The emotional toll of cyber resilience
The aftermath of a cyberattack can be devastating for the victims. Aside from the financial costs and disruption of day-to-day life, the emotional impact can be deep and enduring.
For people who have had their personal data compromised, it’s an uphill battle to clear their names and their banking information, which can severely impact their ability to access credit, housing, employment or medical services.
The fallout can leave victims feeling powerless and vulnerable. Many turn to drugs, alcohol or unhealthy eating habits to cope. Some spiral into depression or anxiety, with a few even experiencing post-traumatic stress disorder.
“The psychological effects of cyber-attacks may even rival those of traditional terrorism.” - Dr Maria Bada, Research Associate, Cambridge Cybercrime Centre, University of Cambridge
But the looming shadow of cyber threats extends far beyond consumers and end-users. Front line cybersecurity professionals, charged with protecting other people’s data, also bear a heavy burden.
The psychological challenges facing cyber workers
In an always-on digital world, they find themselves in a constant state of high alert, incapable of “turning off.” Cybersecurity stress is now an industry-wide epidemic with workers under constant threat of burnout and overwork. Zero tolerance for breaches, a blame culture and relentless pressure to perform put their productivity, ability to attract and retain talent, as well as their individual well-being, at constant risk.
The result is a high rate of burnout and attrition, with a survey by Nominet reporting that the average tenure of a CISO in the UK is just over two years (26 months).
The survey noted:
- In 2019, 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%).
- 31% also reported that their stress had impacted their physical health.
- The number of CISOs turning to medication or alcohol has increased from 17% in 2019 to 23% in 2020.
But what makes cybersec such a demanding occupation? Let’s take a closer look at the realities of the job:
1. They are always under-resourced
Over half of CISOs surveyed by Nominet believe they don’t have enough resources to address critical vulnerabilities, let alone tackle other external threats. With tight budgets and the crippling shortage of skilled talent, it’s no wonder cybersec leaders feel like they’re always being asked to do the impossible.
2. The workload is overwhelming
Almost all CISOs work beyond their contracted hours, averaging an extra 10 hours per week. 87% of CISOs said that working additional hours was expected by their organisation. Revealingly, almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance.
3. The internal culture wars don’t help
In many organisations, especially those in the midst of transformation, cultural battles are a big pain point. 38% of cyber pros say they’re frustrated with trying to educate end-users to change their habits. Additionally, 18% of CISOs feel board members are indifferent to cybersecurity or see it as an inconvenience. An unsupportive environment rife with conflicting agendas is a recipe for stress, frustration and heartburn.
The good news is, awareness of mental health in the infosec sector is on the rise. Many cyber conferences address the mental well-being of cyber professionals, with many studies revealing that even though cyber resilience is a stressful occupation, job satisfaction is still fairly high. In a survey that spanned the United States, UK, Canada, India, Australia and the Netherlands, 71% of cyber pros reported being satisfied with their role, and 78% said they would recommend a career in cybersecurity to others.
How CISOs can lead the change
CISOs are uniquely positioned to cultivate a positive change in the way cybersecurity work is done within organisations. Leading by example is arguably the most powerful thing they can do. By encouraging conversations around mental health, maintaining a reasonable work-life balance and creating a positive and supportive work environment, they can attract and retain the best talent. Having clear internal processes and support in place will also minimise the need for overtime.
The first step to building a good security stress strategy is to carry out an in-depth survey of an organisation’s cyber needs and the resources it has allocated to them. Next, getting executive buy-in, establishing realistic expectations and providing training and automation support will mitigate pressure on the team and help them work more effectively.
A cyber resilience team is only as good as its people, and making sure your team has clear, achievable goals and the resources to achieve them can make all the difference to the success of a cyber resilience department.