The Progress Report

From burnout to balance: Supporting the mental health of cybersecurity professionals

Episode Summary

Cybersecurity professionals are burning out faster than frontline healthcare professionals¹, signaling a mental health issue in the tech industry. With the constant threat of cyberattacks, Chief Information Security Officers (CISOs) and their teams must be on-call 24/7. To address this, cybersecurity professionals need strong mental resilience, well-tested plans, and effective stress management strategies. Organizations like Cybermindz.org are raising awareness about cybersecurity mental health and providing resources to help professionals recognize burnout signs. Join our experts as they explore potential solutions to improve mental health support for cybersecurity teams, including the potential role of innovative technologies like AI-powered simulations.

1. https://cybermindz.org/

Episode Transcription

Sarah B. Nelson 00:01

Hello, and welcome to The Progress Report. I'm your host, Sarah B. Nelson, I'm the Chief Design Officer for Kyndryl Vital, and I'm really excited about our conversation today. We're going to spend some time today discussing what are the realities of being a cybersecurity professional. Cyber incidents are not just a threat to data and systems, but they can also have a profound psychological impact on the human beings that are tasked with defending against those attacks. And we have some fantastic guests with us. We have Peter Coroneos, who is a cybersecurity leader and the Founder of Cybermindz.org, which is an international not-for-profit organization that empowers and restores some of these embattled cyber teams with scalable and evidence-based mental health support. And we have Ollie Pettit, who is the Senior Manager for Cyber Monitoring and Defense at AGL. He's an expert in protective risk management across a number of different disciplines, like cyber security, business continuity, crisis management, and IT disaster recovery. And then we have E-Yang Tang, who is Vice President of Security, Resiliency, and Network at Kyndryl, and he was a police officer in Singapore, and then has been able to translate that commitment to law enforcement into cybersecurity. So welcome Ollie, Peter, and E-Yang.

 

Peter Coroneos 01:21

Hello.

 

Oliver Pettit 01:22

Glad to be here.

 

E-Yang Tang 01:23

Thanks, Sarah, good to be here.

 

Sarah B. Nelson 01:24

We're gonna dive right in. I'm gonna start with you, Peter. I'm curious about the silent struggle that happens a lot with CISOs and their team. I mean, we think of healthcare frontline professionals as burning out, but cyber security professionals burn out faster. So, if you could talk a little bit about that silent struggle.

 

Peter Coroneos 01:45

Yeah, it was really interesting. We have been tracking mental health in cybersecurity now for two years as part of a dedicated research program that we're running in Australia, which we're extending out to the US and UK. And one thing that came through quite strongly was, in fact, around one of the three major metrics of burnout. Our numbers are showing that cybersecurity teams are indeed burning out at a faster rate than frontline healthcare workers. We were kind of surprised, but actually kind of not surprised, when we dug into the reasons why burnout was so prevalent and increasing as well, particularly within the leadership, but even in their team.

 

Sarah B. Nelson 02:28

What are some of the causes you see of high stress levels?

 

Peter Coroneos 02:33

You know, a lot of professions are burning out. So we're not arguing it's unique to cybersecurity, but having said that, we've identified at least 15 factors. Obviously, the effect of the pandemic raised the risk posture of a lot of organizations because of the remote workforce trying to manage people outside of the traditional corporate perimeter. Obviously the escalation in the attack frequency, tempo and even the sophistication, and the increased geopolitical tensions. And another thing I think we're seeing more governments that are beginning to regulate more, and they're doing it, obviously, to try and get boards to take the cyber threat seriously. But I do think there's a negative, unintended consequence that the more governments regulate, the more that pressure moves downward on the cyber teams and the CISOs. So I think that when all those factors come to bear, and there are others I didn't get to but there will be more. I mean, that's a very, very pernicious environment in which to be operating.

 

Sarah B. Nelson 03:35

It is quite a list of all different kinds of factors. Ollie, I'm curious about your personal experience as a security professional.

 

Oliver Pettit 03:45

Yeah, absolutely. I mean, just touching a couple of points that Peter made. You know, we've had some of the largest breaches in Australia in the recent years, and there's always that ongoing fear that we don't want to be next. What do we need to do? So you're always on standby waiting for that. The last thing any organization wants to do is have their name printed in the media to say they had a cyber breach. So you're always on that protective journey. In addition to that, you know, people forget. People have their BAU jobs as well. So be it projects, the pressures of those projects, the OpEx and CapEx budgets, the normal reporting above and beyond a cyber breach as well. Because things have to tick along. In addition to that, you know, CISOs have to keep their staff healthy as well as themselves, which is just another thing they need to consider. I think everybody knows there's quite a big churn in the cyber industry as well. So constantly trying to make sure your staff are happy, but when they do leave, you've got to replace them, and then you've got to nurture that new individual into the organization. It's just another thing to add to your pressure.

 

Sarah B. Nelson 04:49

E-Yang, you bring this background in law enforcement into this too. And I'm curious where some of those overlaps or not overlaps in terms of resilience. Mental resilience that you see and patterns and things.

 

E-Yang Tang 05:04

Yeah, there's definitely an overlap and a lot of similarities in terms of mental health. It's very similar to the likes of having a physical event, as in, for example, a terrorist attack, or breaking up a smuggling ring. There's always this clear and present danger or something that you're expecting to happen, and it creates the level of anxiety. And it's okay to have anxiety, it's just the human nature and human response, but when it goes chronic like these overwhelming things that are coming through, and you never know when the end is coming, that's where the problem comes in. That's why you see CISOs or security professionals leaving the industry. The pressure is far too much. And there's even talks of mental health that's leading to self harm and as well as even, dare I say, the end of life event, right? So, we don't want that to happen as well. And the industry is rallying around the security professionals. And there are certain initiatives that have kicked off. One of it is, obviously what Gartner has predicted, is the CISO is now taken into account of any kind of liabilities. But then again, they are extending the insurance scope of any kind of cyber breach from the board into the CISO, so it kind of gives them a bit of coverage. Still, would that be enough?

 

Sarah B. Nelson 06:31

Kind of going back to the very first question I had where we talked about the silent struggle. And what occurs to me is that a lot of times when you talk about trauma, there's often an association with a physical battlefield. I mean, I think as a police officer, you're in some kind of clearly high physically dangerous area. But I imagine that cybersecurity professionals, like all of us in tech, we're sitting behind computers. It seems like the trauma might be something that people might not get a social support from in the same way they would if they came back from a battlefield.

 

Peter Coroneos 07:06

So there are actually sort of two dimensions to the question you've just asked. One is, is there anything unique about cybersecurity in terms of working in a virtual threat environment? And the other is this question of isolation and historical reticence to show vulnerability and the stigma around that. In a virtual threat environment, there is no cue to signal that the danger has passed. So as a result, we end up in limbic system hyper-activation, where the limbic system remains locked on and there is no signal to the neurology and to the brain to say that you are safe. And so it's that pernicious long term effect of systems remaining in hyper activation and high cortisol levels, which start to impact on your memory. They actually start to degrade your brain cells, so you start to see destruction of the hippocampus, which then is a precursor to depression. But I think cyber does have this additional dimension of the attackers are unseen. And I think it's that sort of combination of the virtual dimension of this which really takes us to another place beyond anything that we've seen before. 

 

Oliver Pettit 08:23

Absolutely. I'll just add to that as well. I've had some of my team say to me, "Well, if I make a mistake and we get breached, that's my cyber career over." And then they start saying, "You know, that's going to impact my mortgage, my family, you know, my life. I might not ever work again in the field that I love." So it's that constant pressure as well that just overlays everything else going on.

 

Sarah B. Nelson 08:48

So we've got the soup now of human experiences. What is the impact long term on new organizations?

 

E-Yang Tang 08:57

Right now, from the board level, they are seeing that there's a lot of burnout and there's a lot of attention in industry, and cyber being prevalent everywhere. And 10-15 years ago, when I tried to pitch to the board about cybersecurity, some of them would just brush me off. But it's a different group of boards now that are sitting on top of organizations. They are acutely aware about the threats and the risks that is coming through into the organizations, and they'll soon recognize that, you know, we need to do something. One of the things that I think they would be doing is probably help with CISO or security professionals to deal with the stress, provide the insurance for the CISO in terms of the obligations of the organization, or in a way that technology, and lean towards technology to help the security professional and the CISO out. So that's what I think will happen. And obviously everyone is understanding about AI now, and maybe potentially using AI to help the CISO and the security professional out.

 

Sarah B. Nelson 10:01

We're going to get to that in a little bit, so hold on to that thought. Ollie, anything else that you would add to that about long term effects on the organizations?

 

Oliver Pettit 10:13

I think the board and CIOs need to acknowledge the pressures that are going on and provide that additional support, be it helping the CISO engage with teams, understanding what the undertaking is there, and potentially using technology as well to sort of build up that muscle memory and strength to deal with strenuous situations. I think they're slowly getting there. I don't think they're fully there yet. You know, if you think about how they know what's going on in an organization, they'll get a nice report presented by the CISO and then it's been pulled together over a couple of weeks, the lay of the land. But those reports never really talk about the health of the team. I've never seen a paper that talks about that.

 

Peter Coroneos 10:55

I agree with that, Ollie. I mean, it's a big challenge that we're facing. I hate to have to rely on, you know, corporate self interest or board self preservation as the actual driver here, but the truth of the matter is that you do get a lot of lack of empathy from boards around the human factors, because our programs are seen as just another wellness initiative. We really need to start changing the conversation. This isn't just another wellness program. This is about risk reduction. We've worked with teams that have been through major breaches. One case in particular, the CISO lost 6 out of 10 of his cyber team resigned. Their trauma was not supported through the breach, and so as a result, they left the organization. They're probably still carrying that trauma until they can get some help. I think it's really important that we understand that the trauma that is implicit in a breach situation, and ideally, you want to be in there giving them trauma support while the breach is going down, and definitely post-breach to bring them back into restoration, because it's a cost to the organization. You will not replace these people easily. But beyond that, there's a duty of care here. And I think for us, prevention is always going to be a much more preferable route. A happy, effective, efficient cyber team is better for everyone. It's better for the organization. It's better for the customers. And investment in this area is really an investment in all of those different dimensions.

 

Sarah B. Nelson 12:35

Yeah. I mean, it's interesting, because that's part of what I was thinking about, it is emotional intelligence. As an executive, are you able to have enough awareness of your own experiences? Because, we all work in tech. It's not like this is like emotion central. So, I feel like you're starting probably at a disadvantage, even within the industry to start.

 

Oliver Pettit 12:59

One thing I've been thinking about is, do people realize that they're on this journey of going down that depression route, or under this huge stress? I feel a lot of the times, people wake up one day and it's just hit them like a truck.

 

Peter Coroneos 13:14

Sometimes, burnout in particular can hit you very fast. Emotional depletion, if you feel like you're just drained. You've got nothing left to give yourself, even not much less the people around you like your family and your team members. That's a red flag. Another one is you're starting to question the point of any of this. We're fighting a losing battle. We can't see the impacts of our daily efforts, because you just never know when you're winning. A loss of self efficacy, the way that you perceive your own effectiveness in the job. You could call it self doubt. That's a red flag, because that is one of those three metrics, that's the one that predicts resignation intent. The good news is that all these things are reversible, and I think it's important that we leave people with hope. Yes, be aware of the stresses, but also know that there are ways that we can actually build resilience and even retrofit resilience back into individuals and teams. And I think that's really what we should be focusing on as an industry.

 

Oliver Pettit 14:19

Providing some sort of framework structure for people to recognize that they're already vulnerable or they're on that path, I think would be hugely beneficial, and it could be through technology to do that as well. I think that's hugely important, because you know, once you wake up on that morning, you're on a completely different journey. You're now in that recovery aspect.

 

Sarah B. Nelson 14:41

I'm wondering, was there a role for technology to play in this as well? E-Yang, you mentioned AI.

 

E-Yang Tang 14:50

What I've researched is how can then any kind of platforms, technology platforms such as AI, help out with anxiety so that the security professionals such as the CISO would be able to weather the storm. Create a bit of resiliency. So I thought about using a virtual reality platform, putting the security professionals through that realism of a breach, albeit as a virtual reality scenario, practicing those decisions that are made, practicing the responses, practicing the efficiency of the responses and the effectiveness of the responses does actually help prepare the security professional going into battle. So the anxiety of feeling impending doom wouldn't be as heightened because you're already prepared for it. 

 

Oliver Pettit 15:45

Yeah, I'll add to that as well. So I think having a sort of a VR environment which puts the CISO or the team in a position where it enables them to do that critical thinking, assess different situations and respond to it, enabling them to eventually make those informed decisions during an incident can absolutely desensitize over time. Using virtual reality so you can have umpteen million different scenarios for them to respond to. And it doesn't just have to be cyber related. It could be completely different topics, but enabling them to build that resilience capability, be it in life or cybersecurity.

 

E-Yang Tang 16:22

So you basically can imagine, I mean, Oliver is in the energy sector, right? As with AI, obviously, they run through large language models, and then when they gather the data together, they'll be able to find out what are the actual threats that are targeted towards the energy sector. So, Ollie's team can go through that virtual reality simulation, putting his team into a pressure cooker environment as a simulation, and running through practicing different techniques. And this will then sharpen them. When the actual breach comes, it will be second nature. 

 

Peter Coroneos 16:55

As with all technology, there are going to be pros and cons. I think the advantages that it can give you a sense of habituation or exposure therapy, which means that you're gradually reducing the ability, as E-Yang said, to initiate the same anxiety or fear response. The one caution I would have to say, and this is true of a lot of AI, desensitization, while it might actually reduce the emotional response, doesn't necessarily mean that the individuals develop the capacity to cope with future stressors in a healthy way. And so we've got to be careful that sometimes desensitization can lead to an emotional numbness or avoidance, rather than adaptive form of coping. We need to iterate through the way that we're going to be using this AI to make sure that we are getting the benefits of it, but not actually putting people in a position where they lose the ability to feel.

 

Sarah B. Nelson 17:53

So thinking about it, how are some ways that we can really give hope to people who are kind of in the middle of this themselves? What kind of advice would you all give to CISOs and people in the teams themselves that are struggling with their mental health?

 

Oliver Pettit 18:08

For CISOs, they need to be able to have that fairly open relationship with their deputy CISOs to say, "I'm struggling this week. I need your support." And the problem is human nature. None of us want to admit that we're struggling, but in the industry we're in, we have to be able to have that conversation with confidence and know that we've got the support of the people around us. Often CISOs are at the top of the tower, if you like, so they don't feel they can engage with the people below them. I think that needs to change, because they won't go up to the board, for example, to say, "I'm struggling." But they can use their team to support them.

 

E-Yang Tang 18:45

Yeah, I agree. Transparency is key. I mean, in a stressful environment. And I have been obviously a security professional for quite a long while, and I've noticed that there's different cultures in organizations where security is always an ivory tower, but that is slowly changing, right? It's security through transparency. We're no longer essentially the enforcing power of saying, "You have to do this." But rather, "Where do you need to get to? Let me help you get there in a safe way." So, security is everyone's game. Humans are the weakest link for security. So it's like one of those things is to enable everyone to understand where security is across the organization. So not only to provide the security team or the CISO with some coverage and understanding, but also making all of us understand that we are the weakest link and how we can help the organization be more secure and improve the security posture. The threats are going to be there. Geopolitical turmoil is going to be there. And to be honest, it's not letting up at all. So how do we address it? It's through transparency.

 

Peter Coroneos 19:56

Yeah, I agree with E-Yang and Ollie on that point. I think in cybersecurity, vulnerability is generally a dirty word. I did a session two days ago with a university CISO and her team, and we spent the first third of the session just whiteboarding all the different stressors that people were feeling. We got it all out there, and she was great, because as the leader, she led with some of our own vulnerabilities, and I think that then gives permission to the team that we really have to start normalizing the conversation, that there is no stigma around showing we're humans first. We're cyber security professionals second. This is what I think true leadership is in the 21st century. It's not the, "Suck it up. Don't show vulnerability. Shut down your emotions. Deny." Emotional intelligence turns out to be one of the key success indicators in leadership these days. Being sensitive and self-aware to your own emotional state and then to be able to communicate that and create a psychologically safe workplace where people can come out and say, "Well, I'm having an off day today. I need some help." Teams that invest in dedicated, peer-informed cybersecurity mental health interventions will reduce their staff turnover due to burnout by 50% by 2027. So this really is good business as well as protecting the organization that actually makes good financial sense. This is about being the most effective you can be, and if you are, you're going to be happier, your family's going to be happier, and you're going to have a safer organization.

 

Sarah B. Nelson 21:36

Well, we covered a lot of ground today in this episode, and if you're like me, you're probably thinking about going back and listening to this and really digging in a little more deeply to it. So we've compiled some of the resources that we discussed into some show notes, so that you can go back and get those as well. This has been a really powerful conversation with all of you today. I could stay here for hours. There's so much rich information that I think can be used by people immediately, and I really appreciate all of your expertise. Peter, E-Yang, and Ollie, thank you so much.

 

Peter Coroneos 22:13

Thank you, it's been great talking. 

 

Oliver Pettit 22:15

Absolute pleasure.

 

Sarah B. Nelson 22:18

Thank you so much for joining us today. And if you enjoyed this episode, please share it with your friends and with your colleagues. They ca