Addressing this pressure requires a blend of people-focused culture, supportive processes, and the right tools. Platforms such as Microsoft Viva Insights and Microsoft Defender for Endpoint can provide valuable visibility into workloads and system demands, helping leaders spot strain early and better balance vigilance with wellbeing.
While technology and processes often take centre stage in security discussions, there is an equally critical, yet sometimes overlooked, dimension to organisational resilience: the mental health and wellbeing of the people behind the screens. Cyber fatigue — or security burnout — is emerging as a hidden risk within cybersecurity teams, threatening not only individual wellbeing but also organisational security itself.
Cyber fatigue is more than just stress; it is a pervasive exhaustion that seeps into decision-making, engagement and effectiveness. Unlike obvious signs of burnout, such as overt tiredness, cyber fatigue often manifests quietly, through slowed responses, disengagement and even mistakes that open the door to security vulnerabilities.
According to Datacom’s 2025 State of Cybersecurity Index, this risk is very real: 61% of New Zealand security leaders and 58% of their Australian counterparts recognise burnout within their cybersecurity or IT teams. The number one cause is a lack of adequate resources, which forces the same people to bear the brunt of responsibility repeatedly.
Mark Micklefield, Associate Director — Security Consulting, explains, “There’s a real fatigue that sets in — and it happens quickly. People get tired fast, especially during incident recovery. You can’t expect the same people to carry the load the whole way through.”
David Stafford-Gaffney, Associate Director — Cybersecurity Consulting, adds, “No one estimates how many people it takes to bring everything back online. And by the time you realise, your key people are exhausted.”
Platforms like Microsoft Teams and Viva Pulse can play a role here by embedding short wellbeing check-ins into everyday workflows, offering light-touch support without interrupting the rhythm of incident response.
Collin Penman, Datacom’s Chief Information Security Officer (CISO), spoke candidly about the mental health challenges in cybersecurity at the 2024 iSANZ Awards, reflecting on the immense pressures facing professionals in this field.
“I know first-hand how challenging the current landscape has been for each organisation, but also how deeply rewarding our field can be,” Penman explained in his speech.
He emphasised that cybersecurity is more than a technical endeavour — it involves safeguarding businesses, protecting people and ensuring a safer society. This weight of responsibility demands significant mental and emotional strength.
“Our people are our greatest asset. As leaders, it’s vital that we foster not only technical excellence but also create environments where our teams feel supported, valued and understood. This means acknowledging when the pressure is high, balancing workloads and encouraging open conversations about mental health,” Penman said.
In a recent interview with CIO Magazine, Penman further highlighted that addressing cyber fatigue requires more than adding tools or technology. “You can have the best security stack in the world, but if your people don’t know what to do, or don’t have backup — it won’t matter.”
Fatigue is rarely the result of a single event. It accumulates over time, often when organisations rely on too few people, under-resource teams or fail to provide adequate support and confidence in roles. The constant pressure to prevent cyber incidents takes a toll, leading to diminished performance and increased risk exposure.
Stafford-Gaffney explains, “You won’t always see people putting their hand up and saying they’re struggling. Sometimes they just stop or check out. They make decisions that don’t align. That’s where you start seeing risk creep in — not because people don’t care, but because they’re overloaded.”
Addressing cyber fatigue requires deliberate planning and cultural change. Datacom recommends a multifaceted approach to reduce burnout without lowering standards or increasing risk:
Debriefs are critical to understand what worked, what needs to change and which team members may need extra support.
Mark Micklefield sums it up: “We talk about governance, controls and tooling, but not enough about people. If we want to be truly resilient, that has to change.”
Cyber fatigue does not announce itself loudly, but its consequences can be far-reaching. Organisations must shift from focusing solely on systems and tools to recognising that their people are among both their biggest risks and their biggest assets.
Through better planning, fostering supportive environments and acknowledging fatigue not as weakness but as real risk, organisations can build resilience that endures.
As Penman said at the iSANZ Awards, when you think about the individuals behind security achievements, “their mental and emotional wellbeing is as critical as any firewall or security control”.
Supporting that wellbeing means combining empathy with smart use of enterprise tools. Solutions such as Microsoft Secure Score and Microsoft 365 Defender can help maintain a strong security posture while also streamlining workload, reducing unnecessary strain on defenders.
It is time for organisations to care for their cybersecurity teams with the same resolve and commitment they bring to defending digital frontiers.
Effective cybersecurity starts with more than just technology — it begins with a mindset. At Datacom, we combine innovative technology with expert guidance to help protect your systems, people and data. By addressing both the technical and cultural aspects of cybersecurity, we empower your organisation to reduce risks and build resilient, lasting defences against cyber threats.