Unsustainable pressures are being placed on cyber leaders and professionals’ mental health because of a combination of factors, such as the growing attack surface, increasing cybersecurity and data regulations and the ongoing skills shortage.
“The environment is particularly harsh. I’m really concerned for leaders in this industry – they’re suffering big time,” Jane Frankland, author and founder of KnewStart and the IN Security Movement, told Infosecurity.
“Right now, we’re risking an exodus of leaders in this industry due to the environment, as well as a lower quality of work being produced,” she added.
A number of surveys back up this sentiment. In 2022, a study by Vectra AI found that half of UK cybersecurity chiefs are feeling burnt out and are thinking of resigning due to the immense pressure they’re under.
It is a scenario the industry cannot afford to let take hold, particularly given the sector’s enormous skills shortage.
Against this backdrop, a paper titled Mental Health in Cyber Security was published in May. Authored by three leading security professionals, the document reviews the current research landscape and industry practices in this area and sets out a range of suggested actions.
Speaking to Infosecurity, Sarb Sembhi, CTO at Virtually Informed Limited, explained: “Basically, the paper is a discussion document, we want more discussion.” He hopes this will ultimately lead to collective action among industry stakeholders that starts to mitigate this brewing crisis in the cybersecurity industry.
The changes set out in the document revolve around five stakeholders: research/academia, governments, professional and certifying bodies, enterprises and cybersecurity professionals.
Sembhi’s fellow authors include Peter Olivier, head of security delivery, Admiral Group and Paul Simms, director of cyber security & compliance, Lumanity.
Promoting in-Depth Research
The paper cites a number of studies highlighting disturbing issues regarding mental health in cybersecurity. This includes the Nominet report Life Inside the Perimeter – Understanding the Modern CISO, which found that 91% of CISOs suffer moderate or high stress, while 17% are either medicating or using alcohol to deal with job stress.
While such research is important, Sembhi and his co-authors recognized that these types of studies do not attract sufficient attention from industry groups and governments. “We found that much of the research could be construed as anecdotal or not rigorous enough, because all these surveys are done by people who want to express an opinion,” he noted.
Therefore, the discussion paper emphasized the urgent need for independent research to be carried out into the state of mental health in cybersecurity and its consequences, alongside practical recommendations for improvement.
Government and Industry Association Actions
Sembhi believes that such insights will ensure industry bodies place a much greater emphasis on mental health in cybersecurity, which will subsequently lead to government agencies, like the UK’s National Cyber Security Centre (NCSC), also focusing on the problem.
“The aim is to get the industry bodies to take it on because if they act collectively, the chances are the government will listen,” he outlined.
Sembhi pointed out that national cybersecurity strategies by governments in countries like the UK and US are reliant upon enterprises’ cyber resilience, which in turn is dependent upon the capabilities of cybersecurity teams and professionals.
Encouragingly, Sembhi has already engaged with industry associations on the issue since publication, and is using events such as Infosecurity Europe 2023 to spotlight the topic further.
The hope is that this will lead to the development of best practice guidance for organizations and security leaders to manage the mental health of cyber professionals. This needs to range from the soft skills and support needed in organizations to how security teams and units are staffed.
For professional and certifying bodies, this information should be incorporated into their knowledge domains, certifications, standards, frameworks and best practices.
Frankland, who peer-reviewed the paper, said she would like to see focused government awareness campaigns around mental health more generally, as “a lot of people don’t recognize the signs of burnout.”
Cyber and Business Leadership
The report also highlighted the responsibilities of organizations and cybersecurity leaders to manage mental health in their teams.
For organizations and business leaders, mental health considerations should be encompassed in their strategic planning, with measurable outcomes set out to define success. The paper also states that security leaders “should speak out about stress, raise awareness and identify signs and symptoms of stress in themselves and their colleagues, and explore ways to support their teams to address the root cause.”
Frankland said the key is establishing a sustainable team and leadership culture in security departments, which she terms a “high challenge, high support” environment – where “an individual is challenged and supported in equal doses.”
Missing either or both of these elements can result in burnout, noted Frankland. Therefore, security leaders must regularly speak to and understand their team, and quickly respond to signs of burnout and stress. This also requires more input from HR departments, as CISOs often do not have the capacity to manage large teams in this way.
Frankland also highlighted the particular mental health challenges faced by women working in cybersecurity. Although women are generally better than men at coping with stress, they are often told they must work extra hard to prove their worth, often by other women.
“All that happens is they get to a point where it’s unsustainable, and they become really cynical, depressed or are taken out by an illness,” she noted.
To prevent this, Frankland said it is important that women cyber professionals exercise more self-agency and have the confidence to push back against unsustainable working practices. “We’ve got to get better at this,” she commented.
Mental Health in Cybersecurity Charter
To help kick off the long journey to tackle mental health in cybersecurity, the paper has also created a five-point charter, which is designed to be adopted by any organization as their acknowledgment of the issue.
Sembhi explained: “We’re asking organizations to align themselves by saying ‘we believe this is an issue that needs looking at and support needs to be provided’ – that’s basically what’s in the document.”
Sembhi will be joined by a panel of cyber leaders to discuss the topic further during Infosecurity Europe 2023, which is taking place from 20-22 June 2023 at the ExCel, London. The session, ‘Panel: Mental Health and Insider Risk as the Next Big Threat to Cyber Security,’ is taking place from 13.25-13.55 on Thursday 22 June at the Keynote Stage.