, systemic problem of security exhaustion.

Regardless of the industry—be it healthcare, financial services, utilities, or transportation—critical infrastructure will always be a target. This ongoing threat transforms professional fatigue into a national security concern.

Why do CISOs burn out?

The role of a CISO has evolved significantly. According to Cybersecurity Dive, CISOs around the world now have more authority and influence in corporate governance, with more reporting directly to the CEO than ever before. The days of a CISO focusing solely on technical tasks are over. Today’s CISO is actively involved in risk management, strategic planning, revenue generation, employee training and awareness, physical security, recovery, and more.

Here’s a sample of what CISOs juggle to be successful:

24/7/365: Cyber risk is a constant, not a project with a clear end date. Attackers probe for weaknesses at all hours, meaning the threat environment never rests. For CISOs managing critical infrastructure, this ongoing vigilance means sleepless nights—downtime isn’t just a financial concern but can also threaten public safety.

High-stakes accountability with low-level control: CISOs are increasingly held accountable, even though their actual control can be limited. Boards, regulators, and even national authorities increasingly hold these leaders responsible for security incidents. Yet they must rely on operational technology (OT) teams, outdated systems, third-party vendors, and the everyday actions of employees—any of which can become an attack vector.

At the same time, there is often a mismatch between the resources provided and the expectations placed on CISOs. Effective security requires skilled staff, advanced tools, and constant training—yet many organizations, especially public utilities or municipal systems, struggle with limited budgets and personnel. The result is CISOs feeling like their enterprises are one incident away from disaster.

Complex regulatory overload: Regulatory compliance compounds this pressure. Critical infrastructure CISOs must navigate overlapping compliance frameworks, which is a maze of acronyms: NERC CIP, HIPAA, TSA directives, and a growing list of cybersecurity performance goals from agencies like CISA. While following these frameworks is necessary, the sheer volume of audits and paperwork can divert time and attention away from actually reducing risk.

Recovering from incidents: The work does not pause after an incident occurs. Each attack, audit, or compliance request can set off days or weeks of reactive cycles, especially for CISOs in sectors like healthcare or energy. Recovery isn’t just about restoring data and systems; it also requires re-establishing communications, resolving vulnerabilities, and conducting post-mortems. The result is a sense of no true downtime, only the anticipation of the next incident.

Isolation and expectation management: Finally, CISOs often face professional isolation as their role evolves. Collaboration with C-suite counterparts—many of whom come from non-technical backgrounds—can be challenging, requiring effort to build trust and integrate lessons learned. At the same time, CISOs must clearly communicate technical risk, advocate for risk-reduction resources, and help reinforce strong governance and clarity of authority for security programs across the organization.

What security exhaustion looks like

Burnout and exhaustion show up in predictable, yet sometimes subtle, ways. Recognizing these warning signs early, both at the individual and organizational level, is essential to prevent long-term declines in resilience.

  • Cognitive fatigue: Difficulty concentrating, diminished decision-making quality, and reduced ability to think strategically, especially after long stretches of incident response.
  • Reactive leadership: A preference for short-term firefighting over building sustainable resilience.
  • Attrition and turnover: Burnt-out CISOs, analysts, engineers, and consultants leave, taking institutional knowledge with them. This problem is particularly severe in critical infrastructure, where sector-specific expertise takes years to build.
  • Risk blindness: Over time, defenders can become desensitized to alerts and threats, increasing the likelihood of missing important signals.
  • Reduced innovation: Exhaustion drains curiosity and motivation, making it harder to explore new defensive technologies like zero trust architectures or OT network segmentation. Groupthink can undermine creativity for the sake of completing tasks.

Patching the vulnerabilities

Beyond the human cost, CISO burnout has measurable organizational — and societal — impacts.

  • Operational fragility: Overreliance on a few senior leaders creates single points of failure. In critical infrastructure, that fragility can translate into cascading service disruptions that affect entire regions and key assets.
  • Compliance risk: Exhausted teams may miss audit deadlines or fail to implement required controls, leading to regulatory penalties and reduced stakeholder trust.
  • Increased incident likelihood: Reactive teams struggle to maintain threat intelligence, patch management, and incident detection. In OT environments, those gaps can lead to operational shutdowns or physical damage.
  • Talent drain: A reputation for poor work-life balance makes it even more difficult to attract experienced cybersecurity professionals—a problem that is already especially challenging in the utilities, healthcare, and transportation sectors.

How to reduce burnout

Align authority with accountability: If CISOs are responsible for outcomes that affect national or public safety, they need the corresponding authority and budget to match that responsibility. This means having the power to make decisions over third-party vendors, technology upgrades, and what risks the organization is willing to accept. In regulated sectors, boards and regulators should ensure security leaders are empowered, not just held accountable.

Make security a shared responsibility: Security shouldn’t rest on the shoulders of a single team. By embedding secure-by-design principles into engineering, OT, and business processes, organizations can ensure that everyone—from line managers and engineers to plant operators—takes ownership of basic cyber hygiene. This approach not only reduces the workload on security teams but also strengthens the organization’s collective defense posture.

Build a war room, not a warzone: Incident response should be structured, not chaotic. Conduct regular tabletop exercises involving both IT and OT stakeholders. Clear playbooks and delegation frameworks prevent all crises from escalating to the CISO’s desk and beyond.

Embrace work-life balance: Establish structured on-call rotations and ensure that staff have adequate recovery time after major incidents. Encourage leaders to prioritize time off and set an example by maintaining healthy boundaries. For critical infrastructure CISOs, this may involve creating deputy roles or appointing regional alternates to avoid relying on a single individual. Security work is inherently stressful, particularly when public safety is at stake. Provide access to confidential counseling, employee assistance programs, and peer support networks. It’s also important to normalize open conversations about mental health among executives and at industry conferences.

Give people their recognition: Publicly acknowledging the work of the CISO and their team helps retain top talent and fosters a supportive, positive culture throughout the organization.

Tackling burnout requires changes at both the organizational and individual levels. Companies need to invest in people, improve processes, and implement automation so their cybersecurity teams can do their best work, instead of just getting by. A truly sustainable cybersecurity program protects not only data and systems, but also the well-being of the people responsible for defending them.

In the end, defending critical infrastructure is not only about technology; it’s about endurance. And endurance requires care, balance, and the recognition that cybersecurity is a human mission as much as a technical one.

Brian Harrell currently serves as the Chief Security Officer for a large energy company with assets and operations in 25 states. He is a former Assistant Secretary for Infrastructure Protection at the Department of Homeland Security.

David Mussington, CISSP, served as CISA’s Executive Assistant Director for Infrastructure Security and now serves as Professor of the Practice at the University of Maryland.