Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Craig Hinkley
Craig Hinkley
Connect Directly
E-Mail vvv

Preventing PTSD and Burnout for Cybersecurity Professionals

The safety of our digital lives is at stake, and we need to all do our part in raising awareness of these issues.

June — Post-Traumatic Stress Disorder (PTSD) Awareness Month — has come and gone, but mental health is a topic that needs to be continuously talked about throughout the year. The condition is often associated by the public with veterans and first responders, but it can afflict someone from any walk of life.

PTSD can occur when someone experiences or witnesses a traumatic event, and its symptoms include acute anxiety, flashbacks, and intrusive thoughts. This condition isn't always understood properly by the medical community or general population, and it is important to raise awareness about the issues that individuals face when struggling with PTSD. Throughout the entire year, we need to help raise awareness about the many different forms of the disorder and help seek treatment options for those affected.

Cybersecurity PTSD and Burnout
While not as serious as PTSD for the likes of veterans recovering from war, cybersecurity professionals can face a different type of PTSD. Many are firsthand witnesses to cyberattacks that leave lasting damage to the organizations they help protect and can carry over into their work in the future as a reminder of the worst that can happen. Panic can set in when security pros see signs that remind them of past incidents. It's's best to deal with these issues and stress before they become lasting problems that keep them from doing their best work.

Cybersecurity burnout and job fatigue are both a reality, and they are a growing, troubling problem that our industry faces on a daily basis. When compounded with the current cybersecurity skills shortage and the constantly growing threat landscape, burnout is amplified.

As the CEO of a major cybersecurity organization myself, it's important for me to face these issues head-on by creating a culture of individual well-being and self-care. It's imperative to have a close relationship with my team members to help evaluate their state of mind and provide them with support. Support must come from many different areas, such as implementing counseling and stress-relief programs.

Organizational leadership starts with the CEO, and it is my goal to consistently show team members that we care about them and empathize with their daily struggles by constantly making an effort to invest in their well-being. This doesn't always need to come in the form of hands-on training and team building; it sometimes can mean simply listening to the team members to make sure they understand that their contribution is valued and that their work has a purpose.

Cybersecurity Mental Health
Possible issues like depression and anxiety aren't new in cybersecurity, and stress is often rampant. Infosec professionals work long hours and are under constant pressure to protect critical networks from the latest in digital threats.          

As the pace of cybercrime continues to grow, demand is outpacing the supply of security professionals who can help combat the ever-increasing threats. Cybersecurity Ventures estimates the total of unfilled security jobs will reach 3.5 million by 2021. With these global staffing shortages, some departments may only have 10 staffers when the number to adequately do their jobs should really be teams of 15 or 20, directly leading to increased stress levels.

The Effect on Us
The skill shortages represent a widespread threat to the security of all of us. Not having enough trained workers for the organizations that we trust to protect our data leaves us all vulnerable in one way or another. Furthermore, the organizations that are adequately equipped with enough cybersecurity professionals tend to still be overworked, highly stressed, and prone to burnout.

Anecdotal evidence also suggests a high prevalence of mental health concerns in the cybersecurity community, perhaps heightened by the hacker subculture attracting people from a variety of backgrounds, some of which may involve pre-existing mental health conditions.

This topic is extremely personal to me as well. As a teenager, my son suffered a horrific event that left him struggling with PTSD for two years. I saw the effects PTSD had not just on my son but his friends and family, including myself. PTSD is very real with the impacts reaching far and wide. With treatment there is hope, and with compassion and understanding we can help someone affected by PTSD get on a path to recovery.

What to Do Next
Burnout in cybersecurity will likely never completely go away, but it's currently causing our industry to lose out on too many hardworking professionals. Thankfully, by becoming more cognizant of the mental health struggles the industry faces, and with a little more attention to detail, we'll fight back against burnout. Please join me in talking to cybersecurity professionals, whether you are a CEO of a leading organization or simply a friend or family member of someone who works in the industry. The safety of our digital lives is at stake, and we all need to do our part in raising awareness of these issues.

If you or someone you know needs help, contact ADAA, a nonprofit national organization committed to the prevention, treatment, and cure of anxiety and mood disorders, including PTSD.

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Escaping Email: Unlocking Message Security for SMS, WhatsApp."

Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company and has broadened WhiteHat's global brand and visibility ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/16/2019 | 2:40:16 PM
PTSD is not correct here
Trauma neither - this is standard stress within the computer industry and all careers can have it from a help desk (problem and ticket overload) to server admins (nothing like a failed data center on a Friday) to ransomware across the entire firm.  Stress is common enough in life as it is.  My own qualification for PTSD is that my data center crashed down 103 floors in the south tower on September 11 and I was only 2 floors down from 103 and made it down to the ground and live.  THAT is PTSD my friends.  Plus I saw 3 people fall from the north tower and die.  That is a room I do not go into very often.  I want remain sane.  Every September 11 it hits me hard from 8:46 a.m. to 10:29.  Severe PTSD attack so I have no sympathy for an over-stressed sys admin or security consultant being defined as a PTSD case.  Stress?  Mega-stress?  Fine, been there, done that.  But to use this argument for cyber sec is just wrong and does ill to those of us who have been through a living hell and survived. 

BTW - many of my response posts relate to disaster recovery and business continuity scenarios which do not exist whenever a ransomware attack happens.  I am strong on this subject precisely because of September 11.

Update - I realize that this note seems really mean and nasty to the article which does have good points all over - I am just strong on this subject for obvious reasons so take my commentary with a big grain of salt and a shot of Dewars.  Thanks
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.