A recent report looking at the state of mental health in cybersecurity has revealed some very worrying industry statistics. Worrying, but sadly not at all surprising. Cybersecurity professionals are not alone in working within a stressful, at times unbearably so, industry. However, that a survey of more than 1,000 professionals from security teams across the U.S. and Europe found that half (50.8%) had been prescribed meds for their mental health, cannot be ignored.
Mental health at work is a two-way street
I’m not going to spend the entirety of this article throwing down numbers from the report. You can read it here, but as well as that medication statistic, three others bear repeating. Perhaps unsurprisingly, given everything that has happened globally across the last 12 months, 27% said their mental health had declined in that time. Then there’s the double-whammy of 64% confirming mental health issues have impacted their ability to get work done, with the exact same number saying that getting that work done has impacted their mental health.
I have a reason beyond the journalistic desire for information, beyond natural human empathy, to want to know more about the anxiety, burnout, depression, and stress within cybersecurity as an industry. I have been experiencing all four of these since before the pandemic hit, have considered suicide, and am now on medication for both anxiety and depression. This is a selfish desire to understand what I can do beyond keep taking the tablets, an editorial cry for help if you will, but one that might just help others as well.
Why are cybersecurity professionals so prone to mental health issues?
I’ll start with one thing that I completely understand as apposite, but find putting into practice harder than I should: work-life balance is more than a buzzword, it’s one of the most essential ingredients in the mental health recipe. Unfortunately, when the dark dog comes calling, common sense and understanding tend to get lost in the abyss. This editorial exploration of mental health within the cybersecurity industry begins, as seems appropriate, with Thomas Kinsella. I asked the co-founder of security automation company Tines, responsible for the report that this article hangs from, if cybersecurity is more prone to mental health issues than other IT sectors.
“Working in cybersecurity is highly rewarding, professionally and personally, but it can also be a highly stressful job,” Kinsella says, “compared to other industry sectors, cybersecurity professionals are facing threats that are increasingly sophisticated, used by adversaries whose tools and techniques change so fast in this space that even the most advanced and prepared companies can suffer incidents – it can be relentless.” It’s the unpredictable nature of the job, described by Kinsella as a “Sword of Damocles hanging over your head, even when things are going well,” that feeling of never knowing when the next incident will happen, that’s core to the problem. “It affects so many people, even those who might not feel it in the moment,” he continues, “often it’s only when you have the benefit of hindsight and clarity to look back on a security incident, you realize your mental health was in tatters at that time.”
“Concerning levels of stress and burnout”
Lisa Ventura, qualified mental health first aider and founder of Cyber Security Unity, isn’t surprised that there’s an ongoing decline in the mental health of security professionals. “The pandemic hit cybersecurity professionals hard, both in a personal capacity and at work,” Ventura says, “although it isn’t the only factor that contributed to the rise in stress and burnout in the industry.” There was also the rush to implement digital processes to help manage business, workflows and to keep the communication going when the pandemic hit which, she says, resulted in “cyber criminals seeing this gap and taking advantage of vulnerable systems to launch their attacks.” Throw in security teams already working in overdrive and the result was many professionals reporting “concerning levels of stress and burnout,” Ventura says, with “many even considering leaving their roles because of it.” Certainly, it’s hard to disagree with her opinion that overextended cybersecurity professionals are under tremendous strain in the ‘always-on’ environment they find themselves working within. “With cyber security teams continuing to operate in remote environments, often with low budgets and inadequate infrastructure,” she concludes, “many are struggling to keep up and in turn, this is greatly affecting their mental health.”
“CISOs: the throat to choke”
Karen F. Worstell is a senior cybersecurity strategist, network and advanced security, at VMware, as well as a highly regarded speaker when it comes to avoiding burnout. In the VMware Global Incident Response Threat Report published last year, some 51% of cybersecurity professionals self-identified as burnt out and 65% of those were considering leaving the industry because of unmanaged workplace stress. Like Ventura, Worstell points to the “always-on vigilance at work that often spills over into personal time” as being a primary cause of unmanaged workplace stress leading to burnout.
“CISOs are in the position of being ‘the throat to choke’ when things go wrong,” Worstell says, “and are frequently tried and convicted in the court of public opinion, even among their own CISO colleagues.” The temptation to project “one’s own fear of failure in the security realm” onto those who’ve been effectively compromised is, she concludes, “apparently overwhelming to many as they seek career and self-preservation.”
Mental health well-being in the workplace
So, all that helps understand the why, which brings us in turn to the what: what can cybersecurity professionals do in order to avoid mental health issues, or at least mitigate them if avoidance proves impossible?
Douglas Brush is a global CISO advisor and neurodiversity advocate at Splunk. Many cybersecurity professionals suffering from anxiety, burnout, and depression turn to “unhealthy coping mechanisms, exacerbating underlying psychological and physical health issues,” he says. Indeed, Brush could be talking about me here: denial, alcohol, and ultimately thoughts of suicide were part of my coping playbook along the way. So, what does he recommend by way of something better? “I encourage people to focus on self-care,” Brush says, “this is what you do deliberately to establish and maintain health, prevent and deal with long-term illness.” Thinking in terms of proactive and preventative steps is helpful. Some bullet points from Brush include:
- Talk openly about mental health – don’t be afraid to ask a friend for help
- Celebrate the small wins
- Choose empowerment over shame – it’s OK not to feel OK
- Stop doom-scrolling on social media
- Exercise, meditate and set daily routines including sleep
- Set realistic goals, set personal boundaries
Kinsella, meanwhile, advises people to understand their “default operating mode” and, he says, “try to recognize the signs when you start to shift away from that. It doesn’t have to be a spiral, it could be just a case of not feeling like yourself.” Like Brush, Kinsella also emphasizes the importance of talking to someone. “On several occasions, I’ve had some majorly stressful situations and felt burned out and overwhelmed,” he says, “talking to someone professional who can give you tips and techniques, or even just sharing your experience with someone you trust, who will listen and guide you, can be helpful.” Finally, Kinsella stresses the importance of escaping that always-on culture and finding “ways to fill your cup outside of work.” Getting outside and into nature, especially as part of a daily routine, is one recommended route you could take.
Knowing when to care, and when to let it go, is also vital if you are to prevent burnout, Worstell says. “The world right now is pulling our attention in so many directions with great urgency: war, pandemic, inflation, climate change, online cybercrime, refugees all impact us as caring human beings.” But, as Worstell reminds us, it’s OK to set boundaries for the things that matter most to you personally. “As a cyber defender,” she says, “this will mean leaving work at work to give you the bandwidth to focus on personal goals that matter to your life.”
Getting help, where to turn
But what if the mitigation advice isn’t working, or has come too late? If you’re already dealing with mental health issues, what can you do, and where can you go, to get help? Everyone that I spoke to suggested that your workplace is a good starting point. “Many organizations, such as Splunk, have wellbeing programs and employee resource groups (ERGs) that focus on Neurodiversity and mental health,” Brush told me, “find the one in your organization and talk to others.” However, as Kinsella points out, “not every employee feels like the workplace is a safe place to talk about mental health.” It really is a conversation that organizations and industry leaders need to normalize, he says, to “regularly encourage people to bring their authentic selves to work and to lean on the various supports and resources that are available when they need to.”
If your organization does have an employee assistance or resource program, don’t be scared to use it though. These typically provide both counseling and referral services, Kinsella advises, “in most cases, employers offer these as a benefit, and they are confidential and free of charge to employees.” He also emphasizes that this isn’t easy, but you can always start small by sending a text message to someone you trust, for example. “When you’re down even finding the strength to reach out to someone is hard,” Kinsella concludes, “managers and leaders on security teams must be looking out for their staff proactively.” If your organization has a mental health first aider they are “specially trained to help, listen and signpost you to relevant help and support,” Ventura, who is trained in this role herself, adds.
I will leave the last words to the inimitable Karen F. Worstell: “Remember that there is a fine line between genius and madness. Don’t allow your unique gifts and talents to go unused or unappreciated. In all time, and in all the world, there has never been, nor will there ever be another like you. It may take focus and energy to find the place where you belong, not just fit. It may be that you need to make that place more than find it, but you are always a part of the greater whole.”
Mental health help online resource list
If you are having thoughts about harming yourself, please seek medical attention as a matter of urgency. I can relate my own personal experience of this, having had suicidal thoughts on a number of occasions, the most recent being at the start of this year. It’s difficult to take that step of admitting you don’t want to be here anymore, or feel that you may harm yourself in some way, but believe me when I tell you there are people who won’t judge you but will listen and help. The first links in the U.K. and U.S. resources below are good starting points. You can also simply type ‘suicide’ into Google or your search engine of choice and resources local to you will be displayed.
Please do let me know of other online resources for those with mental health issues and I will endeavour to keep the list updated.
U.K. mental health resources
U.S. mental health resources
National Suicide Prevention Lifeline
The Center for Workplace Mental Health
American Psychological Association
Global mental health resources
Mojo Maker (podcast) for Women in Tech
#BeAnAlly Anti-Burnout Guidebook