Skip to Content
Computing

Cybersecurity’s insidious new threat: workforce stress

This week’s Black Hat event will highlight job-related stress and mental health issues in the cyber workforce.
August 7, 2018
Nico Ortega

The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new “community” track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught.

With titles like “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” and “Holding on for Tonight: Addiction in Infosec,” several of the sessions will address pressures on security teams and the negative impact these can have on workers’ wellbeing.

“A lot of people in this space feel strongly about wanting to protect their users,” says Jamie Tomasello of Duo Security, who is one of the speakers. “Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness.”

The impact on cyber defenders’ lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

High pressure, high stakes

This matters more than ever as the stakes have risen dramatically in the cybersecurity world. Hackers aren’t just swiping credit card details and digital health records; they’re attacking systems governing power grids, manufacturing facilities, and other sensitive infrastructure.

For sure, workplace stress isn’t unique to cybersecurity. There are plenty of other workers, including first responders, soldiers, and surgeons, who face intense pressure in their jobs. Other IT roles, such as ones involved with keeping key networks and databases up and running, can also be stressful.

But industry insiders say several factors have combined to create a particular problem in cybersecurity. One is the fact that IT systems of all kinds are now pretty much constantly under attack, which means there’s no obvious finish line to the work. “There’s never a downtime. It’s non-stop and every day is a battle,” says Andrea Little Limbago, an executive at cybersecurity firm Endgame who has written about the subject of stress in the cyber workplace.

The speed at which bad guys are innovating also creates unique pressures. “The challenges to keep up are insane,” says Jack Daniel, the co-founder of BSides, another security conference that has highlighted mental health issues.

Labor shortage

To make matters worse, the industry is facing a shortage of skilled workers. According to one estimate, some 300,000 cybersecurity positions in the US alone remain vacant. That means additional work—and pressure—for those covering unfilled roles.

A global survey of 343 cybersecurity executives published in November 2017 by the Enterprise Strategy Group and the Information Systems Security Association found that almost 40 percent of them said that the skills shortage was causing high rates of burnout and staff turnover. “There really is an urgent need for more serious research on this,” says Daniel.

Just getting a baseline from which to measure stress levels in the cyber workforce would be helpful. Two researchers at America’s National Security Agency, Celeste Lyn Paul and Josiah Dykstra, have conducted internal studies at the organization, whose staff often find themselves in stressful situations. They have developed a stress survey that can be used for a one-off study or as an ongoing benchmark. The researchers will be discussing this at Black Hat and say they plan to put it online on August 13 so anyone can access it.

AI to the rescue?

While more empirical evidence would be welcome, companies can already take steps to address stress-related issues by ensuring cyber defenders have regular time off, are encouraged to share any concerns they have over workplace pressure with managers, and are given access to sources of advice and counsel on mental health issues.

Technology could ultimately help improve matters, too. Hordes of cybersecurity software vendors are embracing machine-learning tools as a way to automate more and more tasks. That could eventually take some of the strain off overworked employees, but before that happens at scale many more humans are going to be needed on the cyber front lines.

Deep Dive

Computing

ALEXANDER LUKASHENKO and hacktivists concept illo
ALEXANDER LUKASHENKO and hacktivists concept illo

Hackers are trying to topple Belarus’s dictator, with help from the inside

Opposition from inside the regime of Alexander Lukashenko is helping hackers run what may be the most comprehensive cyberattack on a nation ever.

0day exploit attacks computer
0day exploit attacks computer

2021 has broken the record for zero-day hacking attacks

But the reasons why are complicated—and not all bad news.

Department of Justice building
Department of Justice building

This US company sold iPhone hacking tools to UAE spies

An American cybersecurity company was behind a 2016 iPhone hack sold to a group of mercenaries and used by the United Arab Emirates.

collage of gears
collage of gears

Reimagining our pandemic problems with the mindset of an engineer

Grappling with all the uncertainty, the epidemiologist’s role during the pandemic proved confusingly complex. A more pragmatic, problem-solving mindset might help in making good decisions.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.