René-Sylvain Bédard exposes the leadership gaps fuelling cybersecurity burnout. From misplaced responsibility to executive blind spots, cyber teams are left overwhelmed and unheard. He argues for a shift in mindset, where L&D plays a vital role in awareness, resilience, and restoring balance for those defending us against constant digital threats.
In most organisations today, cybersecurity knowledge is overlooked in employee training, leaving both general staff and dedicated cyber teams overworked and exposed. Given that, and the steady rise in cyberattacks, is it any surprise that cyber teams are the ones facing burnout the most?
I have been in the Information Technology (IT) industry for over 30 years, and I have seen it over and over again. A situation occurs that raises awareness about cybersecurity, and I put a team in place to resolve that issue, usually a mix of internal staff and new hires: a band-aid solution.
Then the team starts making recommendations and taking its place in the company’s ecosystem. Some are adopted, while others are judged to have too much impact on the business or to require too much change management. In reality, this team is a small sub-group of the main IT team, often three or four levels removed from the executives. They get very little airtime with the executives they protect. Your most critical defenders are sitting in a basement, with very little attention. And even if they screamed, few people would hear them.
When responsibility gets lost in the handover
The worst executive approach I have witnessed over the years is delegative obfuscation. When training is overlooked or delegated inappropriately, critical knowledge gaps follow. It plays out like this:
[executive] ‘You’re the new intern in technology?’
[intern] ‘Yes sir, that’s me!’
[executive] ‘I need someone to take care of this cybersecurity everyone is talking about. I heard you are good with computers?’
[intern] ‘Well, I did have a course on computer security in my three-year program…’
[executive] ‘Perfect! You are now responsible for cybersecurity.’
And the worst part: the executives now consider the issue fixed. The checkbox has been ticked. We all understand that the issue has simply been swept under the rug. There is no way this creative, bright-eyed young intern will ever get any policy or process altered to be more secure.
My main concern with this type of delegation is that the executive seems to think that this problem is now solved. It is not. Furthermore, they somehow missed the most crucial point: that they are responsible in the end. Executives are fully accountable and are exposed to being sued by their staff, customers and suppliers, should the company’s environment be compromised.
Executive dirt protection program
The other issue is that executives get protected from dirt. And the larger the organisation, the more layers of filtering exist. Here is a real story: I met with an executive board that tasked me with an audit and intrusion-testing mission. As I presented, I informed them that there had been delays in the project because the team was regularly called in to deal with incidents that were happening on a regular basis.
They were shocked, one of them even told me: “That’s impossible, we never have any cyber incident…” They had eight the week before. And their staff were getting up in the middle of the night to resolve attacks so the business would be open as usual the next morning. The board had no idea.
Then there is voluntary blindness
Talk no evil, see no evil, hear no evil, so there is no evil. I can’t agree with that. The concern is simple: if you have deployed no sensors in your environment, and nobody is actively monitoring it, you cannot know whether you are being attacked.
No news does not mean good news. It simply means you are not paying attention. It also means you are not doing your job. Legally, if you are breached, you will be expected to prove that you did everything in your power to protect the data concerned. Did you? Can you prove it? Do you have logs, reports, or some kind of ledger that demonstrate you were watching? If you are blind, you are obviously not actively watching. Learning and development teams can play a pivotal role in breaking this cycle by designing programs that bring transparency to risks, educating executives on what they don’t know and what they need to know.
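An added example of what “watching” looks like in practice, in Python. This is illustration code written for this edit, not code from the article or from Indominus Managed Security. It assumes a hypothetical, constructed log format in which every sensor writes a heartbeat line at a known interval as well as its alerts, and a hypothetical sensor inventory; the sample log lines are constructed. It makes the point above concrete: a dashboard showing zero alerts from a sensor that has stopped reporting, or that was never deployed, is not good news, and the timestamped coverage-check lines are the kind of ledger that later shows someone was actually looking.

```python
"""Added example (not the article's own code): tell 'no alerts' apart from 'no visibility'.

Assumed log format (hypothetical, constructed for this example):
    <ISO-8601 timestamp> <sensor id> <heartbeat|alert> <detail>
Every sensor is expected to report at least every MAX_GAP. A sensor quiet for
longer than that is 'silent'; one that never reported at all has 'no coverage'.
Zero alerts from either of those means nothing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry; not real data.
SAMPLE_LOG = """\
2024-05-06T01:00:00Z edr-web01 heartbeat ok
2024-05-06T01:00:00Z fw-edge   heartbeat ok
2024-05-06T01:00:00Z edr-db01  heartbeat ok
2024-05-06T01:02:00Z fw-edge   alert     port_scan src=203.0.113.7
2024-05-06T01:05:00Z edr-web01 heartbeat ok
2024-05-06T01:05:00Z fw-edge   heartbeat ok
2024-05-06T01:07:12Z edr-web01 alert     suspicious_powershell user=svc_backup
"""

# Hypothetical inventory: the sensors the environment is supposed to have.
EXPECTED_SENSORS = ["edr-web01", "edr-db01", "fw-edge", "mail-gw"]
MAX_GAP = timedelta(minutes=6)  # assumed heartbeat interval plus some slack
CHECK_TIME = datetime(2024, 5, 6, 1, 10, tzinfo=timezone.utc)  # when the check runs


@dataclass
class Record:
    ts: datetime
    sensor: str
    kind: str      # "heartbeat" or "alert"
    detail: str


def parse_log(text):
    """Parse the assumed line format; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, kind, detail = line.split(maxsplit=3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append(Record(when, sensor, kind, detail))
    return records


def coverage_report(records, expected=EXPECTED_SENSORS, now=CHECK_TIME, max_gap=MAX_GAP):
    """Per expected sensor: last time it was heard from, alert count, and whether it
    is actually 'watching', has gone 'silent', or was never seen ('no coverage').
    Any record is a sign of life, so an alert also keeps a sensor 'watching'."""
    report = {}
    for sensor in expected:
        own = [r for r in records if r.sensor == sensor]
        alerts = sum(1 for r in own if r.kind == "alert")
        if not own:
            report[sensor] = {"last_seen": None, "alerts": 0, "status": "no coverage"}
            continue
        last_seen = max(r.ts for r in own)
        status = "silent" if now - last_seen > max_gap else "watching"
        report[sensor] = {"last_seen": last_seen.isoformat(), "alerts": alerts, "status": status}
    return report


def board_summary(report):
    """The numbers to put in front of the board: not only how many alerts fired,
    but how much of the estate was actually being watched when they did."""
    statuses = [v["status"] for v in report.values()]
    return {
        "sensors_expected": len(report),
        "watching": statuses.count("watching"),
        "silent": statuses.count("silent"),
        "no_coverage": statuses.count("no coverage"),
        "alerts": sum(v["alerts"] for v in report.values()),
        "blind_spots": sorted(s for s, v in report.items() if v["status"] != "watching"),
    }


def ledger_lines(report, now=CHECK_TIME):
    """One line per sensor, stamped with the time of the check itself: the kind of
    record that later shows someone was watching, and what they could not see."""
    stamp = now.isoformat()
    return [
        f"{stamp} coverage-check {s} status={v['status']} "
        f"last_seen={v['last_seen']} alerts={v['alerts']}"
        for s, v in report.items()
    ]


def run_check(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse, assess coverage, summarise."""
    report = coverage_report(parse_log(log_text))
    return report, board_summary(report)


if __name__ == "__main__":
    report, summary = run_check()
    for line in ledger_lines(report):
        print(line)
    print(summary)
```

On the constructed sample, two alerts fired, but only two of four expected sensors were actually watching at check time: edr-db01 went quiet ten minutes earlier and mail-gw never reported at all. A board that only hears “two alerts, both handled” is being protected from that dirt; the ledger lines are what you keep to show, later, that you knew.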
Where does your CISO sit?
If you have a fractional or a full-time Chief Information Security Officer, where do they sit in your hierarchy? Are they part of your board? Do they have any kind of organisational authority?
Here are some statistics that may be shocking but are grounded in reality:
- Between 80% and 91% of CISOs self-report high or severe stress levels
- 73% of US CISOs have experienced burnout in the past year alone
- 46% of global CISOs have been in their role for less than two years, showing high turnover
- 62% of CISOs cite “excessive expectations” from leadership as a top stressor, and 90% are concerned about the well-being of their security teams
- Over 8% of CISOs have considered leaving the profession entirely because of ongoing stress and mental health challenges
If you are tasked with making sure the ship does not sink, but you are given no tools or authority, there is very little you can do. Furthermore, once an incident occurs, everyone will point at you for answers. Know where your L&D leaders sit. Are they empowered to build cybersecurity awareness into onboarding and ongoing development programs?
There are many reasons for the burnout:
- Highly pressurised workloads
- High expectations
- Enormous responsibilities
- Rising numbers of cyberattacks, both in quantity and complexity
- Very little recognition from peers and executives
- Bad corporate reputation
- Long hours, very little space for disconnecting. After all, cybercriminals do not take vacations…
How can you make it better?
Here are a few tips to help support those who protect you:
- Educate yourself as a business leader and understand cybersecurity
- Make sure your executive team is on board with cybersecurity, and understand the necessity and implications
- Put in the proper channels so that information is reported to your executive team and your board, as they are also liable in the event of an incident
- Recognise your defenders, make sure they are properly protected, and make sure they have backup staff to cover for them, so they can safely disconnect and rest
- Put a program in place to make sure they have people they can talk to if and when they need to
I sincerely hope this can help you realise that those silent defenders are keeping your business alive; they need to be recognised and protected. For all your sakes.
René-Sylvain Bédard is founder of Indominus Managed Security and author of Secure by Design