Soften your language
As somebody who has spent a non-trivial amount of time in conflict environments from Afghanistan to Iraq, it’s difficult to shake the battlefield speak. But addressing your mental health often starts with changing the way you think and speak. Words like “cyber warfare,” “cyber espionage,” and “firefighting” are deeply ingrained and pervasive in security professionals’ day-to-day vocabulary. But not everything is a code red or requires a state of hypervigilance, Scotto argues.
Instead, CISOs have the opportunity to re-prioritize what’s most important and model a sense of perspective for their teams. That means using language that reflects the importance of their job while steering clear of battle metaphors that might invoke anxiety or other negative emotions.
“Cyber security is often described in military terms,” Scotto said. “I don't think we have to amplify a sense of urgency all the time. Certainly during an attack, but on a normal day, we don't need to be amping up the negative energy. Our language should be measured and not as staccato or aggressive.”
Communicate often to generate partnership
Much of CISOs’ added stress isn’t attributable solely to an increasingly sophisticated threat landscape, although that is a big factor. Global compliance mandates place new complexities and new pressures on CISOs as they narrow incident reporting windows to days or even just hours after detection. When an incident does occur, CISOs face consequences ranging from intensified board and media scrutiny and job loss to steep fines and severe legal penalties in worst-case scenarios.
The result is that CISOs and their teams can sometimes be pushed into a CYA mentality or default to a defensive posture when faced with scrutiny or questioning from their own teams, business partners, or the board. This air of “you couldn’t possibly understand, so stop bothering me” can backfire when CISOs need to enlist a ‘whole of organization’ approach to incidents, which requires a trusting, constant flow of information across parties that do not work together day-to-day.
The antidote is to communicate regularly to boards and fellow leaders, which not only keeps them informed about the status of the security environment but also opens the door for partnership when addressing some of the most daunting issues.
“It's really about ensuring there are no surprises communicating up and making sure that we have all of the resources that we're going to need,” said Scotto.
Model transparency and openness
While security professionals might be struggling with being on high alert with little respite, it can be difficult to get them to talk about it and open up about their experiences. In fact, the stigma around mental health often prevents security professionals dealing with an issue from telling their managers or seeking the help they need.
That’s where CISOs can step in to help. Sullivan says that CISOs have the ability to model transparency and openness from the top down. In addition to being openly communicative, they can also encourage their team members to talk about what is bothering them or what keeps them up at night.
“I think that we can create better awareness around mental health and make sure that we as leaders create that culture. Just being there to listen and creating an outlet is enough for people to feel like they can get concerns off their shoulders and move forward.”
Not only does talking about mental health create a safe space and help team members navigate their challenges, it increases awareness throughout the team, creating a foundation for addressing the problems and finding solutions.
“As we see high levels of burnout and stress, we can start to acknowledge and specifically address those concerns and pull back on the reasons those people get overwhelmed,” Sullivan said.
Put your people on shifts
One of the simplest yet most effective ways to support mental health during incidents is implementing shift rotations. A reactive approach—waiting until the team is already burned out—can exacerbate the stress and anxiety. Instead, as soon as you identify a potential incident, assign shifts to ensure no one is on call or working for extended periods without breaks, including yourself as the CISO.
By dividing the workload early, you create a sustainable response environment, preventing burnout while maintaining operational efficiency.
Encourage your team’s daily self-care
For CISOs and their teams, stress is a daily reality and will likely not disappear anytime soon. That’s why it’s increasingly important for CISOs to ensure that their team members are focused on their mental well-being and practicing self-care.
For example, Sullivan says that his organization’s incident response plans include addressing the mental health of the team following an incident. But it also can be something as simple as ending meetings 10 minutes before the hour, encouraging team members to take their vacation days, taking breaks, or creating a ‘no meeting Friday’ policy.
Scotto encourages her teams to take time that is just for them. “If that means working out or walking the dog, or gardening, or listening to music, whatever they do, it should be something that is not cyber security related to fill your tank.”
To learn more about how security leaders are responding to regulatory pressures, the rise of sophisticated threats, and mental health issues on their teams, download the Splunk 2024 State of Security report and Splunk’s CISO Report.