Posted in:

Cyber stress: in the firing line

Executives with cyber security responsibility must tackle the escalation of occupational stress – before chronic mental strain results in IT security failure and job losses. James Hayes reports.

Surely one of the more disturbing revelations in Sungard AS’s recent The Resilience Imperative report is that, in taking greater responsibility for the cyber governance of the organisations they lead, some c-suite executives are now subjected to blame and abuse when cyber security incidents occur. It’s enough to set the stiffest of upper lips aquiver.

Some 45% of the report’s respondent sample said they’d experienced ‘abuse online, verbally, and in some cases physical threats’, while 20% said that such abuse even ‘extends to their family and friends’. Such personalised attacks are just one of range of stresses being heaped upon technical and non-technical chief officers in addition to the day-to-day duress of persistent and malicious cyber attacks.

The burnout these accumulated stressors bring can cause acute harm at both collective and individual levels. Although it’s often claimed that some people ‘thrive on stress’, for most of us stress is a performance inhibitor. This is all to the favour of cyber attackers, because stressed-out people do not perform well and/or do their jobs as effectively as possible – and become more liable to slip-up. A stressed work team is unable to watch-out for one of its number who may show signs of inattention. Oversight suffers, and mistakes are made in cyber defence administration.

In the wider context, workplace stress and mental health have a major impact on national productivity and economic growth. According to the UK Health and Safety Executive’s Health and Safety at Work summary, 595,000 workers suffered from work-related stress, depression or anxiety (new or long-standing) in 2017/2018, and 15.4m working days were lost due to ‘work-related stress, depression or anxiety’ over the same period. Both statistics are increases on the previous years.

Awareness of the problem in cyber security circles is being raised. The topics of stress and mental health issues caused by cyber security pressures are being openly discussed at conferences and other industry gatherings. Mental health in cyber security were headline topics at events in the US in the last 12 months, including the high-profile RSA Conference. At the 2019 event, Dr Ryan K. Louie, a psychiatrist for the Foundation Physicians Medical Group, delivered a keynote presentation entitled ‘Mental Health in Cybersecurity: Preventing Burnout, Building Resilience’.

Elsewhere, Dr Louie has explained that organisations should now recognise their frontline cyber security professionals are routinely exposed to unusually demanding workplace situations. “What is unique about cyber security is that there are always emerging threats… coming from left field – things that people don’t know about,” he said in a post-conference interview. “There is also an adversary [and] adversaries are intellectual, innovative, and creative, so there’s that constant need to always be prepared for something.”

GDPR impact: regulatory compliance pressures

A conference track at Black Hat and DEFCON 2019 also touched on the topic of ‘post-traumatic stress disorder’ as it can affect cyber security practitioners. The subject is less tenuous than might, at first sight, seem the case, given the number of former military people now employed in the IT security profession.

However, there are indications that employers are starting to recognise the attendant risks of frazzled cyber security officers, it will take time for remedial actions to become routine workplace practice. Additionally, it’s important to take account of the fact that executives with cyber security responsibility have more to worry about than the untender mercies of cyber criminals and nation-state sponsored attackers, not to mention insider threats (see Cyber Security Europe Autumn 2018 issue). The latest Security Pressures Report from Trustwave points out what a stressful time 2018 was for c-suite or governance boards that held responsibility for legislative compliances focused on secure management of data assets; 2018, of course, saw the actuation of the General Data Protection Regulation (GDPR), and kicked-started a stream of high-profile penalties from national data commissioners, such as the ICO in the UK and Data Protection Authority in Belgium (see Cyber Security Europe Summer 2019 issue).

‘Security compliance mandates have become more prescriptive and rigorous over time, even as they typically set forth only baseline protections,’ the Trustwave report authors point out. ‘As a result, they necessitate plentiful skills and resources, of which many organisations are in short supply of.’

This places additional pressures on the people tasked with cyber security operations and governance. Sources of stress for cyber security professionals stem from many factors that are inherently part of working in this field, Trustwave emphasises. For example, it can be difficult to ‘turn work off’ and leave for the day, the confidential nature of the job places constraints on personal connections and outlets, and the enduring talent shortage leaves understaffed teams with an ever-extending list of responsibilities.

“The results of The Resilience Imperative report are concerning, but   clear,” Sungard AS Senior VP Chris Huggett has commented. Cyber disruption has “considerable ramifications” for companies – both as corporate entities and as responsible employers. “In recent years organisations have increasingly focussed on the importance of [their employees’] mental wellbeing. [Our report] findings will cause further scrutiny of any organisation’s ability to be truly resilient,” Huggett adds.

A further area of concern to UK companies is the scale of the challenge business leaders face psychologically and emotionally during times of IT disruption. Around half – 54% – of c-level executives in the UK have suffered from stress related illnesses and/or damage to their mental well-being as the result of a technology crisis, The Resilience Imperative reports.

“Not only does this highlight how linked senior executives are to their company’s resilience, but also suggests the extent to which they feel personal responsibility as part of such fallouts,” Huggett believes. “Research has also revealed the negative personal impact technology crises can have on [an organisation’s] leadership abilities, with 30% of executives finding strategic decisions more difficult to make, and 24% finding it harder to provide clear direction for the business – putting the future of their jobs into question.”

Huggett’s point is augmented by two complementary reports from Nominet – Inside the Perimeter and Trouble at the Top: The Boardroom Battle for Cyber Supremacy (both 2019). These studies review on the impact of cyber stress on the c-suite roles across the table, as well as focusing on the impact on CISOs – who are likely most in the stress firing line in most organisations.

CISOs: Chief Information Stress Officers?

Inside the Perimeter found that a quarter of surveyed CISOs worldwide suffer from physical or mental health issues due to stress, with just under 20% turning to alcohol or medication to help cope, and more than 50% failing to ‘switch off’ from their work. The report found that every CISO it polled experiences stress in their role. More than 90% say that they suffer moderate or high stress, with 60% saying that they ‘rarely disconnect from their job’.

This is hardly surprising given their super-long working hours. Eighty-eight per cent of CISOs quizzed work more than 40 hours a week, while 22% say that they are on-call ‘available 24/7’. All of this is causing a markedly physical response to a very digital problem: 26.5% of respondents say stress impacts their mental or physical health, while 23% say the job is ‘eroding their personal relationships’. Most concerning is the 17% of stress-stricken CISOs who admit they turn to medication or alcohol to deal with job-related frets.

The daily round of cyber attacks agitates further anxieties related to professional competence and hierarchical status. Only 52% of CISOs polled by Nominet feel the executive teams value the security team from a revenue and brand protection standpoint. Couple this with the fact that 32% of those questioned believe that, in the event of a breach, they would either lose their job or receive an official warning that could have adverse effects on their reputation for professionalism, and it adds significant individual pressure.

It’s not clear why, but a greater percentage of European CISOs think they would receive a warning or be fired in the event of a breach, compared to the US. The second Nominet report, Trouble at the Top: The Boardroom Battle for Cyber Supremacy subsequently surveyed more than 400 c-suite executives from enterprises across the UK and US, rather than Europe. It contains some insightful conclusions for European senior executives, however.

It found that the feeling of not being valued is having a damaging effect on the CISO: 27% of those surveyed said the stress of their job is ‘impacting their physical or mental health’. Just as worryingly, 23% admitted that the job had also affected their personal relationships. As more of a professional concern, 28% of CISOs also admit that high stress levels are having an adverse effect on their ability to fulfil their job roles and responsibilities.

So, with the pressures mounting for both cyber security chiefs and their c-suite colleagues, the question of an effective response should be addressed. It must be noted that respondents to some surveys around the topic signal that a key contributory factor is lack of funds for cybersecurity operations. The expectations of cyber security effectiveness as equated to IT security expenditure should certainly be acknowledged by a remedial strategy.

“Cyber security involves the ‘human element.’ People have to feel good about themselves before they can perform at their best,” according to Dr Ryan Louie. “What makes the cyber security workforce different is that they must be in their best mental condition to be in the best position to protect [us]. We must understand the stressors that cyber security work has on people, and how to address it.”