
Cybersecurity Is Battling A Mental Health Crisis – Here’s How To Solve It
The cybersecurity industry is experiencing an unprecedented mental health crisis as its teams and specialists work day and night to battle a growing barrage of ferocious artificial intelligence-based cyber threats. This is evidenced by countless studies painting a dire picture for the mental wellbeing of cybersecurity experts.
A survey conducted by the Chartered Institute of Information Security found that 55% of security professionals struggle to sleep well due to long work hours, with 39% sharing that the fear of suffering a cyber attack hurts their ability to relax at home. Meanwhile, a study from cybersecurity firm Splunk shows that 35% of British chief information security officers (CISOs) feel stressed and overworked frequently. Consequently, 23% of them are currently looking for a new job.
In addition to long working hours, cybersecurity professionals may experience stress and burnout due to a lack of time off, unsupportive employers, a continued need to keep up-to-date with a fast-evolving cyber threat landscape, internal skill gaps, and so much more. The result is cybersecurity professionals struggling to do their jobs effectively, which puts organisations at greater risk of breaches and hacking. So, what can they do to better support staff?
High Levels Of Burnout And Stress
The state of mental health in the cybersecurity sector is rapidly declining as a result of the 24/7 cyber threat landscape, AI-fueled cyber attacks and the growing expectation that cybersecurity professionals must always be readily available to tackle these threats, according to Peter Coroneos, founder of non-profit Cybermindz.
Due to the unrealistic nature of an always-on workplace culture and the burnout this creates, he warns that many cybersecurity professionals may feel that they aren’t performing effectively. Coroneos describes this as “a key predictor of resignation intent”, which could be costly for an industry already plagued by a well-reported skills gap.
At the same time, imposter syndrome is becoming more common in the cybersecurity industry. Coroneos attributes this to some cybersecurity professionals’ inability to recognise – or celebrate – career successes and milestones, leading them to doubt their skills and feel inadequate. He says this typically happens when cybersecurity professionals feel invisible due to a workplace culture where incident prevention is the absolute focus and achievements aren’t recognised.
Coroneos tells ISMS.online: “As a result, even highly competent individuals may feel they are not meeting expectations, further diminishing their sense of professional efficacy and increasing the risk of burnout.”
When cybersecurity professionals start to experience fatigue from a constant barrage of threat notifications and believe they need to be hypervigilant to succeed in their roles, anxiety and exhaustion soon follow. And this can have enormous ramifications for employers. Coroneos explains: “The net effect is a workforce struggling to keep up and at risk of making errors which may carry serious downstream effects.”
Another major challenge in the cybersecurity sector is blurred lines between professional and personal life, warns Max Rogers, senior director of the threat operations centre at endpoint detection and response platform Huntress.
With threat actors now operating right around the clock and in all corners of the globe, IT security professionals are working similarly exhaustive hours to mitigate rising cybercrime. Because of this, Rogers says many specialists experience disrupted sleep schedules, contributing to burnout.
Artificial intelligence is a leading cause of these issues and has a two-fold impact. First, many cybersecurity professionals may fear displacement by AI systems in the near future – a common concern across all industries. Second, the rise of AI tools allows malicious actors to scale their attacks and makes them harder to detect, increasing the workload of already-stretched cybersecurity teams.
Nivedita Murthy, principal security consultant at application security firm Black Duck, says AI-fueled attacks mean cybersecurity professionals have no choice but to be constantly alert and up-to-date with the latest techniques employed by hackers. She continues: “This does cause a lot of stress and at times may lead to imposter syndrome.”
The common occurrence of industry layoffs and restructurings also adds to the growing stress experienced by cybersecurity professionals, says Pierre Noel, field CISO of EMEA at managed detection and response experts Expel.
Describing the cybersecurity sector as “demanding”, he says those holding down cybersecurity jobs often struggle to find time for themselves because they constantly work long hours. And when cybersecurity professionals do manage to take a well-deserved holiday or attend a family event, Noel warns they’ll likely be roped into working at some point.
Identifying Struggling Employees
When it comes to improving mental health in cybersecurity teams, an essential first step is for managers to understand common signs and symptoms of poor mental wellbeing. Coroneos of Cybermindz urges managers to look out for behavioural changes in their employees, like irritability, mood swings, decreased socialising, and physical symptoms such as regular headaches and fatigue.
Feeling hopeless, anxious and burnt out is also a common emotional state experienced by those with poor mental health, adds Coroneos. These mental and physical signs may be followed by poor performance. That’s often evident when employees miss deadlines and submit poor-quality work.
This sentiment is shared by Rogers of Huntress, who advises team leaders to get to the bottom of the issues preventing security professionals from shutting off after work. They should ask themselves whether their monitoring systems are comprehensive enough to identify the latest cybersecurity threats, whether teams are working reasonable hours and whether any single points of failure exist in the security operations centre (SOC).
Tackling Poor Mental Health
Once cybersecurity leaders know what to look for, they can begin taking proactive steps to support staff and ultimately create a workplace where everyone can thrive. For Cybermindz’ Coroneos, these steps should include clear work hours, uninterrupted annual leave and safe spaces “where discussions around mental health can be normalised and not seen as a sign of personal weakness or failure”.
Given the growing workloads of cybersecurity professionals, Huntress’ Rogers asks managers to consider if automated threat detection tools and alerts can be used to “offload stress” and “provide assurance that critical issues will be identified and escalated appropriately”. Investing in such technologies will enable companies to maintain 24/7 cyber defences and ensure cybersecurity professionals can rest outside of office hours.
Of course, there will be times when organisations experience major cybersecurity incidents at ungodly hours and require all hands on deck to get systems back up and running. When this is the case, Rogers says employers will need to provide staff with suitable rest breaks, food and flexibility so they are energised to complete difficult tasks.
But even before cyber attacks occur, he says businesses need to implement clear incident response plans and set clear boundaries around on-call incident handling. Doing so will allow employees to “contribute effectively without the constant pressure of being always on”, he claims.
At managed detection and response company eSentire, having enough leadership staff to support analysts is the key to running a healthy and effective security operations centre. Ciaran Luttrell, who leads these efforts as vice president of global SOC operations at eSentire, says the company’s team leaders perform a vital role in its cybersecurity department by recruiting, coaching, supporting and mentoring staff. The company also champions career progression and continual improvement in its SOC.
And crucially, all staff are obligated to take their annual leave so they can recharge their batteries and avoid burnout. Luttrell says: “Security can have a ‘hero culture’ – we love to be the ones saving the day, defending the business – but this can lead to people being too invested in work and not taking the time to recover and de-stress.”
Communication is paramount, too. Matt Wilson, UK wellbeing lead at IT support provider Computacenter, encourages cybersecurity leaders to check how staff feel regularly. He tells ISMS.online: “Checking in once is helpful. Following up consistently shows you care, helps maintain connection, and reinforces that support is ongoing, not a one-time offer.”
Implementing a professional framework like ISO 27001 can also improve the mental wellbeing of IT security staff by helping them prioritise the critical risks and automating basic, admin-heavy tasks. In fact, Noel of Expel calls it “a powerful” tool that will “ensure security teams have not left any stone unturned”.
Personal Steps
While employers have a responsibility towards staff wellbeing, there are also ways for cybersecurity professionals to foster and maintain healthy mental wellbeing on their own. One of these is using the Integrative Restoration (iRest) technique, which Coroneos of Cybermindz claims makes people more resilient.
“iRest is a structured, evidence-based protocol that helps individuals manage stress, improve sleep quality, and bolster emotional resilience,” he explains. “Originally applied in military settings and now adapted for the cybersecurity sector, iRest has been shown to reduce stress indicators and enhance overall wellbeing.”
On the other hand, Black Duck’s Murthy recommends that cybersecurity experts find a hobby to enjoy some downtime. It also helps to connect with like-minded individuals at industry meetups and make connections outside of the sector.
Rogers says staff working in the Huntress SOC prioritise both their physical and mental health in their own time. He says this is essential to “maintaining a resilient and effective security team.”
Seeking support from a non-profit organisation like Cybermindz will also equip cybersecurity professionals with the resources needed to navigate a fast-changing industry. Noel of Expel explains: “They can definitely help cybersecurity professionals manage stress while enjoying their jobs.”
On the whole, mental health in cybersecurity is at an all-time low. Considering the increased volume of sophisticated cyber attacks that SOCs and their teams face, this is understandable. But when cybersecurity teams are depleted and ineffective as a result, organisations end up letting their guard down and are more susceptible to cybercrime.
That’s simply something they cannot afford. This is why organisations must give their cybersecurity specialists sufficient time off to rest, plug internal skill gaps, and create a transparent workplace culture where people can openly discuss their struggles and find effective remedies to these issues. A comprehensive incident response plan and automation are also essential.