Apr 28 2025

RSAC 2025: How to Reduce Burnout Among Cybersecurity Employees

The profession is understaffed, overworked and prone to high turnover. Here are some ideas to keep your team engaged.

For virtually its entire existence, the cybersecurity profession has confronted two big challenges: a critical shortage of well-trained professionals, and significant burnout among those working in the field.

Each problem reinforces the other. The shortage of cyberdefenders means those in the business have fewer colleagues and less help, and that in turn increases burnout. At the same time, “it’s hard to get people into an industry where you’re going to have to throw that work-life balance out the window,” said Emy Dunfee, director of security and incident management at FirstBank, a regional institution with branches in Colorado and Arizona.

Speaking at RSAC Conference 2025 — the annual gathering of cybersecurity experts, business and technology leaders, government officials, journalists, analysts and others that runs until May 1 in San Francisco — Dunfee and FirstBank’s CISO, Brenden Smith, offered their advice on how to reduce burnout among security staff, along with some war stories from the trenches.


Reduce Cyberdefender Burnout With Extra Time Off

It’s important for leaders to signal to their teams in concrete ways that they understand the challenges they face, and they want to help, Dunfee and Smith said. That’s especially true in cybersecurity, where frontline employees might receive a midnight text about an incident in progress that gets them out of bed and onto their computers, where they’ll spend the rest of the night responding to the threat.

Such was the case late Sunday into Monday for some members of FirstBank’s security team, Dunfee said.

When situations like that arise, Dunfee said, affected workers can take some time off shortly afterward through “flex time” that does not draw from their bank of paid time off. The company provides eight hours of flex time for each five hours of time spent responding to a cyber incident. Employees get more flex time than time worked during an incident because of the nature of the work.

“I don’t care if you’re not there for a full eight hours” of an incident, she said. “It’s an incredibly emotional time. It’s very draining. You have to get pulled away from your family, and it’s very intensive work. You might miss a child’s birthday party.”

Some employees don’t want to take flex time after an incident, but Dunfee insists they take at least half a day.


Give Cyberdefenders Something Real to Investigate

Another burnout prevention measure at FirstBank: Always-on red-team exercises. The organization contracts with a third party to conduct hacks that may arise at any time.

How does it reduce workers’ stress to be under constant threat of attack from a red-team adversary? By giving security professionals something to chase that they know they can catch. Teams work with security tools that generate alerts whenever something seems slightly amiss; the large majority are false alarms.

“Those high false-positive environments, they lead to this frustration among the security team,” Smith said. “It’s like, ‘I’ve dialed in to 99 alerts that didn’t matter, how am I going to dial into this next one?’ But when your team catches the red team, they get to celebrate that.”

It’s expensive to have a third-party red team running 365 days a year, but it keeps the team engaged and sharp. Smith communicates with the red team regularly to ensure it dials back its efforts when the FirstBank team has been running hot, and then increases its efforts with more exotic attacks during slow periods.

Finally, Smith and Dunfee said, don’t be afraid to be a bit silly and have some fun. For example, when someone on Dunfee’s team excels in a small way, she might send them a “pizza party coupon,” which she creates by hand. Then there’s a real pizza party in the office.

It’s important, though, that team members understand that leadership does not mean such gestures as replacements for more meaningful incentives, Dunfee stressed.

“If you’re doing the homemade pizza party coupon, make sure they understand that it’s just a fun, ironic gift,” she said. “You don’t want to have the ‘We only get pizza parties, we never get raises’ conversation. That does not work out well.”


Photo by Bob Keaveney