They're 'Also Human'
Rest well, eat well, exercise, time with friends … sure.
"The general consensus is that everyone sort of knows what to do and everyone knows what the options are," Louie says. "But it is extremely hard to actually execute in reality, especially when there is a cyberattack that occurs."
Sleeping under desks and surviving solely on a diet of infrequent pizza deliveries is no way to ensure top performance in stressful situations, but it isn't uncommon during breach response.
So how to improve it?
The NSA's Paul recommends, among other things, mindfulness exercises. She spoke about sensory centering exercises during her RSAC keynote session, and the NSA even gave out "Hack Stress boxes" at its booth to help security pros use the exercise and provide a helpful way to make their own. She says she likes this particularly because it's an exercise that a security pro can walk through with a stressed-out teammate.
Paul also mentions that it's essential for people to feel they are contributing to a larger mission (and aren't so bogged down in meetings and expense reports that they don't have time to do so).
"Hope is a fuzzy idea for us," she says. "But you can think of [hope] as a formal psychological construct which an organization can help instill in its workforce through culture. And it helps people feel like they have control over their destiny because they're contributing to the mission of the organization."
Louie says organizations might want to add a "mental health aspect" to their cyber incident response plan and tabletop exercises. "Include emotional outbursts from users as part of the drills and incident response exercises so that if something happens, it's not the first time they've seen it," he says.
This is already a common practice in the medical field, he notes, where "patient actors" help train physicians on giving diagnoses and improving their bedside manner.
"Specifically for CISOs, I think it's breaking down the barriers still of the notion that security is one person or one function's responsibility,” says Stuart from Nominet, "because the concepts of good cyber hygiene should be that there is this kind of a collective or a culture of a shared responsibility for good cybersecurity. Anyone that's dealing with data, anyone that's dealing with customer information, anyone who's processing data, anyone who's dealing with it, they will have responsibility for it."
Simpson says he had to fight through a lot of stress and self-loathing over the years, but he is much better. (So is his relationship with his daughter.)
"Fighting for every win along the way, having to be the most professional and effective person in the room for much of my career, and achieving the wins that I did in spite of everything working against me along the way has taught me that I can accomplish anything," he says. "This level of confidence is gold and now ripples significantly into my personal life, allowing me to find greater enjoyment in life overall."
And for CISOs who may often lament being outgunned and outnumbered by attackers who are presumably better-staffed and better-funded, Paul offers an idea that might soothe the worried mind: "I think we at the agency have a unique perspective just because we play both sides, and so we can appreciate both sides," she says.
"You know, the adversary is also human,” she says, "and they're stressed out as well. We're stressed out and so are they. They're just the other side of the wire."