Skip to Content

Cybersecurity’s insidious new threat: workforce stress

This week’s Black Hat event will highlight job-related stress and mental health issues in the cyber workforce.
August 7, 2018
Nico Ortega

The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new “community” track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught.

With titles like “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” and “Holding on for Tonight: Addiction in Infosec,” several of the sessions will address pressures on security teams and the negative impact these can have on workers’ wellbeing.

“A lot of people in this space feel strongly about wanting to protect their users,” says Jamie Tomasello of Duo Security, who is one of the speakers. “Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness.”

The impact on cyber defenders’ lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

High pressure, high stakes

This matters more than ever as the stakes have risen dramatically in the cybersecurity world. Hackers aren’t just swiping credit card details and digital health records; they’re attacking systems governing power grids, manufacturing facilities, and other sensitive infrastructure.

For sure, workplace stress isn’t unique to cybersecurity. There are plenty of other workers, including first responders, soldiers, and surgeons, who face intense pressure in their jobs. Other IT roles, such as ones involved with keeping key networks and databases up and running, can also be stressful.

But industry insiders say several factors have combined to create a particular problem in cybersecurity. One is the fact that IT systems of all kinds are now pretty much constantly under attack, which means there’s no obvious finish line to the work. “There’s never a downtime. It’s non-stop and every day is a battle,” says Andrea Little Limbago, an executive at cybersecurity firm Endgame who has written about the subject of stress in the cyber workplace.

The speed at which bad guys are innovating also creates unique pressures. “The challenges to keep up are insane,” says Jack Daniel, the co-founder of BSides, another security conference that has highlighted mental health issues.

Labor shortage

To make matters worse, the industry is facing a shortage of skilled workers. According to one estimate, some 300,000 cybersecurity positions in the US alone remain vacant. That means additional work—and pressure—for those covering unfilled roles.

A global survey of 343 cybersecurity executives published in November 2017 by the Enterprise Strategy Group and the Information Systems Security Association found that almost 40 percent of them said that the skills shortage was causing high rates of burnout and staff turnover. “There really is an urgent need for more serious research on this,” says Daniel.

Just getting a baseline from which to measure stress levels in the cyber workforce would be helpful. Two researchers at America’s National Security Agency, Celeste Lyn Paul and Josiah Dykstra, have conducted internal studies at the organization, whose staff often find themselves in stressful situations. They have developed a stress survey that can be used for a one-off study or as an ongoing benchmark. The researchers will be discussing this at Black Hat and say they plan to put it online on August 13 so anyone can access it.

AI to the rescue?

While more empirical evidence would be welcome, companies can already take steps to address stress-related issues by ensuring cyber defenders have regular time off, are encouraged to share any concerns they have over workplace pressure with managers, and are given access to sources of advice and counsel on mental health issues.

Technology could ultimately help improve matters, too. Hordes of cybersecurity software vendors are embracing machine-learning tools as a way to automate more and more tasks. That could eventually take some of the strain off overworked employees, but before that happens at scale many more humans are going to be needed on the cyber front lines.

Deep Dive


Inside the hunt for new physics at the world’s largest particle collider

The Large Hadron Collider hasn’t seen any new particles since the discovery of the Higgs boson in 2012. Here’s what researchers are trying to do about it.

How ASML took over the chipmaking chessboard

MIT Technology Review sat down with outgoing CTO Martin van den Brink to talk about the company’s rise to dominance and the life and death of Moore’s Law.


How Wi-Fi sensing became usable tech

After a decade of obscurity, the technology is being used to track people’s movements.

Algorithms are everywhere

Three new books warn against turning into the person the algorithm thinks you are.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.