"Sometimes I feel like I'm just yelling into the chasm."
"I began to question everything that I believed to be true about myself."
"They see stuff that makes them wish they had bleach for their brains."
You can hear it gurgling through every conversation at a cybersecurity conference, from the expo floor to the press room to the neighborhood bar – that telltale combination of giddy fascination, wry gallows humor, and weary frustration. The field often attracts clever and creative individuals who want to help people. However, over time, curious minds crackling with ideas for how to fix the world's cybercrime problems may fizzle out.
The industry is beginning now to talk openly about "burnout" – but beyond leaving infosec professionals feeling frustrated and tired, the job can leave some feeling isolated, unwell, and unsafe.
And that's a problem not just for the professionals in the industry – it's an issue that reverberates into their families, their world views, and the cybersecurity of the businesses and systems they aim to protect.
Cybersecurity professionals are trying to save everyone. Does someone need to save them?
The Impact: 'The Only Ones to Feel Any Pain'
Over 400 CISOs and 400 C-suite executives revealed some sobering truths in a survey recently conducted by Vanson Bourne on behalf of Nominet. The "CISO Stress Report" found:
Curtis Simpson, now CISO of Armis says he's begun to find some balance and even pick up hobbies, but it took him a long time "in the salt mines" before he reached this point.
"I personally spent my daughter's entire high school graduation ceremony having to quarterback the global response to an attack – an attack that would have been easily prevented if any of the specific guidance we had been sharing with the business was followed," says Simpson. "None of the guidance was followed, but the security team was, as is common, the only ones to feel any pain."
Simpson's experience is not uncommon; 45% of respondents to the Nominet survey stated their work as a CISO had caused them to miss a family milestone or activity.
However, long hours are something that workers in many fields suffer. So what makes infosec people special?
'Bleach for Their Brain'
Observing the habits of cybercriminals day in and day out can leave its mark – particularly on threat researchers and forensic investigators.
"You do see the darker side of humanity," says Adam Kujawa, director of Malwarebytes Labs.
He speaks specifically about stalkerware and of ransomware that extorts victims by threatening to dox them with false evidence that they viewed child pornography.
"That kind of stuff just breaks my heart," he says.
And as Marcus Carey (who has worn many security hats, from Navy cryptographer, to entrepreneur, to his current status as Reliaquest enterprise architect) points out, digital forensics specialists don’t just face the fraudulent threats of child pornography, but the reality of it. Because psychologists have already determined that researchers who investigate child sexual abuse material may have responses similar to post-traumatic stress disorder, and even one individual investigation may deal with terabytes of data, technologists are beginning to search for ways to better automate this process.
In reference to the digital forensic investigators who conduct these cases and many other kinds of cybercrimes, Carey says, "They see stuff that makes them want to bleach their brain."
'Always on a Swivel'
"I actually draw several parallels between [the cybersecurity profession] and the homeless population," says Dr. Ryan Louie, MD, Ph.D., a San Francisco-based board-certified psychiatrist who has worked with the homeless population and specializes in the mental health impacts of entrepreneurship and technology. He presented a session at the RSA Conference (RSAC) last month.
Louie explains that both infosec pros and homeless individuals are always looking to see who might hurt them. "[The homeless are] out in the open," he says. "They don't have the shelter at nighttime. They always have to look out if someone's going to take their belongings, if anyone's going to harm them, where are they going to get help."
It's a constant, 24/7 effort to address threats and an inability to "turn off," he says, and he has seen it in both groups of people.
Carey says he's rather amazed at the accuracy of this comparison. "Wow. You just blew my mind," he says. "My head is always on a swivel. It drives my wife crazy."
In a recent poll on Dark Reading's The Edge, 83.1% of respondents indicated that working in infosec had made them a "less trusting person," 59% said they were grateful for their increased caution, 4.9% said they wished they were more trusting, and 19.2% said that while they valued their caution, sometimes they wished they were more trusting.
When the need for safety or the fear of being harmed again becomes too great, it can become an illness, Louie says.
This matter of safety was also discussed by NSA senior researcher Dr. Celeste Paul in her recent RSAC keynote session about the "fundamental needs of security professionals." She noted that a century ago, famed physician and educator Maria Montessori laid out the fundamental needs of humans, one of which was safety.
But cybersecurity professionals have a complicated relationship with safety.
The infosec job is largely to keep people (organizations, systems, individuals) safe. But because so many cyberattacks exploit the end user, infosec pros rarely try to make anyone feel safe – quite the contrary.
'Yelling Into the Chasm'
When the worst happens – a breach or a DDoS – CISOs must be the superheroes (or, perhaps, the anti-heroes). Not only do they fix the problem, they also take care of everyone who's feeling the pain and quite possibly serve as the sacrificial lamb after all the hard work is done.
And yet many CISOs and security managers spend more time playing bogeyman than superman – or at least that's how their end users would see it, terrifying them with horror stories, warning them about the costs of violating privacy laws, and pleading with them to be wary of every email, every caller, every text, every website, every link. Testing them with phishing simulations. Even threatening them with loss of their jobs.
However, focusing on fear, uncertainty, and doubt in end-user security awareness messages can actually make those messages less effective, as Dr. Jessica Barker, co-CEO and co-founder of Cygenta, explained in a recent keynote session at RSAC.
"If you just go heavy on the threat, and you don't tell people what to do about it, or people don't feel confident in what they can do about it, they just engage with the emotion," Barker tells Dark Reading. "They engage with the fear, not the actual danger."
Compounding the problem is users will then worry that if they make a mistake – fall for a business email compromise, click on a phishing message – they'll face dire consequences. (Thirty-one percent of the C-suite executives who responded to Nominet's report stated that if a significant security breach occurred, the "accountable employee" would have their employment terminated.)
In these kinds of situations, end users "don't feel that kind of psychological safety to make a mistake," Barker says. "So I always find that kind of culture in an organization of course just drives incidents underground. It doesn't stop people clicking on links or whatever it might be. It just makes them less likely to report [attacks].
"The more you promote what someone can do about the scary thing, the more you empower them with that [information], the more you give them the tools to actually respond to [a threat], and of course the more likely they are to actually act on the message."
Barker gives the example of how providing users with easier identity management or a password management solution makes it easier for them to respond to your warnings about password misuse.
But, of course, security professionals don't always have the budget to implement the tools they know end users need. And security researchers can't force anyone to take their good advice.
Being ignored or unsupported may lead to feelings of frustration and even isolation, experts say.
"Sometimes I feel like I'm just yelling into the chasm," Malwarebytes Labs' Kujawa says. Regardless of what he and his fellow researchers are seeing threat actors do, many security habits and enterprise defenses don't necessarily change. The "hubris," he says, exhausts him the most.
This sort of frustration, Barker adds, "contributes to this narrative that we've seen of 'people are the weakest link,' which just creates more and more divides and makes it much harder, I think, for us to have positive conversations with our colleagues."
"Fear and uncertainty and doubt are known core tenets for anxiety, which is a source and type of stress," says the NSA's Paul, "and that fear can come from anything. It doesn't have to be a bad something on the other side of the wire; it can be a fear of failure.
"That fear of failure is certainly something that we [at the Agency] manage with, because we're in a high risk, high reward environment," she says. "Our operators are very aware of what the cost of failure is. And, you know, we always balance risk, but when you're so committed to the mission, sometimes you personally take on more than what you're actually asked, just because you want to see success and you don't want to fail no matter what."
Carey of Reliaquest says he is a low-stress guy. Coming from a military background, he understands that protecting data is less stressful than protecting lives – however, he says, for infosec professionals in healthcare or critical infrastructure, protecting IT systems and protecting lives may be one and the same.
'I Began to Question Everything That I Believed to Be True About Myself'
"A CISO's leader rarely has an understanding of the role of a CISO and the security program, let alone the value they bring to the organization or the support that they will need to bring this value effectively," says Simpson, CISO of Armis. "An interesting by-product of this, at least for me personally, is that I've been held to a higher standard than peers or the next level in the organization for most of my career. I've had to accomplish more, take on more, and achieve greater success at all turns with a higher level of professionalism than my peers and higher-ups in order to get the roles that I deserved.
"When no one really understands what you do, why you do it, etc., you need to be 'better.' I experienced so many situations of this nature that I began to question everything that I believed to be true about myself."
As Stuart Reed, VP of cybersecurity for Nominet, explains, while other executives might work late to meet a deadline and get a report out the door, a CISO's responsibilities are more dire than those of their C-suite counterparts.
"The chances are that actually they're putting the extra hours in because there's been a breach or there's been a vulnerability – something that's been exposed that they need to work hard to close down and mitigate," he says. "And you think about that level of stress – that understandably is going to be much broader and more different than simply meeting a report deadline."
CISOs told Nominet that being responsible for securing the business/network was the greatest source of stress – ahead of long hours and keeping up with unending threat intelligence reports.
Yet for many security professionals, being responsible does not mean all – or even most – of the decisions about security are left to them. The board room may have a large cyber-risk appetite, for example, or end users may flout policies.
"I suppose one of the reasons that CISOs particularly may be feeling under pressure is arguably because their role has quite blended," Reed says. "It's not just being the technical expert or the subject matter expert to make technology decisions within the organization. But there is also acting as that kind of conduit to the C-suite, advising them on best practices for risk mitigation. … So I think they're kind of being pulled in lots of different directions right now."
Exploiting the Exhaustion of the Security Pro: 'Psychiatric Engineering'
Kujawa of Malwarebytes Labs admits he does from time to time have the itch to throw in the towel and leave security.
Reliaquest's Carey says he considered leaving security to become a pastor – a different way to help people, he says.
NSA's Paul, with former NSA researcher Dr. Josiah Dykstra, studied the effects of fatigue, frustration, and cognitive stress on tactical cyber operations and developed the "Cybersecurity Operations Stress Survey," a quick way to address these factors in real-time tactical situations. In that work, Paul and Dykstra cited a number of related projects, including a 2014 study by Sawyer, Finomore, Funke, et al., which found that the vigilance required for cyber events was considerably high and consistent with results from air traffic control, industrial process control, and medical monitoring.
"In cybersecurity, stress has a lot of mental and physical effects. It can affect your emotional well-being. It can also affect your physical presence or even short-term cognitive abilities," Paul says. "And so managing it does have immediate and long-term effects."
"No doubt there are aspects to cybersecurity that we all find really fun, exciting, and interesting, like the excitement of an event happening and having those all-night hack sessions and camping out in the lab. It's when those things happen all the time and you don't get time to physically and mentally recover from them that it stops being fun and turns into a grind."
Psychiatrist Louie suggests the possibility that security professionals' own mental health (fatigue or burnout) could be exploited by cyberattackers in something he calls "psychiatric engineering."
"That attacker might utilize knowledge about mental health and vulnerabilities of that individual to worsen symptoms," Louie says, "maybe make that depression worse, make them more anxious, make the paranoia worse."
"That's happening now," says Carey, adding he has received harassment from a gray-hat hacker. And he has been told by white-hat colleagues that they've been taunted by black-hat hackers who threaten them and their families with doxing attacks. "That's real," he says.
They're 'Also Human'
Rest well, eat well, exercise, time with friends … sure.
"The general consensus is that everyone sort of knows what to do and everyone knows what the options are," Louie says. "But it is extremely hard to actually execute in reality, especially when there is a cyberattack that occurs."
Sleeping under desks and surviving solely on a diet of infrequent pizza deliveries is no way to ensure top performance in stressful situations, but it isn't uncommon during breach response.
So how to improve it?
The NSA's Paul recommends, among other things, mindfulness exercises. She spoke about sensory centering exercises during her RSAC keynote session, and the NSA even gave out "Hack Stress boxes" at its booth to help security pros try the exercise and to show them how to make their own. She says she likes this one in particular because it's an exercise that a security pro can walk through with a stressed-out teammate.
Paul also mentions that it's essential for people to feel they are contributing to a larger mission (and aren't so bogged down in meetings and expense reports that they don't have time to do so).
"Hope is a fuzzy idea for us," she says. "But you can think of [hope] as a formal psychological construct which an organization can help instill in its workforce through culture. And it helps people feel like they have control over their destiny because they're contributing to the mission of the organization."
Louie says organizations might want to add a "mental health aspect" to their cyber incident response plan and tabletop exercises. "Include emotional outbursts from users as part of the drills and incident response exercises so that if something happens, it's not the first time they've seen it," he says.
This is already a common practice in the medical field, he notes, where "patient actors" help train physicians on giving diagnoses and improving their bedside manner.
"Specifically for CISOs, I think it's breaking down the barriers still of the notion that security is one person or one function's responsibility," says Stuart from Nominet, "because the concepts of good cyber hygiene should be that there is this kind of a collective or a culture of a shared responsibility for good cybersecurity. Anyone that's dealing with data, anyone that's dealing with customer information, anyone who's processing data, anyone who's dealing with it, they will have responsibility for it."
Simpson says he had to fight through a lot of stress and self-loathing over the years, but he is much better. (So is his relationship with his daughter.)
"Fighting for every win along the way, having to be the most professional and effective person in the room for much of my career, and achieving the wins that I did in spite of everything working against me along the way has taught me that I can accomplish anything," he says. "This level of confidence is gold and now ripples significantly into my personal life, allowing me to find greater enjoyment in life overall."
And for CISOs who may often lament being outgunned and outnumbered by attackers who are presumably better-staffed and better-funded, Paul offers an idea that might soothe the worried mind: "I think we at the agency have a unique perspective just because we play both sides, and so we can appreciate both sides," she says.
"You know, the adversary is also human," she says, "and they're stressed out as well. We're stressed out and so are they. They're just the other side of the wire."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...