6 Drivers of Mental and Emotional Stress in Infosec
User Rank: Strategist
7/18/2018 | 12:19:56 AM
The Personal Cost of CyberWarfare

Thank you for headlining your daily digest with the oh-so-unsexy topic of the personal struggles InfoSec & IT Pros face.


In an age where we are constantly expected to do more with less [to nothing], and the Damocles' Sword of failing our customers and shareholders continuously looms overhead – should we ever fail to protect invaluable business data from determined criminals – it's refreshing to see community members start discussions about truly important matters, especially ones many people don't like talking [or hearing] about.

I believe it's imperative we drag these hard truths into the light of public discourse. I don't know how many customers and managers thoughtfully consider the impact undue stress creates in the lives of their IT/InfoSec professionals – although we certainly hear their dissatisfaction ad nauseam.

Corporate political pressures and budgetary constraints aside, we are fighting a seemingly endless and unwinnable war on two fronts, expending the best part of our lives protecting someone else's data – both from well-financed, hardened criminal enterprises and well-meaning-yet-gullible, careless, security-averse employees. Battles are often waged at considerable personal expense, with the fallout normally contaminating personal relationships – one thing that can truly help us endure our incessant skirmishes.


To some extent (though probably not enough), our soldiers and emergency service workers receive public recognition for their honourable sacrifice – made for the betterment of society and complete strangers. We write stories praising their heroic efforts and reward them with handsome salaries, paid by members of the communities they serve.

What we do is not that different, except we serve and protect cold, lifeless data – or at least that's what it seems.  Few people recognise the daily work [and cost] required to protect their exponentially-growing wealth of personal information.  There is no praise or glory in success – it's expected.  Only when the aforementioned parties (criminals and careless employees) succeed in damaging economy and society – using our data – are we noticed, and only then for 'our' failure.  (Incidentally, 'excuses' like precipitating budget cuts never seem to make public discussion.)

We are at war, fighting the same enemies with the same goals, fighting for the same causes, and often with the same costs (loss-of-life aside, excluding suicide).  It's time we start examining the outcomes – stress-induced mental health crises, rampant addiction to harmful substances and behaviours (many prescribed by our physicians), damaged and broken personal relationships, etc. – through the same lens as our fellow brothers-and-sisters-in-arms.  To some extent (though again, not nearly enough), Veterans and First-Responders have programs dedicated to helping them address, understand, and work through these life-altering issues.  For the most part, we have unsympathetic bosses telling us to 'leave our personal problems at home' – as if said problems weren't exacerbated by work-related stresses – and HR departments with pink slips. 


We're long overdue for a shift in mindset – it's time we carefully study and candidly discuss the personal impact fighting the Information & CyberSecurity War has on our lives – and look for ways to support and help each other survive with sanity and families intact.


Matthew Arnold   ::   linkedin/in/MatthewPaulArnold


P.S.  This is not intended to be a rant, nor am I trying to raise problems without solutions.  I do know that some companies work hard to create environments that enable their technology professionals to thrive, despite the pressure.  However, industry-wide, these are few and far between.  I have spent almost 20a working in IT-related positions, the last five at HR & Employment Services organisations, interacting with job seekers and hiring managers – many of my own experiences have been confirmed by others in similar situations.  There are disturbing trends occurring in industries determined to stockpile as much personal information as possible, while simultaneously using the smallest possible budget to secure it.  Long-term, there can be no winners in this environment.

User Rank: Ninja
7/9/2018 | 2:00:13 PM
Re: Psych Eval Addition to the Hiring Process Or...
Quick note about faith in humanity. That was poorly written - what really bugs one about this subject on the cyber sec side is just how plain DUMB people can be. Walking somebody out with many years of experience over just a stupid download of data is damning indeed. One has to really wonder if people are, AND THEY ARE, that freaking stupid. I don't care about home computers - whatever floats your boat. And I have seen a ton of it. But WORK?
User Rank: Ninja
7/9/2018 | 9:55:10 AM
Psych Eval Addition to the Hiring Process Or...
Here's the problem you're looking at, plain and simple. I mean this with the greatest respect for folks who are burning out, because I had my bout with it and ended up in the ER more than once for overwork stress. I've been using tech since I was a teen (born in the 70s) and you've either got the tech bug or you don't. No sleep, no food, no friends - often part of the gig. Too many friends, too much to drink, too much food - can also be part of the gig. It all depends on the job at hand and the goal. But the difference between the average InfoSec professional and the opposition is psychology. You will almost never, and I mean never, have the same way of thinking about your job that they do theirs; because to them it isn't a job, it's the air they breathe. Sorry, that's just how it is.

I've hammered on this in the past. You can't train someone to do InfoSec in a straight-laced Dockers environment who doesn't already have the same mental state as the adversary and expect them to do a stellar job. Or, maybe they do a great job for a while, but then begin to burn out because of what they see (REISEN1955 alludes to fallen faith in humanity when seeing co-workers' porn habits at work). You can't care about that and expect to do well in InfoSec. Honest opinion. In fact, the best InfoSec resource is going to understand the adversary, think like them to some extent, and be just fine with all the bad stuff they see. You can't be affected by it and expect to maintain your effectiveness as an InfoSec professional.

This goes further, of course. Pen-testing is a good example. It's one area I still see in InfoSec that can never, and I mean never, go fully automated. You need a bulldog, a killer, a sadistic and driven-by-the-domination kind of mind that will not stop until they find the last hole in your system. And this is not work that can be done in a 9-5x5 work week. No way. If you can't hack that, you really shouldn't be in the game. Er, industry.

So, yeah, tech can really come down hard on some people. It's a shame, for sure. But it's the gig. I didn't break all those keyboards doing week-long all-nighters by design. That's what you sign up for - you come in knowing what it takes and you do the work. And, honestly, it's kind of the point that human nature takes dark turns that you're in the InfoSec industry, so it should come as no surprise what your co-workers get up to. Maybe take it with a sense of humor, to lighten the load.

If you want solid InfoSec performers, you may want to add a psych-eval to your hiring process, to see where they come from and if they can take the load. Or you could hire some black hatters from the battlefields who are ready to turn. Most of them aren't going to be whining about the hours, about the sad state of humanity or complaining about their work environment. But I get it. It's like war - we don't want to believe we're animals on the battlefield and we want honor in the battle. But at some point you have to face the fact that to do your job well, to beat "them" at their own game, you have to put blood into the battle, and you have to want to be the one coming home, not them.

So the short of it is, this influx of stress-related topics may want to be looked at in more than one way. Who are the people getting stressed and are they right for the industry, and if they are, are their bosses right for the industry - who is defining their work strategy and load. And on the off-chance you have a real talent who is getting crushed, better look at the battle they're fighting because the adversary might be doing something new, something effective, that needs to be studied and white-papered.

But of the human factors noted in the topics being submitted for consideration, I have no tolerance for sexual harassment or gender inequality issues. If our community of digital revolutionaries can get anything right, it's got to be inclusion. We stood for the outsider back in the day, and we can't be seen as being "like the man" today. I'd staff my team with a dozen women and transgender hackers in a heartbeat, all colors, all anything, because playing the game has no restrictions.
User Rank: Ninja
7/9/2018 | 7:11:57 AM
Hard job indeed
Cybersecurity is not the easiest job in the world for many reasons.  Attacks on networks are constant and monitoring is a 24-5-365 to the second chore.  And when an attack breaches - ransomware - all tasks are dropped and put into restore mode and this is often NOT EASY because restoration plans do not exist.  With proper preparation, it is FAR easier but companies often do not have plans in place.  IT has to make it up on the spot.  Second, your faith in humanity takes a hit.  Working with staff on internet usage takes one to some pretty bad places and emotional wounding.  It is not fun to address porn issues with your colleagues who can be walked out the door.   And at the end of the day, the cyber sec professional is worried about WHAT will happen tomorrow!!
