“Sometimes I feel like I’m just yelling into the chasm.”
“I began to question everything that I believed to be true about myself.”
“They see stuff that makes them wish they had bleach for their brains.”
You can hear it gurgling through every conversation at a cybersecurity conference, from the expo floor to the press room to the neighborhood bar – that telltale combination of giddy fascination, wry gallows humor, and weary frustration. The field often attracts clever and creative individuals who want to help people. However, over time, curious minds crackling with ideas for how to fix the world’s cybercrime problems may fizzle out.
The industry is beginning now to talk openly about “burnout” – but beyond leaving infosec professionals feeling frustrated and tired, the job can leave some feeling isolated, unwell, and unsafe.
And that’s a problem not just for the professionals in the industry – it’s an issue that reverberates into their families, their world views, and the cybersecurity of the businesses and systems they aim to protect.
Cybersecurity professionals are trying to save everyone. Does someone need to save them?
The Impact: ‘The Only Ones to Feel Any Pain’
Over 400 CISOs and 400 C-suite executives revealed some sobering truths in a survey recently conducted by Vanson Bourne on behalf of Nominet. The “CISO Stress Report” found:
- 21% of CISOs said they have taken a leave of absence because of job-related stress. Some CISOs took this significant step even though many reported being afraid to take sick days (41%) and neglecting to take all of their allotted time off (35%).
- 48% of CISOs said their work stress has impacted their mental health, and 35% said it has impacted their physical health.
- 40% of CISOs said their work stress has impacted their relationships with their families or children, 32% said it has impacted their relationships with spouses or romantic partners, and 32% said it has impacted their relationships with friends.
- 23% said they are using medication or alcohol to manage stress.
- 94% of American CISOs and 95% of UK CISOs reported working more than their contracted hours – on average, 10 hours per week more. In addition, 83% of American C-suite execs and 73% of UK execs confirmed they do, indeed, expect security teams to work longer hours.
Curtis Simpson, now CISO of Armis, says he’s begun to find some balance and even pick up hobbies, but it took him a long time “in the salt mines” before he reached this point.
“I personally spent my daughter’s entire high school graduation ceremony having to quarterback the global response to an attack – an attack that would have been easily prevented if any of the specific guidance we had been sharing with the business was followed,” says Simpson. “None of the guidance was followed, but the security team was, as is common, the only ones to feel any pain.”
Simpson’s experience is not uncommon; 45% of respondents to the Nominet survey stated their work as a CISO had caused them to miss a family milestone or activity.
However, long hours are something that workers in many fields suffer. So what makes infosec people special?
‘Bleach for Their Brain’
Observing the habits of cybercriminals day in and day out can leave its mark – particularly on threat researchers and forensic investigators.
“You do see the darker side of humanity,” says Adam Kujawa, director of Malwarebytes Labs.
He speaks specifically about stalkerware and of ransomware that extorts victims by threatening to dox them with false evidence that they viewed child pornography.
“That kind of stuff just breaks my heart,” he says.
And as Marcus Carey (who has worn many security hats, from Navy cryptographer, to entrepreneur, to his current status as Reliaquest enterprise architect) points out, digital forensics specialists don’t just face the fraudulent threats of child pornography, but the reality of it. Because psychologists have already determined that researchers who investigate child sexual abuse material may have responses similar to post-traumatic stress disorder, and even one individual investigation may deal with terabytes of data, technologists are beginning to search for ways to better automate this process.
In reference to the digital forensic investigators who conduct these cases and many other kinds of cybercrimes, Carey says, “They see stuff that makes them want to bleach their brain.”
‘Always on a Swivel’
“I actually draw several parallels between [the cybersecurity profession] and the homeless population,” says Dr. Ryan Louie, MD, Ph.D. Louie, a San Francisco-based board-certified psychiatrist who has worked with the homeless population and specializes in the mental health impacts of entrepreneurship and technology, presented a session at the RSA Conference (RSAC) last month.
Louie explains that both infosec pros and homeless individuals are always looking to see who might hurt them. “[The homeless are] out in the open,” he says. “They don’t have the shelter at nighttime. They always have to look out if someone’s going to take their belongings, if anyone’s going to harm them, where are they going to get help.”
It’s a constant, 24/7 effort to address threats and an inability to “turn off,” he says, and he has seen it in both groups of people.
Carey says he’s rather amazed at the accuracy of this comparison. “Wow. You just blew my mind,” he says. “My head is always on a swivel. It drives my wife crazy.”
In a recent poll on Dark Reading’s The Edge, 83.1% of respondents indicated that working in infosec had made them a “less trusting person,” 59% said they were grateful for their increased caution, 4.9% said they wished they were more trusting, and 19.2% said that while they valued their caution, sometimes they wished they were more trusting.
When the need for safety or the fear of being harmed again becomes too great, it can become an illness, Louie says.
This matter of safety was also discussed by NSA senior researcher Dr. Celeste Paul in her recent RSAC keynote session about the “fundamental needs of security professionals.” She noted that a century ago, famed physician and educator Maria Montessori laid out the fundamental needs of humans, one of which was safety.
But cybersecurity professionals have a complicated relationship with safety.
The infosec job is largely to keep people (organizations, systems, individuals) safe. But because so many cyberattacks exploit the end user, infosec pros rarely try to make anyone feel safe – quite the contrary.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …