Businesses must take urgent action to protect the wellbeing of cybersecurity professionals as high-pressure roles push many to burnout, a new study warns. Researchers highlight that stress and exhaustion in cybersecurity teams pose a direct risk to organisations, increasing the likelihood of mistakes and security breaches.

Cybersecurity teams work under intense conditions, managing constant threats, long hours and high expectations. Many professionals report feeling overwhelmed, leading to fatigue, reduced focus and even departures from the industry.

The study, by Lancaster University and published in the journal Information Systems Frontiers, found that many cybersecurity workers are stretched too thin. The industry’s talent shortage compounds the problem, forcing teams to do more with fewer resources.

A New Framework for Responsible Cybersecurity

The research introduces a five-layer model to help firms approach cybersecurity more responsibly:

  • Techno-centric: Systems must be secure by design, integrating cybersecurity into IT architecture from the outset.
  • Human-centric: Employee wellbeing should be a core part of security strategies, preventing burnout and supporting a diverse workforce.
  • Intra-organisational-centric: Cybersecurity should be a shared responsibility across all departments, not just IT teams.
  • Inter-organisational-centric: Firms must recognise their role in protecting partners, clients and supply chains from cyber threats.
  • Societal-centric: The broader social impact of cyberattacks must be considered, from financial harm to public safety risks.

Professor Niki Panteli from Lancaster University Management School, who led the research, said burnout among cybersecurity staff was an issue companies could no longer ignore.

“Our study highlights interesting findings for the cybersecurity sector to consider but perhaps the most concerning is the level of burnout that was reported amongst our interviewees and the risks this presents to not only individuals’ health, but that of organisations and wider society,” she said.

Professor Niki Panteli warns that cyberattacks can cause harm across society. (Photograph: Lancaster University)

Professor Niki Panteli added that the data “suggests that if firms want to act responsibly with their cybersecurity, there is a pressing need to foster a culture that prioritises employee wellbeing and a work-life balance, so that cybersecurity professionals can perform at their best without compromising their health.”

How Burnout Puts Security at Risk

Burnout in cybersecurity is not just a personal issue but has serious consequences for organisations. Studies show that:

Tired employees are more likely to make errors, miss threats or disengage from their work, leaving organisations exposed to cyberattacks.

Solutions: What Firms Can Do to Support Cybersecurity Teams

To tackle this growing problem, businesses must take proactive steps to protect the mental and physical health of cybersecurity professionals. Experts advise firms to:

Set Clear Boundaries on Working Hours

Encouraging employees to disconnect after hours and limiting excessive overtime can help prevent burnout.

Invest in Mental Health Support

Providing access to counselling services, peer support groups and stress management training can make a significant difference.

Automate Repetitive Tasks

Using AI and automation tools can reduce the burden of routine security monitoring, allowing professionals to focus on higher-priority threats.

Improve Workload Distribution

Hiring additional staff, outsourcing certain tasks, and rotating employees between roles can prevent excessive strain on individuals.

Foster a Culture of Cybersecurity Awareness

Embedding cybersecurity into company culture – rather than treating it as an isolated IT issue – helps ensure security is everyone’s responsibility.

Leadership Must Take Action

Professor Panteli warned that attacks on a company’s IT system resulted in fallout far beyond the organisation. “Cyberattacks don’t just impact the individual firms they target; they can generate ripple effects that are felt across supply chains and can touch all corners of society,” she said.

“And in this era of expanding digitalisation, when we are seeing a growing dependence on cloud computing and the boom in hybrid work, maintaining robust cybersecurity is a necessity.”

The professor said firms must “recognise and act on this urgently. As participants of this study suggest, this needs to be directed from the top down, with senior leaders taking a leading role in implementing responsible cybersecurity – but generate a culture where cybersecurity is seen as the collective responsibility of everyone.”