
Cyber security is no longer just IT’s problem; it’s yours too
In Australia, where the pool of qualified cybersecurity experts is particularly small, many security teams are pulled in too many directions and carry far too much weight. It's not a new problem but an ongoing crisis that leaves security professionals fighting an uphill battle against both cybercriminals and burnout.
I know this from personal experience; burnout was the driving force that made many colleagues in my network step away from their jobs in cybersecurity. Those who do not leave are often overloaded and running on low energy, which makes it easier for them to make mistakes or miss the signs of an attack. If the security professionals within an organisation are overwhelmed, distracted or afraid of making mistakes, that pressure becomes a security risk in itself. Creating a workplace culture that actively builds resilience into the people layer, not just the technology layer, is therefore not a luxury but an urgent necessity.
To prevent cybersecurity professionals from burning out, we need to lighten the mental burden and workload of security teams by enabling every person in the organisation to be an active defender against cyber threats. Real protection starts when every department grasps its role in identifying and handling cyber risks. That responsibility cannot sit solely with the security team, and expecting it to is both unsustainable and potentially dangerous. A secure organisation is first and foremost a healthy one, and employees must be given the tools, time and respect they need to stay alert, engaged and safe.
Australian businesses must act now
The situation is especially dire in Australia. SoSafe's latest Cybercrime Trends Report shows a sharp uptick in phishing, social engineering and insider threats, with 96% of Australian businesses reporting AI-driven cyberattacks in the past year. This is the highest rate among the nine countries surveyed, which include the UK, France and Germany. More alarming still, nearly half (48%) of organisations lack the tools and preparedness needed to detect or defend against these AI-based threats. Because AI lets attackers scale their operations cheaply, it places a particular and acute additional load on the teams responsible for security response.
Meanwhile, many CISOs are being asked to do more with less. We're seeing shrinking budgets and headcount alongside an ever-increasing range of processes and systems to defend, such as the rise of new AI-enabled business services. It is therefore important to build a security-aware culture that does not treat cybersecurity as a box-ticking exercise, and instead relies on ongoing education, the creation of secure habits and a sense of ownership across the whole organisation, so that the burden does not fall solely on the security teams. In the emergency services there is a concept called "self-team-patient": a first responder ensures their own safety first, which allows them to operate effectively as part of a team, which in turn enables a positive outcome for the patient. The same approach applies to cyber leadership: CISOs need to protect their own health and the health of their teams in order to be effective within the wider organisation. Encouraging staff to self-direct basic cyber hygiene practices that protect themselves and the organisation builds both the foundation for a resilient, secure culture and new scalability and sustainability for the centralised security function.
The evolving role of CISOs
Along with the threat landscape, the expectations placed on CISOs have changed over the years. The role is no longer confined to technical expertise. As attacks keep getting more complex, security leaders must clearly understand what the firm values most, how much risk it is willing to take, and which day-to-day goals keep growth on track.
Security leaders have to pose tougher, more business-focused questions. I still see firms that invest millions into the most expensive tools and, oddly, can’t answer those questions clearly.
If CISOs are pulled in too many directions with too few resources, the excessive stress can lead them to make poor judgements, leaving them more prone to oversights and more exposed to outside attacks. Without clear direction, this trickles down to the security teams, who are already stretched too thin and may burn out themselves. Eventually, we see a chain reaction of bad decision-making across the organisation.
Rather than stacking widgets and dashboards, a smart CISO identifies the people, data and systems the company most depends on and shields them first. They should be people-oriented and approach the role with a strategic and empathetic lens.
To do that, security priorities have to match the firm's strategy, and risks must be communicated clearly so that the C-suite and board are aligned. When that happens, security stops being treated as a lonely IT corner and starts to feel as important as any other driver of business success.
A proactive people-first approach
Even companies with the most expensive and sophisticated security systems can fall victim to a simple phishing email or basic social engineering. There is much more to cybersecurity than buying antivirus software or a firewall. As threat actors become more sophisticated, using AI tools to mimic human voices, create deepfakes or engineer targeted attacks, putting people at the forefront of your cybersecurity strategy is crucial.
Organisations must also rethink how they measure cyber success. It is no longer about how many threats were blocked, but about how quickly the business responded, recovered and bounced back. For security leaders, this means continuing to educate every employee and building security champions within every department. For boards and executives, it means ensuring cyber is not just an agenda item but a shared responsibility.
CISOs need to lead a workplace culture where security starts on day one for everyone, rather than being seen as a problem for a single team to fix. Strong frameworks and tools matter, but they account for only half the battle. Real progress comes when good cyber hygiene is easy for individuals to achieve and secure habits feel as natural as sending email.
Looking ahead
The future of the cybersecurity landscape in Australia hinges on a fundamental shift: prioritising people and fostering secure habits among employees. This means treating cybersecurity as a shared responsibility and committing to ongoing awareness initiatives alongside the essential investments in tools and software.
Real cyber resilience won't come from pushing tired teams even harder; it will grow when every staff member becomes a proactive defender of the organisation, equipped to identify, handle and prevent threats before they breach its defences.
Only through this human-first approach can we build truly secure organisations capable of withstanding the ever-evolving threat landscape.