Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul

Like many organizations, the National Geospatial-Intelligence Agency is moving to integrate AI tools into its business operations.

Jay Harless, director of human development at NGA, said the agency is trying to strike a balance: move fast enough to keep pace in what U.S. national security officials increasingly view as an AI arms race with adversarial countries like Russia and China, but not so fast that it disrupts proven intelligence-gathering methods.

“One of our primary drivers is that our adversaries were investing heavily, and so there is the pressure to keep ahead of and do that safely,” Harless said Tuesday at the Workday Federal Forum, presented by Scoop News Group. “We also realize that some of our adversaries may not have the same legal and ethical boundaries that us and our partners all need.”

Harless said the agency and others in the intelligence community are working to build systems with agentic AI that can accelerate decision making “within secure boundaries.” That means building new IT infrastructure, validation protocols, monitoring for bias or rogue behavior, and putting accountability mechanisms in place.

“We’re moving fast, and moving fast safely by distinguishing what should be automated, what should be augmented and what should be kept purely human, because there are some things that will always be [human-operated],” he said.

A key piece is figuring out exactly how AI should fit into the work. Sasha Muth, NGA’s deputy director of human development, said the agency envisions a three-to-five-year effort to transform its workforce and IT infrastructure for the AI age. This year will be spent largely putting “structural things in place” for when and how analysts use AI, and reassessing what qualifications the agency should require for entry-level jobs.

But that effort is also causing tensions within the workforce, and Muth acknowledged that part of the challenge is convincing rank-and-file employees that the technology is going to help them – not replace them. The agency hired its first Chief AI Officer in 2024, and its upcoming three-year strategic plan will focus on change management, professional development and updating employees’ job skills. 

Muth said they are focused on evolving their human capital needs because one of her biggest fears is that over that five-year transition “we’re going to lose a lot of our expertise” by automating functions and not doing enough to modernize job requirements.

“We do see it as a big transformation, not only for just utilizing the technology, but moving our workforce along with us, having them excited about the changes and not fearful, because there’s a lot of fear…that their job is going away, that they won’t have a job,” she said.

The post Spy agency officials say job loss anxiety, moving fast ‘safely’ among top challenges in AI workforce overhaul appeared first on CyberScoop.

Lawmakers renew push for Labor Department-backed cyber apprenticeship grants

With the country’s cybersecurity workforce still experiencing major shortages, a bipartisan, bicameral group of lawmakers is pushing to enlist the Department of Labor to help tackle the problem.

The Cyber Ready Workforce Act would direct the DOL to establish a grant program that supports the “creation, implementation, and expansion of registered apprenticeship programs in cybersecurity,” per a press release announcing the bill’s introduction this week.

“As cyberattacks become more common and complex, we need to ensure we have the workers with the training and skills necessary to protect our cyber infrastructure and Americans’ personal data,” Sen. Jacky Rosen, D-Nev., one of the bill’s co-sponsors, said in a statement. “This bipartisan legislation will help fill gaps in our cybersecurity workforce and will open the door to more good-paying, cutting edge jobs for Nevadans, regardless of whether or not they have a college degree.”

Another co-sponsor, Sen. Marsha Blackburn, said in a statement that the legislation would provide “targeted support” for businesses, colleges and nonprofits that need more cyber protections. The country’s “severe talent shortage” in cyber “poses a serious threat to our national security and economic growth,” the Tennessee Republican said.

The introduction of the legislation Tuesday isn’t Rosen and Blackburn’s first bite at the apple, but previous efforts stalled out in the Senate. This time around, the senators added a pair of House co-sponsors — Reps. Susie Lee, D-Nev., and Brian Fitzpatrick, R-Pa. — to the pitch. It also comes at a time when the Trump administration has directed the DOL to do more with apprenticeships and technology.

Lee said in a statement that in Nevada alone, there’s a shortage of 4,000 cybersecurity professionals. Some estimates put the nationwide cyber workforce deficit at nearly half a million jobs.

“Whether you know it or not, cybersecurity … impacts all of us, from our small businesses, to utility grids, to our national security. But we don’t have enough talent to fill these jobs,” Lee said. “This bill will help ensure that we don’t fall behind when it comes to cybersecurity, while putting Nevada at the forefront of the high-demand, high-impact, and high-paying jobs of the future.”

According to a fact sheet posted to Lee’s congressional website, the bill calls on the Labor Department to award grants to “workforce intermediaries” that will grow the number of registered cybersecurity apprenticeship programs. 

Grant funding should be used for developing curricula and providing technical instruction. It could also go toward marketing and recruitment programs, support services such as career counseling and mentorship, and assistance for things like transportation, housing and childcare costs.

The legislation also encourages grant recipients to connect and collaborate with workforce intermediaries in business, nonprofit and academic settings. Coordinating on resources in cyber apprenticeship programs should ensure federal investments aren’t going toward duplicative efforts, per the fact sheet. 

“The continued shortage of cybersecurity professionals has exposed our nation to severe vulnerabilities, threatening our economy and national security,” Fitzpatrick said in a statement. “Now, more than ever, a strong cybersecurity workforce is necessary to protect our interests at home and abroad.”

Addressing the cybersecurity workforce shortage has been a priority for many lawmakers over the past several years, with legislation seeking to establish cyber grants at two-year colleges and minority-serving institutions, create new federal cyber training programs, give money to CISA for minority recruitment efforts and more.

The post Lawmakers renew push for Labor Department-backed cyber apprenticeship grants appeared first on CyberScoop.

The realities of CISO burnout and exhaustion

CISOs are facing unprecedented challenges to their mental health due to today’s rapidly evolving threat landscape. They are often held accountable if a breach or disruption occurs, and the average tenure for a CISO tends to decrease significantly after such incidents. This constant pressure makes it difficult for them to find peace, let alone get a good night’s sleep. Meanwhile, threats are increasing in speed and complexity, but budgets and board interest are starting to decline: a bad combination.

Proofpoint reports that CISOs are experiencing a record level of burnout. 76% of CISOs feel they are at risk of experiencing a material cyberattack within the next 12 months. Another survey finds that many CISOs operate in an environment where their roles are misunderstood, under-supported, or burdened with unrealistic expectations.

CISOs occupy one of the most pressure-packed seats in modern organizations. They have become accustomed to constant fatigue while protecting intellectual property, customer data, brand reputation, and ensuring regulatory compliance—all while balancing technology, law, business strategy, and crisis management. Yet, while cybersecurity news often highlights major breaches or zero-day exploits, it rarely addresses a quieter, ongoing problem: CISO burnout and the deeper, systemic problem of security exhaustion. 

Regardless of the industry—be it healthcare, financial services, utilities, or transportation—critical infrastructure will always be a target. This ongoing threat transforms professional fatigue into a national security concern.

Why do CISOs burn out?

The role of a CISO has evolved significantly. According to Cybersecurity Dive, CISOs around the world now have more authority and influence in corporate governance, with more reporting directly to the CEO than ever before. The days of a CISO focusing solely on technical tasks are over. Today’s CISO is actively involved in risk management, strategic planning, revenue generation, employee training and awareness, physical security, recovery, and more.

Here’s a sample of what CISOs juggle to be successful: 

24/7/365: Cyber risk is a constant, not a project with a clear end date. Attackers probe for weaknesses at all hours, meaning the threat environment never rests. For CISOs managing critical infrastructure, this ongoing vigilance means sleepless nights — downtime isn’t just a financial concern but can also threaten public safety.

High-stakes accountability with low-level control: CISOs are increasingly held accountable, even though their actual control can be limited. Boards, regulators, and even national authorities increasingly hold these leaders responsible for security incidents. Yet they must rely on operational technology (OT) teams, outdated systems, third-party vendors, and the everyday actions of employees — any of which can become an attack vector.

At the same time, there is often a mismatch between the resources provided and the expectations placed on CISOs. Effective security requires skilled staff, advanced tools, and constant training—yet many organizations, especially public utilities or municipal systems, struggle with limited budgets and personnel. The result is CISOs feeling like their enterprises are one incident away from disaster.

Complex regulatory overload: Regulatory compliance compounds this pressure. Critical infrastructure CISOs must navigate overlapping compliance frameworks, which is a maze of acronyms: NERC CIP, HIPAA, TSA directives, and a growing list of cybersecurity performance goals from agencies like CISA. While following these frameworks is necessary, the sheer volume of audits and paperwork can divert time and attention away from actually reducing risk.

Recovering from Incident Recovery: The work does not pause after an incident occurs. Each attack, audit, or compliance request can set off days or weeks of reactive cycles, especially for CISOs in sectors like healthcare or energy. Recovery isn’t just about restoring data and systems, but also requires re-establishing communications, resolving vulnerabilities, and conducting post-mortems. The result is a sense of no true downtime, only the anticipation of the next incident.

Isolation and expectation management: Finally, CISOs often face professional isolation as their role evolves. Collaboration with C-suite counterparts—many of whom come from non-technical backgrounds—can be a challenge, requiring effort to build trust and integrate lessons learned. At the same time, CISOs must clearly communicate technical risk, advocate for risk-reduction resources, and help reinforce strong governance and clarity of authority for security programs across the organization.

What security exhaustion looks like

Burnout and exhaustion show up in predictable, yet sometimes subtle ways. Recognizing these warning signs early – both at the individual and organizational level – is essential to prevent long-term declines in resilience.

  • Cognitive fatigue: Difficulty concentrating, diminished decision-making quality, and reduced ability to think strategically, especially after long stretches of incident response.
  • Reactive leadership: A preference for short-term firefighting over building sustainable resilience.
  • Attrition and turnover: Burnt-out CISOs, analysts, engineers, and consultants leave, taking institutional knowledge with them. This problem is particularly severe in critical infrastructure, where sector-specific expertise takes years to build.
  • Risk blindness: Over time, defenders can become desensitized to alerts and threats, increasing the likelihood of missing important signals.
  • Reduced innovation: Exhaustion drains curiosity and motivation, making it harder to explore new defensive technologies like zero trust architectures or OT network segmentation. Groupthink can undermine creativity for the sake of completing tasks.

Patching the vulnerabilities

Beyond the human cost, CISO burnout has measurable organizational — and societal — impacts.

  • Operational fragility: Overreliance on a few senior leaders creates single points of failure. In critical infrastructure, that fragility can translate into cascading service disruptions that affect entire regions and key assets.
  • Compliance risk: Exhausted teams may miss audit deadlines or fail to implement required controls, leading to regulatory penalties and reduced stakeholder trust.
  • Increased incident likelihood: Reactive teams struggle to maintain threat intelligence, patch management, and incident detection. In OT environments, those gaps can lead to operational shutdowns or physical damage.
  • Talent drain: A reputation for poor work-life balance makes it even more difficult to attract experienced cybersecurity professionals—a problem that is already especially challenging in the utilities, healthcare, and transportation sectors.

How to reduce burnout 

Align Authority with Accountability: If CISOs are responsible for outcomes that affect national or public safety, they need the corresponding authority and budget to match that responsibility. This means having the power to make decisions over third-party vendors, technology upgrades, and what risks the organization is willing to accept. In regulated sectors, boards and regulators should ensure security leaders are empowered, not just held accountable.

Make security a shared responsibility: Security shouldn’t rest on the shoulders of a single team. By embedding secure-by-design principles into engineering, OT, and business processes, organizations can ensure that everyone—from line managers and engineers to plant operators—takes ownership of basic cyber hygiene. This approach not only reduces the workload on security teams but also strengthens the organization’s collective defense posture.

Build a war room, not a warzone: Incident response should be structured, not chaotic. Conduct regular tabletop exercises involving both IT and OT stakeholders. Clear playbooks and delegation frameworks prevent all crises from escalating to the CISO’s desk and beyond.

Embrace work-life balance: Establish structured on-call rotations and ensure that staff have adequate recovery time after major incidents. Encourage leaders to prioritize time off and set an example by maintaining healthy boundaries. For critical infrastructure CISOs, this may involve creating deputy roles or appointing regional alternates to avoid relying on a single individual. Security work is inherently stressful, particularly when public safety is at stake. Provide access to confidential counseling, employee assistance programs, and peer support networks. It’s also important to normalize open conversations about mental health among executives and at industry conferences.

Give people their recognition: Publicly acknowledging the work of the CISO and their team helps retain top talent and fosters a supportive, positive culture throughout the organization. 

Tackling burnout requires changes at both the organizational and individual levels. Companies need to invest in people, improve processes, and implement automation so their cybersecurity teams can do their best work–instead of just getting by. A truly sustainable cybersecurity program protects not only data and systems, but also the well-being of the people responsible for defending them.

In the end, defending critical infrastructure is not only about technology; it’s about endurance. And endurance requires care, balance, and the recognition that cybersecurity is a human mission as much as a technical one.

Brian Harrell currently serves as the Chief Security Officer for a large energy company with assets and operations in 25 states. He is a former Assistant Secretary for Infrastructure Protection at the Department of Homeland Security. 

David Mussington, CISSP, served as CISA’s Executive Assistant Director for Infrastructure Security and now serves as Professor of the Practice at the University of Maryland.

The post The realities of CISO burnout and exhaustion appeared first on CyberScoop.
