Cybersecurity Professionals Are Burning Out on Extra Hours Every Week

The gap between capital investment and workforce enablement means organizations are deploying AI tools without giving practitioners the preparation needed to oversee them.

“The budget isn’t the problem,” Circus said. “Organizations are buying the tools and skipping the next step: practical, role-specific enablement.” That means training that answers the questions security leaders encounter in daily operations: how to validate what an AI system is reporting, when to override it, and how to explain an AI-driven decision to a board or regulator.

Circus said dedicated AI governance functions will need to be embedded within security teams as operational roles with defined accountability. That includes formal ownership of AI outputs, escalation paths when automation produces a bad result, and decision frameworks that specify when human intervention is required. “Organizations need to go a step beyond deploying AI tools and treat AI adoption as a leadership transformation,” Circus said. “Who owns this output? Who gets the call at 2 AM when the automated system makes a bad call? Until those questions have answers baked into the org structure, organizations are just redistributing risk.”

Cybersecurity professionals in the U.S. are working an average of 10.8 extra hours per week beyond their contracted schedules, according to survey data collected from 300 cybersecurity and IT leaders by Sapio Research. That figure effectively adds a sixth working day to the standard week for a large portion of the field. Nearly half of respondents reported working 11 or more overtime hours weekly, and one in five logged more than 16 additional hours.

Many organizations are adding AI governance responsibilities to security leaders without adjusting the underlying job structure. “Layering on AI oversight responsibilities without redesigning how teams are organized just accelerates burnout. The org chart itself needs to be reworked.” Ravid Circus, CPO at Seemplicity, told Help Net Security. “The org chart itself needs to be reworked.”