It’s a bold claim, but the evidence is hard to ignore: chief information security officer (CISO) may be the most stressful job in the corporate world.

A 2023 worldwide study by executive recruitment firm Heidrick and Struggles, which interviewed 327 CISOs, found stress and burnout were the most significant personal risks facing security leaders, cited by 71 percent and 54 percent, respectively.

Another 2023 report, the CISO Workforce Study, found the average CISO remains in the role for just 18 to 26 months, well below the 4.9-year average across the broader C-suite.

The high turnover is being driven by relentless workplace pressure, psychological strain and burnout, compounded by poor organisational culture and a lack of executive support.

An impossible balancing act

Nigel Hedges, executive general manager of Cyber and Risk at Sigma Healthcare and Chemist Warehouse, said the role of CISO has evolved from what it was 30 years ago when the IT manager struggled to get a seat at the executive table.

Today's CISO is expected to operate as a senior executive, carry significant accountability and manage enterprise-wide risk — often without the authority or mandate afforded to other executives.

“They’re expected to stop every cyber incident, do more with less, compete with other business priorities, peers and glitzy technology projects.”

Many CISOs are constantly justifying their headcount, jumping through countless hoops for funding and responding to a constant stream of investigations, he adds.

“Also, manage people issues, develop a high performing morality team and attend countless meetings, while the fear of a major cyber incident hangs over, 24/7.”

And while all of this is happening, it’s common for CISOs to neglect their personal and professional development.

“I’ve heard numerous reports of CISOs taking their own annual leave for training.

“They’re criticised or looked upon poorly for attending conferences as ‘junkets’, then expected to take personal leave to attend vendor-sponsored events.”

Burnout is very real

For Hedges, the relentless demands of the role eventually took a serious toll on his health.

During COVID, while working for a previous employer, he spent weeks on end working long shifts of 10 to 12 hours.

“I wasn’t sleeping, eating well or drinking water. I developed kidney stones and had five visits to hospital to remove them.”

Hedges’s priority turned to his health.

Sadly, after three years of working under constant pressure, he resigned from the role.

“It’s little comfort, later I learnt they went through three CISOs in the course of 18 months.

“Since then, in my last two roles including my current role, I take annual leave and enjoy time by the sea.”

Always on call

Unlike most executives, CISOs rarely switch off completely. Cyber threats operate around the clock, generating alerts and demands for attention at all hours.

“Unfortunately, it’s true. I’ve been on many early morning and late evening calls. We’re involved in incidents even when they aren’t cyber incidents.

“I call it the death by a thousand papercuts,” said Hedges.

While he rejects the notion the role carries the same weight as emergency services work, he believes the volume of issues security leaders face creates a unique burden.

“Comparing the role of paramedics, I have the deepest respect, they deal with life and death situations.

“CISO is amplified by the sheer quantity of incidences.

“Hackers don’t work 9 to 5, we’re expected to be on 24/7, Monday to Friday.”

While Hedges has great support from his current employer, for some that’s not always the case.

“The role can be very political, highly demanding, and incredibly stressful.

“But, also highly rewarding, if supported by great team members and management.

“That’s when it really works.”

The human cost

Peter Coroneos, founder of Cybermindz, which runs resilience and recovery programs for cyber professionals, said CISOs are defending organisations with finite resources against highly capable and persistent adversaries – and the pressure is relentless.

“Unlike most executives, CISOs do not experience clean breaks between work and personal life.

“Continuous threats, alert triggers always linger.”

He said CISOs are exposed to a level of threat activity that few other executives ever see.

“While the broader C-suite may only be engaged when something goes wrong, the CISO sees every attempted intrusion by cybercriminals – the daily probing, phishing campaigns, exploit attempts and ransomware deployments that never make the news.”

The result is what psychologists describe as ‘chronic stress activation’.

“Disrupted sleep, increased cognitive loads erodes emotional resilience, this spills into relationships, health and coping behaviours.

“Over time, neurologically, chronic stress degrades executive decision-making.”

Coroneos said growing numbers of CISOs have enrolled in Cybermindz programs over the past two years.

“It’s encouraging to see them taking responsibility for factors they can control.

“If we’re not looking after the humans behind the technology, we’re increasing risk for everyone.”

A role few are prepared for

John Taylor, field chief technical officer, APAC, for human risk management platform Mimecast and a former CISO, said it’s a role few are prepared for.

“Many begin their careers as technical experts such as engineers, solution architects, and security analysts.

“Promotion to CISO often reflects technical mastery, but the job itself is fundamentally different.

“They’re promoted because they’re exceptional technologists.

“But the role is less about technology and far more about influence, board communication, crisis leadership and enterprise risk.”

It’s often a vastly different job from the one they came from.

“Suddenly they’re responsible not just for systems, but for reputational risk, regulatory exposure and shareholder confidence. Yet there aren’t always structured development and training to prepare them to transition.”

Taylor said CISOs often find themselves balancing security concerns against commercial priorities, with expectations continuing to rise.

“Unfortunately, burnout is creating a brain drain with so many high-calibre CISOs moving on.

“This will have a negative effect on the broader economy,” said Taylor.

Knowing when stress becomes burnout

Karen Aroney, founder of ExecFuel and a performance nutritionist with a background in psychology, said there is an important distinction between stress and burnout.

Normal stress is a short‑term, reversible response where your system ramps up to meet a challenge, then settles once the pressure passes.

Burnout, however, develops when stress becomes chronic and prolonged.

“The most dangerous form is the gradual decline into burnout where you look like you’re functioning, but your energy, clarity and motivation have drained away.”

Warning signs include disrupted sleep, afternoon energy crashes, gut issues, weight gain and weakened immunity.

“Mentally, you’ll see irritability, anxiety, narrowing focus, memory lapses and a sense of being constantly behind.

“When motivation drops, you’re feeling flat rather than stressed – it’s a red flag you're moving into burnout territory.”

If burnout isn’t addressed, cortisol stays elevated, energy and blood sugar become unstable, sleep worsens and the body starts storing more harmful belly fat that affects long-term health.

Cognitive performance drops, decision‑making becomes impaired and mental health declines, often leading to extended leave or forced resignation.

As cyber threats continue to escalate, organisations may find that protecting the people responsible for defending them is becoming just as important as protecting the technology itself.