Let’s cut the usual cybersecurity bullshit about tech for a minute. Forget the zero-trust frameworks, the AI-powered threat detection, all of it. Let’s talk about the people. The ones pulling the insane hours, living under constant pressure, the ones treated like disposable cogs in the machine until they shatter.
I wrote about the sleep-deprived sysadmin before, trying to capture what that life feels like – the exhaustion, the mistakes, the slow grind. Back then, it was more gut feeling, observation, and lived experience. Now? Now we have cold, hard data from Forrester confirming it’s not just a feeling – it’s an epidemic. And honestly, the numbers (presented by Madelein van der Hout, more in Dutch here) suggest the problem is even larger and more damaging than I might have guessed.
This isn’t just an abstract issue anymore. It has names, faces, and devastating consequences.
The Epidemic Isn’t Silent: These Numbers Should Be a Wake-Up Call#
Forrester calls it a ‘silent epidemic’. Maybe from a distance. Up close, it’s a screaming siren. Look at these numbers – they quantify the reality many of us live:
- 66% of security team members report significant stress. Two out of three colleagues likely struggling.
- 51% have needed medication for their mental health. Half! Half the defenders medicated just to cope.
- 19% downing more than three drinks a day. A desperate attempt to numb the pressure.
These numbers quantify the reality I described in that earlier post. They represent real human suffering. And that sysadmin I wrote about? Yeah, that wasn’t some hypothetical colleague. That was me. That was years of running on fumes, caffeine, and sheer adrenaline, pushing myself past every reasonable limit for the job, for the mission, for the country. Believing the ‘hero’ bullshit – the kind that makes you think sacrificing everything for high-stakes projects like building the Dutch national COVID-19 QR code system for the RIVM (our public health institute – essentially the digital ‘COVID pass’) is noble – ignoring the warning signs, until my body just… broke.
And let’s be fair here, it wasn’t always external pressure alone. My manager and management in general, did try. They often said things like “learn to be assertive,” “look after yourself,” “don’t burn yourself out.” And they meant it, I believe. But it’s complicated, isn’t it? There’s loyalty. You see your colleagues drowning, struggling to keep up, and you feel you can’t let them down. You push on, partly for them. And at the same time, the very managers advising self-care are also stakeholders. They have their own pressures, deadlines, and needs, applying pressure themselves, sometimes unknowingly, sometimes because they’re caught in the same system. It’s a constant push and pull. So, caught in that bind between advice, loyalty, and project demands, I pushed on.
The bill always comes due. Right now, as I write this, I’m fighting my way back from heart failure. I’m dealing with the chronic pain of Tietze’s syndrome. Doctors are looking at fibromyalgia. This is the long-term cost of giving everything, of grinding myself into dust because the culture demanded it, loyalty compelled it, and I let it happen. I am, quite literally, fucked because of this. So when I see these Forrester numbers, I don’t just see data points confirming my warnings; I see the roadmap that led me here, magnified to an industry-wide scale.
It’s Not Just Personal – It’s Sabotaging Our Security (And Our Lives)#
The fact that this industry consumes people like this should be enough. But let’s talk security impact, because maybe that’ll get through. This burnout isn’t just destroying lives; it’s actively undermining our defenses, just as I warned before, but now confirmed by data.
The WHO warns about stroke risk. Forrester finds 64% admit stress tanks their productivity. And trust me, when you’re running on empty – the state these numbers prove is rampant – judgment goes out the window. Reaction times plummet. You will make mistakes.
- You’ll miss the subtle log entry.
- You’ll fat-finger the firewall rule.
- You’ll freeze during an incident because your brain is fried.
- You’ll click the damn link because you’re too exhausted to think straight.
I know this because I’ve been there, operating in that fog. It’s not incompetence; it’s the inevitable consequence of treating humans like machines with infinite uptime. It’s a massive, unacknowledged security risk fueled by systemic neglect.
So, What the Hell Do We Do? Enough Platitudes, Time for Action.#
Okay, the situation is dire. The data confirms the warnings, and my story is just one extreme example of the human cost. Complaining changes nothing. We need real, tangible action, not corporate wellness fluff. The solutions remain largely the same, but the urgency is amplified:
- Spotting the Signs (Before It’s Too Late): And I mean really seeing people. Not just asking “How are you?” but creating a culture where someone can actually say “I’m drowning” without fear. Recognizing that chronic exhaustion isn’t a badge of honor, it’s a warning light.
- Real Recovery, Not Pizza Parties: People need manageable workloads. Realistic expectations. Actual downtime – mandatory leave that’s enforced, disconnection from work. Psychological safety. This requires leadership to value sustainable performance over short-term heroics that lead to long-term breakdown.
- Protecting People Like They Matter (Because They Do): Stop the “most valuable asset” lip service. Prove it. Invest in well-being. Set boundaries. Push back against insane demands. The cost of burning someone out – the loss of knowledge, the impact on morale, the potential for catastrophic errors, the human cost – is far greater than investing in preventing it. Don’t let others end up like me.
My Take: This Isn’t Optional. It’s Life or Death.#
Let’s be brutally clear. Burnout in cybersecurity isn’t an individual failing. It’s a feature, not a bug, of a system often built on unrealistic expectations, chronic understaffing, poor leadership, and a culture that eats its own. The new data confirms it’s widespread, and my ongoing health battle underscores the devastating consequences. It’s actively weakening our defenses by destroying the defenders.
For me, this isn’t theoretical anymore. Prioritizing well-being isn’t ‘soft skills’; it’s fundamental. It’s about preventing others from paying the price I’m paying. It’s mission-critical, not just for security, but for the lives involved.
We have to demand better. For ourselves, for our colleagues, for the future of this field. We need to build cultures where people can have a career and a life, not choose between them. Because the human cost is real, it’s devastating, and I am living proof. Don’t let it happen to you or your team.