Kathryn Pick explores the growing impact of stress, burnout and anxiety on security leaders across the industry
Cybersecurity is a fascinating, fulfilling and fun industry to work in, but along with the exciting highs of a job well done, there can be devastating lows, feelings of failure and a constant pressure focused squarely on your department, and in turn, you as a CISO.
For Gary Hayslip, director of information security at SoftBank, the downsides could have meant more than just an end to his career, but also damage to his health.
“Back in early 2017, when I was the CISO for the City of San Diego, I had been in the role for almost four years, and at the time I had been ignoring the signs that I was losing my battle with stress and job fatigue,” he tells Infosecurity.
“The job itself was amazing, and the teams and people I worked with were incredible, but as the seventh largest city in the US, we were a big target, and that weighed heavily on me. So much so, in fact, that I had never taken a vacation longer than a couple of days – along with that stress was the constant struggle for resources that all CISOs deal with.”
The result for him was a terrifying experience. “One day, I was sitting in my office, light-headed with chest pains, lacking the strength to pick up my phone and call my wife to tell her I loved her,” he explains. “In that moment, it was like time slowed down and I realized I didn’t like my job anymore. I had gained weight and I had distanced myself from my family and friends because I was so busy.
“I had let the role and the stress drive me into being an arrogant ass, and on that afternoon, I came back down to earth.”
Hayslip sought help from his doctor, and is now thriving in a new career, but he is far from alone in his experience.
“In that moment, it was like time slowed down and I realized I didn’t like my job anymore"
Looking to Quit
A report from Symantec this year claimed IT security leaders across Europe are considering quitting their job over the stress they are suffering due to mounting threats, compliance pressures and growing complexity.
The joint report prepared by research consultancy Thread and Chris Brauer of Goldsmiths, University of London, was based on interviews with 3000 security decision makers in the UK, Germany and France, 82% of the pros claimed they feel burned out, with nearly two-thirds saying they are thinking about leaving their job or quitting the industry altogether.
A similar report from Nominet, which polled over 400 security bosses on both sides of the Atlantic, found that 91% of respondents suffer moderate or high stress, with 60% saying that they rarely disconnect from their job – despite 88% already working over 40 hours per week.
Of the CISOs polled, 27% said stress is impacting their mental or physical health, while 23% said the role is damaging their personal relationships.
Even more striking was that 17% admitted they have turned to medication or alcohol to deal with workplace stress.
Cath Goulding, CISO at Nominet, says: “When we consulted a psychologist, he stated that this would have an impact on their [security leaders] quality of work, and also their career progression.
“Consequently, compared to the rest of the job market, CISOs are on average in their roles half the amount of time; two compared to 4.2 years.”
What Are the Pressures?
Psychotherapist David Slade, who runs workshops for CREST on the topic, says there are reams of stresses specific to the cybersecurity industry.
“Some of the key issues that come up from CISOs include a lack of downtime due to the relentless and expanding nature of threats, the scale of skills shortages, increasing regulation and personal liability, and also often having to work in isolation without support,” he says.
Jinan Budge, principal security analyst for Forrester, adds that CISOs also feel they are being used as scapegoats.
“For example, when there’s a breach, they feel like they will be the ones in the spotlight or the first ones to go,” she says.
She explains that CISOs are leading change programs that are unprecedented in scope and size, and getting hired to fix a problem, but instead of being given the budget and real accountability, they get platitudes.
Budge also thinks the lack of understanding of security issues is another factor. “Whilst cybersecurity is now a boardroom issue, and board members everywhere are realizing the importance of security, I am seeing a very distinct difference between awareness and understanding,” she says.
“Whilst awareness of security has increased ten-fold, this is not accompanied by understanding. This gap results in kneejerk reactions and continued lack of support.”
Slade says, although many of the stresses that exist can be found in other workplaces too, it is the combined effect of the many strands of information security that make it a particularly stressful environment to work in.
Budge agrees: “It could be said that a lot of the above are challenges that come with any leadership position. Indeed, when I publicly write or speak about this in blogs, on social media or at conferences, I get a lot of support, but I also get a lot of ‘what-about-ism.’
“My social media comments go wild with many of my respected colleagues arguing for and against me focusing on this issue.”
"When there’s a breach, they feel like they will be the ones in the spotlight or the first ones to go"
What Is the Impact?
Hal Lonas, the chief technology officer at online back-up company Carbonite, says all roles within the cybersecurity industry are very prone to burnout. “Cyber-criminals are relentless and the constant defense posture that infosec professionals must take can take a real toll on mental health,” he argues.
“In addition to cyber-criminals, infosec professionals face threats from well-intentioned but uninformed employees and vendors. It can be incredibly taxing to constantly be in ‘reactive’ mode, never being able to rest or get ahead no matter how hard we work, which is why burnout is a very real threat.”
Slade says it has a number of impacts on workers. “Many security leaders feel insecure, fearing dismissal, and feel like they are being set up to fail,” he says. “They find it very hard to disconnect from work matters, and disengage from feeling a sense of job satisfaction and purpose due to excessive stress.”
He says that not only does it have an affect on their personal lives and relationships, it hits the job too. “It negatively affects productivity, vigilance and performance, with more sick leave and missed opportunities.”
Hayslip may have escaped the worst-case aftershock of this stress, but he admits: “Over the last couple of years I have had several friends who were CISOs die of heart attacks very young or turn to alcohol to cope with the stress and blew up their careers.
“It was seeing this impact of stress on friends around me that really opened up my eyes to what it was doing to me.”
"Cyber-criminals are relentless and the constant defense posture that infosec professionals must take can take a real toll on mental health"
What Can be Done?
Budge says it may be because cybersecurity is such a male dominated industry or that many CISOs have not received the necessary leadership skills to do the job, but we should stop shying away from talking about the issue of stress in security roles.
“It’s important to bring this issue to the forefront as soon as possible,” she says. “Neglecting it, trying to minimize it or pretending it doesn’t exist may lead to serious consequences for those who are suffering.
“Mental health is never easy to raise or talk about, but raise it we must. We see, for example, a lot of suicide in professions such as dentists and doctors, and without oversimplifying this issue, this can occur when people don’t feel comfortable to raise issues.”
Lonas says to combat burnout, preventative measures must be utilized. “All companies and managers need to be on the lookout for signs of burnout among their teams and encourage a healthy work/life balance with regular time off,” he explains.
Slade agrees, calling for an additional safety net of HR undertaking a key supporting role, either in support of a remote line manager or as a mentor.
UK mental health charity Mind says for those in charge, it is about sending a clear message that staff wellbeing matters. “Colleagues take cues from how leaders behave,” the charity says. “Simple actions such as supporting a campaign to encourage staff to take lunch breaks or to work healthy hours has an impact.”
Raising awareness of the issue is also key. “In many workplaces, mental health is the elephant in the room,” Mind adds. “Too often, employees are too scared to talk to their managers and problems can spiral. Employers need to raise awareness and promote discussions of mental health and wellbeing to proactively challenge this harmful culture.”
The charity also gives tips for those experiencing stress first hand, whatever their level of seniority. “We know you’ll have times when you need to work overtime to meet deadlines, but try to make this the exception, not the norm.
“Long hours mean you may be working harder, but not better – they’ll quickly take their toll on your concentration, productiveness and health.”
There should also be clear boundaries between work and home, Mind advises. “Try not to let work spill over into your personal life. If you need to bring work home, designate a separate area for work and stick to it – you’ll find it much easier to then close the door on work.”
The most important thing is, if you need help, ask for it. “If you feel your workload is spiraling out of control, take the opportunity to discuss it with your manager or supervisor,” Mind says. “If you can’t resolve the problem of unrealistic goals, organizational problems or deadlines in this way, talk to your personnel department, trade union representative or other relevant members of staff.”
Budge argues that, at the very least, the industry needs to get to the core of why this stress is occurring. “We need to speak out about how to manage it, make sure that we are personally OK, and check in with our colleagues and fellow professionals to see if they are OK.
“To manage this stress, being a leader is job number one, and being a technician comes second.”