We don’t talk about burnout in security until it’s too late. By then the late nights, the relentless incident churn and the unrelenting pressure to “be everywhere” have already taken their toll. Over the last few years I’ve watched the job of the CISO change from a well-scoped operational remit into an all-encompassing role that stretches across technology, legal, procurement, communications and the boardroom. That’s why so many security leaders are exhausted — and why replacing them with a number on LinkedIn won’t fix the underlying problem.
The problem isn’t soft skills
This isn’t about whether CISOs can tell a business story or learn boardroom shorthand. Many do, and they do it well. The real issue is that the role has been stretched: more responsibilities, more accountability, and more outcomes to own — while authority and the structural support to deliver them often haven’t grown at the same pace. Security now touches continuity, customer trust and regulatory regimes in ways it didn’t a decade ago. Yet a lot of security leaders still report into operational IT structures that constrain honest assessment and decisive action. The result is an impossible tension: asked to manage existential risk, but lacking the independent authority to prioritise it.
Why autonomy matters
You can put responsibility on a person’s shoulders, but unless you give them the matching authority to act, you’ve set them up to fail. Too many CISOs are accountable for business continuity yet still sit in chains of command that favour delivery and availability over pause-and-protect decisions. The structural conflict is obvious when a CISO must argue for slowing a release to patch critical vulnerabilities while their line manager, motivated by delivery metrics, pushes for speed. If security is truly a board-level concern, the CISO needs a direct conduit to the board or audit committee — not a daily filter through the operations hierarchy. That change in governance is not about ego; it’s about signal: it tells the organisation whether cybersecurity is a strategic function or merely a technical checklist.
AI isn’t the silver bullet
Every boardroom now asks: “Can’t AI fix this?” AI is an extraordinary tool — it speeds detection, helps triage and surfaces patterns faster than manual processes. But automation without context is a recipe for new headaches. AI can accelerate operations, but models don’t inherently understand business nuance, regulatory subtleties or proximity to a crown-jewel system. They don’t carry accountability; people do. Worse, AI introduces its own set of risks — prompt injection, model poisoning and data leakage — which demand governance and oversight. We must ask: if AI watches the security stack, then who watches the AI?
There’s another less obvious impact: by automating more junior, routine work without pairing it with purposeful learning, organisations risk hollowing out the talent pipeline. Junior analysts are not expendable widgets — they are the future senior leaders. Automation should elevate them by handling tedium and amplifying learning, not erase the on-ramps to experience. If we substitute machines for apprenticeship, we fix immediate resourcing but starve the next generation of the domain knowledge and judgement that made yesterday’s CISOs effective.
Once the CISO’s remit was fairly focused: guard the perimeter, patch systems, and keep auditors satisfied. Those halcyon days are gone. Today, CISOs steward regulatory alignment, third-party risk, crisis communications, customer confidence and board education — they are the architects of resilience. The title Chief Information Security Officer no longer captures that reality. Whether we call the evolved role “Chief Resilience Officer” or something else, the point matters: the name signals a mandate. It tells the business that the role is about continuity, trust and long-term stability, not simply the management of tools.
Practical steps: how organisations can stop burning out their leaders
If the problem is structural and operational, then the solution must be equally systemic. Here are practical changes that organisations can make now:
- Give matching authority to responsibility. If the CISO is accountable for business continuity, the role must be empowered in governance: direct board access, an independent budgetary voice or a dotted line to the audit committee all help.
- Reduce surprise: continuous visibility. A big source of burnout is constant firefighting for unknowns. Continuous external discovery and supplier mapping reduce the unknown, giving teams a reliable, up-to-date picture to work from instead of endless detective work.
- Prioritise by business impact, not volume. Move from volume-based triage to proximity-and-impact driven remediation. Fix what endangers revenue, regulated services or sensitive customer data, rather than chasing every alert with equal intensity.
- Automate thoughtfully, and upskill relentlessly. Use automation to remove repetitive toil, but embed learning and career development into automated workflows so junior staff see how decisions are made and grow into judgement-based roles.
- Align procurement and GRC with security. Treat third-party risk as a shared business process, not a security afterthought. Procurement should enforce security attestations; GRC should codify supplier responsibilities; security should have a definitive seat at the table.
- Change the narrative around metrics. Give CISOs a concise set of board-level KPIs that reflect business risk — these should measure exposure, not just patch velocity or alert counts. This enables security leaders to brief, not to justify every incident.
- Protect the people. Real leadership includes realistic SLAs, decompression time after incidents, and mental-health support. Retention is as much about humane workplace design as competitive pay.
Burnout is an operational problem, not solely a people one
Too often we treat burnout as an individual failing or HR issue. In reality it is the consequence of organisational choices about scope, authority, structure and tooling. If we want to keep the leaders we need, we must stop loading them with impossible expectations and start giving them the tools, authority and environment to succeed. That means better governance, better signals, better prioritisation, and an honest approach to how we automate and grow talent.
At ThingsRecon, we believe part of the answer is clearer, continuous discovery aligned with business impact. But tools alone won’t do it — we need to rethink governance and empower CISOs to make decisions that protect the business, not just the network. If organisations get this right, we won’t just keep experienced CISOs in post; we’ll create the conditions under which they can lead without burning out.