The threat within: We need to talk about mental health in cybersecurity

Image by rudzhan via Freepik

July 18, 2022

With fears of a ‘Great Burnout’ to follow the ‘Great Resignation,’ leaders across all industries are grappling with the question of, ‘how do I keep the talent I have?’ This is in addition to filling the innumerable open positions in their organizations. Unfortunately, in the cybersecurity world, the ‘Great Burnout’ is already well underway, and it’s on leaders to address it head-on. Burnout in the cybersecurity industry is a well-documented but often unspoken problem.

More than 80% of cybersecurity personnel said they’re dealing with more stress following the pandemic than before it, according to a report from Cusec, but because evaluating mental health requires a person or team to look inward — rather than focusing externally on an emerging threat — it often does not take priority in the front-line industry of cybersecurity. As cybersecurity leaders evaluate the risks that their organizations face, they must account for the risk that stress and anxiety on workers presents in an industry that never sleeps.

It should not be up to the individual security professionals alone to look after their own work-life balance. That’s why leaders in any organization must accurately understand the burden on their teams and take responsibility for ensuring their staff is well-supported with sufficient personnel.

A leader should be able to evaluate the conditions a cybersecurity team is operating under — including hours, staffing and pay — to determine if a situation is tenable or not. Incessant threats, when combined with long hours, inadequate budgets and ignorant leadership, can drive an organization’s security people into the ground — or out of the industry entirely.

A VMware report found that at least 65% of security professionals say they’ve considered leaving their job because of stress, partially due to increased workloads and stagnant resources during the pandemic. The shortage in skilled cybersecurity staff may influence some organizational leaders to lean even harder on the incident response teams they do have, creating a vicious cycle of burnout that’s exacerbated by an ever-heightened threat environment.

Delivering those resources in the form of additional staff, shorter shifts, better tools, or even outsourcing security operations is essential for organizational leaders who desire long-term success and want to demonstrate that they truly care about their employees. People with a strong sense of duty are often attracted to security work, which is their superpower. That may be great for the success and security of their company, but our greatest strengths often become our weaknesses. If security professionals don’t learn to exercise strong boundary management, they are at risk of destroying themselves through burnout.

Creating strong work-life boundaries requires courage, especially for early-career cybersecurity professionals who are eager to go above and beyond by working longer hours. Boundary management is a two-way street that is manageable only when both the individual contributors and managers discuss it often in an open and candid way. Managing stress and maintaining a workload that challenges but does not cause burnout should be a frequent topic in weekly one-on-one meetings and during touchpoints between leaders and team members. Scheduling additional open conversations with teams that center on healthy habits and boundary maintenance can create a positive culture around work-life balance, empowering teams to define their own strategies to deal with crushing workloads. Normalizing discussions about mental health in the workplace and removing the stigma around asking for help requires a cultural shift that starts with the C-suite.

There are situations, incidents and crises that do require extraordinary and even heroic effort to navigate successfully. These situations can be mitigated by setting up special compensations to help employees recover. These can take the form of additional days off, bonuses and public recognition or other awards that fit your organization’s culture.

I have made it a priority to set work-life boundaries my entire career, whether it’s been at the Federal Bureau of Investigation, Qualtrics, or Arctic Wolf. Now, as a cybersecurity leader, I can use this experience to help my team enjoy satisfying work-life boundaries. I know that with good communication and sufficient support, they will not have to choose between keeping our company secure and enjoying time with their family and friends. When cybersecurity teams are engaged, happy, and physically and mentally healthy, they perform better and keep their organization safer.

Adam Marrè is Vice President, Chief Information Security Officer at Arctic Wolf.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.