The Complexity and Need to Manage Mental Well-Being in the Security Team


Mental well-being is essential for high performance but is under constant threat from stress in the cybersecurity profession. The loss of mental well-being is a slow and largely invisible process. We discuss its causes, effects, and management.

It is the CISO’s responsibility to build and maintain a high functioning team able to protect the company’s assets and profits in a difficult environment – cybersecurity is a complex, continuous, and adversarial environment like none other outside of military conflict.

Maintaining the team requires retaining the team. That’s one issue. Maximizing its efficiency requires monitoring and promoting the continuous health of everyone – including its CISO. That’s a separate, complex, but necessary task given the unique pressures of cybersecurity.

Burnout, and its increasing incidence, has become the focus of attention. It is one, perhaps the most dramatic, of the performance-destroying disorders that can affect employees. It could be any employee in any department, but the condition is especially prevalent in the security department. At its worst (or culmination), burnout can lead to a complete inability to function and eventual departure from the company and even the profession.

It doesn’t suddenly appear overnight. It is a cumulative effect. During this process, the individual’s performance will be diminished, and the symptoms will likely have a negative effect on colleagues. It is vitally important that burnout and its causes are better understood so that it can be managed both for the health of the person and the efficiency of the team.

Stress

Burnout is not an illness, nor is it a mental health issue. The World Health Organization (WHO) has called it an ‘occupational phenomenon’. It is not classified as a medical condition, but is rather a syndrome caused by chronic and unmanaged stress in the workplace. Continuous stress is the problem. 

The implication is that security leaders need to understand stress in cybersecurity: its causes, its effects, and how to manage it. This is complicated since the cause of stress is not limited to work, and the effect of stress is not limited to burnout. While burnout is classified as a workplace condition caused by workplace stress, non-work stress can add to workplace stress. Nevertheless, the common factor is that whatever the cause or effect of stress, the result is a less than maximally efficient workforce long before full burnout manifests.

Cause

Thea Mannix, director of research at Praxis Security Labs.

The primary cause within security is the continuous, unending, always-on nature of the work. Sometimes it is high activity firefighting during an incident, and sometimes it is the low activity continuous monotony of examining logs and triaging alerts. The switch between the two is instantaneous with no pause – and the required level of continuous concentration is high. There is no ‘project completed’ followed by a celebratory group party and a few days relaxation before the next project.

“Security people are often overwhelmed,” comments Thea Mannix, director of research (and a cyberpsychologist) at Praxis Security Labs. Apart from the day-to-day work, she adds, “They’re expected to be futurologists able to predict the future, and psychologists able to understand the human elements of security – how users may react to social engineering and how they may subvert security controls to make work easier. And they never get any positive feedback; it’s mostly negative because the whole process of security is mostly negative – stop the outside bad guys doing anything bad, and stop the inside good guys doing anything wrong.”


But there’s also a disturbing edge to this ‘human’ side of cybersecurity. Security teams sometimes work with SBIs and the FBI on criminal investigations. Tim Morris, chief security advisor at Tanium, knows what can be involved because he and his team have done this. “We do cybersecurity to protect data and people. And the only reason we must do this is because there’s an evil side of humanity. We’ve worked with law enforcement, giving them the tools to investigate embezzlement and child pornography. We’ve had to watch videos of murderers and abusers; and that has its toll.”

It also has its frustrations, which are more like the mainstream problems for cybersecurity teams. “You do your forensic investigation, you learn exactly who the bad guy is. You present the evidence. From start to prosecution may take seven years – and the bad guy gets sentenced to eight months. It’s frustrating. It’s like rolling a big boulder up a hill.” That big boulder analogy describes much of cybersecurity’s daily life.

Stress is part of the DNA of cybersecurity, and a key factor in burnout. But there are other causes and other effects of stress. We know that a good work/life balance is essential. But sometimes, it is the life side that causes the most stress. Divorce, for example, is often considered a major stressful life event, second only to the death of a spouse. Financial worries and illness within the family are also major causes of stress.

When employees cross the threshold into the work environment, they may stop talking about these issues, but they carry the associated stress effects with them. It also works in the other direction: stress at work can cause insomnia at home. And like a boomerang, it returns to work.

Bec McKeown, founder and principal psychologist at Mind Science Ltd.

“There is ample research evidence to show [insomnia] can cause problems with cognitive function and alertness, and can increase the likelihood of error,” comments Bec McKeown, founder and principal psychologist at Mind Science Ltd. “As an example, think about having to screen for intrusions when you are tired yet have to make decisions late at night during an incident response… Pretty much anything you do when you are fatigued isn’t going to be optimal.” 

We have, then, a combination of both home and work stress – both of which are primarily emotional stress. But there are more. There are also invisible physiological causes of stress. Here ‘physiological’ is used loosely, simply to distinguish it from psychological (or emotional) stress. One example is seasonal affective disorder (SAD), generally attributed to decreasing levels of sunlight in autumn and a subsequent and rapid reduction in serotonin levels.

It does not affect everyone, but the effects of SAD can include depression, loss of energy, poor concentration, social withdrawal, irritability, and anxiety; and they will often last for a few weeks. These are identical to the symptoms of work-related stress. This ‘behavior’ will undoubtedly affect other members of the team – but both the sufferer and colleagues may be unaware of the cause.

A further example can be found in the neurological conditions of ADHD and ASD (more specifically, that part of the spectrum that used to be called ‘Asperger’s’). The benefits of these conditions within cybersecurity are well-documented; and it is widely considered (not necessarily statistically proven) that a higher than average number of security personnel are neurodivergent.

Neurodivergents often colloquially use the terms ‘divergents’ and ‘normies’ as category distinctions – and we’ll use the same terms here. Divergents don’t tend to cause problems directly – but some of the more visible effects of the condition can be misunderstood by normies. 

A study by the UK’s NCSC (Decrypting Diversity, 2021) found that divergents consider themselves subject to career-limiting discrimination at work (37%, the same as gender discrimination and just short of ethnicity discrimination). This discrimination has led to 22% of divergents considering changing employers, and 7% considering leaving the sector despite their value to the company. 

There are several effects from this – the majority normies may misunderstand the minority divergents and exclude them, and the divergents may be disincentivized both by the exclusion and the lack of career opportunities. Incidentally, career exclusion is unwarranted – SecurityWeek believes there is considerable empirical evidence to suggest that many top-performing CISOs are themselves divergents.

We have dwelt on these issues because they all impact the efficiency of the security team. Depression may come from inside or outside the work environment. It may be transitory, or part of a slow accumulation of stress that could ultimately lead to burnout. This reduces the efficiency of the team. It can lead to more errors – and more errors could lead to more breaches. It is incumbent on the CISO, given that resources are finite, to maximize the available resources by managing the stress and depression levels of the security team well before they reach the chronic result of burnout.

Effects and management

Team leaders must understand what they can and cannot do. They cannot, for example, attempt to diagnose or treat mental illness – that requires medical training. This gets complicated because depression can be both a symptom of stress and a mental illness. The depression we have discussed here is better described as severe mood swings instigated by specific and often temporary, or at least transient, conditions.

“Generally speaking, leaders are not medical clinicians or mental health professionals,” says Omri Weinberg, co-founder and CRO at DoControl, “so, attempting to diagnose conditions is not advisable. However, 100% of people leaders are also people, so there are always opportunities to extend compassion and practice empathy. In office environments, people leaders can and should be observant of team members who have changes in behavior, external factors that can affect physical and mental health states, etc. In remote work organizations, it can be more challenging to observe these factors, but it is really a matter of focus and creating trust.”

One thing that can help is understanding the personality traits of the individual team members – a sort of informal psychological evaluation. A CISO cannot do this formally, but observation of people’s reaction to certain conditions provides most of the clues necessary. Reaction to SOC incidents, for example, can indicate who can and who cannot cope with sudden emergencies. 

“Cybersecurity is so diverse with so many different jobs that a CISO can ensure the right match between person and task,” says Morris. It’s a form of horses for courses, where the CISO takes account of both the technical skills and the personality traits. “It’s not a complete solution, but can prevent the development of imposter syndrome in the newcomer who is suddenly out of depth, and can limit some of the stress factors that can lead to burnout in the more susceptible team members.”

So, what should the leader look for as a symptom of unmanaged stress? “There are many different stress symptoms,” says McKeown. “It could be that somebody has a very short fuse – they’re getting snappy and irritable with people and seem anxious and struggle to make decisions. These are emotional symptoms, but there can also be physical symptoms: an increase in stomach problems, or more than usual headaches or migraines. Muscle pains, dizziness and nausea can also occur. There are many different things and they’re all going to be different for different people.”

But she adds, “The key is whether someone is behaving in a way that person doesn’t normally behave, to the extent that you notice it. That’s possibly enough. I don’t mean just on one occasion – I mean if it shows a predictable pattern. If somebody is normally easygoing and helpful but starts to become angry and withdrawn – that’s an indicator there’s something else going on.”

It is important that a leader who suspects genuine mental illness seeks outside help. An increasing number of companies are now employing mental health first aiders (MHFAs). These are employees trained in identifying mental health issues.

“It’s about having signposts or having knowledge of where to send people. That’s where the Mental Health First Aiders come in, because they self-select to go and train for that sort of thing. They have an interest, and possibly an openness towards people who have mental health issues – so they’re going to be a sympathetic ear. But they’re also trained to know where I can send this person to get expert help. What I’m saying is it is not the responsibility of the CISO to get directly involved in this.”

MHFAs can provide early intervention and knowledge of next steps. At the very least, their existence can normalize open discussion about mental illness and the importance of mental well-being. If a company does not have MHFAs, the CISO should perhaps advocate for their creation.

Key to managing stress is observation and intervention. But this, too, has its own difficulties. We’ve seen that a key indication of something wrong is depression, but depression is not always visible. While depression may be an effect of other causes, the CISO may only see the effects of depression – but they must be recognized for what they are. These effects could include a loss of engagement with less interest in or enthusiasm for the day’s work; reduced levels of concentration possibly leading to more errors of both fact and judgment; irritability and distancing from colleagues, and increased levels of anxiety.

[Figure: Maslow’s Hierarchy of Needs, shown as a pyramid.]

So, observation involves the symptoms of depression, while intervention attempts to alleviate the cause of the depression. This is the next major difficulty – there is no neon sign saying, ‘my depression is work related’ or ‘my depression is home related’.

Consider Maslow’s well-known ‘hierarchy of needs’. The pinnacle is what you require from the cybersecurity team at work: self-actualization. But its achievement is built on a foundation that comes more from home life than from work life: primarily physiological and personal safety needs.

According to the WHO, “In the first year of the COVID-19 pandemic, global prevalence of anxiety and depression increased by a massive 25%.” Loss, fear, isolation, financial worries are all cited as contributing factors. Today, the direct fear of COVID is reducing, but the social effects have been replaced by new or continuing concerns. Financial worries persist – perhaps even worsened by the loss of government support and a rising tide of corporate layoffs. Fear is heightened by increasing geopolitical tensions and horrendous wars reawakening the nuclear shadow.

Put simply, the depression at work that may be reducing the efficiency of your security team may have nothing to do with work – and there is nothing the CISO can do about it. Intervention in domestic worries is just intrusion into personal lives, and wrong on many levels. A CISO can ask, “How are you?” but, “How’s your home life?” becomes intrusive; and a CISO’s role is to protect the company, not solve the problems of society.

“Emotions don’t change significantly between home and work,” explains Mannix. “But at the same time, you can’t have leadership being responsible for the mental health of their employees when they’re not at work. So, the only thing I think we can do is try and generate, as a leader, an environment that offers people maximum flexibility.”

Active intervention must remain within the confines of the work environment. The best kind of intervention is preventative support. A good working environment can counter work-related stress and hopefully prevent it, while simultaneously alleviating home-related stress.

Elements can include developing a good team spirit, regular team meetings that don’t simply discuss critical point project analyses, promoting inclusiveness, protecting the team from unnecessarily overbearing other business leaders, encouragement, ensuring an adequate reimbursement package, making sure that holidays are taken, and adding additional ‘days off’ when possible or required.

Mike Guthrie, MD of security services at Lares Consulting, is a strong believer in these ‘days off’. “We encourage PTO, but real PTO. Our teams are passionate about their work and will often check into Slack even when they are taking time off.” (He is also guilty of this.) “The rest of the team is very good at telling them to log off, sometimes even in a forceful manner to ensure they do so.”

Gareth Lindahl-Wise, CISO at Ontinue, has a four-point plan. The first is flexibility. This can be demonstrated in many ways, but he gives the example of being flexible over remote or office working. “You are likely to get a better-quality outcome and reduced mental stress in an environment that can flex,” he says.

The second is ‘automate, automate, automate’. “Free your teams to work on the things that matter by stripping away the things that don’t. The slow degradation of mental well-being and self-worth must be a concern where we don’t do this.”

The third is to ensure that teams understand the value of their work. This is related to the second. Stripping away as much as possible of the boring work surfaces the obviously more difficult and almost certainly more interesting functions. Make sure that team members understand that their work in these areas is highly valued.

The fourth is to demonstrate your appreciation. “Encourage, measure and reward contributions from your teams that improve what you are doing and how you are doing it. Recognition of their contribution goes a long way to help their sense of wellbeing and personal value.”

Geoff Belknap, CISO and VP, Engineering at LinkedIn.

Done effectively, this could prevent the invisible growth of stress that can lead to burnout. It can also help alleviate non-work stress without being intrusive into the team member’s private life. If it doesn’t work, and the person’s visible signs of stress continue to grow, there is little more that the leader can do beyond doubling down on the existing methods, perhaps insisting the person take several days off rather than just one.

The simple reality is that maintaining mental well-being and maximizing team efficiency is a constant battle in adverse conditions. But the team leader has one further problem: who watches the watcher? The leader must ensure his or her own mental well-being. Burnout is as big a problem for CISOs – if not bigger – as it is for team members.

We’ll leave the final word to Geoff Belknap, CISO at LinkedIn. “I try not to ignore my own physical symptoms,” he says. It’s worth adding that he seeks an open and trusting relationship both with his team and with his C-Level peers; and believes that both sides would be willing to warn him if they thought he was unduly suffering.

“I’ve done this kind of role for 15 years now, and it is unlike any other job I have ever had. It’s not the only type of job that generates high levels of stress, and personally, I thrive in this environment. But it has an impact on you. The human body is not designed to endure this much stress constantly without some sort of regular upkeep – just like you need to maintain a vehicle or any other machine that is doing a job regularly.”

The analogy holds. If you continuously over-rev a vehicle without adequate maintenance, it will eventually have problems. 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.