Nico Ortega

Computing / Cybersecurity

Cybersecurity’s insidious new threat: workforce stress

This week’s Black Hat event will highlight job-related stress and mental health issues in the cyber workforce.

Aug 7, 2018

The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new “community” track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught.

With titles like “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” and “Holding on for Tonight: Addiction in Infosec,” several of the sessions will address pressures on security teams and the negative impact these can have on workers’ wellbeing.

“A lot of people in this space feel strongly about wanting to protect their users,” says Jamie Tomasello of Duo Security, who is one of the speakers. “Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness.”

The impact on cyber defenders’ lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

High pressure, high stakes

This matters more than ever as the stakes have risen dramatically in the cybersecurity world. Hackers aren’t just swiping credit card details and digital health records; they’re attacking systems governing power grids, manufacturing facilities, and other sensitive infrastructure.

For sure, workplace stress isn’t unique to cybersecurity. There are plenty of other workers, including first responders, soldiers, and surgeons, who face intense pressure in their jobs. Other IT roles, such as ones involved with keeping key networks and databases up and running, can also be stressful.

But industry insiders say several factors have combined to create a particular problem in cybersecurity. One is the fact that IT systems of all kinds are now pretty much constantly under attack, which means there’s no obvious finish line to the work. “There’s never a downtime. It’s non-stop and every day is a battle,” says Andrea Little Limbago, an executive at cybersecurity firm Endgame who has written about the subject of stress in the cyber workplace.

The speed at which bad guys are innovating also creates unique pressures. “The challenges to keep up are insane,” says Jack Daniel, the co-founder of BSides, another security conference that has highlighted mental health issues.

Labor shortage

To make matters worse, the industry is facing a shortage of skilled workers. According to one estimate, some 300,000 cybersecurity positions in the US alone remain vacant. That means additional work—and pressure—for those covering unfilled roles.

A global survey of 343 cybersecurity executives published in November 2017 by the Enterprise Strategy Group and the Information Systems Security Association found that almost 40 percent of them said that the skills shortage was causing high rates of burnout and staff turnover. “There really is an urgent need for more serious research on this,” says Daniel.

Just getting a baseline from which to measure stress levels in the cyber workforce would be helpful. Two researchers at America’s National Security Agency, Celeste Lyn Paul and Josiah Dykstra, have conducted internal studies at the organization, whose staff often find themselves in stressful situations. They have developed a stress survey that can be used for a one-off study or as an ongoing benchmark. The researchers will be discussing this at Black Hat and say they plan to put it online on August 13 so anyone can access it.

AI to the rescue?

While more empirical evidence would be welcome, companies can already take steps to address stress-related issues by ensuring cyber defenders have regular time off, are encouraged to share any concerns they have over workplace pressure with managers, and are given access to sources of advice and counsel on mental health issues.

Technology could ultimately help improve matters, too. Hordes of cybersecurity software vendors are embracing machine-learning tools as a way to automate more and more tasks. That could eventually take some of the strain off overworked employees, but before that happens at scale many more humans are going to be needed on the cyber front lines.