Working in cyber security can be intense and strenuous at all levels, so it comes as no surprise that many security professionals report experiencing mental health issues.
Nearly half of CISOs and senior InfoSec professionals could leave in the next five years due to work-related stress, according to Gartner. Meanwhile, a staggering 91% of security professionals report feeling stressed in their role, according to findings from the 2022 Voice of SecOps report.
This has prompted nearly half (45%) of staff to consider quitting their jobs to prioritize mental wellbeing.
Countering a wave of threats
Security staff operate amid an increasingly challenging period fraught with an evolving array of threats. They’re also forced to contend with sophisticated and relentless threat actors.
How to reduce the risk of phishing and ransomware
Top security concerns and tips for mitigation
Among the most common stress factors identified in the Voice of SecOps report were the “impossibility of stopping every threat” and the “expectation to be constantly on call” in the event of an incident unfolding.
With this in mind, it’s hardly surprising that pressure has been mounting in recent years, according to BAE Systems CISO, Mary Haigh.
Haigh tells ITPro many practitioners now maintain an ‘always on’ mindset, which is having a significant impact on their mental wellbeing and contributing to a wave of fatigue and burnout.
“A cyber attack is one of the top risks for pretty much any organization – and it’s not a case of if it's going to happen, it’s a case of when,” Haigh tells IT Pro. “ This can drive an “always on” mindset which is very damaging for the mental health of cyber security practitioners over the long term.”
Mental health is ‘not a boardroom topic’
Haigh suggests a long-running trend of failing to adequately address mental health issues in business is exacerbating these problems.
Mental health has been thrust firmly into the corporate spotlight in recent years, especially since the onset of the COVID-19 pandemic. But many security practitioners find mental health to be a sideline topic that's perhaps not discussed in-depth due to an expectation their job is inherently stressful.
Technology in the wake of hybrid work has fueled an always-on culture that’s turbocharged a new breed of burnout. But technology can also come to the rescue and boost mental wellbeing.
“For too many organizations, cyber security is not a boardroom topic, meaning that cyber teams have a double whammy of not feeling sufficiently supported or empowered to build resilience against an attack, whilst also knowing just how devastating one could be for the organization and them personally,” she says.
Gartner’s research into mental health in cyber security found many organizations simply do not have the adequate internal resources or safeguards to support staff.
By failing to implement appropriate safeguards, this could create a serious long-term headache for organizations and their ability to mitigate threats, according to Sarah Coleman, chief people officer at Adarma.
“Organizations that do not take proactive measures to alleviate this burden and protect both the mental health and wellbeing of their security teams not only face the risk of losing their best talent, but also put their business and bottom-line at risk,” she says.
“Mental fatigue, high stress and poor wellbeing can lead to a rise in the frequency of security mistakes, sick days, and high turnover.”
The cyber security industry is already contending with a significant global skills shortage, with (ISC)² pinning the personnel deficit at 3.4 million. Coleman says the risk of losing staff due to stress or mental health-related issues should signal a warning for businesses moving forward.
Be proactive with mental health awareness
Haigh and Coleman agree that organizations must take a proactive approach to engaging with staff on mental health.
“A preventative approach is better than a reactive one,” Coleman says. “Adopting a strong people strategy and embracing a company culture that prioritizes mental health is a fundamental step in addressing the issue.”
Haigh says, from the outset, cyber security leaders need to focus on “building strong teams” capable of withstanding the pressure of the role. This is where ‘creative’ hiring can play a key role, she says. For example, leaders can hire based on aptitude, not experience, and then “cyber people up”, so to speak.
“It’s also imperative to work hard on retention by giving employees plenty of opportunities to develop their skills,” Haigh adds. “If teams feel their workload is unachievable they’ll be demotivated, so having the right sized team and very clear priorities is vital.”
Mapping the digital attack surface
Why global organizations are struggling to manage cyber risk
Culture within security teams is equally crucial, Haigh says. The atmosphere within a team “must be one of openness, trust, and transparency” to ensure that staff feel comfortable airing their views and confiding their issues. “Staff who are not listened to tend to feel powerless, and that’s a huge stress factor,” she says.
Proactive safeguards, such as mental health support and training to recognize the signs of stress and burnout are also an imperative for organizations, Jelena Laudver, CybExer’s head of people and culture, tells IT Pro.
Regular check-ins and conversations with team members about their wellbeing and mental health can also help, she says. “By providing these resources, organizations can identify potential mental health issues earlier and provide support and resources as needed.”
Shout about cyber security successes
Celebrating success can be an invaluable way to bolster morale among security personnel, Haigh suggests.
While it’s natural to focus on security failures – after all, they grab headlines – Haigh suggests cyber leaders should do more to highlight successes and the valuable work that teams carry out in their day-to-day activities.
“Too often, cyber security is couched as ‘avoiding the bad happening’ and it’s hard to celebrate that,” she says. “Having an enduring capability that’s clear about its priorities and deliveries allows teams to track progress and celebrate this.
“The rate of change in cyber security – from threats themselves to the technology used to detect and mitigate them – is so high that it’s easy to deliver something and immediately move on to the next thing. It’s on cyber security leadership to shout about successes loudly.”
