Stress and burnout have long been recognized as significant issues for cybersecurity workers, who are always on call and have to be ready to deal with the unexpected. The actions they take during cyber-attacks are also critical to their organizations’ operations and, in some instances, are even the difference between staying in business or going bust. This type of pressure can make the cybersecurity industry especially prone to mental health challenges.
Quentyn Taylor, Canon EMEA’s senior director in information security and global response, explained: “There are certain career pressures that exist within cybersecurity roles that aren’t necessarily present in many other enterprise IT jobs. Cyber-threats can happen at any given time, and when an incident occurs, cybersecurity professionals are expected to be ‘on.’ For example, it’s not uncommon during incidents for cybersecurity professionals to need to actually book ‘sleep time’ in their calendars to ensure they can get enough rest. This level of high-pressure to be on reactive standby 24/7, 365 days a year can negatively impact individuals’ mental health and, if left unchecked, lead to low-level stress.”
The COVID-19 crisis has only exacerbated the pressure on the cybersecurity workforce, with cyber-attacks surging over this period. For example, CIISec’s 2020/21 State of the Profession report found that over half (51%) of cybersecurity professionals are kept up at night by the stress of the job and work challenges.
Cybersecurity professionals’ workloads are unlikely to relent either, with the Russia-Ukraine conflict likely to create a more dangerous cyber-threat environment over the medium to long term.
Adding further fuel to the fire is the ongoing cyber skills gap, which often means security personnel are covering multiple workloads. While this issue is receiving more coverage, the skills crisis is showing no signs of abating; in fact, research suggests many skilled cybersecurity workers are considering quitting the sector due to unsustainable workloads.
“Cybersecurity is 24/7 by its nature. The whole business is 24 hours a day; it’s always on, which means you’ll never be able to do everything. And this backlog just keeps growing and growing. Burnout has been an issue for a long time, and stress-related mental-health concerns aren’t new challenges to cybersecurity professionals. This great burnout has already been happening, and it’s just come to a cataclysm,” commented Ian McShane, vice president of strategy at Arctic Wolf.
In this environment, it is vital organizations put in place strategies to ease the burden on their cybersecurity staff, and offer them meaningful mental health support. Canon’s Taylor outlined a range of approaches that can be taken in this regard. “Businesses absolutely need to support their cybersecurity workers more by taking an interest in the way they approach their roles, which will help them to spot issues and provide the necessary support to individuals,” he said. “Leaders should also explore the option of enlisting mentors who are not a part of the IT industry to provide perspective and ensure their mentees are not constantly overworked. More broadly, hiring a diverse range of staff also helps to encourage a balance of viewpoints and build a working environment that nurtures employees rather than pile on the pressure in critical situations such as cyber threats.”
Strategies to support workers’ mental health should also form part of incident response processes – an especially difficult and stressful time for those working in the sector. Laurie Mercer, a security engineer at HackerOne, noted: “When a cyber-attack happens, guilt and blame often follow – but this is counterproductive. Openness, transparency, and speed are pivotal in effectively resolving a breach. It is generally a time of high stress and short tempers; however, as with most things in business, proper planning and processes are paramount.
“Planning must include ensuring that an up-to-date roster of expert contractors is available, restoring critical infrastructure quickly, and taking care of staff wellbeing – both psychological and physical. Workloads will invariably spike, leading to people working longer hours with shorter breaks, and managers must be prepared to step in to monitor activity levels and ensure their staff members are not burning out as these instances can be marathons rather than sprints.”
This year’s Mental Health Awareness Week comes at a particularly stressful and challenging time for cybersecurity workers. It is vital the mental health of these staff is included in organizations’ overall cybersecurity strategies going forward – both from a moral and societal point of view, but also to ensure IT teams are filled with fresh and focused workers, ready to take on the growing cyber-threat landscape.