Thursday, November 6, 2025

The Human Firewall: Burnout and the Fragility of Cyber Resilience

The global cybersecurity industry has become both the frontline and fault line of the digital economy. As the volume and sophistication of cyberattacks grow, the professionals defending critical networks are reaching their psychological limits. Behind every firewall and security protocol lies a human being, often overworked, under-supported, and chronically fatigued. Burnout has emerged as the quiet crisis within cybersecurity—one that threatens not just individuals but the integrity of entire digital infrastructures.

When Tony, a cybersecurity awareness manager at a large UK e-commerce firm, was signed off for burnout, it was the culmination of years spent in a constant state of alert. During the 2017 WannaCry ransomware outbreak, he and his team spent an entire weekend disconnected from normal life, removing every device from their company’s network in preparation for an attack that never came. Years later, as a new wave of cyber threats known as Scattered Spider targeted British retailers like Marks & Spencer and The Co-op, the pattern repeated. Endless shifts, sleepless nights, and the weight of potential disaster became routine. “Many of us in cyber put our hearts into our job,” he said. “But there’s only so long you can do that before it catches up with you.”

The story is increasingly common. The intensity and moral weight of cybersecurity work—protecting hospitals, governments, financial systems, and personal data—have created conditions where psychological strain is embedded in the profession itself. The BBC’s report highlights what industry data has long shown: burnout in cybersecurity is no longer the exception but a defining feature of the field.

The ISC2 Cybersecurity Workforce Study 2024 found job satisfaction had dropped to 66%, down from 70% the previous year. Jon France, the organization’s Chief Information Security Officer, called burnout a “major issue,” describing an industry where professionals are “being asked to do more with less.” The problem is not only overwork but the unrelenting emotional pressure of responsibility. A single lapse can cause losses in the millions, disrupt hospitals or transportation networks, and erode public trust. Defenders are expected to prevent every failure while attackers need to succeed only once.

Average Weekly Work Hours in Cybersecurity Roles (2023–2025)

Compounding the strain is the global skills gap. The industry faces over 3.5 million unfilled positions worldwide, according to ISC2. The shortage has left existing staff overloaded, often covering multiple roles and remaining on call at all hours. Hackers, after all, do not operate on office schedules. This permanent vigilance creates a feedback loop of exhaustion, eroding decision quality and team cohesion—exactly the vulnerabilities that adversaries exploit.

The threat landscape itself has evolved beyond traditional criminality. State-backed and ideological hacking groups now operate with the sophistication of covert intelligence units. In early 2025, hackers linked to North Korea stole $1.5 billion from the cryptocurrency exchange ByBit. U.S. intelligence agencies estimate that cyber theft now accounts for nearly half of North Korea’s foreign currency income. These events demonstrate how cybersecurity professionals are engaged in a form of undeclared digital warfare where the boundaries between corporate protection, national defense, and international espionage blur. The stress of working in this environment is unique; it combines technical precision with geopolitical consequence.

For Andrew Tillman, former Head of Cyber Risk and Assurance at the UK Health Security Agency, the toll is both professional and personal. “Cybersecurity can be the best job in the world,” he said, “but when things go wrong, it can be a dangerous place to be.” His remark captures a growing sentiment across the sector: the passion that drives cybersecurity experts is also what burns them out. Dedication without systemic support becomes unsustainable.

Global Cyber Threats Detected per Month (2023–2025)

This shift has prompted new thinking around what experts now call resilience-based governance—a framework that places human resilience on equal footing with technical resilience. Traditional cybersecurity models emphasize defense and prevention, but resilience-based governance assumes that breaches are inevitable. The goal is not to avoid all disruption but to sustain essential functions and recover quickly when disruption occurs. In this framework, the human element—decision-making under stress, continuity during crisis, and organizational adaptability—becomes central to digital resilience.

A related concept, resistance engineering, borrows from safety and infrastructure design. It focuses on building systems that degrade gracefully under stress rather than collapsing completely. In cybersecurity, this means creating redundancies, modular architectures, and fallback procedures that reduce pressure on individuals. It also means embedding psychological and organizational safeguards—rotating shifts, cross-training staff, and incorporating mental health support into incident response frameworks. Research from the University of Cambridge in 2024 found that organizations applying resistance engineering principles recovered from cyber incidents 40% faster than those relying on conventional security models.

Companies that have experienced major disruptions are beginning to apply these ideas. Jaguar Land Rover, for example, faced a severe production halt in 2025 due to a cyber incident. Its ability to resume partial operations using paper-based contingency plans demonstrated the value of offline redundancy and analog backups—simple measures that provide stability in moments of digital paralysis. This practical resilience, though seemingly low-tech, is a model for sustainable recovery.

Governance frameworks are catching up. The Bank of England’s Operational Resilience Framework and the UK’s National Cyber Security Centre (NCSC) now emphasize that preparedness must include people, not just systems. The NCSC’s guidance urges firms to have “plans for operating without IT and rebuilding it at pace,” explicitly including paper-based instructions and non-digital communication strategies. Across the Atlantic, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched initiatives to address “cyber workforce resilience,” recognizing that human capacity is a national security asset.

This transformation reframes cybersecurity from a purely technical challenge into one of organizational design. It requires leaders to understand resilience as both an engineering and a governance problem—balancing automation with human sustainability. The most advanced firms are creating “resilience councils” that combine technical experts, behavioral scientists, and operational managers to ensure teams can withstand sustained stress without collapse.

Culturally, the industry must also confront its reliance on heroism. The long-standing mythology of the tireless defender—the expert who works through nights, holidays, and crises—has glorified exhaustion as commitment. In practice, it has normalized burnout. The future of cybersecurity will depend on dismantling this narrative and replacing it with one centered on endurance, balance, and team-based defense. Resilient organizations design their workflows with the assumption that humans need rest and systems will fail. What matters most is recovery time, not uninterrupted vigilance.

The psychological safety of cybersecurity professionals has now become a metric of national resilience. As governments and corporations integrate artificial intelligence and automation into their defenses, they must ensure that human oversight remains sustainable. Machines may detect anomalies, but humans interpret meaning, prioritize responses, and rebuild systems. Their well-being is inseparable from the stability of the infrastructures they protect.

Cyber burnout is a signal that the old model—based on endless escalation and reactive defense—has reached its limit. The next era of cybersecurity will belong to institutions that balance precision with humanity, efficiency with empathy. Those that treat resilience as a cultural and structural foundation, rather than a contingency, will not only endure future attacks but thrive beyond them.

Key Takeaways

  • Burnout has become a structural vulnerability in cybersecurity, reducing workforce capacity and increasing systemic risk.
  • Resilience-based governance reframes cybersecurity around continuity and recovery, integrating human well-being with technical resilience.
  • Resistance engineering principles help organizations recover faster and prevent total system collapse during attacks.
  • Governments and regulators are embedding workforce resilience into national and operational cybersecurity frameworks.
  • The future of cybersecurity depends on replacing heroism with endurance and designing systems that sustain both machines and people.

Sources

  • BBC — Why Burnout Is a Growing Problem in Cyber-Security
  • ISC2 — Cybersecurity Workforce Study 2024
  • University of Cambridge — Operational Resilience in Networked Economies
  • NCSC — Annual Review 2025: National Cyber Readiness and Workforce Stress
  • Institute of Internet Economics — Systemic Risk and Human Resilience in Cyber Infrastructure
  • Bank of England — Operational Resilience Framework
  • CISA — Cyber Workforce Resilience Strategy
