Cyber professionals say industry urgently needs to confront mental health crisis

As the coronavirus pandemic swept the U.S. in early 2020, Pat, a security engineer, had more than just his own health to worry about. He was the lead engineer responsible for protecting vast amounts of data moving between large health care organizations to the Centers for Disease Control and Prevention. The toll of working 80-hour weeks wasn’t new to Pat, who has been in health care security for seven years, but the responsibility of safeguarding Americans’ vital information at such a crucial moment weighed heavily.

“It burned me out,” Pat admitted to CyberScoop. “It was very hard when you feel like the things you’re doing are going to be impacting the availability of health care and prioritization decisions.” With his employer’s approval, Pat eventually took medical leave to cope with the stress.

“You can’t be burning like it’s the end of the world every minute of every day,” said Pat, who asked CyberScoop to use only his first name so he could discuss sensitive mental health issues more freely. “And a lot of times in cybersecurity we are being told that we have to be paying attention all the time, we have to be treating every possible security incident as though it is a major breach or the sign of a major breach. And we deal with it poorly. We do not have good support structures.”

Pat is far from alone. More than a dozen cybersecurity professionals shared with CyberScoop similar stories stemming from the intense work demands of an industry that involves often 24/7 vigilance against a growing tide of cyberthreats. Despite a growing awareness of mental health struggles within the industry, sources said there still aren’t enough resources inside companies or across the broader cybersecurity community for professionals dealing with burnout, stress and the intense anxiety of working in a high-pressure environment.

Cybersecurity workers told CyberScoop they have seen intense job pressure contribute to colleagues leaving the industry, experiencing trouble at home and leading to substance abuse issues. In some of the most extreme cases, sources said, they have known colleagues in cybersecurity struggling with mental health issues who have committed suicide.

“People burn out of these jobs for good reasons and the life cycle there is implicit if not explicit,” said Pat. “The joke is, ‘Oh you’ve been in cybersecurity for five years, what’s your addiction?’”

At industry conferences and online forums high-profile figures within cybersecurity have sought to shine a brighter light on mental health challenges in cybersecurity. Even Jen Easterly, director at the Cybersecurity and Infrastructure Security Agency, has spoken candidly about the subject and her own brother’s death by suicide.

“As I’ve often said, mental health is health, and safeguarding it is foundational for our success, personally and professionally, individually and as a team,” Easterly said in a statement to CyberScoop. “Unfortunately, there is still a stigma attached to acknowledging and getting the help we need to address our mental health challenges. This is true across our society, as well as across our profession, where stress, burnout, and languishing have plagued our cyber defenders for years — and the pandemic only exacerbated it.”

“This continues to be a top priority of mine because no asset is more important to an organization than its people, and it’s critically important that we are able to take care of ourselves and each other,” Easterly said.

By the numbers

The stress reported by cybersecurity professionals isn’t just anecdotal, with research pointing to growing stress and burnout among cyber professionals. A 2022 study by the security platform Tines of more than 1,000 security professionals across the U.S. and Europe found that 66% of respondents had “significant levels of stress at work,” with nearly as many saying their stress impacted their work performance. The same study found nearly 20% of respondents were consuming more than three drinks a day and 51% had been prescribed medication for their mental health. Yet just over half said their workplace prioritized mental health. A February Gartner outlook predicted that nearly half of cybersecurity leaders will change jobs by 2025, 25% for different roles entirely, due to work-related stress.

Stress and burnout within the cybersecurity industry is occurring against the backdrop of growing mental health concerns nationally. In August, the Centers for Disease Control and Prevention reported that an estimated 49,500 people died by suicide in the past year, a record high. The Biden administration has named access to mental health care and research a key policy priority.

People outside of cyber are actually shocked to understand that these invisible workers that are protecting all of society are in such a state of fragility.

Peter Coroneos, founder of Cybermindz

The stress experienced by cybersecurity workers can in some cases exceed the burnout experienced by traditional “frontline” workers. A 2022 study of 119 cybersecurity professionals conducted by the Australian nonprofit Cybermindz and academics at the University of Adelaide in Australia found that burnout rates for cybersecurity professionals in some cases met or exceeded that of frontline health care workers. For women in security consultant roles, emotional exhaustion tended to be even higher. (Figuring out how to quantify worker burnout in cybersecurity roles has also attracted the attention of defense researchers in the United States.)

“People outside of cyber are actually shocked to understand that these invisible workers that are protecting all of society are in such a state of fragility,” said Peter Coroneos, founder of Cybermindz.

The increased frequency of cyberattacks, the expanded attack surface from a global shift to remote work, increased regulatory scrutiny, and the lingering mental health impacts of a global pandemic are all factors that experts say have brought the pressures experienced by cybersecurity professionals to new levels. 

“It’s the nature of the work,” said Robert, an industry veteran of 25 years, who wished to remain anonymous and use a pseudonym to speak freely. “You’re on call pretty much 24 by seven by 365. And at a moment’s notice, your whole life has upended.”

“Just like with firefighting, you can’t tell the fires that they can’t happen today because it’s a holiday,” he added.

Robert, who spent 10 years in incident response, recalled colleagues at his first security job sharing an affinity for the show “M*A*S*H,” the 1970s television show chronicling the lives of Army doctors during the Korean War.

“If you’ve heard the characterization of combat as long, long periods of boredom punctuated by moments of sheer terror, incident response can be a lot like that,” he said. “There’s no accounting for mental well-being in that space. Basically, it’s a meat grinder, they throw bodies in and they get chewed up and spat out and then they go and find more bodies.”

To cope, he said in his early days at a major security vendor there was a bar cart in the company’s “war room.”

“To compensate, many of us adopt what can only be called kind of a ‘macho masochism,’ which is, ‘How much punishment can you take?'” said Robert. “If I had $1 for every time someone said, ‘I’ll sleep when I’m dead,’ for instance.”

One former security operations center analyst who wished to remain anonymous said he was responsible for meeting with 40 clients a week at one point in his career. Like many cyber professionals, the stress of being on call 24/7 to manage a crisis at a moment’s notice started to impact his health, leading him to suffer from depression and anxiety. “Just imagine being on call 24/7,” the former analyst said. “You just never really have off.”

At the height of his stress at a different job working for an aerospace company, he ended up taking off two weeks and started seeing a therapist.

We are taught to keep most of our problems and the issues we’re dealing with at work to ourselves and not build support networks to try to communicate those issues to others who might be able to appreciate it or help us deal with it.

PAT, A SECURITY ENGINEER

“It’s just a lot of pressure, a lot of stakeholder management, long days and nights,” said Kayla Williams, CISO at Devo, a security analytics platform that has issued several annual reports on stress experienced by SOC analysts. “I personally found, and from speaking to others as well, that it certainly takes a toll physically and mentally.”

Research conducted by Devo last year found that 30% of respondents working in security operations centers pointed to increased workload leading to burnout as one of the top challenges to their work.

Making that worse can be feelings of isolation, industry professionals tell CyberScoop. While the community sometimes comes together in the face of a larger crisis, such as Russia’s invasion of Ukraine that gave rise to new cybersecurity concerns, professionals sometimes reported feeling isolated in their work due to its confidential and sometimes competitive nature.

That isolation can take a toll, said Ryan Louie, a psychiatrist in Washington state who has given talks about mental health at conferences including RSA. “A lot of people tell me, ‘Well this is the system. It’s siloed and I have to just go with the flow of things,'” he told CyberScoop. “They feel like they’re somewhat isolated and not supported and like there’s no other resources for them.”

That lack of support can lead to stigma about asking for help, he said.

“We are taught to keep most of our problems and the issues we’re dealing with at work to ourselves and not build support networks to try to communicate those issues to others who might be able to appreciate it or help us deal with it,” said Pat, the security engineer.

To break that stigma, cyber defenders have taken to public spaces like social media and hacker conventions to try to shed light on a problem long shrouded in silence and shame.

Following up a keynote at a different conference about mental health by founder Amanda Berlin, Mental Health Hackers hosted its first village to bring mental health resources to hackers at the DerbyCon cybersecurity conference in 2018. The group, which became a formal nonprofit, has since helped stage villages on mental health at dozens of cybersecurity conferences around the globe. The group provides talks and resources about mental health challenges including burnout, depression and imposter syndrome. During the pandemic, when in-person events stopped, the group sent out care kits.

Megan Roddie, chief financial officer of the group, said one of the biggest concerns they see at the villages is burnout. “It’s a very high-pressure industry. Security is not appreciated until they’re needed, and then not appreciated when under the gun,” said Roddie, who is ADHD and autistic.

“I think this industry just tends to attract people who are really enthusiastic about it and we have to remind ourselves it’s okay to step away.”

Emily austin, security researcher

Roddie is one of several sources that noted the difficulty in getting people to step away from their computers since many cybersecurity professionals are attracted to the field in the first place because of a passion for cybersecurity and technology as a hobby.

“There is definitely a non-zero number of us where this is the kind of stuff that we’d be doing on the weekends and after hours,” said Emily Austin, a security researcher. “I think this industry just tends to attract people who are really enthusiastic about it and we have to remind ourselves it’s okay to step away.”

Austin said she worked on setting boundaries for herself to prevent burnout, something other sources echoed as key to keeping mentally and physically healthy on the job. But sources such as Pat say doing so isn’t easy.

“A lot of us in cybersecurity are fairly high intensity and telling people that it’s okay to take a break or walk away clashes with the mythos of the caffeine-fueled hacker — that it’s the nature of the role that we’re burning the candle from both ends all the time,” said Pat. “It’s hard to challenge norms. We are built on a burnout culture.”

Finding solutions that work

Mental Health Hackers isn’t the only group to find conferences a successful way to reach struggling security professionals. This year’s RSA Conference in San Francisco provided the opportunity for Cybermindz, the Australian nonprofit, to debut in the U.S. The group’s founder, Peter Coroneos, said that the burnout experienced by cybersecurity professionals is a “predictable outcome of putting a brain in an environment it wasn’t developed for.” He said that part of his organization’s mission is to help professionals deal with the stress of information overload that they’re dealing with on a daily basis.

“I don’t talk to a single CISO in Australia and now the U.S. that isn’t concerned about the well-being of their teams,” said Coroneos. Cybermindz promotes a program that uses a version of the “iRest” (Integrative Restoration) protocol, a therapy technique to induce relaxation that has been studied by military researchers.

The group has conducted pilots with 150 workers across seven organizations so far, including the Australian Signals Directorate. Cybermindz says it has already seen success with its results. In as little as eight weeks, it saw a 30% improvement in the average scores of participants’ feelings of nervousness and stress. Cybermindz briefed CISA in May and returned to the U.S. conference circuit at Black Hat in August by partnering on a booth with Devo, which has made an unspecified financial commitment to the group. The group is also working on expanding globally and is launching in the U.K. with a mental health summit in September.

Data security firm Cohesity is another company trying to combat that sense of isolation through measures such as an employee resource group focused on wellness and mental health. The group offers resources including frequent speakers, a company walking program, and self-care-based discussion groups with conversations on often sensitive topics such as substance abuse and the challenges of elder care.

“Giving the opportunity for employees to connect about more sensitive topics, and getting support from one another definitely creates that psychological safety and belonging across the company,” said Ruth Grigsby, head of diversity, equity, inclusion and belonging at Cohesity. “And, at the end of the day, creates a better work environment for employees and a more successful outcome.”

Many sources CyberScoop spoke with cited their own experiences with mental health as the reason they’ve gotten involved in their own workplaces. Even the nation’s top cyber agency has taken steps to increase employee awareness and resources for mental health. Under Easterly’s leadership, the agency launched a mental health initiative in 2022 that included 10 town halls focused on mental health and CISA CARES, a wellness services resource hub for employees.

Roddie from Mental Health Hackers said her organization advocates that professionals, especially managers, get “Mental Health First Aid” training so they can recognize the signs of a mental health crisis and temporarily de-escalate until a professional can take over.

“Sometimes, people don’t realize what’s happening. It’s like, ‘Oh, this person, their work quality has gone down. Why? Like they just don’t care anymore,'” said Roddie. “But it’s not that they are burnt out — they’re barely surviving having this job.”

Cybersecurity professionals told CyberScoop that corporate benefits such as unlimited PTO or free subscriptions to therapy apps aren’t enough. Instead, they said, management should provide adequate medical coverage for employees to seek professional help, mandate time off and make sure employees aren’t working 24/7.

“Companies are giving you free subscriptions to meditation apps. But leadership isn’t saying ‘your health is important,'” said Robert, the 25-year industry veteran. “The leadership isn’t demonstrating that time off is important by taking time off. There’s never any focus on employee health and well-being as part of that management process.”

Leadership on notice

Both industry professionals and experts emphasized a need for leadership on mental health issues to come from the top.

MK Palmore, a director in Google Cloud’s Office of the Chief Information Security Officer, a group that works with private and public sector organizations, said that the CISO role is still maturing and that the industry needs to make sure it focuses on leaders that understand their workforce and not just the technical elements of the job.

“I think that it’s incumbent upon leaders to make sure that they understand that while the work is extremely important, the wellness of your employees is equally as important,” said Palmore. “If you’re not allowing them to balance their lives and responsibilities along with the workload, ultimately, you’re setting yourself up for some kind of potential failure along the chain.” 

Devo’s Williams agreed that managers need to show empathy. “There are too many times people are afraid to ask for help,” said Williams. “I think leaders having empathy and preaching that throughout the organization and standing by it is very important, and it demonstrates to employees that it’s taken seriously.”

Cultural change caused by new generations taking on leadership positions is poised to play a big factor in how the industry handles mental health in the coming years.

Both Pat and Robert, who say that their experiences early in their careers have shaped how they manage and build their own teams, are an example of that. Inspired by both his professional and personal experiences with mental health, including a bipolar diagnosis, Pat said he has spent five of the 10 years of his career engaging in mental health initiatives at different employers.

“My current employer and current team in particular are very big on work-life balance — the idea that we are working on hard challenges, but we need to be able to function,” said Pat. “If we are able to duck out when there’s not much to do, we are prioritizing the care of our family, of ourselves. … We are better off on the challenging days. And our team’s been successful because of that.”

If you or someone you know is in crisis, you can call or text the Suicide & Crisis Lifeline at 988 to chat with trained crisis counselors who are available 24 hours a day. You can find additional resources at: https://speakingofsuicide.com/resources.

Correction Sept. 6, 2023: This story was updated to clarify Ryan Louie’s experience with cyber professionals was not in a clinical setting and that he is currently based in Washington state.