Cyber professionals in the APAC region are no strangers to work-related stress.

Reports have indicated that most cyber workers in the region experience burnout, with as many as 9 in 10 employees impacted on some level. Causes of burnout include a lack of resources and alert fatigue, resulting in employee anxiety or disengagement.

Senior executives at Australian cybersecurity firm Tesserent have offered some advice for CISOs who want to preserve their mental health in the cybersecurity industry. The recommendations come as part of Australia’s R U OK? Day, a mental health initiative.

Why CISOs must focus on cyber security mental health

Mental health problems plague many professions within the cyber industry. CISO roles, in particular, are known to be high-stress positions, partly due to a perpetual and growing threat environment.

This stress has led some workers to make drastic career moves. Globally, Gartner expects nearly half of cyber security leaders to change jobs by the end of 2025, with about a quarter of those leaving for different roles. Meanwhile, cyber industry body AustCyber estimates Australia will be short 17,000 security workers over the next two years.

Burnout causing cyber professionals to leave the industry

Tesserent’s senior executives have seen cybersecurity burnout firsthand in Australia.

Patrick Butler, managing partner of managed and professional services, said he knows “several” CISOs who left their roles, choosing different careers or cyber roles outside of security incident and response.

Jason Plumridge, Tesserent’s CISO, has also witnessed the stress and pressure other CISOs are under.

“I would estimate that, on average, CISOs and other security leaders change roles due to stress and lack of support in 50% of cases,” he said. “But global statistics are reporting the churn is higher.”

SEE: How your business can benefit from a mental health policy

Tesserent senior partner Mark Jones said he has also seen “many people burn out and leave cyber security.”

“I know at least five former senior professionals who departed the industry because the unrelenting pressure was too much,” he said. “There is a lot of out-of-hours work required, and this can take a toll personally on relationships and an individual’s wellbeing.”

Meanwhile, Silas Barnes, offensive security services senior partner at Tesserent, has also seen CISOs leave due to stress and pressure. “One resigned and took a whole year off to recover,” he noted.

How CISOs can manage their mental health

Prepare well

Butler was “totally unprepared” for the stress of cyber security when he entered the industry 16 years ago.

“It took a long time for me to learn how to deal with this stress, and even now I haven’t fully succeeded,” he said.

One moment in particular stands out for him. In 2017, Butler suffered burnout and health problems after an adversary simulation exercise, where his team spent over a week simulating a sophisticated threat actor within the network. He said that by the end of the week, “the sheer exhaustion and burnout took months to recover from.”

CISOs can better cope with stress and pressure if they understand their own weaknesses, measure risks, and prepare for the worst, Butler said.

“Being well-prepared reduces stress during an incident,” he explained. “It is important to share the accountability of risk for security across the organisation.”

Compartmentalise work and life

CISOs must separate the stress of cybersecurity work from their personal lives.

Barnes said he has suffered burnout and exhaustion during his security career. For him, the stress and pressure affected his sleep and his ability to disconnect from work during his off hours.

“The combination of critical responsibilities, high pressure, and devastating consequences of breach events can make it difficult to disconnect, even when on annual leave,” he said.

Butler advises CISOs to strengthen their physical and mental compartmentalisation abilities.

“Find a way to protect your personal time so you can switch off and teach your mind that you have transitioned from work to personal time,” he explained, noting that this approach can allow cyber professionals to “leave the troubles of the day behind.”

Delegate tasks

Plumridge agreed that separating work from personal life through the creation of boundaries is critical. He said CISOs should also strategically delegate tasks to team members to relieve their own stress.

“While a CISO role requires 24/7 contactability in the event of a security incident, this does not mean you have to be personally on call 24/7 mentally and physically,” Plumridge explained.

CISOs should assess and prioritise requirements based on risk and impact to manage time and stress. “CISOs need to trust in the ability of their colleagues to continue the requirements of the role when you are not available and avoid micromanaging every event,” he said.

Practice basic mental health hygiene

Basic mental health and wellness are critical to keeping senior cyber professionals at the top of their game. Barnes recommends that cyber professionals make time for physical activity, stick to a healthy diet, and watch their alcohol intake.

For example, he embraced skydiving as a way to disconnect from work, reduce stress, and immerse himself in the moment.

“Apart from jumping out of planes, I also make sure I take reasonable-sized breaks when I take leave, ensuring it is longer than one or two days, to give myself a chance to fully unwind,” he said.

Focus on continual improvement, not perfection

CISO roles have become complex and encompassing, Plumridge said. This position generates a significant number of competing priorities for attention and action. He said CISOs should recognise they “can control some of these and some they cannot.”

Barnes explained that CISOs can only do their best.

“Don’t waste time chasing perfection, and don’t beat yourself up about not being perfect,” he said. “Instead, focus on the value you are bringing to your organisation and on continuous and sustainable improvement.”

Recognise the impact of social media

Security leaders should assess how much time they spend viewing content from other cyber security professionals and business leaders on business social media platforms, Barnes suggested, because it can lead to negative mental health effects.

“The increased pressure to develop a personal brand or be seen as a ‘thought leader’ by the wider community can bring on feelings of insecurity, inadequacy, and anxiety for those who focus on their day-to-day work,” he said.

CISOs should instead focus on their own personal journey and avoid comparing themselves with others. The picture other professionals present on social media platforms doesn’t necessarily reflect the realities of working within the industry, Barnes noted.

How organisations can protect mental health

Make cyber security a shared organisational responsibility

Tesserent executives argue that cyber security should be a shared responsibility among everyone in an organisation.

“The CISO should feel the support of the whole senior leadership team because cyber resilience is a joint responsibility,” Barnes said.

Kurt Hansen, CEO of Tesserent, said listening to what CISOs say they need to protect the organisation, its people, and its customers will help support the mental health of their cybersecurity team.

A good business structure can thwart cybersecurity threats

A solid business structure is required to manage around-the-clock cyber threat containment and eradication efforts. Butler said this extends beyond incident response teams or the security operations centre to IT and management teams, which need to be “available 24/7 in a major crisis.”

“Often organisations haven’t planned for this, resulting in the significant risk of not having key resources available, or burnout in teams working around-the-clock,” he explained.

Employers should “recognise employees are humans,” Butler said, and create processes, structures, and strategies that minimise the risk of burnout or stress.

“This is not just good for your people but critical in managing risk and eradicating threats effectively,” he added.

Invest in cybersecurity technologies and talent

Organisations need to invest in the technology and talent required to adopt the best possible cybersecurity posture.

Plumridge said that, for many CISOs, the inability to obtain the needed investment in cybersecurity technology to bolster an organisation’s security can cause additional job-related stress.

Employers should also understand that processes and other non-technical human factors also impact security posture.

Plumridge advised that companies “be prepared to pay market rates for the security of the organisation and to obtain the skills and experience you need.”