13 Jun 2024

The risk of a thousand paper cuts – the human-centred problem seen with stress and burnout in cyber security

New report draws on survey data from Black Hat Europe attendees to outline this growing concern and what can be done to address it.

Using the analogy of what starts as a little inconvenience (a single papercut) then transforms into a significant wound (the cut never healed and more were added over time), MultiTeam Solutions and QA Consulting have published a report about an additional threat to organisations’ cyber resilience – the stress and burnout of their cyber security teams.

The ‘papercuts’ in this regard include things like trying to maintain constant alertness; handling false positives; repetitive tasks, keeping pace with the ever-evolving threat landscape; being regularly on call; no recognition for hard work and effort; the need to keep on top of and comply with new policies and regulations; and, of course, there are the breaches and attacks themselves.

Upon surveying 173 cyber security professionals at Black Hat Europe in December 2023, Stress & Burnout in Cybersecurity – The Risk of a Thousand Papercuts documents that although 52% of respondents to the survey saw themselves as being ‘quite resilient to stress’, this appeared to be resilience to ‘single papercuts’ because more than 50% of those same respondents expected to reach a point of burnout within the next year or sooner.

That expectation is often paired with a plan to leave their organisation; and this then has a knock-on effect on the stress levels of those they leave behind; plus, they carry their wounds to a new organisation. Consequently, stress and burnout are endemic across the cyber industry and the report states that this won’t change unless we better support cyber security professionals.

The good news is that 79% of the survey respondents said that they are at least somewhat comfortable sharing their burnout with their supervisors, and 81% said that their Senior Level Managers at least somewhat understand their stress. But they are often unequipped to support the social-emotional needs of their people and they’re likely under stress themselves.

So, what are the recommendations?

The report suggests that the response to address staff burnout must be incremental rather than radical and focus on 5 Impact Areas, prioritising the Area that’s already the strongest:

  1. Strengthening interpersonal connections built on authenticity.
  2. Replacing judgement with curiosity.
  3. Providing feedback with a supportive, growth mindset.
  4. Listening actively.
  5. Promoting supportive strategies in the workplace.

What can organisations do right now to heal and prevent stress and burnout?

techUK is proud to be a signatory of the Mental Health in Cyber Security (MHiCS) Charter; and we would encourage other organisations to sign up, too.

The MHiCS Charter was launched in response to rising stress levels in cyber security leaders due to the complex nature of their roles and the ever-evolving cyber threat landscape.

As a signatory, techUK has committed to raise awareness that the mental health and wellbeing of an organisation’s cyber security team is essential to maintaining that organisation’s overall cyber resilience.

To create a MHiCS Charter for your organisation and find out more, email [email protected]

You can also become part of the MHiCS community by joining the LinkedIn group here.

Download Stress & Burnout in Cybersecurity – The Risk of a Thousand Papercuts by here:

Report on Stress & Burnout in Cybersecurity


Come along to techUK’s FREE, open-to-all webinar on 20th June where our fantastic panelists will be exploring the impact of stressful work situations and environments on the mental health of cyber security professionals, and more broadly what this means for their employers’/organisations’ cyber resilience. Register to attend here.

Dan Patefield

Dan Patefield

Head of Cyber and National Security, techUK

Jill Broom

Jill Broom

Programme Manager, Cyber Security, techUK

Annie Collings

Annie Collings

Programme Manager, Cyber Security and Central Government, techUK