Black Hat & DEFCON: Mental health in the cybersecurity industry
At the recent Black Hat conference in Las Vegas, there was one discussion that stood out from the rest. Amid technical talks, hackathons and demonstrations of potential voter fraud, the event also highlighted the mental health ramifications of life on the cybersecurity frontline.
There are a wealth of reasons why cybersecurity professionals may be struggling with their mental health. For many, the job involves long hours. It also almost inevitably involves stress, high stakes and pressure.
The conference track also discussed the topic of post-traumatic stress disorder, something that is particularly relevant given the number of ex-military workers in the industry. What’s clear is that working in cyber and information security brings with it a quite particular set of concerns for its workers.
This is bad not only for the workers involved but also the organisations they’re meant to be protecting. One session at the conference cited research by the National Security Agency, which investigated the connection between operator fatigue, frustration, and the performance of an operation.
A point of little contention is that cyber attacks are on the up, and come with increasingly severe consequences. Depending on which source you read, the global impact of cyber attacks on business is doubling or even tripling. Last year saw the ever-increasing rise of ransomware and attacks like WannaCry making headlines around the world.
With data breaches now creating seriously bad publicity for organisations, attacks putting national infrastructure at risk, and the emerging IoT ecosystem dramatically increasing the attack surface, cybersecurity workers carry the weight of pressure from the board down.
Cyber attacks have been climbing the list of business risks for the past few years, with some reports now listing information and cybersecurity issues as the number one risk to an organisation. That means internal and external pressure is mounting each day.
The effect of mental health on work
Workplace stress and mental health have a huge impact on productivity and the wider economy. According to the UK’s health and safety executive, 526,000 workers suffered from work-related stress, depression or anxiety (new or long-standing) in 2016/17, and 12.5 million working days were lost due to work-related stress, depression or anxiety in the same period.
This combination of a job that is often misunderstood due to the technical barriers to entry; that is integral to the running of the business; and that inherently involves pressure and long hours, means that the issue of mental health was always likely to come to the surface.
One person from the industry spoke to Redcat Digital about the issue and highlighted the fact that those on the frontline often get squeezed from all directions.
“Guys in the middle come under a lot of stress when there’s lack of buy in, business strategy or understanding from senior management,” he said.
“Especially in situations where they don’t feel listened to and they know what can happen and the risk element is being ignored.”
Another issue that undoubtedly will have came up time and again at Black Hat is the cybersecurity skills shortage. A recent study found a 25% gap between supply and demand in the UK, in terms of the necessary cybersecurity skills that businesses require.
That report attributed some of that skills gap down to Brexit. Others have made arguments for many years now about the lack of scientific and technical training in schools and colleges, while others still have spoken about a lack of diversity in the industry putting potential candidates off. Many would argue that a combination of those factors are responsible.
The skills gap and mental health
But what if there is another consideration: what if the job is simply too stressful? Perhaps people are starting to recognise the importance and weight of expectation of the job and are hesitant to apply. Perhaps they start working but find their mental health suffering and choose a different vocation.
If that is the case, the effect would be twofold. Not only would the skills gap increase, but the work would become harder and more stressful for those that remain due to increased workload. A Catch-22 situation develops, and the one thing we are left knowing for sure is that the industry should have paid much more attention to the mental health of the workers that keep us safe and secure.