The Hidden Cost of Digital Defense: Stress and Burnout in Cybersecurity

Cybersecurity burnout: why it’s so high and what we can do
The untold truth: cybersecurity professionals are burning out and it's going unacknowledged. Here's what we can do.

Recently, I sat down for a chat with Dr. Andrew Reeves to talk about one of the most interesting topics I’ve had on our TL;DR webinar series: the mental health of cybersecurity and IT professionals, the unsung guardians of our data, privacy, and organizational integrity.

Behind the myriad of firewalls and incident response plans lies a workforce increasingly pushed to its limits—they are truly fighting an invisible war where the rules constantly change, the enemy never sleeps, and victory is measured not in conquests but in disasters averted.

Trapped in a reactive cycle

“Putting out fires, don’t have time to solve issues, just praying that no additional issues come up and they don’t get a call at 3am.”

This sentiment is the daily reality for many cybersecurity professionals. Their work lives are characterized by a perpetual state of reaction—responding to threats that have already materialized rather than having the time and resources to build truly secure environments from the ground up.

What makes this particularly draining is the fundamental lack of control. Security teams are frequently tasked with securing products and systems they had no hand in designing. They’re expected to wrap impenetrable security around architectures that may have been built with convenience, not protection, as the priority.

The psychological toll of asymmetry

In cybersecurity, we face a profound asymmetry that creates unique psychological pressure:

Defenders have to succeed 100% of the time. Attackers only need to succeed once.

This imbalance creates a working environment where perfection isn’t just desired—it’s demanded. A single oversight or missed vulnerability can undo years of diligent work. Few other professions operate under such unforgiving mathematics.

Caught in the middle

For those in cybersecurity middle management, the stress compounds. They stand at the intersection of conflicting priorities:

  • Front-line teams needing more resources, tools, and support
  • Upper management demanding cost-cutting and efficiency
  • Users resisting security measures that slow down their workflows
  • The constant evolution of threats requiring continuous learning and adaptation

Many of today’s mid-level cybersecurity leaders entered the field when it was still developing, experiencing harsh environments and unreasonable expectations. Now in leadership positions, some overcorrect—shouldering too much responsibility themselves rather than delegating, afraid of subjecting their teams to the burnout they experienced.

The appreciation gap – where’s the love??

Perhaps most demoralizing is what many cybersecurity professionals describe as a “general lack of appreciation” for their work. Success in cybersecurity is largely invisible—attacks that never happened, data that wasn’t stolen, systems that weren’t compromised.

When security teams request implementing measures like multi-factor authentication, they often face organizational resistance and complaints about added friction. Yet when breaches occur, hindsight suddenly becomes 20/20, and the very same security measures that were resisted become obvious steps that “should have been taken.”

Changing the paradigm: Go from reactive to proactive

One bright spot emerging in the field is the shift toward more proactive approaches:

“Rather than waiting for the attacker to attack, set up traps. What if we proactively mess with them, try to learn something about them, slow them down and confuse them? Give them fake versions of what they’re after, so they think they have it when they actually have nonsense data.”

This approach of “taking the fight back to the attacker” represents more than just a tactical shift—it’s a psychological one that returns a sense of agency to defenders who have long felt they could only react to threats.

Building psychological safety

For cybersecurity teams to thrive, organizations must cultivate psychological safety—environments where professionals can admit mistakes, share vulnerabilities, and speak candidly about risks without fear of becoming scapegoats.

While many cybersecurity teams have developed this safety internally, they often feel they must be guarded when communicating with other departments or leadership. This creates silos exactly where transparency is most needed.

Organizations need a fundamental mindset shift: cyber attacks are not a matter of “if” but “when.” When this reality is accepted at all levels, blame becomes less relevant than learning and improvement.

The power of simulation and practice

One promising approach to both preparedness and stress reduction is the growing use of cybersecurity wargaming and simulations. These exercises bring together not just security teams but stakeholders from across the organization to practice responses to realistic attack scenarios.

Such simulations serve multiple purposes:

  • Testing processes and technologies under stress
  • Creating learning opportunities without real-world consequences
  • Building cross-functional relationships before they’re needed in a crisis
  • Demonstrating to executive leadership the challenges and complexities of cybersecurity

Looking forward

As we look to the future, several trends will intensify the pressure on cybersecurity teams:

  • Increasingly sophisticated nation-state attacks driven by geopolitical tensions
  • The dual nature of AI as both shield and weapon in the security landscape
  • The growing scale and complexity of the systems requiring protection
  • The challenge of establishing trust in complex systems built from components that can’t individually be fully trusted

A human conclusion

For all the technical challenges and evolving threats, we must remember that cybersecurity is ultimately a human discipline performed by people with human limitations. To put it simply, cybersecurity professionals don’t just need training—they need vacation days and a hug from time to time.

Organizations that recognize this truth—that behind every security policy, firewall rule, and incident response plan are human beings doing their best against impossible odds—will not only build stronger security postures but also sustain the people who make those defenses possible.

By changing how we talk about, support, and appreciate cybersecurity teams, we can help ensure that those tasked with protecting our digital assets aren’t sacrificing their wellbeing in the process.

Our N2W team gets it

At N2W, we understand all too well how IT teams are literally ‘taking one for the team’ at the expense of their mental health. Our daily conversations reveal this unspoken truth, and we see firsthand how our product single-handedly reduces the stress and complexity of backup operations. By being able to recover full production environments at a moment’s notice and running automatic and regular disaster recovery drills, IT teams are able to take back control, feel empowered and sleep soundly at night without dreading that 3am call.

Get your free N2W Trial for 30 days for seamless multicloud data protection, cost-effective long-term storage and rapid compliance.