Published: 24/10/25

A Risk We Can’t Ignore: Burnout in Cyber Security

How to Survive the Year-End Rush Without Burning Out Your Security Team

We are reaching that strange part of the year where there are months to go before we reach 2026, but conversely it will all be over in the blink of an eye. Christmas will roll into and out of view, with us all still staring at a sky-high pile of to-do lists, unrealised plans and pipe dreams.

Cyber security can be quite a challenging topic to keep on top of. Security, by its own definition, is not an absolute or binary Good/Bad or Pass/Fail. It’s relative to many factors and as a result, it is the default mode of many passionate individuals to maximise effort and throw everything they have at it. It’s tempting and does commonly lead to better results.

It’s been identified elsewhere that burnout can result from a long period of high effort, combined with no positive impact, recognition or view of a desired end-state or goal. This sounds quite familiar. Once it has happened, it is hard to come back from it as well.

How Overworked Security Teams Increase Human Error Risk

One of the key risks that we have been working through in 2025 is human error. Many people in the industry are well-principled and will strive to do the right thing. Those people, when faced with conflicting asks of their time, may take shortcuts, which can open an organisation up to invisible risks and configuration drift. At other times, a simple mistake happens due to a lack of proof checking or not having a documented process to follow. An overburdened individual will fall into these traps. Building processes, systems and controls that can reduce human error is a genuine risk management and system architecture topic that should be spoken about more, in my opinion.

The alerts are piling up, the business risk thermometer is about to pop and one of your key third parties just got breached. What can we do to steady the ship? How can we find that serene, zen-like “eye of the storm” when everything around us feels urgent?

A cartoon-style graphic depicts a cyber security professional as Atlas, bearing a glowing sphere of wires and code, symbolising the heavy burden of cyber risk and pressure, with a determined and hopeful tone.

Strategies to Prevent Burnout for Security Analysts and Engineers

To any Analyst or Engineer, here are some things you can do:

  • Be noisy about what you think are not productive uses of your time and what is too much. One example of this is the raft of Informational findings in Vulnerability Management or Attack Surface tools that look at the usage of specific TLS ciphers and don’t have any connection to any live exploitation (in one environment, these made up 43% of all attack surface findings!). Discuss these issues, challenge the status quo and commit to the outcome of that discussion.
  • Leave your ego at the door. I wanted to make an entire blog about this, but we’ll leave it to a bullet point. It’s genuinely great that you’ve got such a level of experience and skill, but there’s always going to be someone who knows more than you. Bringing your ego too heavily into the workplace is going to make you and your team less effective. It pays to be a bit humble, even if you do know more than everyone else in the room. This also helps you hopefully not suffer too badly from the “Atlas Problem” that you are probably feeling right now.
  • In almost opposite advice, for 90% of the people reading this: don’t worry too much about imposter syndrome. Experiment, read, gain assistance and prepare. It never goes away, trust me, but it gets quieter with time.

How Managers Can Support Their Teams

If you’re seeing signs of burnout or inefficiency in your team, it’s worth stepping back and asking: are we set up to succeed, or just survive? There are practical shifts you can make to reduce risk and support your team.

  • Look up at the board or budget holders. Do their communicated appetite for cyber security risk and their approach to budgeting and spend align with the reality of the decisions? Is their view of the organisation’s cyber security risk well-founded, or does it need discussion and perhaps some influence? Having these types of conversations is completely fundamental to how the team operates and what resources you have to work with.
  • Based upon the above – take a view as to how the controls actually align to these postures and overall risk management. Does burning half an FTE’s time on reviewing submitted phishing emails actually benefit the organisation, when you are struggling to keep on top of critical KEV-level vulnerabilities on your public-facing applications?
  • Set fundamental direction and connect your team’s work to the organisation’s overall objectives. Celebrate successes visibly.
  • Take a view of how well your team is documenting their processes, and how much time they are spending on knowledge sharing across the team. Set them SMART objectives and requirements on how much time is spent doing this.
  • Take a look at your own time. How much of your time is spent supporting your team, versus working outwards in the organisation? Set yourself a time-budget for how much you are working with your team.
  • Do you have human factors, such as over-work, over-reliance on key individuals and human error, on your risk register? If so, let’s get on top of this and manage this like we manage our more technical risks.
  • Out of the time sinks – how much of this is appropriate to turn back into technical controls or even outsource? With Wingman Vulnerability Management, we’ve been able to roll out patch management on Qualys VMDR, to reduce remediation effort by 70% internally.

Building Resilient Security Teams

If we want to build resilient teams, we must treat these issues with the same seriousness we give to patching a critical vulnerability. That means clearer processes, better tooling, and the space for our teams to do their best work. The winter months can be a difficult stretch, especially for those already feeling the weight of burnout or constant pressure. If that’s you, I hope this piece offers something useful to reflect on, or at least a reminder that these challenges are worth addressing head-on.