Group of people walking in office showing cybersecurity professionals

Breaking the Cycle of Cybersecurity PTSD

What’s it like to work in cybersecurity these days? In a nutshell, it ain’t easy, and things aren’t exactly trending in the right direction. Indeed, 46% of respondents to a recent survey said their stress level has increased in the past 12 months, and an almost identical percentage – in the same study – indicated they’ve considered quitting the industry because of the stress level. So it shouldn’t surprise anyone that there’s a shortage of cybersecurity professionals, but no shortage of articles about this persistent deficit:

We can certainly be skeptical about the assertions in any of these or myriad other articles about cybersecurity employment, but where there’s smoke, there’s usually fire. We can argue over the degree of the problem, but it’s real.

So why is there such a dearth of professionals willing to pursue a career in cybersecurity, and why are those who’ve done so second-guessing that decision en masse? The answer is both simple and multi-faceted at the same time. But let’s begin with the concept of PTSD in 2023.

PTSD in cybersecurity, really?

Not exactly. PTSD, or Post Traumatic Stress Disorder, is a very serious clinical diagnosis that, untreated, can ruin the lives of trauma survivors. As we’ll discuss in this article, the lives of cybersecurity professionals are stressful, and their daily challenges can be deleterious to their mental health, but equating their challenges with combat veterans, terrorist attack survivors, and others that have endured extraordinarily traumatic experiences is a blatantly unfair comparison.

Certainly, the PTSD term has evolved in everyday language to encompass the reliving of any unpleasant or particularly challenging period in one’s life, and can even reference an accomplishment that elicits a sense of pride. For example, someone watching A Beautiful Mind and viewing scenes with complex math equations may joke that the images give them “PTSD” from their college Calculus days. To level-set for our cybersecurity discussion, any reference to PTSD falls somewhere in the middle, not necessarily a clinical diagnosis, but not a flippant reference either.

High stress in the cybersecurity community

When we discuss exceptionally high stress or “PTSD” in the cybersecurity community, unfortunately, it can have multiple “use cases” (in the language of the industry), as the emotional and mental challenges among cybersecurity professionals mount alongside the increasingly expanding threat landscape.

To be sure, a cyber security incident is all-consuming for those in the field. The long hours accumulate rapidly, and the pressure to contain the damage, restore operations, and understand the scope of the compromise is suffocating. But even day-to-day cyber operations can take a toll on the professionals manning the ramparts. Attacks are constant, come from just about anywhere, and the pressure is ceaseless. The good guys have to be perfect; bad actors only have to be right once. Limited budgets, a dearth of experienced cyber security professionals, and the need to be expert in all things IT AND security combine to create an environment characterized by constant pressure and intensity, not exactly a recipe for quality mental health.

Why is cybersecurity different?

A sales professional at the end of a quarter, an accountant in the middle of tax season, or a software engineer squeezing in THE feature at the end of a sprint on which a multi-million-dollar account depends may read this and say, yeah, so what? Pressure and stress are part of life in the corporate world, so why is cybersecurity special?

It’s a good question, and the answer is multi-dimensional. First, cybersecurity professionals need to know cybersecurity, a reality that, in and of itself, shouldn’t surprise anyone. But to secure enterprise IT systems and, more importantly, the data they house, the cybersecurity pro needs to know not only cybersecurity, but the systems they’re protecting. So, in a very real sense, all cybersecurity practitioners are IT systems pros first. Much like all neuro-surgeons, brain surgeons, or vascular surgeons have to be proficient in general surgery before specializing, cybersecurity team members have to understand IT systems first, whether they actually started in IT or learn as they go.

Second, cybersecurity is a 24/7/365 mission. There are no vacations or slow periods when it comes to cyber attacks. Indeed, the bad guys tend to exploit holidays and otherwise quiet periods for precisely that reason: it’s difficult not to let one’s guard down when everyone is enjoying Thanksgiving dinner or watching the Super Bowl. Every cybersecurity professional isn’t working 24/7/365, but the mission never takes a break. The accountants we mentioned previously will work around the clock in April, but there will be slow periods of rest and recovery during the year as well. The end of the quarter will always mean long, stressful hours for sales pros, but the stress lessens substantially early in the new quarter. The cyber criminal community, however, doesn’t have any shared holidays, so the job of the cybersecurity team is never completed, never over, and there are never any victory parades.

Finally, if you’re a cybersecurity practitioner, you can’t win. You can only lose. Our marketing guy recently wrote a blog about this reality, analogizing the role of a cybersecurity practitioner to a closer in baseball. We all work because we need to pay the bills, but we strive to be successful at work not only for financial rewards, but also for our own personal satisfaction. As humans, it’s important that our peers see us as valuable, competent, and successful. Mazlov called this one of the “higher” needs, esteem. It’s human nature to need a pat on the back now and then, to feel like you’ve accomplished something of significance that’s valued…to be appreciated. Yet in the world of cybersecurity, those in the trenches are recognized only when something goes wrong, the one out of 10,000 times the bad guys are right and the good guys wrong. That kind of all-risk-no-reward position can take its toll on those who’ve chosen it, especially over time, and it takes a special kind of mental toughness to operate in that environment for years without suffering, at a minimum, burn-out, and in the extreme, some form of PTSD or stress-related affliction.

What can be done?

Unfortunately, this isn’t a problem that can be fixed with weekly yoga classes, ping pong tournaments, or even allowing dogs in the office. It starts with senior leadership and their perception of cybersecurity as only a necessary-evil cost center. Who gets fired after a serious breach? The CEO and BoD for not properly funding and staffing cybersecurity or for infusing the organization with a holistic appreciation for its importance? Perhaps, but not often. A rare example is Amy Pascal of Sony, who was fired after the infamous Sony breach, but less for lack of attention to cyber security and more for racist comments made public from compromised personal emails. She may have been fired in the aftermath of the breach, but certainly not because it happened on her watch.

Much more commonly, it’s the CISO and senior cybersecurity professionals that serve as the CEO’s scapegoat in the event of a major breach. Yet, it’s voluntary resignations that are primarily responsible for CISOs holding the lowest average tenure figure among C-suite executives, lasting just 26 months compared to 5.3 years for their C-level counterparts. In professional sports, the best-run and perennially successful franchises are nearly always those with stability in senior management and, most importantly, the coaching staff. It’s mentally draining for athletes to adapt to new coaching (and their new systems and philosophies) year in and year out. Why would it be any different for cybersecurity professionals?

In a perfect world, the cybersecurity team would be viewed by the enterprise much the way the US military is viewed by much of the US population, not as an overhead burden or cost sink, but as a dedicated group of highly skilled professionals working around the clock to defend the enterprise from the many cyber enemies seeking to harm it. The opposite, however, is most often the case. Cybersecurity is a burden. It’s expensive. It doesn’t contribute directly to top-line revenue, but rather is seen as creating obstacles to productivity. Its seemingly arbitrary rules, endless warnings, and incessant procedures remind the rank and file of airport security: gratuitous theater.

So, to “end the cycle of cybersecurity PTSD,” this perception of cybersecurity and its reputation has to change, and there’s only one way that happens: executive leadership has to change the culture, and a good place to start is with, well…executive leadership.

This is not to suggest it’s easy to do. As we’ve discussed here, the cybersecurity team is under constant pressure, but so is senior leadership, especially in this new era of belt-tightening and difficult market conditions in most industries. But, this is precisely the time to do so. What kind of message would it send about the importance of cybersecurity if, amid staff and budget reductions, the cybersecurity team is either spared or even expanded? How about leading quarterly all-hands meetings with a summary of the security team’s accomplishments, underscored by the CEO’s declaration that no group in the organization can be successful if the entire enterprise isn’t secure? Instead of forcing employees to sit through automated, mind-numbing phishing presentations followed by condescending quizzes every six months, the security team briefs each group in the company on cybersecurity threats and WHY security procedures are important and implemented in the first place.

Put another way: treat cybersecurity professionals and all employees like the adults they are. In the context of billion-dollar corporate budgets, it costs very little. The return on investment in a foundational culture change might be hard to measure in dollars, but will be consequential in the long run.