Login
iscover
Aaron Bugal, Field CISO APJ at SophosShare this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Once perceived as a nice-to-have, cyber security is now recognised as an important business function.
The onslaught of cyber attacks in recent years means organisations have increased hiring, invested more in tools, and built new strategies. However, much like any department, for cyber security to thrive – and especially its employees– it must continue to be nurtured and addressed.
Evolving cyber attack tactics, emerging technologies, and shifting regulations have all placed mounting pressures on IT and cyber security teams. We are truly at a point where there are no days off for cyber security – and that means no days off for cyber professionals. This, of course, isn’t sustainable.
Businesses must consider how they are supporting their cyber employees, or else they risk burning out their teams and losing them. Concerningly, a burnt-out cyber security team isn’t just a people issue; it’s a severe business risk for the entire organisation.
Burnout booms for cyber professionals
Cyber burnout is not a growing issue; it’s an established organisational problem. Sophos’ Future of Cybersecurity in APJ 2025 report found that 58 per cent of Australian cyber professionals occasionally feel burnt out (a positive trend down from 69 per cent in 2024). However, more worryingly, one in five (20 per cent) cyber professionals frequently feel burnt out, up from 17 per cent in 2024.
The most common contributors to Australian cyber professionals experiencing burnout are increased threat activity, a lack of budget, and a lack of resources to support cyber security activities. It is worth noting that a lack of budget has caused the same amount of burnout as the threats themselves, an outlier for Australia compared to the Asia-Pacific region.
Burnout for Australian cyber professionals from budget is understandable, as only 15 per cent of cyber security budgets increased by 10 per cent or more last year, well under the APAC average of 24 per cent. In fact, more budgets didn’t increase at all, as one in five (20 per cent) of Australian cyber security budgets stayed the same or decreased (compared to only 14 per cent for APAC). This lack of support stems from common frustrations, as executives assume cyber security is easy and concerns are over-exaggerated, ranked in the top three for Australian cyber professionals.
This pressure has inevitably hurt cyber security and IT teams’ productivity, and Sophos’ Future of Cybersecurity in APJ report found Australian cyber professionals have lost close to five hours of productivity due to stress and burnout. Dangerously, this has a ripple effect on the safety of businesses.
Weak support creates weak security
When the work of cyber teams slows, the entire organisation’s cyber security weakens. Sophos’ Future of Cybersecurity in APJ report uncovered that the top three impacts of cyber professional burnout included a weakened cyber security stance, slower incident response time, and the threat of being breached. Across APAC, 31 per cent of organisations experienced a breach as a result of burnout – an alarming number.
While burnout provides immediate impact on cyber security, it also opens the door to longer-living challenges for organisations. The report noted burnout spiked cyber professionals’ cynicism, detachment, and apathy towards cyber security, and was the cause of 32 per cent of resignations.
If a cyber professional were to resign without a planned replacement, it only widens the gap left for cyber threats to get in, as remaining cyber security teams are expected to plug the hole while still looking after their own responsibilities. This creates a potential cycle of burnout and resignations – and even breaches. Evidently, cyber burnout is not something that can be ignored, and organisations must consider whether they are adequately supporting their cyber security teams.
How to address the cyber stress
If organisations are serious about reducing cyber burnout, they must move beyond lip service and implement tangible, lasting change. Cyber professionals cannot be expected to carry the weight of constant threats without adequate support, yet too often their concerns are ignored, budgets are tightened, and resources fall short.
Businesses need to take deliberate action: invest in counselling (something Sophos’s Future of Cybersecurity in APJ report uncovered 31 per cent of organisations are still not doing) and mental health programs, provide safe spaces for employees to raise concerns, and make cyber security a collective responsibility by educating the entire workforce on proper cyber hygiene.
Equally important is ensuring investment matches the scale of the threat – which means funding teams properly, leveraging automation tools to take pressure off staff, and engaging third-party specialists to share the load when required. If organisations don’t adequately address cyber security, it invites a dangerous cycle of stress, resignations, and weakened defences.
Be the first to hear the latest developments in the cyber industry.
