$626 Million: The true cost of burnout in cybersecurity

Hack the Box (HTB) recently commissioned an independent report with market research firm Censuswide to investigate the ramifications of burnout for financial performance and employee well-being.

The survey sample included 1,001 CEOs and executives, 1,207 CISOs, and other cybersecurity professionals in the US and UK. 

We found that CEOs and C-level executives generally estimated the cost of employee burnout at around $3 million per year. 

However, based on our findings, the real cost to productivity (which factors in the number of work days lost to poor mental health) is significantly higher:

$626 million in the US, and $130 million in the UK, every year.

$626 million is a big number. How did we get to it?

First, we asked CEOs in the UK and US to estimate their overall costs from burnout—including replacing staff, recruitment, overtime, and any other relevant associated costs. Our survey found that the majority placed their estimates in the $3-4 million dollar range. 

To build a more accurate picture of the true cost, we then began with two average figures. 

The average number of sick days staff take is 3.4 per year, and the average number of hours lost to poor productivity is 3.4 per month. This amounts to over 40 hours per year. 

From there, we used average salaries and team sizes to estimate the costs of sick time, working time, and recruiting or replacing staff. This highlighted a wide gap between C-level expectations and the actual cost of burnout in cybersecurity. 

There’s C-level disconnect on the criticality of burnout

Andrea Succi, CISO at Ferrari Group, shares that “the ‘always-on’ nature of the job, coupled with a global shortage of skilled cybersecurity professionals” means many are working long hours under  scrutiny.

Intense workloads are an everyday reality for security teams. However, CEOs aren’t fully aware of the impact this has on staff morale. Our report found a gap between CISOs and CEOs regarding their level of concern about burnout. 

While 90% of cybersecurity leaders reported concerns about team burnout, only 73% of executives expressed similar concerns.

This points to a level of disconnection between executive teams and cybersecurity teams working overtime on the frontlines to defend business-critical environments.

Per the surveyed CEOs, there were a variety of reasons their cybersecurity employees worked over their contracted hours. The three most common responses chalked burnout to the following:

• An increase in the number of cybersecurity threats. 

• The unpredictability of threats that occur after working hours.

• Time for training extra skills.

Longer hours. Less vacation. Less well being 

Survey findings paint a sobering picture of work-related well-being for security professionals. Many admitted to working longer hours and taking fewer vacation and sick days due to intense workloads. 

About two-thirds of respondents (68%) said they were working 10-50 hours of unpaid overtime every week, and about a third (35%) said they had used fewer than 3 to 5 days of vacation time to help meet heavy workloads. 

But even more of them, 76% of the people we surveyed, reported calling out sick for their work-related well-being. This is also affecting peoples’ home lives: 12% of cybersecurity employees reported missing personal milestones, like commitments at their child’s school or family parties, due to demands at work. 

According to ISC2, the global number of cybersecurity staff is around 5.5 million people, which means that this small statistic represents around 660,000 children having birthdays without a cybersecurity parent present. 

Burnout-induced human errors lead to security breaches

Companies are not immune to the impacts of burnt-out cybersecurity teams. According to Statista’s 2023 research, 78% of UK CISOs agreed that human error was their organization's biggest cyber vulnerability. 

Also in 2023, Security data company Devo ran a study of 200 participants, which found that 83% of security professionals admitted burnout-induced errors within their department had led directly to a security breach.

As we learned earlier, these errors can cost companies a lot—and likely more than CEOs and board members may anticipate. For example, reports indicate that the WannaCry ransomware, which brought the UK’s National Health Service (NHS) to a grinding halt in May of 2017, cost the NHS around £92 million.

What can we do about burnout?

The burnout situation in the cybersecurity industry is dire, but it is not hopeless. There are some solutions to these problems, and our research points to two key recommendations: 

1. Provide the right teams, tools, and training 

If people lack clear roles and responsibilities, they may take on too much or leave tasks for other people.

If they lack the skills to use certain tools or address threats, they may be afraid to speak up.

If teams don’t have enough staff, people may need to work longer hours or skip vacations to complete their workloads. 

We recommend focusing on having the right people, tools, and right training to enable security professionals to keep up with the threat lanscape. And this requires acting on our second recommendation. 

2. Connect the board with cyber 

Our survey revealed a stark disconnect between C-level executive teams and their cybersecurity teams. One way to mitigate this would be to include the CISO in boardroom conversations. 

Putting a cybersecurity expert connected to the IT and security teams in the room can give company leaders more perspective on security threats, unlocking the staff or training needed to address them. 

This in turn reduces the risk of unrealistic expectations, enables buy-in for security resources, and keeps the C-suite invested in security as a business-critical function. 

Recommended read: How CISOs can better connect with their boards. 

Today’s cyber threats present a flux of new challenges to organizations. And unskilled, burnt-out teams pose a real risk to the security of your business. 

This is why cybersecurity performance programs and continuous improvement are no longer a nice-to-have, but a necessity.

A people-first approach to cyber performance

• Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.

• Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out.

• Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture.

• Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas.

• Boost organizational awareness: HTB can assess cyber readiness and performance company-wide with effective practices like tabletop exercises (TTXs) or nearly practical assessments designed for security staff and non-technical teams.

Book a call

Free trial the Cyber Performance Center