A combination of factors such as an expanding attack surface, increasing cybersecurity and data regulation, and an ongoing skills shortage is putting unsustainable pressure on the mental health of cyber leaders and professionals.
“The environment is particularly tough. I’m really worried about the leaders in this industry. They’re suffering a lot,” said Jane Frankland, author and founder of KnewStart and IN Security Movement, speaking to Information Security.
“Right now, we are in danger of losing leaders in this industry because of the environment and the quality of the jobs being created,” she added.
Many studies support this opinion. In 2022, a study by Vectra AI found that half of UK cybersecurity leaders are feeling burnout and considering resigning due to extreme pressure.
This scenario cannot be allowed to take hold, especially given the huge skills shortage in the industry.
Against this background, a paper titled Mental Health in Cybersecurity was published in May. Authored by three leading security experts, this document reviews the current state of research and industry practice in this area and presents various recommended actions.
Speaking to Information Security, Sarb Sembhi, CTO of Virtually Informed Limited, explained, “Basically, the paper is a discussion document and we would like further discussion.” He hopes that this will eventually lead to joint action among industry players to begin mitigating this emerging crisis in the cybersecurity industry.
The changes described in this document revolve around five stakeholders: research institutes, academia, governments, professional and certification bodies, businesses, and cybersecurity professionals.
Sembhi’s fellow authors include Peter Olivier, Head of Security Delivery at Admiral Group, and Paul Simms, Director of Cybersecurity and Compliance at Lumanity.
Promotion of thorough research
The paper cites a number of studies that highlight worrying issues regarding mental health in cybersecurity. This includes the Nominet report Living Within Boundaries – Understanding the Modern CISO. The survey found that 91% of CISOs have moderate or high levels of stress, and 17% use medication or alcohol to cope with work stress.
While such research is important, Sembhi and his co-authors recognized that this type of research has not received enough attention from industry groups and governments. “We found that many of these studies could be interpreted as anecdotal or not rigorous enough, as all of these studies are conducted by people who want to voice their opinions,” he pointed out.
The discussion paper therefore emphasized the urgent need to conduct independent research into mental health conditions and their impact in cybersecurity, along with practical recommendations for improvement.
Actions by Governments and Industry Groups
Sembhi believes insights like this will drive industry bodies to put more emphasis on mental health in cybersecurity and, in turn, government agencies like the UK’s National Cyber Security Centre (NCSC) to focus on the issue.
“The aim is to get industry bodies to work on this, because if they act collectively, governments are more likely to listen,” he outlined.
Sembhi pointed out that national cybersecurity strategies by governments in countries such as the UK and the US rely on the cyber resilience of companies, which in turn depends on the competence of cybersecurity teams and experts.
Encouragingly, Sembhi has already been working with industry bodies on the issue since the paper’s publication, and is using events such as Infosecurity Europe 2023 to further spotlight the topic.
It is hoped that this will lead to the development of best practice guidance for organizations and security leaders to manage the mental health of cyber professionals. This can range from the soft skills and support an organization needs, to how security teams and departments are staffed.
Professional bodies and certification bodies should incorporate this information into their knowledge areas, certifications, standards, frameworks and best practices.
Frankland, who peer-reviewed the paper, said she hoped the government’s awareness campaign would focus more generally on mental health because “many people are unaware of the signs of burnout.”
Cyber and business leadership
The report also highlighted the responsibility of organizational and cybersecurity leaders to manage the mental health of their teams.
For organizations and business leaders, mental health considerations should be incorporated into strategic plans with measurable outcomes set to define success, while the paper states that security leaders need to “speak up about stress, raise awareness and identify the signs and symptoms of stress in themselves and their colleagues, and explore ways to support the team in addressing the root cause.”
Frankland said the key was establishing a sustainable team and leadership culture in the security department, which she called a “high challenge and high support” environment, meaning “individuals provide equal amounts of challenge and support.” We call it the “accept” environment.
A lack of either or both of these elements can lead to burnout, says Frankland. Therefore, security leaders should regularly talk to their teams, understand them, and respond quickly to signs of burnout and stress. This also requires additional input from HR, as CISOs often lack the ability to manage such large teams.
Frankland also highlighted the unique mental health challenges faced by women working in the cybersecurity field, despite generally being better at coping with stress than men. However, she is often told by other women that they must try harder to prove their worth.
“All that happens is you reach unsustainable situations and get really cynical or depressed or sick and sick,” she noted.
To prevent this, it is important for women cyber professionals to be more self-motivated and confident to speak out against unsustainable labor practices, Frankland said. “We have to improve on this,” she commented.
Mental Health Charter in Cybersecurity
To kick off the long journey towards addressing mental health in cybersecurity, the paper also produced a five-point charter designed to be adopted by any organization to recognize the issue.
Sembhi explained: “We say to organizations, ‘This is an issue that needs to be looked at and we believe we need to provide support. It’s basically what’s written in this document.’ I am asking for an adjustment.”
Sembhi will discuss this topic further with a panel of cyber leaders during Infosecurity Europe 2023, which will take place at ExCeL in London from 20-22 June 2023. The session “Panel: Mental Health and Insider Risk as the Next Big Threat to Cybersecurity” will take place on Thursday, June 22 from 13:25 to 13:55 on the Keynote Stage.