CISO Burnout Hits Breaking Point As Fears Of Personal Legal Liability Grow

60% of CISOs report that the stress of their role is negatively impacting their physical or mental health—and when 47% could be held personally liable for security breaches, it’s no wonder.

Published on Nov 6, 2025
Written by Caitlin Harris
CISOs Are Suffering Under The Weight Of Liability, Says RSAC

According to new research, 80% of Fortune 1000 CISOs believe that the stress of their job is adversely impacting other aspects of their lives, with 60% reporting that their role has negatively impacted their mental or physical health.  

These statistics come from RSAC’s latest Cybersecurity Insights & Futures report, which was released today. Based on insights from CISOs across 140+ countries, the report explores the top priorities and challenges for the modern CISO and predicts how these trends might evolve over the next year. 

Tackling Burnout

Burnout isn’t just an issue that affects CISOs; a 2024 Forrester study found that 78% of cybersecurity workers are at serious risk of burnout. 

“This is definitely a high-stakes field, and we are exposed to pretty dark parts of the internet. We work with threats to people’s safety, stolen identities, harassment campaigns, and that really takes an emotional toll,” explains Olga Polishchuck, VP of Investigations at ZeroFox, in an exclusive interview with Expert Insights. 

“My biggest advice would be to build your support system early. Don’t isolate; find communities, find peers, find those who can understand some of the emotional weight of your work, and also try to follow the mindset that always being on doesn’t make you a hero.”

However, while many CISOs express a desire to support their teams by fighting for more resources for them or insisting that they take vacation days, many forget to extend this consideration to themselves, or simply struggle with knowing where to begin. 

“Keeping up with everything is hard, but figuring out the most important handful of things to focus on is incredibly challenging,” Tia Hopkins, Chief Cyber Resilience Officer and Field CTO at eSentire, tells Expert Insights. 

“So, figure out the things that you are going to do that are going to have the greatest impact on the business while you continue to do the day-to-day. Prioritization is huge when it comes to burnout, because we have to have a focus. 

“Things are always going to come up, so if you’re running around just grabbing things as they come, you’ll never be able to set boundaries and settle down and manage your time.”

Additionally, while CISOs can take steps in their personal lives to address burnout—such as focusing on self-care—it’s also important to address the cause of the issue, which can typically be attributed to excessively high expectations combined with a lack of resources (whether organizational, such as team members and budget, or personal, such as energy and creativity). 

The Weight Of The Law

One reason that many CISOs may be feeling the weight of expectation and obligation so heavily is the threat of litigation: specifically, the possibility that they’re personally liable for security breaches. 

And for many CISOs, this is a very real possibility; 47% of CISOs at mid-sized firms (those with 500 employees or more) are not indemnified, RSAC’s report found. This could be a real cause of stress, considering the various charges against CISOs that have hit the headlines in recent years, such as the 2020 criminal charges brought against Uber CISO Joseph Sullivan following a 2016 data breach at the company, the 2023 fraud charges brought against SolarWinds CISO Timothy K. Brown, and the Dutch Data Protection Authority’s ongoing investigation into whether it can hold Clearview AI’s directors personally responsible for GDPR violations, having already fined the company itself.

While RSAC predicts that US CISOs will need to worry less about personal legal accountability for security breaches from 2026 onwards due to changes in US SEC enforcement priorities (specifically, a narrower focus on cybersecurity enforcement and a higher threshold for what the organization will consider material cybersecurity disclosures), the company recommends that all CISOs globally work with their General Counsel and HR departments to establish protections for themselves. 

“CISOs need to work hand in hand with their General Counsel to ensure they’re covered under Directors and Officers (D&O) insurance (or via an alternative mechanism, such as a letter of indemnity) and that their employment agreements reflect that protection,” Darren Shou, Chief Strategy Officer at RSAC, tells Expert Insights. “HR also plays a key role—many indemnification terms live inside employment contracts and company bylaws, so HR is the mechanism for formalizing what the GC designs.

“When CISOs know their org stands behind them, they can make bold, risk-based decisions instead of defensive ones. Indemnification isn’t a perk—it’s a prerequisite for sound judgment.”

Recruitment Vs. Retention

Despite the pressure associated with cybersecurity roles, two-thirds of CISOs reported a 6-month team turnover rate of less than 5%. And according to a recent study by ISC2, at the start of this year, nearly half of hiring managers were able to fill even senior cybersecurity roles in three months or fewer. 

However, RSAC warns that these figures create a false impression of job satisfaction when, in reality, the current job market just isn’t presenting security professionals with as many opportunities. 

As such, turnover is likely to increase as we move into 2026 and 2027, as organizations increasingly struggle to provide competitive salaries, adequate benefits, and opportunities to train and upskill, thus forcing employees back into job-hunting mode. 

To get ahead of this, Shou tells Expert Insights, organizations need to focus on working with their employees.

“The playbook for retention isn’t purely financial. The strongest teams focus on growth, culture, and visibility. Co-creating learning and career paths—like sponsoring a certification or sending someone to training—signals belief in the individual. You can’t retain talent by outspending everyone—you retain it by outleading everyone.

“As we say in the report, ‘To avoid losing your essential cybersecurity staffers, work with them to define and document their desired growth trajectories. Find out what they value most for that time horizon (it isn’t always a raise or a promotion) and make sure that the chosen path will provide it.’ Don’t assume the problem is the salary or the benefits just because those are the most common sources of dissatisfaction. Instead, sit down with each of the five people you absolutely cannot live without to learn what they’re most excited about doing next, and find a way to offer that to them proactively (as opposed to waiting until they tell you they have a job offer and want to resign).”