
New research reveals that cybersecurity burnout costs US enterprises over $626 million annually and UK enterprises over £130 million annually

Hack The Box is calling for the prioritization of mental well-being within businesses to boost cybersecurity performance, following its latest research.

Ophie, Jun 18, 2024

Cybersecurity and infosecurity professionals say that work-related stress, fatigue, and burnout are making them less productive, including taking extended sick leave – costing US enterprises almost $626 million and UK enterprises almost £130 million in lost productivity every year. That’s according to a new study, Building a firewall against cybersecurity burnout, released today by the Cyber Performance Center, Hack The Box.

Cybersecurity has an essential role to play for businesses, clearly demonstrated by the inclusion of CISOs on the board. With the number of threats rising 600% since the pandemic, the proliferation of criminal groups, and the emergence of new technologies, the industry is demanding elite performance professionals. However, the industry is facing a mental health crisis, with 84% of workers experiencing stress, fatigue, and burnout.

This poor mental well-being at work is costing the industry millions at a time when there is a rising skills shortage. 74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, with staff reporting taking an average of 3.4 sick days per year due to work-related mental well-being problems. This is also translating into lost productivity with an average of 3.4 hours of work lost per month, or 5.1 working days per year to poor mental well-being. This lost productivity is costing medium to large enterprises alone over $626 million per year in the US and £130 million in the UK. 

Research also shows that there is a significant gap in understanding between the board and cyber teams. 90% of CISOs globally say they are concerned about the impact of stress, fatigue, and burnout on their workforce’s well-being, whereas only 47% of CEOs globally seem to be equally concerned about their cybersecurity teams' stress, fatigue, and burnout causing increased errors. This gap in understanding is not being prioritized across the board.

In addition, the gap is present in the reasons for burnout too. 66% of business leaders globally say that the top reasons why cybersecurity professionals are working over their contracted hours are due to increased numbers of cybersecurity threats and unpredictable threats after work hours. In contrast, 89% of cybersecurity professionals globally say the workload, volume of projects to deliver, and the time needed to deliver tasks are the key causes of burnout. In addition, they are experiencing pressure to perform outside their skillset, which ranks as a second key cause of burnout with 66%.

This gap is causing an issue where businesses are trying to provide disconnected solutions. For the workload issue, only 44% of businesses are investing in additional temporary staff when teams are stretched to avoid burnout and stress. In addition, cybersecurity professionals are calling for a skillset-based solution yet only 47% of businesses are outsourcing upskilling platforms and providers to ensure employees have the latest training and tools to deliver against their roles.

Haris Pylarinos, Founder and CEO at Hack The Box says: “Cybersecurity professionals are at the forefront of a battle they know they are going to lose at some point, it is just a matter of time. It’s a challenging industry and businesses need to recognize that without motivation, cybersecurity professionals won’t be at the top of their game. We’ve worked with both cybersecurity and business leaders to understand the challenges the industry faces. What we’ve discovered shows just how difficult the job is and that there is a significant gap of understanding between the board and the professionals.  

“We’re calling for business leaders to work more closely with cybersecurity professionals to make mental well-being a priority and actually provide the solutions they need to succeed. It’s not just the right thing to do, it makes business sense.

“We know we have a part to play too in making the industry better. As part of our Cyber Performance Center, we see the solution to bridging that gap as an investment in people’s careers, development, and well-being, which results in a better security posture and improved alignment of cybersecurity with business objectives.”  

Sarb Sembhi, CTO at Virtually Informed and Chair of the Mental Health in Cyber Security supported the findings saying: “Stress, burnout and mental health in cyber security is at an all-time high. It’s also not just the junior members of the team, but right up to the CISO level too. It’s a difficult topic to navigate as it’s so personal to the individual, but building in the right support and processes has so many advantages for the people and the enterprise. We need to equip cybersecurity professionals with the tools to effectively manage the stressful situation of a cyber crisis. We’ve seen how a cybersecurity crisis can have the same effect as serious trauma on an individual’s body. It’s shocking. The profession needs to work together on this, or the most experienced professionals will leave with no way to defend our essential enterprise services and departments.”


Methodology

  • Hack The Box commissioned an independent market research company, Censuswide, to survey two samples. The first sample was 1,001 full-time enterprise business leaders specialized in cybersecurity and infosecurity in medium and large enterprises between May 20, 2024, and May 24, 2024. The second sample was 1,207 full-time cybersecurity & infosecurity professionals within medium and large enterprises in the UK and US between May 20, 2024, and May 24, 2024. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council. Unless stated otherwise, all figures were drawn from this poll.

  • According to the Infosecurity Institute, the average yearly salary for cybersecurity professionals is $125,000. Hack The Box assumed 232 working days in the year (allowing for an average of 18 holiday days and 10 bank holidays). $125,000 divided by 232 gave the average daily wage of $538.79 per day. Hack The Box’s research showed the average number of sick days taken in the past year per worker (3.4) and the average number of days lost to poor productivity estimated as 3.4 hours per month per worker = 40.8 hours per year = 5.1 days per year assuming an 8-hour working day. This equals 8.5 days per year per worker lost to poor mental health. This was multiplied by the total number of cybersecurity professionals in the US (228,000, according to ISC2) to get the total number of days lost by the industry to poor mental well-being each year as 1,162,800. Hack The Box then multiplied this total number of 1,162,800 days by the average daily wage of a cybersecurity professional to arrive at its final figure ($626,505,012).
