When we talk about cyber resilience, we tend to focus on technology, response times, and risk metrics. But there’s another cost — quieter, harder to quantify, and often ignored until it’s too late. It’s the human cost of defending against relentless attacks. 
 
Over the past few years, I’ve spoken with incident responders and CISOs who have carried the weight of major breaches — some public, some contained before they hit the headlines. What they describe isn’t just stress; it’s moral injury, sleep disruption, and the heavy sense that no amount of vigilance is ever enough. These are not isolated stories. They are warning signs of a systemic issue in our industry: the toll of constant readiness. 

Behind the Screens: The Emotional Reality of an Incident 

In the first hours of a live incident, everything sharpens. Alert tones. Slack channels. The hum of adrenaline. At that moment, stress can be useful — it focuses attention and heightens vigilance. But the same alertness that helps us respond quickly can, within minutes, start to erode the very cognitive functions we rely on most: working memory, decision flexibility, and communication. 
 
Research into stress and performance consistently finds an inverted-U pattern: moderate stress aids performance; too much and it collapses. Under extreme load, responders can fixate on a single hypothesis, communication narrows, and collaboration gives way to command-and-control behaviour. For junior responders, the fear is making a mistake; for leaders, it’s failing to coordinate under pressure.

The Leadership Burden: Accountability Without Recovery 

For CISOs, the stress profile is different but equally dangerous. It’s chronic, not acute. You live with accountability every day — to your board, regulators, customers, and the media. When something goes wrong, the sense of personal responsibility can feel overwhelming. I’ve heard senior leaders describe insomnia, strained relationships, and a lingering sense of guilt even after successful recovery. 
 
Nominet’s CISO stress research found that nearly 90% of CISOs experience moderate to high stress, with significant impacts on their health and home life. Other industry surveys echo this, showing burnout rates that would be considered unacceptable in any other safety-critical profession. Yet we rarely talk about it. 
 
This silence creates a dangerous loop: leaders under pressure model endurance rather than resilience, unintentionally teaching their teams that rest is weakness and constant availability is the price of competence. 

Why the System Itself Amplifies Stress 

Burnout in cyber teams isn’t about individual weakness — it’s a design flaw. 
The system rewards hyper-vigilance, punishes downtime, and leaves little room for structured recovery. Ambiguous authority, constant alerts, and after-hours collaboration all amplify the emotional load. Add to that the reputational risk of a public breach, and it’s no surprise that many CISOs describe feeling “always on alert.” 
 
Research from SOC ethnographies shows that even when technical containment succeeds, responders often carry residual anxiety — intrusive thoughts, disrupted sleep, avoidance of work cues. In ransomware cases, employees have reported PTSD-like symptoms months after the event. These are real psychological injuries emerging from a culture that normalises chronic stress as the cost of doing business. 

What Helps: Leadership That Protects Thinking Capacity 

So, what actually makes a difference? The evidence points to one consistent pattern: clarity, rehearsal, and psychological safety. 
 
Teams perform best when everyone knows their role, escalation criteria are rehearsed, and leaders frame the situation calmly, even when pressure peaks. It’s what high-reliability organisations in aviation and medicine have known for decades — deference to expertise and bounded plans protect both performance and people. 
 
As leaders, that means resisting the temptation to micromanage when the pressure ramps up. It means ensuring your most senior people coordinate rather than code, and that everyone has permission to pause for 60 seconds to breathe and reset. Micro-regulation routines — brief check-ins, rotation schedules, structured handovers — can stabilise attention and prevent cognitive drift. These are not luxuries; they’re operational necessities. 

Beyond the Incident: Recovery as Part of Readiness 

One of the most overlooked stages in incident response is recovery — not of systems, but of people. Too often, we move straight from “lessons learned” into the next sprint, skipping the human debrief. Yet post-incident decompression is critical. Peer-led debriefs (when properly supervised) help normalise emotional responses and spot those who need more support. Simple metrics — sleep disruption days, overtime hours, peer-support uptake — can sit alongside MTTR as part of a mature resilience dashboard. 
 
The message this sends is powerful: wellbeing is a performance metric, not an HR side quest. 

The CISO’s Dilemma: You Can’t Protect What You Don’t Acknowledge 

It’s uncomfortable to admit, but many CISOs operate in survival mode. 
You’re balancing regulatory pressure, limited budgets, and an always-evolving threat landscape. But the hidden cost of that constant vigilance is cognitive fatigue — a narrowing of perspective that can quietly degrade decision quality and innovation over time. 
 
If we want resilient systems, we need resilient minds leading them. That starts with acknowledging the human limits built into our own operating model. Rest and readiness are not opposites. They’re part of the same continuum. 

Final Thought 

Cybersecurity has always been a battle of wits — attacker versus defender. But the true contest is often internal: between our biology and the pressure we’re under. 
 
The next time you run a simulation or review a breach, ask not just what your team did, but what it cost them to do it. That’s where real resilience begins. 