Cyber threats are no longer just a matter of reputational, operational or financial damage.
As attacks become more frequent and sophisticated, a hidden risk has emerged — the growing toll on the mental health of cybersecurity professionals. The pressure is mounting, revealing a side of the industry that needs urgent attention.
A recent report by Sophos, 'The Future of Cybersecurity', highlights the escalating issue of burnout, fatigue and disconnection between cybersecurity workers and leadership.
If left unchecked, these issues could have serious implications for organisations trying to maintain a strong security posture.
Burnout among cybersecurity professionals
In Malaysia, a staggering 91 per cent of respondents in the Sophos study reported that their cybersecurity teams had either experienced or were currently suffering from fatigue and burnout.
The main causes? Insufficient resources, according to 58 per cent of respondents, and increased pressure from executives and board members, as noted by 44 per cent.
Sophos field chief technology officer for Asia Pacific/Japan Aaron Bugal said these factors significantly contribute to the mental strain of cyber defenders.
"The situation is often made worse by poor recruitment practices, where many professionals enter the field only to find that their roles do not match their skills or career aspirations," he said.
"Without proper consultation and support, employees are left overwhelmed, creating a breeding ground for frustration and burnout. Worryingly, 19 per cent of respondents admitted that this stress had contributed to a security breach within their organisation," he added.
"To combat this growing issue, organisations must invest in providing the right tools, training and opportunities for their cybersecurity teams. By enabling employees to develop their skills and focus on areas where they excel, companies can alleviate some of the pressures and improve the mental wellbeing of their staff," he said.
Leadership's role in cyber resilience
A robust cybersecurity culture needs to be driven from the top down.
However, the Sophos report revealed that 49 per cent of respondents believed their company's board members lacked a thorough understanding of cybersecurity requirements and 46 per cent said the same of senior executives. This disconnect between leadership and frontline cybersecurity teams is concerning.
"When leaders fail to grasp their responsibilities around cybersecurity, they can overestimate their organisation's level of protection, creating a false sense of security," said Bugal.
"This isn't just a personnel issue; it's a major risk management concern. If executives and board members don't address the mental health crisis facing their cybersecurity teams, the result could be burnout, turnover or worse — mistakes that lead to costly data breaches," he added.
Education and support
Organisations need to educate their leadership about the realities of cybersecurity, drawing on real-life examples where human error led to breaches. This will help shift mindsets and foster a culture of resilience and support.
In Malaysia, 98 per cent of respondents agreed that changes in legislation and regulations that hold boards accountable for cybersecurity would lead to greater focus and stronger resilience at the leadership level.
Bugal said while there is no quick solution to reducing workplace stress in the cybersecurity sector, attitudes are starting to shift. Tech leaders at all levels can take steps to create healthier working environments.
This includes ensuring that cybersecurity professionals have the right tools and processes to minimise repetitive tasks and manage risks effectively. Regular communication between managers and teams can also help identify stress points before they become overwhelming.
"Recognising the stress faced by cybersecurity workers and taking steps to address it is vital for building a resilient security culture. Normalising conversations about mental health and providing the necessary support will not only benefit employees, but also enhance the overall security posture of organisations," Bugal said.