Mental health in cybersecurity was a headline topic at major conferences in the U.S. in the last 12 months, including Black Hat and RSA.
The sources of stress for cybersecurity professionals stem from many factors that are inherently part of working in this field. For example, it can be difficult to ‘turn work off’ and leave for the day, the confidential nature of the job places constraints on personal connections and outlets, and the enduring talent shortage leaves understaffed teams with a growing list of responsibilities.
Additional sources can include:
- The high expectations of being the first to respond to an emergency;
- Security pros feel guilty when something is missed;
- A willingness to take on more responsibilities is considered honorable; and
- Acknowledgment and thanks may be few and far between.
These ideas and more can be found in a presentation titled, Mental Health in Cybersecurity: Preventing Burnout, Building Resilience, which was given at the RSA Conference recently in San Francisco. The presenter, Dr. Ryan Louie, is a medical doctor and a board-certified psychiatrist who has been immersed in this emerging challenge.
We reached out to him to explore this issue and solicit his expert recommendations. He graciously agreed to participate in the Q&A series we’ve been running with cybersecurity thought leaders.
1) We noticed you’ve done some work in the psychiatry field around entrepreneurship – what was the attraction to cybersecurity?
RL: I was inspired by observing the process of innovation. How do people think of new ideas? What allows a person to kind of pull themselves out of a project when it’s not working? What allows a person to see the big picture, to be creative, and still find a way to complete the work?
I found that the unifying theme here was the idea of safety. Safety to think of new ideas, safety to think of other viewpoints, safety for a team to speak up if things aren’t working right.
2) So, if safety is central, what’s the connection to cybersecurity? Why is it important for organizations to think about the mental health of the professionals they employ in cybersecurity?
RL: Fundamentally, security, including cybersecurity, involves what we call the ‘human element.’ People really have to feel good about themselves first before they can really deliver and perform at their best for other people. What makes the cybersecurity workforce so different is that they have to be in their best condition, mentally, to be in the best position to protect others.
3) Every profession has stress and burnout. What is it about cybersecurity that makes it so unique?
RL: What’s unique about cybersecurity is that there are always emerging threats. These things coming from left field – things that people don’t know about currently.
There is also an adversary. Adversaries are intellectual, innovative, and creative, so there’s that constant need to always be prepared for something.
As a community, we have to be able to understand the stressors that cybersecurity work has on people, and how to address it, and how to respond to it.
4) So, the unknown is a critical factor that makes cybersecurity stressful?
RL: That’s one of the central elements. Cybersecurity is similar to medicine because we can read the textbooks and case studies and see what things are common – but every patient is unique. We always have to open the possibility that there’s something involved that we hadn’t seen before.
In addition, people in the cybersecurity force work oftentimes with very confidential or private information. This has implications in terms of the effect and the significance of this information – and preventing it from getting into the wrong hands.
Because of that, people in cybersecurity can’t just open up about all their problems. They have boundaries in terms of who can be in their support network, and likewise, there are divisions between work and their personal lives. It becomes difficult when those boundaries become blurred during times of stress.
Another source of stress is when nothing happens. You’d think that’s a good thing, but security people may not get words of thanks. When there are no problems – that’s merely a job well done.
It’s different from other jobs where people are recognized – for example, someone launching a new initiative or the grand opening of a new building – there might be a ribbon-cutting ceremony or other public recognition.
Finally, I’ve also heard from the conference that cybersecurity staff are stretched very thin. There’s a lot of responsibilities, and they’re being asked to cover many different bases and it’s been challenging for the community.
5) That makes sense. When you make a mistake in cybersecurity, everybody knows it, but you may not always be recognized when things are secure. It’s just business as usual.
RL: Right. And furthermore, because cybersecurity is such a close-knit community, incidents are visible amongst everyone in that community. It’s just a lot of pressure.
6) What are the signs? How can cybersecurity leaders know when their teams are getting stressed to the degree that they risk hitting burnout?
RL: Dr. Christina Maslach from the University of California at Berkeley, who also spoke at the RSA Conference in San Francisco, coined the word ‘burnout’ and pioneered our understanding of it. She describes it as a feeling of being drained.
People become cynical and may become disillusioned by their work. There’s a sense of detachment. People don’t feel as rewarded personally, emotionally, physically in terms of the type of work that they do like they used to.
Dr. Maslach uses the pickle jar as a metaphor: cucumbers are not sour but because they hang around in the jar for a long time, they become sour. It’s because of the constant, chronic, unabating immersion in a sour environment that the cucumber becomes pickled.
It’s a fantastic metaphor that encapsulates a lot of the ideas about burnout in cybersecurity.
7) If a cybersecurity leader observes this sense of disillusionment among their team, what can they do about it?
RL: Having a conversation is a great starting point. You have to get people involved. You have an open conversation to let people know that they’re not alone, that this is something real.
And it has very real technological, business, economic, personal, health implications – there’s a direct impact on how people function, and how they do their work. Once leaders put it into that perspective, the organization is more open to discussing it.
After that, then we should do a self-reflection of sorts. I described this a little bit in my slides for the talk I gave at RSA – it’s a checklist of oneself in terms of stressors, overall satisfaction and purpose. It’s checking in with ourselves and taking an inventory of where are we in terms of how we’re feeling, how we’re doing mentally, how we are functioning in our work.
We can do it for ourselves or we can buddy up with someone that we trust and help each other out – to make it an outside third-person kind-of-assessment. Once we know how we are doing, we can identify the gaps as to where we want to be.
9) But there’s a stigma. This seems touchy-feely. How can you get over that stigma of talking about mental health?
RL: I don’t think there’s an exact answer to that right now. There are a lot of celebrities that have come out on social media to talk about mental health and that helps. I think when people see that more and more people are being open about it, they will be too.
Leadership has a role here too. Leaders should remove the onus so that the individual doesn’t feel pressured or stigmatized – like they couldn’t handle a level of work.
10) That sounds a lot like culture.
RL: It is.
There are some things in the future of mental health that might help. For example, one frontier is the development of physical markers of mental health. This will bring mental health into the realm of physical health, which it actually is. The brain is a physical organ. We’ve got neurons firing and doing their work at a molecular level. Once we are able to give physical evidence and measurable numbers, I think we’ll take a big step forward.
11) What are the risks if security leaders don’t address this?
RL: If we don’t do anything about it, it will fester, get worse and become ingrained into the culture.
* * *
Thank you, Dr. Louie, for taking some time to talk to us about this important issue. Readers that are interested in learning more will find several presentations Dr. Louie has presented at the RSA Conference archived online here.
He’s also quite active and approachable on Twitter: @RyanLouie.