Mental health: Is it a big issue in cybersecurity?

This article is going to be a little different to my normal style. I really want to do my part in highlighting a problem in the security industry that we all need to consider and discuss openly so we can help each other in tough situations. Stick with me and let us advance this conversation in our circles, it will be a benefit to us all.

I am a security professional / would-be ethical hacker and I feel that the glorified image our society has of my profession is all wrong. Movies and TV shows have depicted us as nerdy types who have little to no social skills gamers (I am personally not much of a gamer) and general techies who wage battle with all sorts of foes to fight injustice in our world. One day we are taking down big evil conglomerates or some mythical bad people that save us all from the impending doom.

What about Abby from CSI who can bypass encryption on suspects systems and have all the answers they need to crack open a case in minutes (it is so not that easy, we wish it were). We then would have dramatic battles in cyberspace to win the fight (if many of you saw how it was really done you would lose interest quickly but Hollywood does this very well). Okay, I admit I am being a little dramatic here in trying to paint a picture of this mythical creature they call a cybersecurity professional (Going all Hollywood on you).

What we really do most of the time is dredge through millions of logs (if we are lucky we have a SIEM which makes that much easier), respond to the flood of alerts from port scans through to a stopped email attachments that may be malicious. Our job is mundane most of the time and really is not so Hollywood dramatic. We have a workload that never ends and in many organisations, it actually seems to be climbing constantly which makes you feel like you are fighting a losing battle. Yes on occasions, we get to do penetration test engagements or red team projects (where we get to pretend to be the bad people) and get to have a bit more fun.

On those rare occasions, being in a security professional or ethical hacker is awesome but most of the time we can be very isolated and have minimal interactions with the rest of the world. We can work 60+ hour weeks and just honestly are pretty stressed out with the avalanche we call our workload. These issues are exasperated by the skills shortage and the seemingly difficult to clear roadblock for people to join our ranks. I am not going to talk about that issue in this article as I have already covered that with my previous articles “you want a career in Cybersecurity, are you crazy?” or “What to look for when hiring Security Talent: Hidden talents”.

So what does that give us? I feel it gives us an industry full of individuals who have a high risk of mental health problems. High stress and minimal downtime certainly cannot be good for anyone even for a short time frame, so it should not surprise us to know that cybersecurity professionals would have a high burn out rate, should it? A CISO is said to only have a 2-year shelf life and would normally burn out after that time, this is a big problem and one that needs to be addressed.

How can we handle this problem? To be honest I do not know but I think we need to really try to help each other out more and help ourselves be a little less stressed. If we see someone that looks to be struggling, ask him or her if they are okay. Just talking to them may be enough to help someone through a tough time, it may not be security related but that does not matter.

I am not a mental health professional and I do not know how best to help someone in this type of situation but I can listen and suggest they should talk to someone who is a professional, it could save their life. Mental health is not something that we should be embarrassed by and push under the rug so to speak. Let’s bring it out in the open and work on this together.

I wanted to write this article to help bring this topic in front of as many people as I could and I was inspired by Simon Harvey who is a strong advocate in this particular space and fellow security professional. I have been lucky enough to see Simon speak on the issue on a few different occasions and even luckier still to have been at our Brisbane AISA branch meeting for his first presentation on the topic which seems like such a long time ago now. He openly talks about his own personal demons from his past and I feel that he should be given kudos for putting himself out there like that to try and help us all be there for each other. I hope you do not mind the mention Simon and keep up the good work.

We need to try to expand the intake of new security professionals and learn to take some downtime for our own sakes. Skills shortage or not there will not be any of us left to defend the networks if we do not do something. I am in a good spot mentally and have a good balance of both work/family life but not everyone does, so let us do our part to make life just that little bit better for us all.

If you need a hand or just want to talk, reach out to someone for help you may be surprised how much people are willing to help, we are not alone in this world so you do not need to feel like you are.

Till next time...