Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

01:00 PM
Kelly Sheridan
Kelly Sheridan
Connect Directly

6 Drivers of Mental and Emotional Stress in Infosec

Pressure comes in many forms but often with the same end result: stress and burnout within the security community.
1 of 7

(Image: Christian Schulz via Shutterstock)

(Image: Christian Schulz via Shutterstock)

Every year, thousands of cybersecurity pros descend on Las Vegas for Black Hat USA, where they learn the latest in security research, hone new skills, and connect with the infosec industry. Most sessions at the conference cover what you'd expect: malware, network defense, platform security, cryptography, and reverse engineering, to name a few.

But not all proposals to present at Black Hat dig into bits and bytes. Rather, they "engender and embody the softer issues" affecting security pros and are often hard to talk about: mental health, addiction, burnout, sexual harassment, and legal obstacles, says Ping Look, member of the Black Hat Review Board.

"Every year we get submissions that don't really belong," says Look, who is also program manager on the Detection and Reaction Team (DART) within Microsoft's Enterprise Cybersecurity Group.

In response, Black Hat is compiling these submissions into a new Community track designed to put the spotlight on these and other relevant topics related to how people live and work.

"This track deals with the human side of things," Look says. Many of these problems are not being addressed in the workplace and are poorly understood by employers. The idea behind Community sessions is to bring common but undiscussed issues into conversation.

"If the conversation is occurring, it's occurring in small collectives, small groups," adds Russ Rodgers, senior cyber consultant at Microsoft. "I don't think it's industrywide yet."

Many of the issues the Community track will bring to light next month aren't new or specific to security, both experts agree. The rise of the Internet has made the world bigger and smaller, and it's driving the prevalence of mental-health issues we're just now starting to recognize and give a bigger spotlight.

"This emerging science in how digital, just being online too much, being isolated, and yet siloing yourself is now having a deep, profound impact on the community," Look says. The instant gratification of the Internet has caused a divide between younger and older generations, and the disparity in their mindsets is one of several issues driving stress within the industry.

Here, we discuss a few more factors driving mental and emotional stress within the security community. Have you noticed these issues in your workplace and/or have any factors to add to this list? Feel free to share your thoughts and continue the conversation in the comments.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

1 of 7
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
7/18/2018 | 12:19:56 AM
The Personal Cost of CyberWarfare

Thank for headlining your daily digest with the oh-so-unsexy topic of the personal struggles InfoSec & IT Pros face.


In an age where we are constantly expected to do more with less [to nothing], and the Damocles' Sword of failing our customers and shareholders continuously looms overhead – should we ever fail to protect invaluable business data from determined criminals – it's refreshing to see community members start discussions about truly important matters, especially ones many people don't like talking [or hearing] about.

I believe it's imperative we drag these hard truths into the light of public discourse.  I don't know how many customers and managers thoughtfully consider the impact undue stress creates in the lives of their IT/InfoSec professionals – although we certainly hear their dissatisfaction ad-nauseam.  

Corporate political pressures and budgetary constraints aside, we are fighting a seemingly endless and unwinnable war on two fronts, expending the best part of our lives protecting someone else's data – both from well-financed, hardened criminal enterprises and well-meaning-yet-gullible, careless, security-adverse employees.  Battles are often waged at considerable personal expense, with the fallout normally contaminating personal relationships – one thing that can truly help us endure our incessant skirmishes. 


To some extent (though probably not enough), our soldiers and emergency service workers receive public recognition for their honourable sacrifice – made for the betterment of society and complete strangers.  We write stories praising their heroic efforts and reward them with hansom salaries, paid by members of the communities they serve. 

What we do is not that different, except we serve and protect cold, lifeless data – or at least that's what it seems.  Few people recognise the daily work [and cost] required to protect their exponentially-growing wealth of personal information.  There is no praise or glory in success – it's expected.  Only when the aforementioned parties (criminals and careless employees) succeed in damaging economy and society – using our data – are we noticed, and only then for 'our' failure.  (Incidentally, 'excuses' like precipitating budget cuts never seem to make public discussion.)

We are at war, fighting the same enemies with the same goals, fighting for the same causes, and often with the same costs (loss-of-life aside, excluding suicide).  It's time we start examining the outcomes – stress-induced mental health crises, rampant addiction to harmful substances and behaviours (many prescribed by our physicians), damaged and broken personal relationships, etc. – through the same lens as our fellow brothers-and-sisters-in-arms.  To some extent (though again, not nearly enough), Veterans and First-Responders have programs dedicated to helping them address, understand, and work through these life-altering issues.  For the most part, we have unsympathetic bosses telling us to 'leave our personal problems at home' – as if said problems weren't exacerbated by work-related stresses – and HR departments with pink slips. 


We're long overdue for a shift in mindset – it's time we carefully study and candidly discuss the personal impact fighting the Information & CyberSecurity War has on our lives – and look for ways to support and help each other survive with sanity and families intact.


Matthew Arnold   ::   linkedin/in/MatthewPaulArnold


P.S.  This is not intended to be a rant, nor am I trying to raise problems without solutions.  I do know that some companies work hard to create environments that enable their technology professionals to thrive, despite the pressure.  However, industry-wide, these are few and far between.  I have spent almost 20a working in IT-related positions, the last five at HR & Employment Services organisations, interacting with job seekers and hiring managers – many of my own experiences have been confirmed by others in similar situations.  There are disturbing trends occurring in industries determined to stockpile as much personal information as possible, while simultaneously using the smallest possible budget to secure it.  Long-term, there can be no winners in this environment.

User Rank: Ninja
7/9/2018 | 2:00:13 PM
Re: Psych Eval Addition to the Hiring Process Or...
Quick note about faith in humanity.  That was poorly written - what really bugs one about this subject on the cyber sec side is just how plain DUMB people can be.  Walking somebody out with many years of experience over just stupid download of data is damning indeed.  One has to really wonder if people are, AND THEY ARE, that freaking stupid.  I don't care about home computers - whatever floats your boat.  And I have seen a ton of it.  But WORK?  
User Rank: Ninja
7/9/2018 | 9:55:10 AM
Psych Eval Addition to the Hiring Process Or...
Here's the problem you're looking at, plain and simple. I mean this with the greatest respect for folks who are burning out, because I had my bout with it and ended up in the ER more than once for overwork stress. I've been using tech since I was a teen (born in the 70s) and you've either got the tech bug or you don't. No sleep, no food, no friends - often part of the gig. Too many friends, too much to drink, too much to food - can also be part of the gig. It all depends on the job at hand and the goal. But the difference between the average InfoSec professional and the opposition is psychology. You will almost never, and I mean never, have the same way of thinking about your job that they do theirs; because to them it isn't a job, it's the air they breathe. Sorry, that's just how it is.

I've hammered on this in the past. You can't train someone to do InfoSec in a straight-laced Dockers environment who doesn't already have the same mental state as the adversary and expect them to do a stellar job. Or, maybe they do a great job for a while, but then begin to burn out because of what they see (REISEN1955 alludes to fallen faith in humanity when seeing co-workers' porn habits at work). You can't care about that and expect to do well in InfoSec. Honest opinion. In fact, the best InfoSec resource is going to understand the adversary, think like them to some extent, and be just fine with all the bad stuff they see. You can't be affected by it and expect to maintain your effectiveness as an InfoSec professional.

This goes further, of course. Pen-testing is a good example. It's one area I still see in InfoSec that can never, and I mean never, go fully automated. You need a bulldog, a killer, a sadistic and driven-by-the-domination kind of mind that will not stop until they find the last hole in your system. And this is not work that can be done in a 9-5x5 work week. No way. If you can't hack that, you really shouldn't be in the game. Er, industry.

So, yeah, tech can really come down hard on some people. It's a shame, for sure. But it's the gig. I didn't break all those keyboards doing week-long all-nighters by design. That's what you sign up for - you come in knowing what it takes and you do the work. And, honestly, it's kind of the point that human nature takes dark turns that you're in the InfoSec industry, so it should come as no surprise what your co-workers get up to. Maybe take it with a sense of humor, to lighten the load.

If you want solid InfoSec performers, you may want to add a psych-eval to your hiring process, to see where they come from and if they can take the load. Or you could hire some black hatters from the battlefields who are ready to turn. Most of them aren't going to be whining about the hours, about the sad state of humanity or complaining about their work environment. But I get it. It's like war - we don't want to believe we're animals on the battlefield and we want honor in the battle. But at some point you have to face the fact that to do your job well, to beat "them" at their own game, you have to put blood into the battle, and you have to want to be the one coming home, not them.

So the short of it is, this influx of stress-related topics may want to be looked at in more than one way. Who are the people getting stressed and are they right for the industry, and if they are, are their bosses right for the industry - who is defining their work strategy and load. And on the off-chance you have a real talent who is getting crushed, better look at the battle they're fighting because the adversary might be doing something new, something effective, that needs to be studied and white-papered.

But of the human factors noted in the topics being submitted for consideration, I have no tolerance for sexual harassment or gender inequality issues. If our community of digital revolutionaries can get anything right, it's got to be inclusion. We stood for the outsider back in the day, and we can't be seen as being "like the man" today. I'd staff my team with a dozen women and trans-gender hackers in a heartbeat, all colors, all anything, because playing the game has no restrictions.
User Rank: Ninja
7/9/2018 | 7:11:57 AM
Hard job indeed
Cybersecurity is not the easiest job in the world for many reasons.  Attacks on networks are constant and monitoring is a 24-5-365 to the second chore.  And when an attack breaches - ransomware - all tasks are dropped and put into restore mode and this is often NOT EASY because restoration plans do not exist.  With proper preparation, it is FAR easier but companies often do not have plans in place.  IT has to make it up on the spot.  Second, your faith in humanity takes a hit.  Working with staff on internet usage takes one to some pretty bad places and emotional wounding.  It is not fun to address porn issues with your colleagues who can be walked out the door.   And at the end of the day, the cyber sec professional is worried about WHAT will happen tomorrow!!
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file.
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file.
PUBLISHED: 2021-09-16
libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.