The Hidden Culture Crisis and Human Burden Undermining Cybersecurity Resilience

Jenai Marinkovic
Author: Jenai Marinkovic, President, Chairman of the Board - GRC for Intelligent Ecosystems Foundation
Date Published: 1 October 2024
Read Time: 9 minutes

The cybersecurity industry is facing a growing internal crisis that is not rooted in technology or external threats but in the culture underpinning our current workforce.

We have a culture in crisis.

A culture crisis occurs when a breakdown in values, behaviors and societal norms negatively impacts employee well-being and performance. This results in low morale, high turnover, lack of trust, disengagement and potentially even ethical lapses. Dropping levels of management support, poor communication, and empathy worsen the situation, leading to burnout, dissatisfaction and instability within the organization.

The ISACA State of Cybersecurity 2024 report focuses on these challenges. Four years after the pandemic, the cybersecurity industry is grappling with an internal crisis driven by mounting work stress, declining empathy and an aging workforce. A continued reduction in budgets exacerbates these challenges. 

Among the key data points:

  • Empathy decline: “Recent findings show that empathy as a leadership skill has dropped by two percentage points, with only 11% of organizations recognizing it as a critical soft skill.”
  • Work stress: “46% of cybersecurity professionals report high levels of work-related stress, and 81% attribute this to the increasingly complex threat landscape.”
  • Retention issues: “Changes in remote work options have resulted in higher attrition rates, with 32% of respondents citing this as a reason for considering leaving their jobs, up from 28% last year.”
  • Aging workforce: “34% of the cybersecurity workforce is now represented by GenX (ages 45-54), creating a growing leadership gap as senior professionals near retirement with limited succession planning.”

These stress-related factors have resulted in retention challenges, burnout and leadership gaps, and highlight a potential impact on the long-term resilience of the cybersecurity workforce.

The Empathy Gap: The Missing Piece in Cybersecurity Resilience

Cybersecurity thrives on technical innovation, but the human element is often forgotten.

Empathy is the capacity to understand and perceive the emotions of others, combined with the ability to put yourself in their shoes and consider what they may be experiencing or thinking. Empathy is essential in preventing burnout and helping teams withstand the relentless pressure to protect and defend an organization’s ecosystems against an ever-increasing onslaught of fast-moving, highly complex attacks.

The ISACA research reveals a concerning trend—empathy in leadership has declined slightly, with just 11% of organizations now viewing it as an essential soft skill.

While this drop may seem minor, its impact on workplace culture and employee well-being is profound.

As empathy wanes, burnout rises, with 66% of cybersecurity professionals feeling more stressed than five years ago. Why does this matter? 

Empathy allows leaders to notice when their teams are overwhelmed, offer emotional support, and prevent burnout before it becomes a crisis. Without it, stress management becomes purely operational —focused on immediate fixes rather than addressing the underlying emotional strain. The result? Unsustainable workloads, increased turnover, and a disconnected and unsupported workforce.

It’s not just about managing stress, either. The decline in empathy is closely linked to dissatisfaction over inflexible work policies and limited remote work options, which have been rising causes of employee attrition. 

Companies that cultivate emotionally intelligent leadership are better equipped to retain their talent, reduce burnout and create a culture of trust. The world rapidly adopts artificially intelligent systems into its technology and business processes, highlighting the need for human connection, trust and collaboration.

Ignoring the importance of empathy isn’t just a leadership failure—it’s a strategic risk. High stress levels drive disengagement, and critical mistakes are inevitable in underfunded, attention-starved teams, making it more challenging to stay ahead of increasingly complex threats.

Workplace Flexibility and the Coming Retention Crisis

At first glance, retention rates in cybersecurity seem stable, but beneath that surface lies a growing problem. Inflexible work policies and limited remote options are quietly causing dissatisfaction among professionals—an issue that could lead to a wave of attrition when economic conditions shift.

Many professionals stay in their roles not out of loyalty but necessity, a phenomenon known as the “Big Stay.” While this may create an illusion of stability, it is misleading.

Three in 10 (32%) cybersecurity professionals are considering leaving their jobs due to limited remote work options, up from 28% last year. Inflexible work policies, too, are on the rise as reasons for leaving, reaching 22%.

The real crisis will come when economic stability returns and professionals feel empowered to seek new opportunities.

Retention doesn’t equal satisfaction. Once the job market shifts, many professionals will look for more flexible environments. For organizations already struggling with skills shortages, the upcoming retention cliff will leave them unprepared to handle complex and sophisticated attacks.

The Complexity Crisis: How Modern Attacks Are Driving Burnout

Cybersecurity threats have evolved far beyond phishing schemes and malware. Today, professionals must manage nation-state attacks, sophisticated ransomware and threat actors wielding AI to scale their operations faster than human teams can respond. In this environment, professionals constantly analyze complex threat intelligence, adapt their strategies and manage an overwhelming flood of data.

Eight in 10 (81%) cybersecurity professionals cite the increasing complexity of attacks as a primary source of stress, and it’s not hard to understand why. The attack surface is expanding, and threats are becoming more targeted and precise, now driven by AI and machine learning. Security teams are no longer battling human attackers but sophisticated, AI-powered threats that can adapt and evolve faster than traditional defenses. Despite the critical importance of AI-driven security, only 26% of organizations believe that ML SecOps and LLM SecOps skills represent a critical skills gap.

Budget cuts further compound the issue, restricting access to the advanced technologies needed to protect against AI-assisted attacks. As a result, security professionals are left trying to defend their organizations without the tools that could help them stay ahead of increasingly complex, automated threats.

Defending against this level of sophistication demands more specialized knowledge, attention and pressure on teams to prevent a breach. Constantly being on high alert is no longer just mentally exhausting—it’s unsustainable.

The Burden of Unpredictability: A Catalyst for Cybersecurity’s Hidden Culture Crisis

In today’s cybersecurity environment, professionals are constantly confronted with increasingly complex and unpredictable threats. According to the ISACA report, the top three critical skills for 2024 are data protection (46%), identity and access management (45%), and incident response (44%). While these remain crucial, other essential skills, such as cloud computing, have decreased in importance by nine percentage points since 2022, now at 43%. This shift in focus suggests a changing landscape where priorities are shifting, but the demand for constant vigilance remains.

At the heart of this unpredictability lies the constant shift in critical skills and the lack of organizational focus on developing emerging technologies like AI-driven security. DevSecOps, another crucial skill for securing application development, has dropped sharply, falling eight percentage points to 28%. Threat hunting, a proactive approach to identifying potential breaches, has also declined to 26%. Meanwhile, newly emerging skills, such as ML SecOps and LLM SecOps, have only garnered 10% of focus, indicating that many organizations struggle to integrate AI-driven defense strategies into their operations.

The result? A workforce that is left overworked, underprepared and increasingly vulnerable to burnout. Cybersecurity professionals must manage evolving threats and adapt to shifting priorities with limited resources and training. Without clear leadership support and investment in long-term skills development, professionals are caught in reactive firefighting instead of strategic growth.

This constant pressure to adapt to new expectations, without the necessary training or resources, leads to frustration, disengagement and ultimately burnout—core symptoms of a culture in crisis.

Leadership Gaps and the Aging Workforce: A Looming Crisis

The cybersecurity industry is on the brink of a leadership vacuum. With 34% of the workforce now aged 45-54, the sector faces an imminent challenge as senior professionals approach retirement, yet 40% of organizations still report vacancies at the senior manager or director level. These figures suggest that, despite the experience at the top, organizations are not adequately preparing for the transition that will occur as these senior leaders retire.

Worryingly, executive-level cybersecurity vacancies remain high, currently at 28%, reflecting a slight improvement but still signaling a significant gap in leadership capacity. While some view this nominal decline as positive, it obscures the underlying issue: not enough emerging leaders are ready to take over these critical roles. Organizations are struggling to build a strong leadership pipeline, which is essential for maintaining stability in an increasingly complex threat environment.

These leadership vacancies tie directly into the broader culture crisis plaguing the industry. The absence of stable leadership contributes to a lack of clear vision and direction, leaving employees feeling unsupported and unsure of their professional growth. Without strong mentorship and career development opportunities, workers are more likely to disengage, fueling high-stress levels and dissatisfaction within cybersecurity teams.

As vacancies persist at the senior levels, mid-level professionals are often thrust into leadership roles without adequate preparation or support. This can lead to poor decision-making and erode team morale and organizational cohesion. The leadership gap is not just about filling roles—it’s about the lack of structured mentorship, succession planning and investment in long-term leadership development that’s causing a breakdown in organizational culture.

The high reliance on outside consultants (41%) also highlights the growing disconnect between leadership and their teams. As organizations increasingly depend on external expertise to fill these critical gaps, internal teams feel undervalued and unsupported. This reliance on temporary solutions only compounds the existing issues, weakening the overall workforce structure and increasing the risk of burnout and turnover.

Budget Cuts and Human Costs: A Growing Threat to Cybersecurity Resilience

As cyberattacks grow in sophistication and frequency, one would expect organizations to ramp up their cybersecurity investments. Surprisingly, the opposite is happening, as 44% of organizations report feeling underfunded despite the increasing complexity of attacks. This mismatch between rising threats and mostly stagnant or shrinking budgets puts enormous pressure on cybersecurity teams, leaving them overstretched and under-resourced.

The cost of budget cuts extends far beyond financial constraints—it takes a human toll. Cybersecurity professionals are expected to manage increasingly complex and evolving threats with fewer resources. This “do more with less” approach inevitably leads to burnout, increased workloads and higher turnover. When teams are spread too thin, the likelihood of mistakes—such as misconfiguring systems or overlooking critical vulnerabilities—rises significantly. In cybersecurity, every minute counts, and these mistakes can be catastrophic.

Ultimately, the actual cost of budget cuts isn’t just limited tools or technology—it’s the human cost of defending against evolving cyber threats with fewer and fewer resources. If organizations continue to underfund their cybersecurity efforts, they risk losing top talent and facing a weakened defense posture, leading to potentially devastating breaches.

Strengthening Cybersecurity Through Human-Centered Leadership

The cybersecurity industry is facing a critical moment where addressing the human side of the workforce is essential for long-term resilience. Declining empathy in leadership, rising work stress and inflexible work environments lead to burnout and push professionals to consider leaving the field entirely.

As 11% of professionals switch careers out of cybersecurity, this workplace culture crisis threatens the industry’s sustainability.

To reverse this trend, organizations must rethink their approach to leadership, prioritizing empathy, flexibility and support for their teams’ mental and emotional well-being. Leadership must evolve to recognize the mounting pressure professionals face in defending against increasingly complex threats. Building resilience means creating environments where professionals feel supported in their roles and as individuals.

The future of cybersecurity depends on more than technological advancements—it depends on how we care for the people behind the defenses. A human-centered approach will ensure long-term success in a rapidly evolving threat landscape.

Additional resources