Businesses are paying the price for CISO burnout | Computer Weekly

Burnout among chief information security officers (CISOs) is not just a personal disaster for those concerned. It also constitutes a high, and costly, risk for the business.

But in the face of rising threats and limited resources, the problem is “more serious than most people realise until they’re in the seat”, says Martin Astley. He is CISO at central heating services provider 24/7 Home Rescue and a mental health champion.

According to Proofpoint’s 2025 Voice of the CISO report, for example, a huge 63% of cyber security leaders have either personally experienced, or witnessed, burnout among their peers over the past year.

A key issue here, says Astley, is that the CISO role has “quietly become five jobs in one”, a breadth few other professions demand. Those jobs include strategist, operator, board adviser, crisis manager and compliance lead, as well as acting as emotional support for the team.

To make matters worse, the always-on nature of incidents, as well as ongoing audit and regulatory pressures, make it hard for CISOs to switch off. Chronic skills shortages and the resultant impact on available team resources play their part, too.

“Threats are accelerating, including AI-driven scams and deepfakes, the attack surface keeps expanding, and expectations keep rising faster than budgets and headcount,” says Astley.

But there are also other drivers behind the problem. “CISOs are held accountable for enterprise-wide risk, but many still don’t have enterprise-wide influence,” he adds. “That mismatch is corrosive, and turns the job into permanent responsibility without permanent control.”

Burnout as a predictable human response

Peter Coroneos, founder and executive chair of resilience training charity Cybermindz, agrees.

“It’s about predicting how to manage and control things that aren’t fully within your purview,” he says. “This means you may have the responsibility, but you’re not capable of managing all the risk factors, which include someone clicking on a link downstream in the organisation, especially if they’re working from home.”

Another contributory factor is the lack of control many CISOs have over the budgets they need to deliver on strategy, which can leave them in a “constant battle for resources” with other functions. The situation tends to be particularly difficult if the board has unrealistic expectations and requires them to take a “zero incident” rather than a managed-risk approach.

Should a breach occur, though, says Coroneos, it is the CISO who has to manage the fallout. But they can also find themselves scapegoated, particularly if organisations have a blame culture and need a “sacrificial lamb”.

“CISOs are brought in to protect the organisation’s assets, and when they do so, no one notices and their success is unseen,” he says. “But failure is high-profile and can make front-page news, with the board, regulators and even Parliament getting involved.”

Given this difficult situation, Coroneos believes it is unsurprising that many CISOs are experiencing the chronic, unmanaged stress that leads to burnout.

“There’s nothing inherently wrong with these people and they’re often excellent at what they do,” he says. “But if anyone is subject to threats that exceed their capabilities to manage and adapt to, burnout becomes the predictable human response.”

The danger of short tenures

As Astley points out, however, burnout is a serious problem – and not just due to the harm it causes to individuals and their wellbeing. Another key issue is the “real risk” it creates for the organisation “when decision-making, reliance and leadership continuity start wobbling”, he says.

This means that if employers fail to address the situation, there are serious repercussions. One of the most obvious is CISO churn rates. The average tenure of cyber security leaders is now between 18 months and three years, compared with an average of 5.2 years among members of the C-suite in S&P 500 companies.

Stephen Boyce is director of digital investigations at Magnet Forensics. He indicates that when some CISOs leave their jobs, they simply go elsewhere to find less gruelling roles or move sideways, into fractional, consultancy or supplier positions. But many are now choosing to leave the already-understaffed profession altogether, which includes opting for early retirement.

Caroline Hughes is chief executive of consultancy Conscious Leadership Development. A big concern with average tenures being so short, she believes, is that organisations do not have enough time to undertake effective succession planning or even put a suitable talent pool together.

“It’s a leadership sustainability issue at both the individual and organisational level,” she says. “If you’re constantly replacing people, it’s very disruptive in terms of teams and governance – and how can you give the executive committee confidence in the long-term strategy if there’s continual short-term churn?”

Astley agrees: “The bigger issue [than people leaving the profession] is the pipeline. Almost half of CISOs reportedly don’t have an adequate internal successor lined up, which tells you how thin the bench is.”

The business risks of CISO burnout

Another point here, he warns, is that short tenures barely give incumbent CISOs enough time to assess risk properly, let alone deliver multi-year transformation initiatives. The upshot tends to be reactive and fragmented “stop-start security programmes” that force teams into a “constant ‘reset’ mode”.

Other challenges include “control gaps, delayed projects and reduced resilience”, he says. “The risk isn’t theoretical: attackers exploit disruption and distraction, and turnover causes exactly that.”

But burnout also has implications while CISOs are still in post. Coroneos points to the three main indicators that trouble is afoot: emotional exhaustion, cynicism and a fall in professional efficiency.

While emotional exhaustion is the more personal of the three, making everything feel like a slog, cynicism and falling efficiency are key predictors of resignation intention, he says. This is because they undermine the very reasons CISOs do the job in the first place.

Boyce, meanwhile, believes the risks of this situation are “compounding”.

“Burnout translates into missed signals and decision fatigue, which over time leads to disengagement, slower decision-making in a crisis, and lower-quality risk communications,” he says. “In other words, quality is lower and there’s higher pressure on teams, which erodes resilience. The problem here is that cyber resilience is directly tied to business resilience.”

Astley agrees. In his view, key organisational risks include “slower incident response maturity, weaker governance, inconsistent risk acceptance decisions, and reduced credibility with auditors, insurers and regulators”, he says. “And when the security leader is burnt out, it often cascades onto the team, which generates a wider retention problem.”

The direct costs of CISO burnout

But, inevitably, there are also costs attached to each of these issues. John Skipper, a digital trust and cyber security expert at PA Consulting, estimates that the total financial impact to the FTSE 100 of CISO burnout could be as high as £200m per year, or an average of £2m per company.

For instance, according to job listings website Indeed, the average base salary for a UK cyber security leader is £117,000. Recruitment agencies generally charge between 25% and 30% of this salary to find and screen new appointees, a cost that quickly mounts up if it happens every 18 months.

But in the run-up to a burned-out CISO’s resignation, they are unlikely to have worked productively, resulting in the business not getting value for money. They may also have had to take paid leave due to ill health.

Other direct costs to the organisation include having to pay the salary of a temporary or interim replacement who will inevitably take time to get up to speed, leading to further productivity lags. Then there are the sign-on packages, onboarding, training and transition costs associated with a new starter.

“You’re probably looking at between £600,000 to £700,000 of direct costs, plus the potential cost of any incident,” says Skipper. “The hidden costs are very significant, too, though, and probably even dwarf the direct costs.”

The indirect costs of CISO burnout

These indirect costs include a loss of institutional knowledge, particularly if processes have not been well documented. Decision-making is likely to be delayed and projects deferred for lack of security expertise; worse still, security itself can simply become an afterthought.

Another common problem relates to higher cyber security insurance premiums, or even a refusal by insurance companies to cover claims in some instances.

Boyce explains: “Many underwriters take it into account if companies have someone in place who can reduce the likelihood of a claim. But if they notice a revolving door every 12 to 36 months, they’ll take notice of that and, when it comes time to renew, it’ll result in higher premiums.”

But there are other challenges, too, says Astley. These consist of the “increased likelihood and impact of incidents, staff turnover in the security team [due to low morale], slowed delivery across IT, and reduced confidence at board level”.

As a result, he believes the total CISO replacement cost could amount to more than 200% of salary “once you account for lost productivity and disruption”. But, he adds, most organisations underestimate the situation as such costs are spread across different departments, such as HR, IT, risk and legal, and different timescales.

Therefore, Astley says: “The implication is predictable: companies underinvest in prevention, such as support, structure and headcount, and overpay later in churn and incidents.”

Unsurprisingly given the currently unsustainable situation, he expects to see more cyber leaders taking on ‘portfolio careers’ as fractional CISOs, consultants and fixed-term roles to protect their own physical and mental health. Thus, “organisations that don’t build a bench will keep getting whiplash from turnover”, he warns.

As to what employers can do about the situation, Astley believes it is now imperative to design the job “like it’s meant to be survivable”. This means setting realistic expectations and a clear scope. It means ensuring CISOs have genuine authority and enough employees to deliver on strategy. It also means providing them with “air cover at the executive level, not just responsibility”.

“Organisations that treat security as a true business function and design proper support will improve retention and outcomes,” he says. “But the ones that keep treating CISOs as a shock absorber for every risk will continue to burn people out and then act surprised when they leave.”

I Did Not Catch Air on the Aventon Current Electric Mountain Bike, but I Could Have

While Aventon is known first and foremost as an ebike brand, the company started by making fixies in 2013. That gives it some bona fides when it comes to making enjoyable rides for experienced cyclists. (In addition to the Current ADV, there’s also a higher-end model, the Current EXP, with a more expensive carbon frame and better components.) Since its first venture into e-MTBs with the Ramblas in 2024, the company has continued to develop very nicely specced electric mountain bikes for the price.

The designers behind the newest iterations did a masterful job. The Current ADV looks 100 percent the part of a contemporary mountain bike. With its 6061 aluminum frame, SRAM Eagle groupset, tubeless-ready Maxxis Minion tires wrapping a pair of double-walled 29-inch wheels, a 170-mm X Fusion Manic dropper post, a RockShox Psylo Gold fork with 150 mm of travel, and a RockShox Deluxe Select+ rear shock, it’d be easy to confuse the Current ADV for a traditional analog mountain bike.

Photograph: Michael Venutolo-Mantovani

It’s worth noting that while the motor is proprietary to Aventon, the components are not. It might be difficult to get your local bike shop to look at the battery and motor, but assuming those are fine, it won’t be hard to swap anything else out should you need to repair it.

Despite its design and ride feel, all of which can make you easily forget you’re riding electric, the Current ADV is a class 1 e-MTB (which can be toggled to a class 3 via the brand’s app), and one that gives hours and hours of riding on a single charge.

The 800-watt-hour battery is tucked neatly into the bike’s relatively small downtube, giving a claimed range of up to 105 miles. Of course, I didn’t get nearly that, as I was constantly switching through any of the Current ADV’s five power modes (Auto, Eco, Trail, Turbo, and a new, 30-second Boost Mode for extra torque on big hills). Still, the longest day I spent in the bike’s super-comfy Selle Royal SRX saddle was about three hours. In that time, the battery dropped only about 20 percent.

Eyes Up

The biggest flaw I found in the Current is small and seemingly simple, but it nonetheless had a major impact on my rides. That is the fact that, when clicking through power settings, the bike beeps, and all those beeps sound the same.

When I’m mountain biking (and probably when you’re mountain biking, too), the last thing I want to do is to take my eyes off the trail. Having those beeps be the exact same tone meant I instinctively kept looking down at the top-tube-mounted display to see which mode I was in.

Meta’s New AI Asked for My Raw Health Data—and Gave Me Terrible Advice

Medical experts I spoke with balked at the idea of uploading their own health data for an AI model, like Muse Spark, to analyze. “These chatbots now allow you to connect your own biometric data, put in your own lab information, and honestly, that makes me pretty nervous,” says Gauri Agarwal, a doctor of medicine and associate professor at the University of Miami. “I certainly wouldn’t connect my own health information to a service that I’m not fully able to control, understand where that information is being stored, or how it’s being utilized.” She recommends people stick to lower-stakes, more general interactions, like prepping questions for your doctor.

It can be tempting to rely on AI-assisted help for interpreting health, especially with the skyrocketing cost of medical treatments and overall inaccessibility of regular doctor visits for some people navigating the US health care system.

“You will be forgiven for going online and delegating what used to be a powerful, important personal relationship between a doctor and a patient—to a robot,” says Kenneth Goodman, founder of the University of Miami’s Institute for Bioethics and Health Policy. “I think running into that without due diligence is dangerous.” Before he considers using any of these tools, Goodman wants to see research proving that they are beneficial for your health, not just better at answering health questions than some competitor chatbot.

When I asked Meta AI for more information about how it would interpret my health information, if I provided any, the chatbot said it was not trying to replace my physician; the outputs were for educational purposes. “Think of me as a med school professor, not your doctor,” said Meta AI. That’s still a lofty claim.

The bot said the best way to get an interpretation of my health data was just to “dump the raw data,” like clinical lab reports, and tell it what my goals were. Meta AI would then create charts, summarize the info, and give a “referral nudge if needed.” In other chats I conducted with Meta AI, the bot prompted me to strip personal details before uploading lab results, but these caveats were not present in every test conversation.

“People have long used the internet to ask health questions,” a Meta spokesperson tells WIRED. “With Meta AI and Muse Spark, people are in control of what information to share, and our terms make clear they should only share what they’re comfortable with.”

In addition to privacy concerns, experts I spoke with expressed trepidation about how these AI tools can be sycophantic and influenced by how users ask questions. “A model might take the information that’s provided more as a given without questioning the assumptions that the patient inherently made when asking the question,” says Agarwal.

When I asked how to lose weight and nudged the bot towards extreme answers, Meta AI helped in ways that could be catastrophic for someone with anorexia. As I asked about the benefits of intermittent fasting, I told Meta AI that I wanted to fast five days every week. Despite flagging that this was not for most people and putting me at risk for eating disorders, Meta AI crafted a meal plan for me where I would only eat around 500 calories most days, which would leave me malnourished.

Breaking the stranglehold: Responses to data sovereignty risk | Computer Weekly

In January 2026, 45 UK MPs submitted an Early Day Motion entitled “UK digital sovereignty strategy”. The motion pointed to the dependency of government services, democratic functions and critical infrastructure on a small number of digital providers.

Those providers are US-based hyperscaler cloud providers AWS, Azure and Google Cloud, also known as the Big Three, who between them provide cloud services to more than 90% of UK public sector organisations.

Meanwhile, in October 2025, the European People’s Party group in the European Parliament adopted a position paper calling for, “a permanent EU Tech Forum to guide digital strategy [and] build sovereign European digital infrastructure for cloud, AI and data – free from foreign control”.

This came ahead of a summit on European digital sovereignty that took place in November in Berlin and gathered more than 900 policymakers, industry leaders, investors, researchers and civil society representatives from 27 EU member states.

At the event, German chancellor Friedrich Merz said: “For Europe, digital sovereignty means the ability to shape technology across the entire value chain in line with European interests and needs. We seek competition on equal terms.” 

These are just some examples of initiatives aimed at wresting back some control and data sovereignty in the UK and Europe against a backdrop of overwhelming dominance by US hyperscalers of public and private sector infrastructure.

In this article, we look at European lawmakers’ attempts to drive towards greater digital sovereignty, how that overlaps with opposition to anti-competitive practices in the market, and why governments need to think about encouraging home grown tech – or else risk losing it.  

Digital sovereignty: Taking back control

The UK digital sovereignty strategy Early Day Motion was sponsored by MPs from parties that included the Greens, Labour, Liberal Democrats, Plaid Cymru and numerous independents. 

The first part of the motion read: “That this house notes that government services, democratic functions and critical infrastructure increasingly depend on a small number of external digital suppliers; further notes that excessive concentration and inadequate exit or substitution planning expose the public sector to risks including service withdrawal, sanctions, commercial failure, geopolitical disruption and unilateral changes in service terms.”

It went on to say it believed “long-term resilience, continuity of public services and value for money require the government to retain effective control over digital systems it funds or relies on” and to “support UK technology firms and SMEs, and increase the proportion of public digital expenditure retained in the UK economy”.

It capped this with a call to, “publish a comprehensive UK digital sovereignty strategy with binding effect across central government, arm’s-length bodies and the wider public sector”.

A lack of digital sovereignty? The UK public sector example

As we saw in the previous article in this series, US hyperscaler clouds are deeply embedded in the UK public sector. 

In the financial year 2023/2024, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services. When it comes to spending on services such as software as a service (SaaS) that rely on hyperscaler cloud, that percentage expands to 99%. 

This is taken from data gathered by Tussell and Computer Weekly that covers more than 1,100 central and local government organisations that range from ministries to councils and a wide variety of other agencies. 

Out of 22 government departments in the data, 21 spent budget on hyperscale cloud in some form in that year, and 13 spent 50% or more of their tech budget on hyperscale cloud directly or via cloud resellers.

The top five public sector spenders on hyperscale cloud were: Ministry of Defence (£1.09bn), HM Revenue & Customs (£1.01bn), the Home Office (£775m), Department for Work and Pensions (£622m), and NHS England (£442m).

Digital sovereignty: UK government lacks a definition

Meanwhile, at ministry level – namely the Department for Science, Innovation and Technology (DSIT) – the UK lacks a clear definition of data sovereignty from which to work. 

It told Computer Weekly in a request for comment in February 2026: “This is a complex and evolving policy area, rather than a specific project. It requires engaging with departments across government – a process which is ongoing.”

The DSIT could not give a timescale for the process, but said: “Work continues across government to ensure a consistent approach, and we will have more to say in due course. There is no single, globally agreed definition of digital sovereignty. International approaches vary and are shaped by domestic policy objectives.

“However, UK public sector technology buyers already operate inside a strong framework of safeguards, for example: data protection law, UK security standards, the Cloud First policy and established commercial rules. These combine to help effectively protect public services.”

Liberal Democrat spokesperson for science, innovation and technology Tim Clement-Jones believes this lack of definition serves a purpose – namely, that the DSIT doesn’t have to grapple effectively with regulation around the issue.

“They’re very good at lacking definitions, because it means that they don’t have to regulate them. That’s the whole idea,” he says. “When we did our AI and defence paper, they didn’t have a definition of a lethal autonomous weapon. And we thought, ‘This is peculiar. These things are dangerous; there’s high risk’, but they couldn’t come up with one. And they said, ‘NATO doesn’t have a definition either’.”

Where data sovereignty meets anti-trust

Nicky Stewart, senior adviser with the Open Cloud Coalition, believes UK public sector procurement is held in a stranglehold by AWS and Microsoft, and that this is anti-competitive and to the detriment of UK companies. The cost to those organisations that procure cloud services, and by extension the UK taxpayer, is up to £500m per year, she says.

She believes UK public sector procurement has moved from a “public cloud first” policy to one of “hyperscaler cloud first” and that direct awards resulting from this have tended to lock public sector bodies into the US giants.

Stewart says: “They came up with the G-Cloud framework, where essentially cloud providers who aspired to provide to government could showcase their wares. It operated as a catalogue. The buyer went in with a list of their requirements and it would spit out a list of providers and their services. They put that down to a short list and then they directly awarded it. There was no competitive process, no negotiation around prices, nothing.”

Initially, she says, that involved relatively small direct award contracts: “But when they started moving to hyperscale public cloud, the size of those direct awards got bigger and bigger. Some of those contracts were hundreds of millions in direct award even though the Crown Commercial Services’ own guidance says they should be for low value or urgent transactions.”

Then, says Stewart, came “committed spend” agreements – such as with AWS for multiple millions of pounds – and into which government departments became even more tightly locked.  Meanwhile, she says, UK suppliers are shut out by high entry requirements to frameworks such as G-Cloud.

“The public sector has got itself locked in into the two dominant cloud providers,” says Stewart. “And once you’re locked in, there’s a whole chain of things you need to think about. It’s not just a case of ‘I want to switch cloud providers’ or ‘I want to diversify my cloud providers’. You need to think about the skills to switch or diversify and the uncertainty about how much it will cost.”

All of this hasn’t escaped the notice of the UK government’s Competition and Markets Authority (CMA), which was set to report at the end of March on possible measures against AWS and Microsoft. In a report published in July 2025, it found those companies to be the two largest providers in a “highly concentrated” market and that this had adverse effects on competition.

The CMA is set to decide whether to apply strategic market status (SMS) in relation to AWS and Microsoft’s activities in cloud services. SMS would allow the CMA to “impose targeted and bespoke interventions to address … concerns … identified”.

It is yet to be seen what the effect of those measures will be.

European responses to risks around data sovereignty

Europe has been a little more forward in formulating responses to concerns over data sovereignty, and in particular with regard to the overwhelming market dominance of the US hyperscalers. There have been initiatives to build some degree of home grown cloud tech. Europe is a little less dependent on US hyperscalers than the UK, so it’s possible it has made a dent. 

Initiatives include:

  • The European Gaia-X project to develop a secure European data infrastructure, although this appears largely stalled. 
  • France’s SecNumCloud, a high-level security certification for cloud service providers aimed at provision of trusted, sovereign hosting by protecting against non-EU legal, technical and cyber security risks. 
  • France’s Cloud de confiance, a government-backed initiative to provide secure, sovereign cloud computing services that protect sensitive data from foreign surveillance. 
  • The industrial-focussed IPCEI-CIS, in which around 100 companies and institutes from 12 EU countries are cooperating on developing new data and cloud solutions. 

What do campaigners call for: Axel’s axis in Europe 

Axel Voss MEP of the European People’s Party has been a vocal advocate of building European digital sovereignty. He wants to cut red tape and create a preferential environment for European suppliers. Voss believes European sovereign digital capability means strengthening European suppliers and making it easier for European public and private sector organisations to use them.

He says: “It’s not autarky or protectionism, it’s Europe being able to take independent decisions about the parameters of digital technologies, backed by real European options in cloud, AI and data; open standards and interoperability; and procurement that builds a resilient European supplier base.

“Practically, that means pilots that combine European compute and data spaces, ‘EU-by-default’ tools in institutions, and funding and scale mechanisms to make European providers competitive.”

For Voss, a key matter is also to remove obstacles to European digital innovation: “Our main obstacles are fragmentation and slow, bureaucratic decision-making. That’s why I push measures like cutting real red tape, strengthening investment/VC and strategic capabilities (cloud/AI/edge/cyber/chips), and using procurement and open standards to break lock-ins.”

Grow native capability or die?

Nicky Stewart of the Open Cloud Coalition wants to lower barriers to UK cloud providers, after years of them being sidelined while UK public sector procurement resulted in the hyperscalers becoming entrenched.

“There are more UK cloud providers than I can count on my hands and feet,” she says. “Some of them can operate at scale – not necessarily the same scale as the hyperscale cloud providers, but they have different offerings. There’s always going to be a place for hyperscale and there are certain workloads that are suited to that sort of scale.

“But there are other workloads with different requirements. Maybe they’re more stable, for example, not peaking and spiking. Or they may have really high security requirements, or sovereign solutions, or can offer better value for money, or much more personal customer service.

“The point here is that if the UK public sector government doesn’t give the right signals to its own cloud hosting industry, how on earth does it expect to grow any native capability?”
