Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/16/2019
10:00 AM
Craig Hinkley
Craig Hinkley
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Preventing PTSD and Burnout for Cybersecurity Professionals

The safety of our digital lives is at stake, and we need to all do our part in raising awareness of these issues.

June — Post-Traumatic Stress Disorder (PTSD) Awareness Month — has come and gone, but mental health is a topic that needs to be continuously talked about throughout the year. The condition is often associated by the public with veterans and first responders, but it can afflict someone from any walk of life.

PTSD can occur when someone experiences or witnesses a traumatic event, and its symptoms include acute anxiety, flashbacks, and intrusive thoughts. This condition isn't always understood properly by the medical community or general population, and it is important to raise awareness about the issues that individuals face when struggling with PTSD. Throughout the entire year, we need to help raise awareness about the many different forms of the disorder and help seek treatment options for those affected.

Cybersecurity PTSD and Burnout
While not as serious as PTSD for the likes of veterans recovering from war, cybersecurity professionals can face a different type of PTSD. Many are firsthand witnesses to cyberattacks that leave lasting damage to the organizations they help protect and can carry over into their work in the future as a reminder of the worst that can happen. Panic can set in when security pros see signs that remind them of past incidents. It's's best to deal with these issues and stress before they become lasting problems that keep them from doing their best work.

Cybersecurity burnout and job fatigue are both a reality, and they are a growing, troubling problem that our industry faces on a daily basis. When compounded with the current cybersecurity skills shortage and the constantly growing threat landscape, burnout is amplified.

As the CEO of a major cybersecurity organization myself, it's important for me to face these issues head-on by creating a culture of individual well-being and self-care. It's imperative to have a close relationship with my team members to help evaluate their state of mind and provide them with support. Support must come from many different areas, such as implementing counseling and stress-relief programs.

Organizational leadership starts with the CEO, and it is my goal to consistently show team members that we care about them and empathize with their daily struggles by constantly making an effort to invest in their well-being. This doesn't always need to come in the form of hands-on training and team building; it sometimes can mean simply listening to the team members to make sure they understand that their contribution is valued and that their work has a purpose.

Cybersecurity Mental Health
Possible issues like depression and anxiety aren't new in cybersecurity, and stress is often rampant. Infosec professionals work long hours and are under constant pressure to protect critical networks from the latest in digital threats.          

As the pace of cybercrime continues to grow, demand is outpacing the supply of security professionals who can help combat the ever-increasing threats. Cybersecurity Ventures estimates the total of unfilled security jobs will reach 3.5 million by 2021. With these global staffing shortages, some departments may only have 10 staffers when the number to adequately do their jobs should really be teams of 15 or 20, directly leading to increased stress levels.

The Effect on Us
The skill shortages represent a widespread threat to the security of all of us. Not having enough trained workers for the organizations that we trust to protect our data leaves us all vulnerable in one way or another. Furthermore, the organizations that are adequately equipped with enough cybersecurity professionals tend to still be overworked, highly stressed, and prone to burnout.

Anecdotal evidence also suggests a high prevalence of mental health concerns in the cybersecurity community, perhaps heightened by the hacker subculture attracting people from a variety of backgrounds, some of which may involve pre-existing mental health conditions.

This topic is extremely personal to me as well. As a teenager, my son suffered a horrific event that left him struggling with PTSD for two years. I saw the effects PTSD had not just on my son but his friends and family, including myself. PTSD is very real with the impacts reaching far and wide. With treatment there is hope, and with compassion and understanding we can help someone affected by PTSD get on a path to recovery.

What to Do Next
Burnout in cybersecurity will likely never completely go away, but it's currently causing our industry to lose out on too many hardworking professionals. Thankfully, by becoming more cognizant of the mental health struggles the industry faces, and with a little more attention to detail, we'll fight back against burnout. Please join me in talking to cybersecurity professionals, whether you are a CEO of a leading organization or simply a friend or family member of someone who works in the industry. The safety of our digital lives is at stake, and we all need to do our part in raising awareness of these issues.

If you or someone you know needs help, contact ADAA, a nonprofit national organization committed to the prevention, treatment, and cure of anxiety and mood disorders, including PTSD.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Escaping Email: Unlocking Message Security for SMS, WhatsApp."

Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company and has broadened WhiteHat's global brand and visibility ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WN2QU
50%
50%
WN2QU,
User Rank: Apprentice
10/16/2019 | 9:19:31 AM
Re: PTSD is not correct here
I agree %100 - the author here is akin to using PTSD to sensationalize his article. I have a background in education where I worked in some of the lowest income public schools, trauma & PTSD are much more severe, watching fights end in stabbings, parents OD'ing, not "EHMAGERD MA PUTER".
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/16/2019 | 2:40:16 PM
PTSD is not correct here
Trauma neither - this is standard stress within the computer industry and all careers can have it from a help desk (problem and ticket overload) to server admins (nothing like a failed data center on a Friday) to ransomware across the entire firm.  Stress is common enough in life as it is.  My own qualification for PTSD is that my data center crashed down 103 floors in the south tower on September 11 and I was only 2 floors down from 103 and made it down to the ground and live.  THAT is PTSD my friends.  Plus I saw 3 people fall from the north tower and die.  That is a room I do not go into very often.  I want remain sane.  Every September 11 it hits me hard from 8:46 a.m. to 10:29.  Severe PTSD attack so I have no sympathy for an over-stressed sys admin or security consultant being defined as a PTSD case.  Stress?  Mega-stress?  Fine, been there, done that.  But to use this argument for cyber sec is just wrong and does ill to those of us who have been through a living hell and survived. 

BTW - many of my response posts relate to disaster recovery and business continuity scenarios which do not exist whenever a ransomware attack happens.  I am strong on this subject precisely because of September 11.

Update - I realize that this note seems really mean and nasty to the article which does have good points all over - I am just strong on this subject for obvious reasons so take my commentary with a big grain of salt and a shot of Dewars.  Thanks
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...