When work stress becomes a security risk
Cybersecurity is a stressful job. The professionals who work in this field are under enormous pressure to ward off attacks and keep their companies secure. But such stress can have serious consequences – for employees and in terms of security. What can companies do to address this?
April 2025, text Andreas Heer 4 min.
Cybersecurity is a must in today’s business world – and a stressful area in which to work. New regulations and forms of attack are constantly raising the stakes in cyber defence. The specialists who work in security operation centres (SOCs) are inundated with alerts. And when there’s a serious attack, they can’t simply finish up and close their laptop at 5 p.m. like in many other office jobs. After all, they are maintaining the security of their company, not putting the final touches to a PowerPoint presentation.
Cybersecurity: a stressful career
It’s not surprising, then, that many professionals want to break free from this stressful environment. In a survey conducted by Bitdefender, more than half said they were keen to find another job. And in a recent study by Tines, two-thirds of respondents complained of serious stress – a trend that is on the rise. The pressure is obvious at the very top as well: in the Nominet CISO report, more than 90% of CISOs indicated that they suffer from moderate or high stress.
There are many reasons for this situation:
- Constant monitoring of thousands of security alerts leads to alert fatigue and cognitive overload, where people are overwhelmed with more information or tasks than they can handle.
- When positions cannot be filled, the existing employees must divide the work amongst themselves. This, combined with the mental pressure, leads to a heavy workload.
- The scarcity or lack of resources means there is not the technical aids needed to automate parts of the work, improve cyber defence and reduce the burden on professionals.
- With the constantly changing threat landscape(opens in new tab), employees have to fit in continuous professional development – on top of all of their work. This also contributes to cognitive overload.
Work stress as a security risk
The consequences of this situation range from persistent stress to burnout. The threat to mental health poses a risk not only to the people themselves but also to their companies, as stressed and overburdened employees are more likely to make mistakes. In the worst case, this can lead to security alerts being overlooked and successful cyberattacks. Cybercriminals are also specifically taking advantage of this and using social engineering to target cybersecurity professionals, who usually have extensive access rights.
Marcus Beyer, Security Awareness Expert at Swisscom, therefore emphasises the need for mindfulness and psychological safety, especially amongst security specialists: ‘We all know that we’re more likely to make mistakes when we’re stressed.’ After all, the responsibilities in cybersecurity and the consequences of errors are more serious than in many other roles: ‘The pressure on professionals is enormous,’ says Beyer. ‘Management expect their company to be kept protected. The cybercriminals, meanwhile, don’t sleep and are constantly looking for new attack vectors.’
Resilience as an objective
Companies have to address these challenges, as good working conditions and motivated, healthy professionals are an important part of the puzzle when it comes to maintaining cyber defence and preventing breaches. Beyer therefore suggests developing targeted mindfulness programmes and psychological safety measures for cybersecurity employees: ‘When an organisation is stressed and tired, that’s a vector of attack.’
But mindfulness alone can’t solve everything. Managers and HR professionals need to create a psychologically safe environment in which employees are empowered to address mistakes, overload and stress. This requires a climate of trust. ‘Psychological safety also promotes cohesion and encourages innovation,’ says Beyer. ‘This is particularly important in the ever-changing field of cybersecurity.’
‘When it comes to physical and workplace safety, there are already appropriate, well-established methods and measures,’ Beyer continues. ‘But we need the equivalent for cybersecurity, where the risks are psychological rather than physical.’ This requires first of all an understanding of where the risks lie and what cybersecurity professionals need in the way of occupational healthcare.
A key term in this context is resilience, across several levels. Organisational resilience refers to an organisation’s ability to adapt to change and disruption. Psychological resilience, meanwhile, means a person’s ability to successfully adapt to (working) life.
Beyer emphasises that both individuals and organisations can learn to be more resilient. ‘For me, a fragile workplace is the result of a lack of psychological safety and mindfulness,’ he explains. ‘Mindfulness can help reduce stress and, with it, the likelihood of errors.’
Cyber resilience starts at the individual level
The psychological health of cybersecurity professionals is a decisive factor in the security of an organisation’s digital infrastructure. It’s therefore important that businesses take targeted measures to support employees’ mental well-being. Mindfulness and psychological safety play a key role here. As Marcus Beyer emphasises, ‘We need to focus much more on creating a mindful workplace so that people can cope with the pressures of cybersecurity. That’s the key to avoiding a fragile workforce.’
With the right organisational setup, companies can integrate daily mindfulness practices that support mental well-being, focused, mindful work, conscious decision-making and more. These are also applicable outside the world of cybersecurity and are often utilised there. It’s now time to deploy these for the benefit of cybersecurity specialists as well.