19 hours ago
1
ARTICLE AD BOX
The immense pressure placed on frontline cybersecurity professionals inevitably has a toll on these individuals’ mental health – one that, until recently, has largely gone unacknowledged. (Image: Shutterstock)
The life of a cybersecurity first responder is defined by stress, both external and internal. Some of it is predictable: the long hours, for example, or fending off the panicked colleagues asking for updates on when this or that system will be put back online. In the short term, it can be thrilling, says ex-Mandiant incident responder Tyler Oliver. Over time, though, the sleep deprivation and the emotional labour one ends up providing for others take their toll.
“It was only after I stepped away did I realise how much of an impact those years had on me,” says Oliver, comparing his role as a cross between an emergency cybersecurity plumber and a corporate grief counsellor. “Imagine being early in your career, sitting across from the CEO of a company who’s having the worst day of their life, and you have to figure out what to say to them and how to fix things.”
Eventually, the stress of the job led Oliver to quit. He’s not alone. According to one recent poll, some 46% of cybersecurity leaders were considering leaving their roles for the same reason. That pressure on IT professionals is only likely to increase, with 612,000 businesses and 61,000 charities in the UK alone identifying a cyber breach or attack in the past year.
Oliver knew that his was a high-pressure vocation – that was inescapable. But he admits that, as far as he was concerned, he didn’t immediately clock that the stress he witnessed in the leaders and team members in breached businesses would eventually begin to erode his own mental health. Indeed, until very recently, few studies have been published on the deleterious impact the cybersecurity industry can have on its first responders. “I would have loved to take a university course on trauma awareness,” he says, adding that it would doubtless help others avoid the same troubles he got into.
Cybersecurity’s mental health crisis
Rob Anderson has similar stories to tell. An incident responder at WithSecure, Anderson is often the first person a CIO will meet with after their business has been breached. He recalls one such call with a firm whose servers had been encrypted and marketing materials erased.
“Having previously been in the police, one of the most unpleasant jobs is delivering an agony message saying someone has died,” says Anderson. “But as I sat on that call, and we realised the extent of the loss, it was a similar feeling. It was just awful.”
Some recognition of the immense pressures cybersecurity professionals are placed under is in evidence among leaders in the public and private sectors. In April this year, the UK government launched a new Code of Practice outlining strategies for UK businesses to improve their cyber resilience, including creating incident response plans and improving workforces’ cyber literacy.
Corporate initiatives, too, have increased in number, with many companies rolling out measures such as support groups, webinars and mental health days for workers. Anderson stresses the importance of these tools in bolstering teams’ mental health, with peer support perhaps the most crucial.
“In the police, we had trauma risk incident management,” Anderson says. “It’s essentially a post-incident debrief where people can get what happened off their chest, not in the sense of asking what they did wrong and how they could have done better, but how it affected them. It helps to alleviate some of these longer-term impacts.”
Similarly, WithSecure’s CISO Christine Bejerasco says that peer support can be its own form of therapy. “Even just sharing stories can make you feel okay because suddenly you know you’re not alone,” she says. “This camaraderie is important to build a community within a team but also with other companies.”
Projects to make more targeted therapies accessible to teams are also emerging. In May, trauma therapy charity PTSD Resolution partnered with the Chartered Institute of Information Security (CIISec) to provide therapy and trauma awareness training normally reserved for military veterans to its more than 10,000 members.
The new programme includes biannual trauma training, manager workshops to identify signs of distress and access to therapists experienced in treating military PTSD. Amanda Finch, CIISec’s CEO, told Tech Monitor the initiative comes amid widespread recognition within cybersecurity that the industry has become a “pressure cooker” environment.
“Large-scale attacks are often played out publicly, with a media circus and a worrying trend towards lawsuits targeting companies – and even cybersecurity professionals themselves in the US – in the wake of a breach,” she says. “But the impact of a cyberattack is often discussed in terms of the business: costs, operational disruption, declining share prices, and how it impacted customers. The psychological effect of a breach on cybersecurity professionals is swept under the rug.”
Yet those psychological effects can be as stark as those working in the medical or military front lines. PTSD symptoms such as reliving past traumas, a constant on-edge feeling and difficulty sleeping have, Finch said, become “endemic” in the profession.
“The main concern is burnout, which can manifest itself through emotional exhaustion, depression and a reduced sense of accomplishment,” she says. “Once cybersecurity professionals get to that point, it can be very difficult to return. It’s like putting toothpaste back into a tube and has long-term and debilitating impacts.”
Oliver similarly said the comparison to front-line workers, while one he’s uncomfortable with, has proven true in his experience. “The emotions involved in these situations can be incredibly raw. You’re often dealing with people whose entire livelihoods have just disappeared,” he says. “In those instances, it’s not that different from what first responders deal with. I don’t love the comparison – cybersecurity isn’t the same as being a paramedic – but in certain moments, it can get surprisingly close.”
Long hours and high pressure from clients and line management can induce a variety of mental health complications for IT professionals battling to contain breaches. (Image: Shutterstock)A structural change
While access to therapy is finally receiving a well-deserved spotlight, many contend that real benefits require deeper, company-wide changes. Indeed, more could be done structurally across companies to address the causes of cybersecurity-related cases of burnout, argues Bejerasco. Preventative, rather than retrospective, support systems are what’s ultimately needed.
“A lot of stressors are not actually inflicted by cybercriminals or external threats – they come from how a company internally proceeds with its operations without considering security,” she said. “I’ve often seen there’s no interest in cybersecurity until someone has already been compromised.”
To combat this, Bejerasco says educating management teams about the anxiety-inducing reality of managing a cyber incident is essential. Providing teams with playbooks on how to deal with issues as and when they occur, as well as access to specific incident response teams to help IT workers in moments of crisis, is also crucial.
“If we solely rely on retrospective measures, we’re wasting our cybersecurity talent because they’re just eventually going to crash and burn,” she says. “If we spend time and investments on proactive measures and educating the organisation on what they can do as well on the cybersecurity front, we could significantly reduce the stress even before an incident occurs.”
As the cyber threat landscape continues to evolve, particularly with the rise of AI and faster, more scalable attack tools, demands on security teams are unlikely to ease anytime soon. Yet, there is also cautious optimism: the same technologies fueling new threats are also equipping defenders with better tools, greater resilience, and faster recovery options.
“With the evolution of AI we’re certainly going to see more challenges,” Anderson says. “But on the flip side, we have a lot more opportunities to recover and be more resilient, because we have access to more data centres all over the world.”
Added to this is a cultural shift in attitudes toward the need for good mental health among cybersecurity professionals. It’s about time, says Oliver. Discussions with health professionals since leaving his job at Mandiant have led him to recognise how the persistent, low-level anxiety and sleep deprivation that bedevilled him in the role were a direct cause of ailments such as high blood pressure and, for a time, reduced productivity.
“Thankfully, the younger generation is a lot more in tune with their emotions, which is a powerful asset in high-pressure roles like this,” says Oliver. “Who knows—maybe that will change the stats one day.”
