• Garrett O’Hara

    Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


In our last episode for Season 7, we speak with Peter Coroneos, Founder of Cybermindz. In this conversation we cover Peter’s incredible bio, including his standing as a globally recognised authority on cyber, and look at how he has informed policy that affects how we use the internet even today. We also discuss a variety of topics, with a focus on Peter’s very important work in supporting the humans that support cyber.


The Get Cyber Resilient Show Episode #111 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara. Today, we are speaking with Peter Coroneos, the founder of Cybermindz. Peter has an incredible bio, which he covers in the opening of our conversation. As a globally recognized authority on cyber, he has informed policy that affects how we use the internet even today. We get to cover a variety of topics as we talk, focused on Peter's very important work on supporting the humans that support cyber.

We go through the problem of stress and burnout and depression in the cyber industry and why our people are particularly impacted, how our industry and broader society are opening up on how frequently people suffer the effects of stress and burnout, the importance of mental health for personal wellbeing and how that rolls up into organizational performance.

And most importantly, Peter talks us through the success of Cybermindz in helping people over the conversation. Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara. Today, I'm joined by Peter Coroneos, who is the founder of Cybermindz. Welcome to the podcast, Peter.

Peter Coroneos: Hi Garrett. Good to be here.

Garrett O'Hara: Absolutely fantastic to have you along. This is one I've been looking forward to. We were saying off mic I've, I've been kind of stalking you on LinkedIn and wa-, and watching the commentary and the, and the work that you're doing. And this is certainly something that is close to my heart and I think to, to many people's heart. So very much appreciate you taking the time out today to, to talk to us.

Peter, the, the first question we generally ask is, how did you kind of get to where you are today? Obviously you're doing what I would consider some very important work with Cybermindz, but just for the audience so they know like, how did you, how did you arrive to this work and, and what was your journey to get there?

Peter Coroneos: It is a little bit of a long journey, but-

Garrett O'Hara: [laughs]

Peter Coroneos: ... I started when I was 10 years old, my uncle, my mother's brother, who was then, and is still actually a practicing neuroscientist, invited me into his laboratory in Perth, where he was doing re- research into well, a pathology of, of pa- patients that had died with neuro-related disorders.

And I remember he was slicing sections of the human brain into these very tiny slivers called, using a microtome, which is sort of a, a scientific version of a, a ham slicer that you might see at the local-

Garrett O'Hara: [laughs]

Peter Coroneos: ... [inaudible 00:02:27]. And so for anyone that's done biology they'll know this technique, is you make very fine slices. Remember this is before the days of MRI where you could do it digitally. Then he would stain them. He would stain the sections and, and then he would, um, and it would, depending on the stain, it would highlight certain cell structures and you could go in and, you know, make assessments of the pathology.

And I, I, I mean, I found that was quite fascinating, but while he wasn't looking, I remember wandering around his laboratory, looking at all these human brains in buckets, and they're all preserved in formaldehyde. And I remember poking them with my finger when he wasn't looking and just remarking to myself how it was that this ugly sort of 1.3, 1.5 kilogram structure could be the repository and the, the, the source as it were, or the interface, at least between our sense of self and, and our entire world.

And so this fascination, you know, really with the neurology, and the brain became, or wa- was it a be- began at quite an early age, but I then went on to study science at uni and, and actually studied some neuroscience, neuroanatomy and went on to teach a little bit.

So I've always had this abiding interest in the brain. I just think it's, well they say it's the most complex structure in the known universe and, and the, and I think really this... Well, last century was sort of dubbed the century of information, technology. The 21st century is really the century of biology where we certainly were using IT in, in that exploration of course. But the fast, the, th-...

Brain research is one of the fastest growing areas of scientific inquiry in the world and for good reason, because, or for the reasons that we've mentioned. I mean, the whole human experience is accessed through the, the organs of the brain and, and the sensory systems that connect to that. So then I sort of...

At the same time I was at uni, I was, I actually was exposed to meditation. I lived in a house with some guys that were practicing TM and at the time it was the big thing 'cause the Beatles were into it and, and I know that at that same time, Steve Jobs was wandering around India looking for enlightenment and I was sort of not that far behind him.

I probably missed him by a couple of years, but you know, it was just a fascinating time that we were seeing the questioning of, you know, norms and Vietnam War was a big part of the narrative as well. And so there was a lot of, sort of... It was quite a revolutionary time, the '70s. They say that if you remember the '70s, you weren't there, but that's another story. The, the exploration really from the inter-human consciousness was really, has been a major sort of thread running through my life and my own self exploration as well. Cut a long story short, I sort of, we went through, I went through a couple of careers and ended up in tw- 20, in '97 as the first Chief Executive of the Internet Industry Association having studied law in the meantime and had a teaching career and a stint in marketing as well.

So here we had a new industry, the internet that was just reaching Australia. I think at the time I started, we had about 22% of the population online. We were using dial-up, you know, it was the old modem tone connection times.

Garrett O'Hara: The good old days.

Peter Coroneos: We remember, and, and of course all the dropouts that went with that. So it was a very sort of very interesting time to be involved in the, in the tech sector, as what was initially the preserve of academics and to some degree the military was becoming mainstream. And so it was like we had a, had a front row seat.

In fact, I guess through the work we did as the Internet Industry Association, we did shape a li- a lot of the legal and regulatory environment that, through which the internet could flourish in Australia and we were very, you know aware, I guess, of the responsibility that came with that, those roles.

But early on in the piece, we identified cyber security as a major potential impediment to, or cyber risk as an impediment to growth and trust. And so we did a, a, a lot of thinking around empowerment programs and, and education and, and also legal and legislative instruments that could be used to create an environment where trust would, would proliferate throughout the internet-using public.

We did also a lot of work around broadband lobbying for what ultimately became the NBN. A lot of work in child protection, copyright, the streaming debates around keeping streaming.

In fact, had we lost that battle in 2001-2, we probably wouldn't be having this conversation now in the sense that the, the government of the day under the pressure from the television networks was seeking to at least examine the prospect of requiring anyone doing video or audio streaming to hold a broadcasting license. And of course the, the, the government policy of the day was that there were not gonna be any more broadcasting licenses issued. So it was a little bit of a-

Garrett O'Hara: Yeah.

Peter Coroneos: ... um, a scary time. Anyway, moving forward, so through that whole cybersecurity sort of piece, we managed to develop some really interesting best practice work around botnet mitigation and we wrote this thing called the iCode, which was a, an industry scheme, a voluntary scheme that allowed for the iden- identification and notification to end users of a potential compromise with their computers, their machines which could be used, you know, by criminal organizations to send spam or attack other computers.

So the iCode ultimately was taken by the Five Eye or into the Five Eyes Community by the Australian government. They were quite pleased with what we'd managed to achieve. I think we reached 92% of the coverage of the internet based in Australia within about three or four months. So it was a pretty powerful example of industry leadership with a good idea.

And as you'll see, I'll soon segue into Cybermindz. And in a way I feel like we're on a bit of a parallel track, but this time we're looking at the mental health dimension of cybersecurity. But just to backtrack, so the iCode was then... I was invited to the White House a couple of times to brief [inaudible 00:09:22] Schmidt, and the second time with a bunch of telcos and ISPs in America.

And ultimately the ou- outcome of that was that they had, they developed a parallel scheme based on our work, which re- re- reached about 276 million Americans. It was about 90% of the broad or the internet base. So it was... For me, it demonstrated really the power of a good idea, the power of timing, the power of u- using networks and, and, and being able to advocate a narrative that made sense, that people could understand.

And, and so in the intervening years, I sort of... Leaving the internet industry. I sort of refocused on applying or at least teaching some of the practices that I'd used in my own career just to maintain my own equilibrium and, and, you know, sense of calm that I could return to a state every day that was very restorative for me and allowed me to focus and step ou- step out of the, what you can imagine was a pretty chaotic period in, in our history of the internet. So it was just really great to, to have that, those tools and then to think about ways that we could share that.

So I started a company called Serenityworks and was running corporate programs here and overseas. We were mentoring CEOs and just getting everyone a little more, you know, attuned to a more let's say, constant state or ground state of being from, which is a platform from which all creativity flows, all insight originates, all sense of, you know, deeper sense of being or security or, or psychological safety. All those things reside within, within a space within us that we can access.

But of course, part of the problem is there's still a lot of overhang around the '70s era and the hippy era and the, you know, there was a, a, a bit of cynicism even then. But I, I re-... I discovered then a program called iRest, which was based on similar techniques to what I'd been exposed to had it, in fact, been introduced to in my early 20s.

And the iRest protocol was actually developed by a clinical psychologist in America called Dr. Richard Miller in California and he had taken some of these ancient techniques and packaged them into a 10-step sequence that was highly effective in switching off hypervigilance, hyperactivation. And the kind of always on state that we find ourselves in. Particularly, I think the pandemic exacerbated all of this.

So we, so we really know that there is thorough mental health issues now. It's... You know, really it's a, it's a population level decline in mental health as observed by Australia's Mental Health Think Tank.

So, but particularly in cybersecurity, we see the pointy end of that phenomenon. And, and so I suppose what Cybermindz, just to, to move to the present sort of topic, is a, is a coalescence for me or a joining of those two major streams in my life, the commitment to cyber security, but also the, this sort of personal development piece. And, and, and I, and, and so I, I had kept those two parts of my life separate, but last year I was talking to Nick Len, and actually, the CEO of Mime-, or the Country Manager of, you know, of Mimecast.

And we started to have long discussions around this issue of personal we- wellness and wellbeing, and, and the criticality of that to, particularly to people working within cybersecurity around their own capacity to focus and remain engaged and, and even passionate about the things that they're doing that are so fundamental to the health and safety, I suppose, of our society, a- at least those parts that are hanging off the digital phenomenon, which is pretty much everything.

So that's, that's really... So the, the iRest protocol I approached Dr. Miller, Richard Miller and said, "Look, we'd like to apply this in the cybersecurity realm." Now, what I didn't mention was that he'd introduced it to the US Military in 2006 to the Walter Reed Army Hospital, and they were using the protocol for returning veterans from Iraq and Afghanistan, particularly those that had PTSD, which is obviously a pro- a byproduct of unmanaged chronic stress or, or trauma.

And and so there were... He had done these studies there, now about 25 scientific studies that support the efficacy of the protocol across, not just the military populations, the veterans groups, but also sort of more general domains in palliative care substance abuse clinics, victims of domestic violence.

So different domains a- and frontline health care, care workers as well. And the studies again and again show that the immersion into this, this protocol, which is actually very easy and pleasant to practice, a- and it's a guided practice. So you, you're not having to sort of exercise any particular discipline other than to lie down or sit down with headphones and just listen to the recordings or to the live facilitator.

So the result of that is it actually reconfigures the brain by taking you out of the flight-or-fight mode. It actually... We, we actually move people down through the 10-stage sequence and what happens is the brainwave activity starts to slow down and you're moving down out of the high beta, which is the state of anxiety and fear and, you know, thi- this hypervigilance into sort of slower states where you start to get a little bit more clarity, a little bit more physiological relaxation.

The brain starts to release different hormones and neuromodulators like serotonin, which is a mood-enhancing hormone and, and deeper into the dopamine as well and endorphins in, deep into the delta states. So you're getting a lot of, what could you call it?

A- actually, there's restorations occurring at the cellular level. So human growth hormones released down in these deep states. So you're getting a lot of anti-aging effects, which someone the other day said for them was the, the most significant [laughs] attractive sort of aspect of this as well.

"You mean I can look like, younger for longer." I said, "Yeah." Well, seems to be some support for that. Anyway, so that really is... So, so Cybermindz is really relying, we are applying the iRest protocol for the first time in, in the world, into the cyber security sector.

Garrett O'Hara: Yeah. Which is... Yeah. It, it leads me to the question around the, the problem that you're kind of addressing here, which, you know, I think people in our industry are well aware of, you know. CISO burnout is, is kind of much talked about. I'd love to get your thoughts.

Is there something specific going on for CISOs? And do you see... Is there any analogies with other roles? And here I'm thinking maybe frontline healthcare workers firefighters. I mean, you men- mentioned military already.

You know, it compares CISOs to other like peers within an organization, you know, senior executives that are maybe looking after finance or HR, and it feels like there's a, a qualitative difference to how it feels to be a CISO and, and how they go about their day. So I'd love to get your thoughts on what you see as the specifics for why we see so much stress and burnout in, in the security sphere.

Peter Coroneos: Yeah. I think that's a great question. Look, the short answer is yes. I think there are quantitative differences within tho- those roles, the CISO roles and cyber teams generally. A- and I say that having spoken to Richard Miller about the work he'd done with the veterans and also with the frontline healthcare workers. And in fact, I've written an induction course.

So just to cap off the piece around the sidelines, whe- when we deliver the protocol, we, you, you have to be an accredited facilitator and there are about 400 of those in Australia of who-, from whom we will draw, but we're putting them through the induction training around cyber security so that it's a, becomes a peer-informed process so that we're using the language of cyber when we're talking to cyber people and at that...

Well, we've already done a pilot program with Allianz Insurance. And I think it was a profound sort of validation of that approach, that when they feel that you understand what their daily, what their day looks like, you get a lot more permission to engage in the protocol because they know that you are one of them essentially. So the, the...

So talking to Richard Miller, and then he actually did the induction program that I wrote because he was curious to see what spin we were putting on this around, you know, putting it in the language of cyber. And he recognized, having done that program that we'd written, that there were definitely uniqueness around cyber security.

And in a nutshell, what they are is that... If you talk about a frontline healthcare worker, for example, and I'm not in any way understating the pressure that they've been under, particularly during COVID, at all.

They needed as much help, you know, as anyone, but there is still off time when you're not there on the job, treating patients or emergencies or whatever, or if you're a frontline, you know, a firefighter or whoever, there is gonna be, there are critical times within the, within the active workday. But then there is this off time.

Now, if you've been traumatized during that on-time, that's another whole story and I'd say that's where the protocol, you know, is necessary. But for cyber security, there's really no downtime because of this constant attack environment-

Garrett O'Hara: Yep.

Peter Coroneos: ... and the overall... So, so if we were to distill it down to three or four points, and by the way, there's very little research on this. [inaudible 00:19:59] did a study in 2020, so the prior year, so this is pre-pandemic. And even there, they found high levels of stress within the CISO populations of the US and UK that they surveyed stress and teams having a detrimental impact on their own mental health and their relationships with their partners or children. And, and some of them would turn to medication or alcohol for relief.

So there is definitely an underlying issue here. But the top three or four reasons why I think cyber teams are particularly at risk of burnout are because, first and foremost, as I say, the te- tech environment is relentless. You, you know, it's the only... Someone said, it's the only career in IT where someone i-, someone somewhere is actively trying to ruin your day in 24/7. So I think there is that uniqueness about the roles.

Secondly, there's the, the sense of responsibility that you bear when your job entails protecting an organization and ultimately, potentially downstream customers. And if it's critical infrastructure that you're trying to protect, then it's large segments of society are all relying on you not, you know, failing to properly manage an attack. The other flip side of that is that the visibility of success is hard to see. No one can tell when you're doing a good job-

Garrett O'Hara: Yep. Yeah.

Peter Coroneos: ... Whereas the consequences of failure are highly visible. And then the fourth dimension is that still a lot of CISOs don't believe that they, their situation is adequately understood by the C-suite and nor do they necessarily feel that they have the resources and they have to continually go to seek more resources for a problem that hasn't yet occurred.

You see, this is the issue, is that it's a, it's almost like a grudge spend because if you can't demonstrate that an attack... I mean, you can't, can't prove a negative, can you? So you can't, you, you can't show how many attacks didn't occur because of whatever spend had been made.

And you might be able to have behavioral analytics that show attempted attacks that have been prevented, but unless they've culminated in an actual attack, the-, you know, there, there is a real disconnect between the, the role of CISOs and the wellbeing of the organization. So I think that... So the, the, the consequence of that is they often feel underappreciated, underrecognized. And so all those things combine now over time.

Also, you've got these critical skills crises that are affecting many professions, but I think within cyber security it's well known. And, and so when someone leaves because of burnout, then that just puts more pressure on the people that remain and so you end up with, right? Quite stressed team dynamics.

So yeah. So I, I mean, we could probably... We, we will actually be doing Australian-based research into this area because we've got a research capability through one of our directors, Andrew Reeves, who's a global expert in cyber risk behavior. So we'll be shortly actually pushing out... And for people on the call, please keep your eye out.

We're doing Australia's first rigorous baseline analysis of stress across three domains: burnout, sleep quality, and general quality of life and we're gonna create a bell curve. We'll see what the natural distri- where the distribution is within cyber versus the general population.

Garrett O'Hara: Interesting.

Peter Coroneos: And that becomes a baseline metric that we can use then to measure progress through our programs and also within organizations, we can repeat the analysis and see where your organization sits in relation to the general population and also the rest of the industry. So, yeah, fascinating area. [laughs]

Garrett O'Hara: I- i- it really is. As you're talking, there is a couple of things that kinda load up in, in my mind. It feels like there's a general embracing of the conversation around mental health as a nation, but i- it feels globally, and that's probably reflecting the increase in stress and depression, you know, all the, all the things that I think we talk about as a society.

But we see sports stars and celebrities more openly talk about, you know, their struggles and the things that they're going through. So kind of a two-part question, like I'm, I'm wondering, does that help us in, in terms of CISO given how, or just security people in, in general, just given how specific that the area that we work in is. So like that, that national conversation is hopefully helping. Let's get your thoughts on that.

And then secondly, as you talked there about the, you know, maybe lack of understanding of what a security person is going through based on, you know, relationships with their colleagues, because you know, a person who works in finance goes home and, you know, nothing happens to the books overnight. Nothing happens to HR overnight, but it does in security world.

Is there ways or things that you've seen work well for somebody who's maybe going through something now to help their colleagues understand their world and what they're going through in a more meaningful way. 'Cause I think that feels like it would be useful, [laughs] you know. First step is at least this empathy from colleagues. Have you seen anything work there or any thoughts on that?

Peter Coroneos: To be honest, we haven't really delved into the cultural side too much at the moment, but we do recognize that culture is a big driver of stress and burnout. And to some of the points I'd made previously about what's unique about cyber. I think there is this cultural divide as it were within organizations where there is a lack of empathy and at least understanding.

And so I think there is definitely work to be done in that area. How we approach that, hard to say. One thing that we are doing and can do well. Leadership briefings, where we can take the narrative into the C-suite and talk to the organization as a whole-

Garrett O'Hara: Yeah.

Peter Coroneos: ... about what these dynamics are and... A- and the other... So th- that was a sort of many dimensional question, but to the increasing awareness around mental health, particularly over the last, let's say 10 years, I think that is helpful.

Garrett O'Hara: Yep.

Peter Coroneos: It was previously something that we didn't really talk about and people suffered in silence and, and I think, you know, it really reached a tipping point where this is a problem that is too big to be not addressed or, or admitted to anymore. Having said that, within specific teams and within cultures, sometimes it can be very difficult to admit weakness-

Garrett O'Hara: Yep. Yeah.

Peter Coroneos: ... to admit that you're suffering and, and so that's, that's something that really needs to be addressed and that... Part of what we are doing is trying to normalize the discussion, the conversation around mental health as being, you know, as important as physical health and something that, you know, if you had to go to the doctor because you broke your foot, no one's gonna think less of you.

But if you have to go to seek help because you are not managing stress or there's relationship problems, you know, even outside of the workplace that are impacting on your ability to do your job, then we have to recognize that, you know, we are, after all, all human and, you know, it's this...

I think part of what we've learned through the military work that Richard Miller has done is this con- you start to develop a conversation. Particularly what he found was that when he started delivering the protocol into military units, they started to develop a common language around aspects of the protocol that they could use even offline to support each other, to remind each other to step back or to see perspective or to apply, you know, various dimensions of the protocol, even micro practices that you can do, you know, in an opportunistic way during the day just to get you centered and grounded.

So there is definitely a morale building, team building dimension to this work that would, naturally emerges when people, teams have done the programs. How you get, how you elevate that outside of the cyber team and get, lift this general level of understanding and awareness into the organization generally, I think that is a very big challenge.

There is work being done, I know, by a new group called Cyber Shift that we would hope to be, be partnering with at some point, where they're looking at toxic workplace cultures and so the whole conversation around that. Fortunately, Andrew Reeves, who is, as I say, our Director of Organizational Behavioral Research is pretty much across this issue.

And I think part of what we want to be able to do is a two-part thing where we can provide the protocol into teams and also build this community support network around the program. But you, you have to understand that this is not like a hit and run thing where you come and do a workshop or a eight-week training course and then you're on your own.

Garrett O'Hara: Yeah.

Peter Coroneos: This, this has to be built in to organizations as a sustainable support thing that... Because it takes time for the brain to actually change. I mean, this neurological change that we talk about that the science shows occurs after eight to 11 weeks of doing this regular immersion in through the protocol. It does take those eight to 11 weeks.

And so the people that make the best progress are the ones that are regularly, you know, encountering this shift out of the hypervigilance into these deeper states. And over time, what happens is the brain starts to, through neuroplasticity, it starts to recognize that it's operating in a different environment.

And so the cellular structures begin to change and you get reductions in parts of the brain that are correlated with high stress and increases in brain structures that are associated with emotional regulation and wellbeing and seeing things in perspective and having more calmness and clarity that become the new default.

But in order for that to really cut in, it's like going to the gym, you know, Garrett, you, you, you can, someone can take you to a, to a gym on a tour, show you the equipment and give you the theoretical reason why if you went to the gym, it would be beneficial or you can join the gym. By having joined the gym, you then have to obviously go regularly to get the benefit. This is exactly the same thing.

So I think a large part of what we're focusing in on now is the community building. So we've touched on the cultural aspects that need to be examined and discussed and, and addressed but also then the sustainabi- sustainability of the, the protocol and, and, and re- recognition and application of mental health tools utility for the cyber teams and, and beyond.

Garrett O'Hara: And, and as you're talking through that, I suspect there's a couple of positive feedback loops that would happen there. Like at a personal level, I'm guessing as people adopt the protocol and work with you and, and your organization, they're gonna, they're gonna feel the difference, right? They'll, they'll feel, you know, materially better, perform better, et cetera.

And then as you scale it up into an organization, presumably then there's, there's actual real world business benefits here, which would be probably reduced churn of, of staff, you know, people staying longer, performing higher. So not to sound like a, you know, [laughs] a, a mercenary capitalist here, but, you know, there's, there's a win-win situation where, you know, the individuals are gonna have a better life, but actually organizationally there's huge, I, I would imagine, huge benefits to this kind of approach.

Peter Coroneos: Yeah. And I think that is sort of the conversation that we wanna have at the C-suite level because, but again I don't know what the metrics are and this is why we, we'll be measuring as we go and doing these baseline studies that we can start to demonstrate working with HR teams as well as cyber teams. Reductions in absenteeism, increased levels of engagement.

One of the things... A- and so ultimately, these translate into a higher performance of the individual, a higher performance of the team, a renewed passion for the job, improvements in team morale. All of these things should translate into a more effective or a better cybersecurity posture than teams that are burning out, that are in hypervigilance, that are being flicked out of their analytical brain, into their heuristic brain, because that's what fight-or-flight does.

It gets you out of the rational brain, which is kind of where we want our people to be, right? We want them to be you know, on the ball and sharp and clear and calm and doing their jobs really well, you know. There's a thing called flow states even, you can get to with gamma frequencies that are pr-, that, that spike during the protocol.

Over time, you start to sense this feeling of flow state, where it becomes effortless and you're, you're performing at a very high level. And there's really interesting work that was done in the field of positive psychology in the '80s around flow states and it's been applied across so many domains into sport and business and creative arts and everything.

So I guess if we can bring flow into cyber teams, that would be, [laughing] that would be unreal because, you know, that's where, you know, the teams, everything clicks again and, and everyone's performing well. But at the organizational level, so how that translates is, would high productivity lower absenteeism, but also decrease churn?

And, and when you're looking at a skills crisis, which we currently have, or a skill shortage, at least, even if we can keep people happy and in the same jobs for an extra year or two, I mean, that translates into, hopefully we'll do much better than that, but, but, you know, the cost of replacing a CISO is non-trivial, assuming you can even find one. You've got recruitment costs and all those onboarding costs, so you lose the corporate memory of the person that left.

There's so much cost to the organization that is implicit in losing key people. And so I just think it makes, as you say to your materialistic capitalist, you know, view on this uh, and that isn't really our primary view, but it is certainly an aspect. It really just makes good commercial sense to do these things as well.

Garrett O'Hara: Yeah. Yeah, that definitely makes sense to me. So look, there, there'll be people listening today um, and I, I think it's fair to say as human beings, we, I, I feel like we, we have this, maybe it's a protection mechanism or, or something where quite often we think we're fine, but actually we're probably not and there's...

It is like a lag time before we really sort of fall apart and realize, "Oh, I actually haven't been okay for quite some, [laughs] some time." And, you know, and then if we're lucky, we're, we have access to counselors or, you know the people who can potentially help us. So, you know, kinda people notice a little bit too late sometimes.

I'd love to go ahead and get your thoughts on that. Like is... W- w- why does that happen, first of all? Like, why is it that we often don't look in the mirror and see, you know, that, you know, not to be frivolous here, but like that we, we look old when actually we're not, and, you know, [laughing] we, we're carrying an extra five or 10 years you know, with creases and stress on our faces. Is there something there like around self-protection? Like, why, why do we, why does that happen, do you think?

Peter Coroneos: I mean, that's a really big question and to answer it properly is probably a three-hour discourse on evolutionary biology.

Garrett O'Hara: [laughing] Okay. Yeah. Yeah.

Peter Coroneos: But I think from an evolutionary standpoint, males in particular are hardwired not to show weakness. And you can imagine, you know, that I, I have this presentation, which I think I've used with Mimecast as well, where we've got and some of your clients, we've got a, a picture of a painting of some cavemen fighting off a bear with spears, clad in animal skins.

And the flight-or-fight mechanism was designed for that kind of situation. And, and if... A- and so any sign of weakness could actually be an invitation to both the attacking animal. I mean, you know how they say that when lions hunt, they look for the weak one in the pack?

Garrett O'Hara: Yeah.

Peter Coroneos: There's that sort of dynamic that occurs in nature anyway. But also, you know, within societies the hierarchical nature of societies is always that you didn't show weakness. I mean, it's in tune with natural selection and all sorts of deep, deep stuff that is deep in our, embedded in our sociobiology.

So I think translating that into the modern society and guys in particular who have always been conditioned from childhood, and I'm not saying women are not finding difficult and different and difficult challenges in the workplace, but for guys in particular we tend to keep problems to ourselves. We tend not to share. We don't show vulnerability typically as a, as a, as a gender.

Women do have a propensity to share more. I'm speaking very generally here, but they do get together and have coffee and complain about their partners or whatever women talk about. I, I, I'm sure that there's a lot of constructive discussion. I'm not usually privy to these things. So it's kind of like secret women's business.

Garrett O'Hara: [laughs]

Peter Coroneos: I don't know what happens in these, in these conversations, but I do know, I am told by the women I know that they always feel better afterwards. And so I think one of the things we'd like to do is create a safe space for guys, as well as women, that we can have these kind of conversations around, and normalize the conversations around mental health, admit that we may be struggling a little bit.

And, and you know, the, the other thing I think humans are, we do have a, we do have some hard wiring for care and compassion despite the competitive nature of society. And I think one of the things we find with the protocol, a- and this is a pretty key point, so listen up. When you are emotionally depleted, you've got nothing to give even yourself, much less the people around you that may be suffering.

If we can rebuild the emotional resources within the individual and make them feel better and stronger about themselves, and they obviously have more to give to those around them. And so this is the power of, you know, building resilience, psychological resilience in teams and wellbeing.

Richard Miller talks about it in terms of building an un- unbreakable wellbeing, he calls it, by showing you where the foundation is within yourself that you can always return to, that is unbreakable. It gives you a platform that is separate from the chaos that you're contending with. So you can step back, take a breath, know that you're actually safe.

Now, the point I didn't quite finish making with the flight-or-fight response, and you're fighting off the bear, in that situation, once the conflict is over, the whole system is designed to return to equilibrium. That's how the limbic system was designed, that the cortisol levels come down and the heart rate slows, and you start to return to the rest and digest state.

But in a work modern 21st century workplace environment where the, the s- the threat is a perceived threat, it's not a visible, not proximate in space or time. It's not in front of you, but it's more of an imagined threat around what could happen. And again, we map this back to cybersecurity, specifically teams, this...

There is always a part, this vigilant part, vigilance part of the brain that is, can't allow itself to switch off because of what might happen and so, as a result, the limbic system stays switched on, or the stress hormones remain high. In turn, you start to get actually degeneration of the parts of the brain that you, you really wanna be sharpening, like the hippocampus, which stores memory and learning.

You know, pe- one of the first casualties of stress is people start to feel a bit forgetful, short term memory in particular. You walk into a room and you forget why you went there for what it was. And, and so what we wanna try and do is, by helping people learn how to switch off this hypervigilance, a few things happen.

Firstly, their sleep improves, which is a big thing when people aren't sort of always on. Not that sometimes they can't sleep easily when they go into bed at night. Often it's by, from exhaustion, but then they'll wake up at 3:00 in the morning and the mind will be racing and they can't get back to sleep and that's a very common thing. So the protocol really helps you to...

I mean, we've even got particular protocols that you can use at 3:00 AM that'll stop you getting drawn into that. Mind streams, worrying about not being able to go back to sleep because you'll be tired the next day. So sleep tends to improve. You... What people observe is you just generally start to look and behave a lot calmer, you, you've got a lot more...

You, you know, when you're in a reactive mode and, and some situation occurs, you can sort of snap, you can, you can really be on your tentacles. This is a classic case of where there's no separation between your perception of self and the chaos that you are having to contend with, that you get drawn in. And, and when there's no separation, it's like, you know, you, you, the, the reactivity is almost a reflexive thing and that's quite destructive.

Garrett O'Hara: Yeah.

Peter Coroneos: The capacity to be able to step out of that situation at will, and it's a skill that we can build, gives you the ability to then choose what things you want to sort of get involved in and what things you're gonna just let through to the keeper. So sometimes you don't, you don't have to actually engage in everyone else's conflict all the time.

But, but again, this hyper-reactivity is a consequence of this, this stress dynamic. And over time, you know, you start to, you know, it will culminate in burnout. In fact, there was a nice quote from uh, CISO in the US called Morey Haber that said something like, if every day is a firefight, you will burn out. No amount of money, cigars or vacation time will stop it.

And so that's effectively what we're saying, is that, you know, the reward system itself, the, the tangible external reward system, won't be enough to compensate for just the sense of being under constant attack. And that's why we need these kind of interventions that can come in.

And, and, and another thing I was gonna say, Garrett, is we're doing some work now with new entrants into cybersecurity as well, because we know that this is such a potentially a high stress occupation. Whether you're a pen tester or working in a SOC or doing, you know, analytics or whatever it is, even in GRC where you're carrying the can for a major breach scenarios, we want...

So we know it's a high stress sort of profession. What can we do to equip new entrants that are coming in with the skills so that we have preventative strategies [inaudible 00:44:30] mean that they never have to get to the EAP stage or have to leave because they're, it's too much?

So I think that's a, an ethical and a moral obligation that we carry as cybersecurity leaders that we've gotta, firstly recognize the nature of the environment that we're putting people into. And this is not a matter of cannon fodder, you know?

Garrett O'Hara: Yeah.

Peter Coroneos: Just burning 'em out and getting through. This is much more about... And I know the CISOs that I talk to, they really care about their teams.

Garrett O'Hara: Yeah.

Peter Coroneos: They're so protective and it hurts them when they see members of their team suffering. And if they feel powerless or under-resourced to do something with it, you know, that, that, that's something they take home. So I think, you know, the time is right now for this, so I think, you know, we're really lucky that we've got...

You know, the pandemic in a way gave a lot of permission for us to... Because mental health decline became such a societal phenomenon, we've had to address this as a society anyway and I guess Cybermindz is really just the way that we are doing that for our community, using a protocol that we know works, can be delivered remotely or in-person and, and, you know, we will measure the results and we- we'll be able to see quickly, you know, what the metrics say.

But, but even without that, the pilot programs are already showing subjectively people reporting what I said, you know. Feeling calmer, sleeping better, feeling less reactive, feeling a li- a little bit sharper. So that's sort of... So that's, so that's the big why of what we're doing this. As to the how, we're looking for partners.

Obviously we've got Mental Health Awareness month coming up in October. So we're looking to run out programs. We've got a masterclass that we'd like to run for people that are interested as a way in, or we can do executive briefings as well. If you feel that the time's right to start this conversation within the team or within the leadership. Whatever we can do to help you to help yourselves, that's what we're here for.

Garrett O'Hara: And we will definitely include all of that in the show notes. As, as you're talking through that, Peter, it would be good. There's gonna be people listening to this and, you know, kind of referred to the fact that people maybe don't notice until it's too late or, or later than maybe is ideal. What would, what should people be looking out for as they maybe are experiencing stress?

And then there's that transition into burnout, and then, you know, there's, there's probably stages after that. It'd be great if you could just maybe talk us through what, what are the things that people should be paying attention to so that they know it's time to, you know, engage with uh, Cybermindz uh, to, to kind of help with their situation.

Peter Coroneos: Sure. I actually realize I didn't properly answer that question when you said, what are the, what are the what are the early stages. Well, the tendency is to sublimate initially. If you are in a situation where you don't have the emotional resources available at the time to deal with an overload type situation on your emotions, the normal thing to do is to sublimate that, and we push it beneath the surface and it actually goes down into the subconscious mind.

And that's why you're having sleep problems because in sleep, whatever's lurking around in the subconscious will start to reactivate as you're trying to... You're really... What you're doing, particularly in the dream state is your processing stuff. It's emotional processing of things that happen in the day.

If you're not sleeping well and if you're not going into the deep REM sleep where the dream processes can play out properly, and people with PTSD, apparently, according to Richard Miller don't dream as much. And so they're not able to actually do the internal processing.

So a lot of this sublimated stuff is not being dealt with and over time it, it creeps, you know, it snowballs into problems that eventually surface, but some of the things that you would look out for, obviously if you're finding sleep problematic or if you're waking up exhausted, the quality of the sleep is not so good.

Or if you are just feeling generally agitated or very, feeling a little more reactive than you should. Things are triggering you or if, if you find that your memory's not as sharp as it was, it could be because, you know, we're on our devices all the time and so we're losing capacity for holding attention. Again, this is something the protocol definitely can help with.

So those are the sort of early signs of a decline in cognitive resource easily distracted, so over time, if that's not managed or just, just generally feeling stressed, you know, even some of the external signs, heart rate elevated all that kind of classic fight-or-flight stuff.

But over time, what happens is that you get to a point of emotional, physical and mental exhaustion, and that's when the excessive and prolonged stress hasn't been managed. So we can deal with a certain amount of stress. And they say a certain amount of stress is necessary to keep us motivated, right? So we're not saying we are gonna create a zero-stress environment. There is this optimal level of stress, but beyond that, there is a suboptimal level of stress and that's where we wanna sort of get you out of.

Then you start to get feelings of being overwhelmed, emotionally drained, or unable to meet constant demands. And as the stress begins, it continues. You start to lose interest and motivation. And I'm drawing here from a definition of burnout from helpguide.org, where they say, you know, that you start to question the, the, the value that you bring to the organization.

If you don't feel that you're making a difference anymore, this is just a, a treadmill you're on and it's pointless. So, you know, that, that's an indicator that you're probably on the road to burnout. It reduces your productivity, saps your energy, and then again, to quote from HelpGuide, it leaves you increasingly helpless, hopeless, cynical, and resentful and eventually you feel like you've got nothing more to give.

So that's really, those are the things to... I mean, if you're sensing there are aspects of that description that could apply to you, then it's possibly a good time to sort of check in and ask yourself, "How much care am I giving to myself even if my workplace isn't providing that for me yet?" Hopefully they will.

But until that point, what are you doing for yourself that can pull you back out of that mess and stop you on this downward slide? Now, I mean, I, I don't wanna leave people feeling too depressed here. There is actually a, a positive end to this story. And that is that, that these brain changes that we talked about-

Garrett O'Hara: Mm-hmm.

Peter Coroneos: ... that result from this prolonged unmanaged stress, they're reversible. You can actually learn how to switch off. You find a flight mechanism at will. It's like a muscle that we have to build and exercise and show you how to do it. You can actually improve the quality of your sleep. You can actually regain your joy for life.

All of those things are, are, are recoverable. And I think that's the key to this, is that this is not just preventative, but it is... So the iRest protocol, iRest stands for Integrative Restoration. So the idea is that you're integrating all aspects. So you're recognizing and acknowledging that you are, you are an emotional being, you're a thinking being, you're a feeling being, you know, you're a physical being. We've got all these in a way where we're layers. We're not just a, a monolith.

And so the integration is learning how to bring those things into balance and to properly recognize the role of each of them and to feed, to nurture, to nourish each aspect of our being is super important. We don't... We're not doing anything around diet or exercise, but those are also critical aspects of looking after yourself.

So I think those are the sort of interventions that you need to start looking into if you feel that those things are occurring. But as I say, with a little bit of effort, and it's not as hard as it seems uh, you, you can actually start to rebuild your entire neurology.

And in the end, we want you to be there as these, you know, redis- rediscovering your passion for life, your job, your ability to properly care for the people around you and, and to become a pillar of strength so that, you know, even family members... When we do the protocol and we deliver it remotely, say over, over Zoom or Teams or whatever, if you are working from home, we invite you to bring in other members of the family that are there for free.

Garrett O'Hara: Yeah. Yeah.

Peter Coroneos: I mean, there's no charge. We just want everyone in 'cause we recognize that people are working in, you know, new dynamics with telework. And so the idea is, you know, this is something we wanna share beyond just the immediate community into those that they, you care and love and, and, and need also to be well. So that's sort of the, that's sort the approach.

Garrett O'Hara: That's excellent. We, we have hit time here, unfortunately, but I'm correct in, in saying that you guys do, like if people go to Cybermindz to your website I believe there's a 15-minute consultation that people can do to kinda understand like a way forward with Cybermindz. Is that, is that correct?

Peter Coroneos: Yeah. You can book a call. It's Cybermindz with a Z or if you're American, with a z.org. I'll be going to America soon.

Garrett O'Hara: Okay.

Peter Coroneos: I have to... We, we're actually taking Cybermindz to the US.

Garrett O'Hara: Mm-hmm. Remember which one it is.

Peter Coroneos: Yeah. We're going to the US. So the idea is we're scaling this throughout the Five Eyes initially, so we got a lot of interest already in the States from this, because pretty much this is the same situation everywhere within cyber security, we think. And so because the iRest community around 7,000 facilitators worldwide, we know that and we can customize it for cyber. We know we can deliver this.

So in the meantime, if you're in Australia, you can go to Cybermindz.org, check it out. And again, sincere thanks to Mimecast as... You are a founding partner of Cybermindz. Nick Lennon and the team, you know, understood the value of what we were doing immediately and, and I think it's also the New South Wales government is coming in, CyberCX's founding partners as well.

So we're super excited about the support we're getting, but really we are here for the industry. We're here for the people. This is driven out of compassion. Ultimately this... We're not for profit, so this is about... We're a social enterprise. We're here to support the people that are supporting society.

Garrett O'Hara: Incredibly, incredibly important work. And yeah, Nick is, is a very switched on guy. I've certainly had the conversations around that stuff and, and he's a, he's a guy who definitely gets it.

Peter, thank you so, so much for joining us today, we will include all the details in the show notes for today's episode so people can also hopefully just click on the link and go directly to, to Cybermindz, the website, with a Z or a Z, depending on [laughing] I don't know which country you're in, but thank you so much, Peter.

Peter Coroneos: Thank you, Garrett. It's been a pleasure.

Garrett O'Hara: Thanks so much to Peter for joining us to talk through such an incredibly important topic and as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe and please do leave us a review. We are taking a two-week break before we get stuck into Season 8, with some cracking interviews already lined up. I look forward to you joining us when we get back on the 4th of October. For now, stay safe and I look forward to catching you on that next episode.

 
