Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

01:00 PM
Sara Peters
Sara Peters
Edge Features
Connect Directly

Beyond Burnout: What Is Cybersecurity Doing to Us?

Infosec professionals may feel not only fatigued, but isolated, unwell, and unsafe. And the problem may hurt both them and the businesses they aim to protect.

(page 3 of 4)

'I Began to Question Everything That I Believed to Be True About Myself'
"A CISO's leader rarely has an understanding of the role of a CISO and the security program, let alone the value they bring to the organization or the support that they will need to bring this value effectively," says Simpson, CISO of Armis. "An interesting by-product of this, at least for me personally, is that I've been held to a higher standard than peers or the next level in the organization for most of my career. I've had to accomplish more, take on more, and achieve greater success at all turns with a higher level of professionalism than my peers and higher-ups in order to get the roles that I deserved.

"When no one really understands what you do, why you do it, etc., you need to be 'better.' I experienced so many situations of this nature that I began to question everything that I believed to be true about myself.” 

As Stuart Reed, VP of cybersecurity for Nominet, explains, while other executives might work late to meet a deadline and get a report out the door, a CISO's responsibilities are more dire than their C-suite counterparts.

"The chances are that actually they're putting the extra hours in because there's been a breach or there's been a vulnerability – something that's been exposed that they need to work hard to close down and mitigate," he says. "And you think about that level of stress – that understandably is going to be much broader and more different than simply meeting a report deadline."

CISOs told Nominet that being responsible for securing the business/network was the greatest source of stress – ahead of long hours and keeping up with unending threat intelligence reports.

Yet for many security professionals, being responsible does not mean all – or even most – of the decisions about security are left to them. The board room may have a large cyber-risk appetite, for example, or end users may flout policies.

"I suppose one of the reasons that CISOs particularly may be feeling under pressure is arguably because their role has quite blended," Reed says. "It's not just being the technical expert or the subject matter expert to make technology decisions within the organization. But there is also acting as that kind of conduit to the C-suite, advising them on best practices for risk mitigation. … So I think they're kind of being pulled in lots of different directions right now."

Exploiting the Exhaustion of the Security Pro: 'Psychiatric Engineering'
Kujawa of Malwarebytes Labs admits he does from time to time have the itch to throw in the towel and leave security.

Reliaquest's Carey says he considered leaving security to become a pastor – a different way to help people, he says.

NSA's Paul, with former NSA researcher Dr. Josiah Dykstra, studied the effects of fatigue, frustration, and cognitive stress on tactical cyber operations and developed the "Cybersecurity Operations Stress Survey," a quick way to address these factors in real-time tactical situations. In that work, Paul and Dykstra cited a number of related projects, including a 2014 study by Sawyer, Finomore, Funke, et.al., that found the required vigilance for cyber events was considerably high and consistent with results from air traffic control, industrial process control, and medical monitoring.   

"In cybersecurity, stress has a lot of mental and physical effects. It can affect your emotional well-being. It can also affect your physical presence or even short-term cognitive abilities," Paul says. "And so managing it does have immediate and long-term effects."

"No doubt there are aspects to cybersecurity that we all find really fun, exciting, and interesting, like the excitement of an event happening and having those all-night hack sessions and camping out in the lab. It's when those things happen all the time and you don't get time to physically and mentally recover from them that it stops being fun and turns into a grind."

Psychiatrist Louie suggests the possibility that security professionals' own mental health (fatigue or burnout) could be exploited by cyberattackers in something he calls "psychiatric engineering."

"That attacker might utilize knowledge about mental health and vulnerabilities of that individual to worsen symptoms," Louie says, "maybe make that depression worse, make them more anxious, make the paranoia worse."

"That’s happening now,” says Carey, adding he has received harassment from a gray-hat hacker. And he has been told by white-hat colleagues that they've been taunted by black-hat hackers who threaten them and their families with doxing attacks. "That's real," he says.

(Continued on next page: What to Do?)


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

3 of 4

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
All Links Are Safe ... Right?

Source: Mimecast

What security-related videos have made you laugh? Let us know! Add them to the Comments section or email us at [email protected].

Name That Toon: Sign of the Tides
Flash Poll