Are cybersecurity professionals OK?
Once the adrenaline wears off after a cyberattack, the feeling that can wash over cybersecurity professionals is best described by Jackson Browne’s 1977 hit “The Load Out.”
A 32-second long earnest piano ballad precedes a crooning Browne, who goes on to sing a tribute to his roadies and fans: “Now the seats are all empty/ Let the roadies take the stage/ Pack it up and tear it down.”
For Allan Liska, threat intelligence analyst at Recorded Future, it's the perfect description for the aftermath of a security incident.
“Suddenly, the incident response teams are gone, the lawyers are gone, the insurance company’s gone, and now you have to put your network back together and rebuild security,” Liska said.
The highs and lows of incident response and recovery manifest a gloomy state of mind for many cybersecurity professionals. Finding an outlet, space and time to unwind is critical.
“You need to have that separation or this job will kill you, literally kill you,” Liska said.
To release tension and break away from the often chaotic work of cybersecurity, defenders have to get creative, and exhibit practice and intention. One of Liska’s outlets of choice — writing comic books — allows him to create characters that get to punish ransomware criminals.
Cybersecurity work is stressful and an extremely nerve-wracking way to make a living. Alerts flagging potentially malicious attacks are constant and they have to be taken seriously because every defender reluctantly knows attacks will happen, it’s just a matter of when.
On top of all of that, consider the insider’s perspective and insight they have into the personal threats criminals will make to extract a ransom payment from their victims. There is no honor among thieves.
Cybersecurity Dive spoke with more than a dozen security experts about the personal tolls of their job and simply asked: Are you OK? Some laughed nervously, others were momentarily taken aback by the question, and a few hinted at burnout, but the first response for each of them was, unequivocally, yes.
“My therapy session starts now,” quipped Stephanie Carruthers, chief people hacker and global head of cyber range at IBM Security X-Force.
Defenders who are doing well at work and in their personal lives have to recognize behaviors and circumstances that can throw them off course. Working all the time without breaks or meaningful distractions from the torrent of malicious activity is a surefire way to burn out, or at least undercut the ability to perform at a high level.
“You need to have that separation or this job will kill you, literally kill you.”
Allan Liska
Threat intelligence analyst at Recorded Future
“If it’s always on my mind, I’m never going to have that fresh thought,” said John Dwyer, director of security research at Binary Defense.
“As much of a science cybersecurity is, a lot of it is an art and usually your best ideas come to you whenever you’re thinking about different things,” Dwyer said. “Being the best that I can be means that I’ve got to take care of myself, too.”
Coping mechanisms
Damage control is a two-way street — on the job and away from work. Many people are attracted to cybersecurity because of its mission, yet the job can be stressful and all-encompassing.
Huntress CEO Kyle Hanslovan said he almost burned out seven years into running the company he co-founded in 2015. Early signs of fatigue, which threatened to hinder the type of difference Hanslovan hoped to make, motivated him to turn things around.
“I don't know much in regards to psychology, but as somebody who regularly does personal therapy, it turns out for all of the negativity that you can focus on, there is just as much ample opportunity for that dopamine hit when you're doing good,” Hanslovan said.
“I’d rather that I see the bad, such that my daughter doesn’t have to."
CJ Moses
Amazon CISO
“Look at me now,” he said during an interview in San Francisco’s Yerba Buena Gardens during the RSA Conference in May. “I’m not wearing a jacket, I’m wearing some Chuck Taylors, I’m out here having a good time and I’m going to hang at this trade show with my friends.”
Some people find meaning and the strength to absorb cyber-fueled tragedies in deeply personal ways.
“I’d rather that I see the bad, such that my daughter doesn’t have to,” Amazon CISO CJ Moses said.
“It’s one of those, take the bad out of the world as much as you can for those that you care about the most,” Moses said.
A career, at a cost
While many people in the security industry acknowledge the stresses of cyberdefense, detriments to wellbeing continue to cause havoc on mental and physical health, Forrester analysts said in an April report.
Burnout is preventing people from entering the industry and causing critical talent to leave for other professions, the report found.
Many CISOs told Forrester everything was a battle, and the human costs were so significant they decided to not just leave the job but leave the field entirely to reclaim some balance in their lives.
“It’s a really tough role and things like meditation apps aren’t really going to help with that,” said Jess Burn, principal analyst at Forrester.
For people on the front lines, fatigue and stress are rampant. More than 4 in 5 cybersecurity professionals are experiencing burnout, pentesting platform provider Hack the Box found in a June report.
“Many cyber pros are considering leaving their position or the industry altogether if their roles are impacting their personal lives too much,” Hack The Box CEO Haris Pylarinos said.
With cybercrime surging, business leaders need to address burnout now before it snowballs into a bigger issue, Pylarinos said.
“The reason we got into this is to do away with all the evil that’s happening out there."
Michael Sikorski
Unit 42 CTO and VP
The job is especially difficult for people fighting a five-alarm fire every day. For incident responders, the calls for help come often and at unseemly times.
“We always joke, Friday you’re going to get a call. And it happens,” said Sam Rubin, global head of operations at Palo Alto Network’s incident response firm Unit 42.
Rubin said he worries about burnout on his team more than himself personally. He tries to structure work, expectations and resources in a way that provides practitioners important downtime. “But, it’s still hard,” Rubin said.
Unit 42 CTO and VP Michael Sikorski takes comfort in surrounding himself with people that are trying to fight the good fight.
“The reason we got into this is to do away with all the evil that’s happening out there,” Sikorski said. “The type of people who tend to gravitate to this, they want to be in the trenches.”
Hardship is relative
The psychologically taxing impact of cyberattacks cuts deep. More than 2 in 3 incident responders have experienced stress or anxiety in their daily lives and sought mental health assistance as a result of responding to cybersecurity incidents, IBM Security found in a 2022 report.
“I often say that my worst day here is better than my brothers and sisters back home."
Karim Toubba
LastPass CEO
Some executives maintain the right balance with a reflective perspective.
“I have a small superpower in that I’m an immigrant,” LastPass CEO Karim Toubba said, who came to the U.S. from Aleppo, Syria when he was nine years old.
“I often say that my worst day here is better than my brothers and sisters back home,” Toubba said.
Toubba said his tendency to take hardships in stride helped him a lot personally last year as LastPass recovered from a cyberattack that exposed a cloud-based backup of the password manager’s entire customer vault database.
“Balance is something that was elusive for years,” Toubba said. “I think I’m much better at it now.”
John Hultquist, like many cybersecurity professionals, has a background in the military that’s served him well as chief analyst at Mandiant Intelligence.
“I remember being in a truck full of cab scouts driving around Baghdad. We expected that we were going to get hit with a [roadside bomb] any day, and the only way you could get through it is you had to laugh it off,” Hultquist said.
“You have to try to not take yourself too seriously.”