
Bharat Raigangar, Global Head of Cyber Security & Governance, explores the concept of a cyber burnout paradox and how the industry can best counter this phenomenon in this exclusive feature.
The cybersecurity industry continues to warn of a growing skills shortage. Yet the same industry is simultaneously watching experienced professionals walk away in record numbers. Recent survey data suggests the issue is not a lack of talent—but a failure to retain and properly fund it.
According to ZDNet, nearly half of cybersecurity professionals are considering leaving the field, citing burnout, excessive workloads, and inadequate compensation as primary drivers [1]. The contradiction is hard to ignore: organisations claim they cannot find talent while actively exhausting the people they already have.
This is not a pipeline problem. It is an economic and organisational one.
The fiction of the talent gap
Industry groups regularly publish alarming workforce gap figures. The (ISC)² 2023 Cybersecurity Workforce Study estimates a global shortage of 3.99 million cybersecurity professionals, the highest number ever recorded [2]. However, the same report notes that staffing shortfalls are strongly correlated with underinvestment, unrealistic role expectations, and lack of career development—not a lack of capable candidates.
Compensation data reinforces this point. The SANS 2024 Cybersecurity Workforce Report found that professionals who reported access to funded training and clear advancement paths were significantly more likely to remain in their roles, even under high operational stress [3]. When organisations pay competitively and invest in skills, talent appears.
Instead, hiring practices actively undermine the pipeline. Entry‑level job postings routinely require years of experience, while rigid headcount accounting discourages hiring junior staff who require mentoring. Over time, this erodes institutional knowledge and shifts risk onto increasingly small, overstretched teams.
The result is predictable: burnout accelerates, attrition rises, and the perceived “shortage” worsens.
Security framed as cost, not risk
Security continues to struggle for legitimacy in boardrooms because it is framed as a cost centre rather than a risk‑management function. Unlike revenue‑generating teams, cybersecurity success is measured by incidents that do not happen—making it easy to deprioritise.
That approach has measurable consequences. IBM’s 2023 Cost of a Data Breach Report found that the average global data breach now costs $4.45 million, a 15% increase over three years, with understaffed security teams experiencing significantly higher losses [4]. Organisations that invested in security automation and adequate staffing reduced breach costs by an average of $1.76 million.
Despite this, many firms continue to defer investment until after a major incident—when remediation costs far exceed prevention.
This dynamic explains the rise of regulatory intervention. Frameworks such as the EU’s Digital Operational Resilience Act (DORA) and NIS2 Directive exist because voluntary market behaviour failed to adequately protect shared digital infrastructure. These regulations remove executive discretion to underfund resilience and shift cybersecurity from a discretionary expense to a compliance obligation.
Management without leadership
Burnout is not driven by technical difficulty alone. It is driven by organisational behaviour.
The Microsoft Work Trend Index (2023) found that over 60% of security professionals report feeling overworked, with constant alert fatigue and incident pressure cited as major stressors [5]. Yet instead of addressing workload and staffing ratios, many organisations respond with increased surveillance and mandatory return‑to‑office policies.
For cognitively intensive roles, this approach is counterproductive. A Gartner analysis found that flexible work arrangements improved retention for cybersecurity teams without reducing performance metrics [6]. Measuring productivity by physical presence does not improve security outcomes—it accelerates turnover.
Why people stay
Despite these pressures, cybersecurity remains one of the most intellectually demanding and engaging fields in technology. It requires fluency across engineering, law, psychology, and geopolitics, and it evolves faster than most technical disciplines.
Many senior practitioners increasingly find purpose outside traditional corporate hierarchies—working with startups, advising leadership teams, or mentoring early‑career professionals. These environments demonstrate that when trust, autonomy, and realistic funding are present, burnout is not inevitable.
The real fix
The cybersecurity workforce crisis does not require radical innovation. It requires basic organisational competence:
- Fund security roles at market rates
- Invest in training and succession, not just hiring
- Treat resilience as a business requirement, not a discretionary spend
Until boards and executives accept that cybersecurity failures are a consequence of financial decisions, not staffing luck, the industry will continue to lose experienced professionals faster than it can replace them.
The eventual correction will not come from another workforce report or certification push. It will come from a failure large enough to make underinvestment indefensible—and far more expensive than paying people properly in the first place.
Sources
- [1] ZDNet – “Why cybersecurity burnout is driving talent out of the industry”
- [2] (ISC)² – 2023 Cybersecurity Workforce Study
- [3] SANS Institute – 2024 Cybersecurity Workforce Report
- [4] IBM – Cost of a Data Breach Report 2023
- [5] Microsoft – Work Trend Index 2023
- [6] Gartner – “How Flexible Work Improves Cybersecurity Talent Retention”
Image Credit: Bharat Raigangar





