There is little debate that cybersecurity jobs are very stressful. In addition, few people will argue that an organization’s growth and revenue depend on its cybersecurity team. However, recent research has shown that the stressful nature of our industry may be setting up organizations for increased cybersecurity vulnerabilities.

A Third of Cybersecurity Leaders are Planning to Quit

Research from BlackFog found that almost a third (32%) of CISOs or IT cybersecurity leaders in the U.K. and the U.S. are considering leaving their current organization. Among those with plans to leave, a third are hoping to quit within the next six months. Reasons for their dissatisfaction included a lack of work-life balance (30%) and too much time spent on firefighting rather than focusing on strategic issues (27%).

The survey also found that frustration stemmed from the skills shortage and the many changes in cybersecurity. Many of the leaders (52%) reported struggling with new frameworks and models, such as zero trust. One in five leaders also found the skill level of their team to be a serious challenge. Staying on top of the rapidly changing industry was also stressful, with 54% saying keeping up with the latest on solutions was hard and 43% reporting it was difficult to keep pace with the innovations.

Improving Retention for Cybersecurity Leaders

When a CISO or IT cybersecurity manager leaves, organizations are often more vulnerable. Additionally, the time spent hiring and training new leaders takes away from protecting the organization. Other employees on the team often leave when a leader takes on a new job, further disrupting cybersecurity.

One of the roles of a cybersecurity leader is to reduce attrition on their team. However, many organizations fail to ensure that cybersecurity leaders are engaged and satisfied with their jobs. Organizational leaders must prioritize retention at all levels of their cybersecurity team.

Here are some ways to reduce stress and increase support for CISOs and security managers.

Support Work/Life Balance

Because cybercriminals work 24/7, so must your security team. Unfortunately, that often means that cybersecurity leaders are constantly on call, which is unhealthy and leads to burnout. Additionally, your cybersecurity leaders set the example for work/life balance for their team. If they do not show good boundaries, their team will do the same. This creates a vicious cycle: teams burn out faster, employees quit and the cybersecurity manager’s stress level rises.

Provide Training and Support

Many leaders find it challenging to keep up with the ever-evolving nature of cybersecurity. To that end, organizations should ensure that their cybersecurity leaders have the training they need to stay up to date. By setting a budget for training, cybersecurity leaders can stay educated on both current threats and strategies to reduce risk.

When cybersecurity leaders feel confident in their knowledge and abilities, they often feel less stressed and burned out. Organizations should also consider how they can partner with cybersecurity experts, such as IBM X-Force, to get additional support and expertise when needed to further support their cybersecurity leader.

Establish Backups for Cybersecurity Leaders

Leaders often feel like they are always on call because that’s the reality. Therefore, it’s important to work with cybersecurity leaders to train other managers or team members to rotate being on call with the leader. Yes, they must be contacted if a breach or attack occurs. But beyond those emergencies, organizations can build backups so leaders can count on times when they are not the first line of defense.

Make PTO Mandatory

Consider requiring employees to use their PTO. At the same time, encourage them to fully disconnect by providing backup for their responsibilities while they are gone and not expecting them to check in or work remotely. According to SHRM, 78% of managers agree that vacation improves employees’ focus, and 81% say time off soothes burnout. But this only happens if employees actually take their vacation and don’t work remotely. Organizational leaders should also model this by taking their own PTO, which sets a good example.

Offer Flexibility

Cybersecurity leaders will often work overtime, weekends and nights, even with the best plans in place. Organizations need cybersecurity professionals to be flexible when an emergency arises. By showing them the same courtesy, you can reduce their stress and improve productivity. Offering leaders (and employees) as much flexibility as possible on when and where they get their work done can help balance the inevitable inconveniences of cybersecurity.

In addition to the ability to work remotely, give leaders the flexibility to set their own hours. By providing this flexibility to both cybersecurity leaders and team members, you reduce the risk of burnout for everyone, which can significantly reduce your overall cybersecurity risk. When the cybersecurity team works overtime with emergencies, reward them with comp time or additional PTO to help offset the stress of the event.

Foster a “When Not If” Approach to Breaches and Attacks

Cybersecurity leaders are responsible for preventing attacks, and reducing the impact if an attack does occur. However, the increasing number and sophistication of attacks in recent years make the weight of this responsibility even more stressful. Organizational leaders should shift their thinking to assuming that an attack will occur and then give cybersecurity leaders the resources to minimize the disruptions. By reducing the responsibility for eliminating attacks from cybersecurity leaders and instead focusing on reducing the damage, cybersecurity leaders feel empowered instead of burdened.

Cybersecurity is always going to be a high-stress job. But when organizations provide cybersecurity leaders with the tools and support needed, they can reduce attrition in leadership roles. When cybersecurity leaders are engaged and satisfied, their team is likely to be more productive and happy as well, which reduces overall turnover. With a well-functioning cybersecurity team, your organization can proactively reduce risk and attacks.

More from News

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read

Google’s Bug Bounty Hits $12 Million: What About the Risks?

4 min read - Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase. Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security…

4 min read

Swiss Army Knife Malware Slices Through Systems In so Many Ways

4 min read - What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022. Picus' findings also highlighted the growing prevalence of "Swiss Army knife malware". This type of malicious software is capable of executing a range of…

4 min read

Will Threat Actors Face Layoffs in 2023?

2 min read - You can’t look at the news these days without reading about layoffs in the technology sector. Roger Lee, founder of told that more than 120,000 tech employees lost their jobs in 2023 as of Feb 27, compared to 161,411 in all of 2022. However, all layoffs aren’t bad news. Most people don’t think of criminals losing their jobs. But if the criminal activity isn’t making money, then it makes no sense to continue. And that is happening in…

2 min read