This week, President Biden warned businesses to be wary of potential cyberattacks from Russia, recommending companies increase their cybersecurity defenses. That means more work and higher stakes for the technicians and experts tasked with creating and maintaining those defenses.
There are hundreds of thousands of vacancies in the cybersecurity sector right now, meaning those already working often end up taking on more duties, burning out and ultimately leaving the field.
I talked about this with Lesley Carhart, an incident responder with the industrial cybersecurity company Dragos. The following is an edited transcript of our conversation.
Warning: This interview touches on substance use disorder and suicide.
Lesley Carhart: There is a lot of burnout, especially in the people who respond to cybersecurity incidents because it’s constant crisis management. We don’t necessarily have the tools to cope with being under that constant pressure and stress of dealing with triage and crises. Now we’ve gotten to the point where there might be escalation of geopolitical situations or war, due to cyber events. So there’s this constant level of stress, and that’s just not a sustainable thing for human beings.
Kimberly Adams: How does that manifest? What does burnout look like among cybersecurity professionals?
Carhart: So there’s the mental impacts of burnout, which could be things like depression, loss of interest, loss of focus, inability to sleep and just acting in a different way than you normally act. That’s what stress and adrenaline do to human beings. You definitely see that in the people around you in cybersecurity right now. People are changing their behaviors and getting sick, in some cases.
Adams: What sorts of coping mechanisms are people turning to?
Carhart: Well, there’s healthy coping mechanisms. And there has been, to be fair, a great effort among, especially senior people in cybersecurity, to bring attention to burnout and to stress and coping with it. But at the same time, for a long time in cybersecurity there’s been a heavy reliance in the hacking and cybersecurity communities on things like substance abuse as a coping mechanism. Alcohol is super prevalent in the cybersecurity social landscape, not just social drinking, to have a drink with your colleagues. But this is something that’s kind of endorsed as a means to deal with perpetual stress.
Adams: What are the stakes when it comes to whether or not these issues are addressed?
Carhart: Well, we’re already running with less people than we need in cybersecurity, and there’s a multitude of causes for that. Some of that is pipeline. But when you’re already lacking enough trained professionals to deal with the problem, having them leave the field to seek other careers, or get sick, or even worse; We’ve had problems with suicide in cybersecurity, unfortunately. That’s a big loss to humankind, and also to our field and our ability to do our job as cybersecurity professionals. So, burnout is very concerning, and that’s why people seem to be addressing it more and more in in a professional context, but there’s a long way to go.
Adams: How do you deal with the pressure?
Carhart: I’ve tried to focus on healthy coping tactics myself, I do martial arts and yoga, I spend time with family. And most importantly, I’ve learned coping techniques like understanding when I have to step away. So recognizing when I’m hungry, or lonely, or tired, things like that. And then understanding that I need to ask for help, or I need to take a break.
Adams: I imagine that’s particularly hard because this is an industry where it’s really hard to take a break. The attacks are just constant.
Carhart: Yeah, but I’ve heard this — it really struck me, I’ve heard this from emergency medicine professionals, that even if the patient is potentially going to die, if you’re going to die too, or become so ill that you can no longer function, it’s going to be a worse situation. And that’s a hard thing — I can’t imagine being a doctor and having to get my mind around that in a triage situation. But there’s a point where if you’re going to die or get incredibly sick or no longer be able to perform in a way that’s functional and good, that you’re going to be a burden to what you’re trying to accomplish or a loss to your field and what you’re trying to accomplish. So you have to understand there’s a point where you can’t function anymore in a crisis.
Adams: What needs to happen to improve this in the cybersecurity industry?
Carhart: Senior leadership needs to take cybersecurity and all crisis management and disaster recovery professions burnout seriously. And that means providing mental health resources and encouraging good healthy stress management behaviors, practicing those things themselves and setting a good example. It means making sure that those resources are available to their people. It means recognizing the signs of burnout in their employees and their direct reports. All those things are really crucial right now because, again, we need the talent and more so, we should care about the human beings around us, and their wellness and their ability to keep being part of society.
Related Links: More insight from Kimberly Adams
Earlier this month, my colleague Meghan McCarty Carino reported on understaffing in cybersecurity. She highlights that the need for cybersecurity professionals increased by 30% last year, leaving about “400,000 open cybersecurity jobs in the U.S.”
We’re also linking to a 2019 Nominet Cyber Security report, which looks at how cybersecurity professionals in the U.S. and in the U.K. cope with work-related mental health issues. According to the report, 17% of chief information security officers said they are either using medications or alcohol to cope with stress, while 27% said they turned to reading, podcasts, radio or TV.
If you’re in the cybersecurity field and any of this sounds familiar, the group Mental Health Hackers provides support services. Information security professionals, many of whom have dealt with their own mental health concerns, use the site to try to connect with and help others in this intense business.