The human cost of cybersecurity and what we should do about it

Cybersecurity professionals love their work. That’s true, isn’t it?

Yes, to a point. A new survey of 501 UK CIOs, security analysts and IT professionals found 96% recommend cybersecurity as an industry to work in.

That’s a great approval rating for any industry. But the research also uncovered another, more uncomfortable reality. More than eight-in-ten (84%) cybersecurity professionals fear a serious breach or incident could cost them their job at any moment.

Almost six-in-ten (59%) say their teams suffer from high levels of stress, and more than a third (34%) constantly worry a serious mistake by someone in their team could end their career.

One response to these findings may be that a senior role in cybersecurity is inherently demanding. It is a fast-paced, high-pressure field, shaped by serious and often consequential threats.

High stress, some might argue, comes with the territory and is not for the faint of heart. Yet this underestimates the emotional and psychological impact on cybersecurity teams – not just in relation to major incidents, but also the day-to-day tasks that can grind down enthusiasm and job satisfaction.

In regulated sectors, individual accountability, onerous reporting deadlines and governance requirements impose a heavy load on security professionals. In 2023, for example, the Prudential Regulation Authority fined the former TSB Bank CIO £81,000 for failures to manage and supervise its IT migration program.

Supported by small teams

Many cyber professionals work in small teams and are exposed to risks that are always hard to assess. They are expected to operate knowing a malicious actor could destroy their career, cripple the organization that employs them and put colleagues out of work.

Cyber incidents are often discussed in terms of financial and operational impact, but the human cost is frequently overlooked. The constant fear creates an environment where anxiety and burnout are never far away, even when incidents are outside an individual’s direct control.

Time to reassess support for security teams

Organizations need to think about how they support these critically important professionals and help alleviate the burdens technically and psychologically. Many are likely to have gone through bad experiences, leading to absences from work and prolonged underperformance. Without support, severe depression can be one of the consequences.

The toll can indeed be significant and as the National Cybersecurity Centre (NCSC) advises, steps to support cyber professionals should be part of any organization's resilience preparations.

Heavy workloads and constant pressure during an incident only increase the likelihood of mistakes. The sense of being overwhelmed and isolated can be crushing. Even people who thrive during an incident and are consumed by the challenge can be at risk of burnout.

These are not rare events. In the research, 64% of respondents said they have dealt with a significant breach or data incident, with 20% experiencing such attacks on multiple occasions.

More than a quarter (27%) had to spend time away from work because of burnout or anxiety, others have either been demoted, passed over for promotion, fired, or witnessed colleagues suffer the same fate. Some 14% found they were blamed for the breach.

Include stress-reduction in response planning

There are many steps to alleviate the pressure on security teams that an organization can put in place as part of its incident response plan, such as providing effective backup, defining roles with greater clarity, and rehearsing a clearcut communications plan.

Preparation and rehearsals are vital, as everyone should know. But it is important that plans treat psychological pressure as a risk and build in staff resilience. Professionals need the freedom to be honest about where they see gaps and deficiencies and be ready to admit feeling overwhelmed and in need of help.

A dynamic and positive culture is one in which cyber professionals are appreciated as enablers who support innovation and growth. This should provide more effective resilience from both technical and personnel perspectives.

Business leadership needs to address the psychological aspect of resilience

There is a boardroom aspect to this as well. The research found many cyber professionals believe their senior leadership teams are more aware of cybersecurity and the requirements of compliance, which is welcome. Yet sometimes a little knowledge is a dangerous thing. Boardroom executives should be less ready to cast blame around.

They should realize that low morale has serious consequences for the whole organization. It undermines performance during “normal times”, heightens risk during incidents and can continue to downgrade staff capabilities long into the aftermath. Security staff need to be psychologically fit so they can deal with the day-to-day workload while remaining prepared for whatever is thrown at them in an incident.

These are not trivial questions. The UK Government’s 2025 Cyber Breaches Survey found 43% of businesses were attacked or suffered some form of breach in the previous 12 months. We know too, that the continuing shortage of staff with cyber skills is unlikely to be alleviated quickly. The Government’s own labor market analysis shows a cyber workforce gap of 3,800 professionals.

What is important now is that leadership teams see the mental resilience of their security team as a well-being concern that is also a business risk. They must take steps to ensure that teams are fully supported and that resilience remains as strong as possible through a combination of better planning and improved culture.

Check out list of the best employee experience tools.