The Scale of the CISO Burnout Epidemic
Proofpoint’s 2025 Voice of the CISO report, surveying 1,600 security leaders across 16 countries, found that 63% have experienced or witnessed burnout within the past year. Sophos places the figure even higher at 76%. Meanwhile, 94% of CISOs report being stressed at work, and 66% say they face excessive expectations.
Gartner predicted in 2023 that nearly half of cybersecurity leaders would change jobs by 2025, with 25% leaving the profession entirely. That prediction has largely materialized: 24% of Fortune 500 CISOs have been in their current role for just one year, and average single-company tenure hovers at 18 to 26 months, far below the C-suite average of 4.9 years.
Three Forces Driving CISOs to the Breaking Point
Personal Liability and the SolarWinds Precedent
The SEC’s 2023 fraud charges against SolarWinds CISO Timothy Brown marked the first time a sitting CISO faced personal liability for cybersecurity failures. Although the SEC dismissed the case in November 2025, the precedent reshaped the profession. A Fastly survey of 1,800 IT leaders found that 93% of organizations updated policies to address CISO liability, with 41% involving CISOs more deeply in board decisions and 38% providing increased legal support.
Under current SEC disclosure rules, public companies must report material cybersecurity incidents within four business days. CISOs now carry the dual burden of responding to incidents while managing regulatory disclosure timelines, knowing that missteps could trigger personal consequences.
Alert Fatigue and the 24/7 Burden
Over 90% of CISOs report frequent 40-plus-hour work weeks, with 95% working beyond contracted hours. More troubling, 83% spend half their evenings and weekends thinking about work, and 71% describe their work-life balance as heavily weighted toward work.
The cybersecurity skills gap compounds the pressure. The ISC2 2025 Workforce Study reports that 59% of organizations face critical skills gaps, up from 44% the prior year. When teams are understaffed, CISOs absorb the overflow, and 88% of organizations have experienced cybersecurity consequences attributable to these shortages.
Expanding Scope Without Expanding Support
CISOs are being handed AI governance, cloud security, supply chain risk, and privacy compliance on top of existing mandates, without adjusting job structures or budgets. Proofpoint found that 76% of CISOs feel at risk of a material cyberattack in the next 12 months, up from 70% previously, yet 58% admit their organizations are unprepared to respond.
The compensation paradox underscores the dysfunction. CISO pay rose 6.7% in 2025, with packages ranging from $250,000 to $700,000. Yet satisfaction is declining. Higher pay without structural support is essentially hazard pay: it acknowledges the danger without reducing it.
The Downstream Damage to Enterprise Security
CISO burnout is not just a human resources problem. It degrades enterprise security posture directly. According to Cynet’s CISO Stress Survey, 65% of CISOs say stress compromises their ability to protect their organization. When the person responsible for security cannot function at full capacity, the entire organization becomes more vulnerable.
The cascading effects are measurable. 74% of CISOs report losing team members to stress-related turnover. 92% of CISOs who experienced data loss say departing employees played a role, up from 73% the previous year. Organizations with poor security visibility suffer 63% burnout rates versus 44% for those using risk-based monitoring tools. Burnout feeds attrition, attrition feeds breaches, and breaches feed more burnout.
Breaking the Cycle
Addressing CISO burnout requires structural changes, not wellness webinars. The evidence points to several high-impact interventions.
Board-level accountability. CISOs need direct reporting lines to the board and explicit authority matching their responsibility. When security is a shared business risk rather than one person’s burden, isolation-driven burnout diminishes.
Defined scope boundaries. Organizations must stop treating the CISO role as a catch-all. AI governance, privacy, and supply chain security should have dedicated ownership with clear escalation paths.
Visibility-driven operations. Bitsight’s research shows a 19-percentage-point burnout gap between teams with strong asset monitoring and those without. Better threat prioritization tools reduce cognitive load directly.
Peer support networks. The RSA Conference highlighted that CISOs who engage in peer communities report higher resilience and lower isolation scores.
Realistic staffing and budgets. With 33% of organizations lacking resources to adequately staff security teams, expecting CISOs to compensate through personal sacrifice is a countdown to failure.
Frequently Asked Questions
What is the current CISO burnout rate and why is it rising?
Proofpoint’s 2025 report found 63% of CISOs experienced burnout in the past year, with Sophos placing the figure at 76%. The rate is climbing due to expanding personal liability risks, chronic understaffing with 59% of organizations reporting critical skills gaps, and AI governance duties added without workload adjustments.
How does CISO burnout directly affect organizational security?
Burnout creates a measurable security degradation cycle. 65% of burned-out CISOs say stress compromises their ability to protect their organizations, and 74% have lost team members to stress-related turnover. Proofpoint found that 92% of CISOs who experienced data loss cite departing employees as a contributing factor.
What can organizations do to reduce CISO burnout and improve retention?
The most effective interventions are structural. Organizations should establish direct board reporting for CISOs, define clear scope boundaries to prevent role creep, invest in visibility tools that reduce alert fatigue, and fund realistic security team staffing. Peer support networks and private CISO communities also reduce isolation and improve resilience.
Sources & Further Reading
- 2025 Voice of the CISO Report — Proofpoint
- Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025 — Gartner
- 2025 ISC2 Cybersecurity Workforce Study — ISC2
- The State of Cybersecurity Burnout in 2025 — Bitsight
- CISO Liability Risks Spur Policy Changes at 93% of Organizations — Infosecurity Magazine
- SolarWinds Dismissed: What the SEC’s U-turn Signals for Cyber Enforcement — Harvard Law
- The Strongest Security Starts Within: CISO Health Priority in 2026 — RSA Conference
- Over 90% of CISOs Report Frequent 40+ Hour Work Weeks — Security Magazine
















