
Preventing CISO Burnout: The Impact of AI on Cybersecurity Leadership

TechTarget

Let's face it, no one talks about burnout in cybersecurity until it's already too late. The pressure on CISOs and security leaders has been quietly mounting for years: late nights, a growing number of incidents, shrinking budgets, an ever-changing landscape of regulations and threats, and the constant expectation to be everywhere and across everything. They are essentially tasked with playing whack-a-mole, but with moles that can breach systems, exfiltrate or steal valuable data and hold it to ransom, all while trying to translate the chaos for a boardroom that is pressed for time and even harder pressed for attention or budget. And when the inevitable breach or cyber incident does occur, the CISO is the one left holding the hammer.

To be clear, this isn't a soft-skills issue. It's not that CISOs or security teams can't keep up, lack the ability to speak the language of the boardroom, or that today's security leaders haven't perfected the skill of talking like business people. It is that the CISO and security leader role has been stretched as they become accountable and responsible for ever more assets, processes and capabilities critical to business operations. The more critical cybersecurity becomes to business continuity, customer trust and regulatory compliance, the more the CISO role is morphed beyond recognition, and we're approaching breaking point. According to one study, almost a third of CISOs say stress is adversely affecting their performance, and the average tenure of a CISO is now just over two years (26 months). Unless something changes, not just at the individual level but across the entire security ecosystem, we're going to keep losing the very leaders we rely on most, whose experience and capabilities have been built over decades of ensuring that security enables the business.

If, like me, you sit in enough board meetings, you'll hear the same question emerge again and again: can't AI solve this? It's a tempting idea, and it is true that AI can be a very valuable tool in the security leader's toolbox. With the right tooling, the right model and the right automation pipeline, we can take some of the pressure off by automating at a scale and pace never seen before. But it is only part of the solution. Sure, AI can accelerate detection, streamline triage and surface patterns faster than most analysts, but does it understand nuance, context, proximity and business value? Can it carry accountability, and can it take control when things go off script, or adapt when the business's needs change? At best, AI is an assistant. At worst, it's a new attack surface we've barely begun to understand. Prompt injection, model poisoning and data leakage are just some of the threats outlined in OWASP's 2025 top ten risks and mitigations. So, if AI is watching your security, who's watching the watcher?

What's more concerning is what this narrative does to the talent pipeline. As we automate more of the entry-level work, we risk eroding the very foundation we need to grow the next generation of cyber professionals. Junior analysts aren't just headcount; they're future CISOs in training. When they're replaced by automation rather than upskilled alongside it, we're solving today's resourcing problem at the cost of tomorrow's leadership. And the cycle of burnout continues. Innovation in AI is something to be taken seriously, but we need to be clear-eyed about what it can and can't fix. Over my career I have learned that my key asset is the talent within my team, and that focus is needed on how you recruit, select, nurture and promote your people so they can succeed in their roles. That brings quality, loyalty and exceptional customer-focused service.

There was a time when the CISO's remit was fairly well defined: keep the bad actors out, keep the systems patched and keep the auditors happy. Halcyon days for many CISOs. Today, the role spans everything from regulatory alignment and third-party risk to crisis comms, customer reassurance and boardroom education. CISOs aren't just guarding against threats. They're handling the fallout, preserving reputations and juggling increasingly high expectations, managing budgets, solving technical debt and telling business-aligned stories. In many cases, they're also the face of resilience for the business. So, is "Chief Information Security Officer" even still fit for purpose? If the responsibilities have outgrown the original mandate, maybe it's time the role evolved too. "Chief Resilience Officer" might not roll off the tongue, but it's closer to reality, and it signals something the business needs to hear: that security is about continuity, trust and long-term stability, not just tools and tech.

You can give someone the responsibility, but if you don't give them the authority to match, it's not leadership, it's liability. That's exactly the position many CISOs find themselves in in 2025. They are tasked with protecting the organisation from existential risk, yet still report into IT leadership structures that weren't designed for independence, oversight or challenge. When the CISO reports to the CIO, there is often a built-in conflict of interest: the person responsible for securing the infrastructure answers to the person responsible for delivering and optimising it. The CIO may, intentionally or not, prioritise functionality, availability and performance, while the CISO may need to slow things down to patch vulnerabilities, harden systems or push back on risky deployments. If the CISO lacks independence, security decisions may be overridden, downplayed or outright deprioritised in favour of delivery timelines or budget goals.

This isn't a clash of egos, though; it's about governance. Reporting lines shape how risk is prioritised, how budgets are allocated, and how candid a CISO can be when something needs to be said. If security is genuinely a board-level concern, which it should be, then the CISO needs a line into the board, or at least the audit committee, that isn't filtered through operational layers.

There's a broader cultural implication, too. When CISOs are treated as subordinates to IT, it sends a message that cybersecurity is a technical function rather than a strategic, business-aligned one. And that message filters down fast into hiring, funding decisions and how incidents are handled when the pressure rises. If organisations want security leaders to act as business enablers and crisis navigators, they need to stop placing them in a structure that ties their hands and instead let them lead the business in times of crisis, growth or significant change. Elevating and celebrating individuals is essential, but building a system designed to let them succeed rather than hold them back is what will retain future leaders, both in an organisation and in the industry as a whole. Most importantly, they will maintain good mental health in a place where they feel supported and valued.

Tim Grieveson, CSO at ThingsRecon
