When more than 6,000 cybersecurity professionals were asked last month in an online poll which area of their industry needs the most investment, the leading answer didn’t have anything to do with adopting the latest technology or bolstering readiness for threats — it was mental health.
Nearly half (45%) of respondents ranked the need for more resources to support a healthier state of mind right at the top of their priorities.
“Cybersecurity is an always-on industry that demands time, patience and resilience from all those involved,” said Nicole Mills, exhibition director at Infosecurity Group, which conducted the poll in the lead-up to the Infosecurity Europe conference in London. “Whether it’s trawling through false positives, analyzing threat intel or managing the response and repercussions of a data breach, the nature of the role, and being accountable for the security and safety of an organization can be overwhelming.”
Stress and burnout have long been recognized as significant issues for cybersecurity workers, Mills pointed out. Chief information security officers (CISOs) and IT security professionals can be especially vulnerable, with expectations that they understand the latest technology and technical aspects and communicate them succinctly. “There is significant pressure to deliver and be on hand to stop attacks,” Mills noted. “Furthermore, there are often pressures from project management or timelines.”
A study from Cynet, “Implications of Stress on CISOs 2023 Report,” found that 94% of CISOs surveyed suffer from work-related stress, with nearly two-thirds (65%) admitting that their stress levels are compromising their ability to protect their organizations. Shockingly, 9 in 10 revealed they work 40 or more hours a week with no break, while 84% had to cancel a vacation due to an urgent work matter. Nearly 8 in 10 say work-related stress impacts their physical and mental health and sleep.
The results, while “devastating,” are not all doom and gloom, stressed Cynet CEO Eyal Gruner. “Our research found that CISOs know exactly what they need to reduce stress levels: more automated tools to manage repetitive tasks, better training, and the ability to outsource some work responsibilities,” he said.
The well-being of those on the frontlines of cybersecurity has been top of mind with mental health professionals as cyberthreats have multiplied, affecting virtually every aspect of our lives and creating an overload of work for those empowered to protect everything from our data and email to our personal identities and national security.
“The pandemic is undoubtedly taking a toll on all of us, but the mental health of cybersecurity professionals, who are working tirelessly to ensure our safety online while facing increasingly sophisticated threats and having to manage remote teams, may be particularly at risk,” said Michael Dadashi, a psychologist and CEO of Infinite Recovery.
Numerous factors can contribute to mental health issues among cybersecurity professionals, Dadashi pointed out, including isolation from team members, lack of meaningful breaks, unrealistic workloads and expectations, an overabundance of responsibilities, and an unsupportive organizational culture or management. Furthermore, with cyber threats constantly evolving and becoming ever more difficult to predict, the overwhelming sense of responsibility to protect data can contribute to feelings of anxiety and helplessness.
Dadashi advised cybersecurity employers to take a proactive approach by providing counseling and support networks; encouraging self-care practices like mindfulness and meditation; offering flexible work hours and remote work options; providing mental health literacy and training; and recognizing the unique stressors faced by cybersecurity professionals. Crucially, organizations should ensure their teams are properly resourced with the tools and support they need to do their jobs effectively.
All signs point to cyberthreats becoming worse. According to the “Email Security Risk Report,” a study released this month by Egress, 92% of organizations fell victim to phishing attacks over the last 12 months, while 91% admitted they experienced email data loss. Unsurprisingly, 99% of cybersecurity leaders confess to being stressed about email security.
“The well-being of employees is of utmost importance, particularly in the high-stress environment of cybersecurity,” said Laura Probert, global chief people officer of email security company Egress. “Companies must demonstrate their commitment to creating a healthy and productive work environment, and to supporting their employees’ career growth.”
Egress has prioritized employee well-being by implementing mental health first aid, comprehensive learning and development programs, and regularly scheduled social events. Its employee assistance program provides free, confidential counselling services.
Some cybersecurity professionals point the finger not only at employers but themselves.
As Ross Flynn, cybersecurity risk manager for the firm Echelon Risk + Cyber, put it: “While organizations can create cultures that foster good mental health practices, it is still up to us as cybersecurity practitioners to practice good boundaries, spend time with loved ones, take breaks when needed and make time for other hobbies outside the field.”