Mental Health in Cybersecurity: the Hidden Threat

How stressful is your job? Each occupation comes with its own set of challenges, and information security is no exception. As part of mental health awareness month, this week I explore specific challenges we face in our domain.

Whenever you research mental health in the information security professions, burnout appears omnipresent.

According to VMware, 47% of cybersecurity professionals experienced burnout symptoms in the past year, putting them as the most susceptible in the U.-S., right in front of K-12 school teachers. A recent study from Virtually Informed analyzed various sources and came up with staggering numbers:

• Over 50% of information security professionals report work having a negative effect on their mental health,
• Upwards of 64% say their mental health affects the quality of their work,
• Nearly all information security leaders (CISO) work over 40 hours, with 91% reporting "moderate or high stress" and 17% admitting to using medication or alcohol to deal with stress.

Simply put, we are a mess.

How could this be? I share my insider perspective on the factors which lead to burnout in cybersecurity and some solutions, based on the following experiences:

• the personality types who join cybersecurity,
• the incentives and accountability practices organizations have established,
• the expectations,
• how camaraderie can solve the problem.

If you are looking to start a career in infosec or have a loved one in the industry, this is a must-read.

The personality types of cybersecurity professionals

I pivoted from higher education to security in my late twenties because I couldn't bear the economic anxiety of academia. I was attracted to computer science in part because of the 100% employment rate (and chose to major in digital security due to the Mr. Robot TV show). Many of you are probably thinking along those lines: how can a profession with a skillset in high demand, earning big salaries, yield so much misery?

Allow me the cliché: money doesn't fix everything. The root cause of high burnout rates in cybersecurity is the clash between the personality type of people who chose this path and business imperatives.

Cybersecurity is about doing the right thing and doing things right. People in the field push for upholding standards, not taking shortcuts, and showing a high degree of integrity and transparency. At heart, we are protectors. It's not an accident that ex-military and law enforcement individuals commonly join our ranks. It's no coincidence that the logos of the security teams in all the jobs I've had featured shields, swords and knights.

So you have people who believe in standards, in following the rules of the art, and who advocate for taking a step back and thinking about the outcomes of decisions... pitted against quarterly sales objectives and PowerPoint presentations of upcoming features. Guess who wins?

But it gets worse...

Despite being powerless, organizations make us accountable

The most stressful part of working in cybersecurity is the nagging knowledge that if something breaks, you will ultimately be responsible to clean up the mess. Infrastructure engineers and system administrators may take exception to this statement, saying they are on pager duty as well. True, if a system goes down. For a data leak? You bet it's on us. Security operations own the intrusion detection systems, after all. We notice hackers that exploit flaws in servers or applications.

This gets frustrating. An IT director won't patch their servers, and you fear getting the blame. To get out of such a conundrum, we developed the risk management discipline. Basically, we evaluate the probability and impact hackers could have of finding and exploiting the IT director's server flaws, and the IT director has the final call on whether said server gets patched.

The problem with that? Risk acceptance.

See, incentives of IT directors favour business metrics: how many transactions happen in a given system, how much money is being processed, system uptime, etc. "Accepting the risk" can sometimes become the "get the security person off my face" card. Once, a friend of mine had a meeting with an IT director. The meeting lasted under a minute: "Yadda-yadda I accept the risk goodbye".

It only takes a few of these to ruin your morale.

Risk acceptance or not, it becomes hard for passionate cybersecurity professionals to let go of things not being "how they are supposed to be". I've seen many people burn themselves out this way.

And it gets worse.

Impostor syndrome leads to paralysis

Imagine feeling accountable for flaws you have no control over, and feeling incompetent because of it. This is my variation on the "impostor syndrome". It goes like this. You want to convince somebody to update a component, so you will dig up into the documentation to argue endlessly to have the flaw fixed... despite not knowing anything about the topic. Talk about setting yourself up for failure.

See the pattern? We want to protect everything because we know hackers only need to get lucky once. We believe, perhaps overemphatically, that we will handle the mess if things go south. Wanting to do everything, to know everything, to clean up after everybody, so everything goes smoothly and no hiccups and... this is the recipe for burnout.

Yes, parents reading this, this is the exact same effing pattern you feel with your kids.

The stress increases because technology evolves so, so fast; and let me tell you right off the bat no employer gives enough continuous training for you to keep up.

The necessity to use your nights and weekends to remain up-to-date is my go-to example whenever I present in colleges when I get asked what's the biggest challenge to working in our field.

Luckily, we have each other.

The sense of community will get us out of it

My favourite article about stress in information security comes from the Google Cloud CISO Phil Venables. The executive lists the 11 most fundamental soft skills the vocation allows us to develop despite the stress. Number 10 struck a chord with me:

Until you’ve stepped out of security into another risk, IT or business role you don’t realize how unique the camaraderie among security people is. I remember in various industry or geographic disasters over the years that when different companies' IT staff needed to work with each other it was often the security people (who were already connected with each other) that facilitated that connectivity.

Sure, the Guy Fawkes masks are cartoonish. I've never even met anybody wearing one. But there's something to be said about the discipline's roots in hacker culture which transcends to this day, despite cybersecurity growing into a multi-billion dollar industry. Capture the Flag competitions bring hundreds of talented people together.

The stress, in that sense, can turn into a bonding agent. Everybody can tell stories of conflicts with an IT director who accepted too many risks.

If you or someone close to you is feeling down, seek out communities. We're in this together and very welcoming.

Latest InfoSec News

Ex-ByteDance employee Yintao Yu alleges the China Communist Party manipulates TikTok. The former Head of engineering accuses the CCP of pushing its political agenda in the app's content and owning a "death switch" that could turn off the app. Yu also claims TikTok lifted content off Instagram and Snapchat without permission and artificially boosted engagement metrics with bots to attract creators. TikTok is fun, but I wouldn't trust the app to build a meaningful following, let alone a source of income.  Meanwhile, Montana banned TikTok. Hey, one thing's for sure John Dutton wouldn't have any of this TikTok stuff in the Yellowstone ranch, China influence or not.  Story

Disgruntled security engineer steals source code and internal files of Ubiquiti, costing the firm $4Billion market cap. In a story straight from the movies, Nikolas Sharp, a security developer, stole corporate information and sent a ransom note to his employer to return the data, all while being tasked with investigating the incident! During the investigation, he called a journalist, claiming to be a whistleblower who alleged Ubiquiti was covering up the "real" hack. Finally, his defence was basically: "All of this was an elaborate security test guys, it's all part of the plan". You can't make this up. Story

Influencer Caryn Marjorie launches AI avatar chatbot of herself for $1/minute 'flirty and fun' chats; AI goes rogue immediately. Guess what happened. Yes, this is exactly it. Twitch streamer Amouranth is trying the same as well. I'm a dad of 4 boys and now I'm very preoccupied. How do I deal with this? Story.

I really don't recommend ovulation-tracking apps. Trust me, as a dad x 4, the calendar method works just fine with a pen and paper. The Federal Trade Commission (FTC) barred the app Premom from sharing its information with advertisers. Remember: women's health apps are not HIPAA protected. As I wrote, most of the major period and pregnancy apps lack basic protections around data disclosure. They own whatever you put in there for as long as they like. Story

❓ Question of the Week

Have you ever witnessed burnout in a cybersecurity environment?