Posted in:

When stress goes viral

The Coronavirus pandemic has added pressure to cyber security professionals’ stress loads. Executive colleagues should provide support. By James Hayes.

Even before the Coronavirus pandemic caused their anxiety levels to soar to hazardous new heights, Europe’s senior cyber security practitioners were known to be subject to disproportionately high levels of occupational stress – stress that puts their mental health at risk.

As reported in Cyber Security Europe Autumn 2019 edition, such burnout can cause acute harm at both organisational and individual levels. Directorate heads and chief officers, now closer than ever to cyber governance decision-making, should ensure that executive leaders are apprised of the situation.

Although it’s claimed that some ‘thrive on stress’, for most people chronic mental pressure is an acknowledged performance inhibitor. With respect to cyber security, this is all to the favour of threat actors, because stressed-out CISOs do not lead well and/or do their jobs as effectively as possible – they become more liable to operational slip-ups and defective leadership. Thirty-one percent of chief security officers polled by Nominet’s latest CISO Stress Report said that stress had ‘affected their ability to do their job’.

A stressed IT security work team is unable to watch-out for one of its number who may show signs of inattention. Oversight suffers, and mistakes are made in cyber defence administration that hackers could exploit. Daily concerns related directly or indirectly to Coronavirus compound an already barely tolerable situation.

Coronavirus has, of course, caused disruption across many occupations and disciplines, but has held acute resonances for the cyber security profession. The pandemic – and the concerns that it gives rise to – create perfect conditions for cyber criminals to step-up their activities.

Employees are likely more susceptible to phishing and malware attacks in a climate riddled by Coronavirus concern; and a requirement to work remotely might introduce a delay in human response to hack attacks and other intrusions into an organisation’s IT systems.

Then there is also an insider threat dimension to the situation. Employees who, for any reason, take exception to being furloughed might become more minded to misappropriate data assets.

On top of all this, the likelihood that team strength might be lessened by team members becoming unwell and unable to work, is bound to play on the minds of enterprise security leaders.

Furthermore, the recent increase in opportunistic Coronavirus-related attacks has not meant any lessening of ‘threats-as-usual’ offensive activity.

Indications are that cyber criminals have highly scalable resources when it comes to exploiting unprecedented situations like widespread pandemics and lockdowns. These accumulated pressures can only add to the chances that the mental health of cyber security professionals will suffer as the situations unfolds, particularly as subsequent ‘waves’ of contagion occur (as some health experts warned of) and prolong an already hyper-critical situation.

Scheduled work routine breaks that might help an individual find respite from the predicament –such as vacations or visits to cyber security industry exhibitions and conferences like it-sa – are curtailed until the emergency is deemed past.

AWARENESS OF MENTAL HEALTH ISSUES GROWS

“In a world of that is increasingly focussed on the scourge of mental illness, it seems appropriate to try to understand the exposure of security professionals to the work-related aspects of this condition,” says the Chartered Institute of Information Security (CIISec)’s The Security Profession in 2020 report, based on a survey of its members.

In reply to the question ‘Have you or someone you know left a job due to overwork/burn-out?’, 18% of respondents said that they had left a role’ due to the pressure or risk of burning out’. A further 25% of CIISec members have at least thought about it, the survey found. Only 21% of those polled by CIISec have had ‘no problems of this kind’, the report states.

For many respondents to Nominet’s CISO Stress Report, the effects of stress went beyond an adverse effect on their mental health: 31% also reported that their stress had impacted their physical health. The number of CISOs who have turned to medication or alcohol has increased by from 17% in 2019 to 23% in 2020.

Any assessment of the impact of stress on cyber security practitioners also should take account of the fact that they are essentially technologists – and typically, that’s not a role where they will customarily undergo training to enable them to deal with the pressures of the job in the same way that somebody working in emergency services would be, say.

Awareness of the problem in cyber security circles is being raised in industry fora. The topics of stress and mental health issues caused by cyber security pressures are increasingly being openly discussed at conferences and other industry gatherings. A conference track at Black Hat and DEFCON 2019 also touched on the topic of ‘posttraumatic stress disorder’ as it can affect cyber security practitioners.

‘Mental health in cyber security’ was a headline topic at events in the last 12 months, including the high-profile RSA Conference. At the 2019 event, Dr Ryan K. Louie, a psychiatrist for the Foundation Physicians Medical Group, delivered a keynote presentation entitled ‘Mental Health in Cybersecurity: Preventing Burnout, Building Resilience’. Elsewhere, Dr Louie has explained that organisations should now recognise their frontline cyber security professionals are routinely exposed to unusually-demanding workplace situations.

“What is unique about cyber security is that there are always emerging threats… coming from left field – things that people don’t know about,” he said in a post-conference interview. “There is also an adversary [and] adversaries are intellectual, innovative, and creative, so there’s that constant need to always be prepared for something.”

As this year’s pandemic has proved, cyber security professionals must now deal with the disruptive impacts of viruses of many kinds. The CIISec expects that the Coronavirus threat will eventually recede and become a part of modern history; however, the institute warns, whenever that eventuality does come to pass, cyber threats will still be out there, and they will pose ever-thornier challenges to Europe’s ever-pressured front-line IT security professionals.