Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/16/2019
10:00 AM
Craig Hinkley
Craig Hinkley
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Preventing PTSD and Burnout for Cybersecurity Professionals

The safety of our digital lives is at stake, and we need to all do our part in raising awareness of these issues.

June — Post-Traumatic Stress Disorder (PTSD) Awareness Month — has come and gone, but mental health is a topic that needs to be continuously talked about throughout the year. The condition is often associated by the public with veterans and first responders, but it can afflict someone from any walk of life.

PTSD can occur when someone experiences or witnesses a traumatic event, and its symptoms include acute anxiety, flashbacks, and intrusive thoughts. This condition isn't always understood properly by the medical community or general population, and it is important to raise awareness about the issues that individuals face when struggling with PTSD. Throughout the entire year, we need to help raise awareness about the many different forms of the disorder and help seek treatment options for those affected.

Cybersecurity PTSD and Burnout
While not as serious as PTSD for the likes of veterans recovering from war, cybersecurity professionals can face a different type of PTSD. Many are firsthand witnesses to cyberattacks that leave lasting damage to the organizations they help protect and can carry over into their work in the future as a reminder of the worst that can happen. Panic can set in when security pros see signs that remind them of past incidents. It's's best to deal with these issues and stress before they become lasting problems that keep them from doing their best work.

Cybersecurity burnout and job fatigue are both a reality, and they are a growing, troubling problem that our industry faces on a daily basis. When compounded with the current cybersecurity skills shortage and the constantly growing threat landscape, burnout is amplified.

As the CEO of a major cybersecurity organization myself, it's important for me to face these issues head-on by creating a culture of individual well-being and self-care. It's imperative to have a close relationship with my team members to help evaluate their state of mind and provide them with support. Support must come from many different areas, such as implementing counseling and stress-relief programs.

Organizational leadership starts with the CEO, and it is my goal to consistently show team members that we care about them and empathize with their daily struggles by constantly making an effort to invest in their well-being. This doesn't always need to come in the form of hands-on training and team building; it sometimes can mean simply listening to the team members to make sure they understand that their contribution is valued and that their work has a purpose.

Cybersecurity Mental Health
Possible issues like depression and anxiety aren't new in cybersecurity, and stress is often rampant. Infosec professionals work long hours and are under constant pressure to protect critical networks from the latest in digital threats.          

As the pace of cybercrime continues to grow, demand is outpacing the supply of security professionals who can help combat the ever-increasing threats. Cybersecurity Ventures estimates the total of unfilled security jobs will reach 3.5 million by 2021. With these global staffing shortages, some departments may only have 10 staffers when the number to adequately do their jobs should really be teams of 15 or 20, directly leading to increased stress levels.

The Effect on Us
The skill shortages represent a widespread threat to the security of all of us. Not having enough trained workers for the organizations that we trust to protect our data leaves us all vulnerable in one way or another. Furthermore, the organizations that are adequately equipped with enough cybersecurity professionals tend to still be overworked, highly stressed, and prone to burnout.

Anecdotal evidence also suggests a high prevalence of mental health concerns in the cybersecurity community, perhaps heightened by the hacker subculture attracting people from a variety of backgrounds, some of which may involve pre-existing mental health conditions.

This topic is extremely personal to me as well. As a teenager, my son suffered a horrific event that left him struggling with PTSD for two years. I saw the effects PTSD had not just on my son but his friends and family, including myself. PTSD is very real with the impacts reaching far and wide. With treatment there is hope, and with compassion and understanding we can help someone affected by PTSD get on a path to recovery.

What to Do Next
Burnout in cybersecurity will likely never completely go away, but it's currently causing our industry to lose out on too many hardworking professionals. Thankfully, by becoming more cognizant of the mental health struggles the industry faces, and with a little more attention to detail, we'll fight back against burnout. Please join me in talking to cybersecurity professionals, whether you are a CEO of a leading organization or simply a friend or family member of someone who works in the industry. The safety of our digital lives is at stake, and we all need to do our part in raising awareness of these issues.

If you or someone you know needs help, contact ADAA, a nonprofit national organization committed to the prevention, treatment, and cure of anxiety and mood disorders, including PTSD.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Escaping Email: Unlocking Message Security for SMS, WhatsApp."

Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company and has broadened WhiteHat's global brand and visibility ... View Full Bio
Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Comments
Newest First  |  Oldest First  |  Threaded View
WN2QU
0%
100%
WN2QU,
User Rank: Guru
10/16/2019 | 9:19:31 AM
Re: PTSD is not correct here
I agree %100 - the author here is akin to using PTSD to sensationalize his article. I have a background in education where I worked in some of the lowest income public schools, trauma & PTSD are much more severe, watching fights end in stabbings, parents OD'ing, not "EHMAGERD MA PUTER".
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/16/2019 | 2:40:16 PM
PTSD is not correct here
Trauma neither - this is standard stress within the computer industry and all careers can have it from a help desk (problem and ticket overload) to server admins (nothing like a failed data center on a Friday) to ransomware across the entire firm.  Stress is common enough in life as it is.  My own qualification for PTSD is that my data center crashed down 103 floors in the south tower on September 11 and I was only 2 floors down from 103 and made it down to the ground and live.  THAT is PTSD my friends.  Plus I saw 3 people fall from the north tower and die.  That is a room I do not go into very often.  I want remain sane.  Every September 11 it hits me hard from 8:46 a.m. to 10:29.  Severe PTSD attack so I have no sympathy for an over-stressed sys admin or security consultant being defined as a PTSD case.  Stress?  Mega-stress?  Fine, been there, done that.  But to use this argument for cyber sec is just wrong and does ill to those of us who have been through a living hell and survived. 

BTW - many of my response posts relate to disaster recovery and business continuity scenarios which do not exist whenever a ransomware attack happens.  I am strong on this subject precisely because of September 11.

Update - I realize that this note seems really mean and nasty to the article which does have good points all over - I am just strong on this subject for obvious reasons so take my commentary with a big grain of salt and a shot of Dewars.  Thanks
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.