Source: www.csoonline.com
Addressing the psychic pain suffered by cybersecurity team members during major incidents is crucial for security leaders. Experts recommend several measures that can lessen the psychological strain.
Cybersecurity professionals face significant mental health challenges from their work, and it’s no surprise why. They are responsible for maintaining the digital security of their organizations by protecting critical operations from intrusions, patching vulnerabilities, detecting threats, stopping adversaries, and remediating incidents, often under intense pressure, tight budgets, and crisis-driven deadlines.
A 2022 study by Tines highlights the toll of these demands: 66% of security team members reported experiencing stress at work, with 22% describing their stress levels as severe. The consequences are clear: Nearly two-thirds (64%) of respondents admitted their mental health affects their job performance, while an equal percentage stated that their work negatively impacts their mental well-being.
Cybersecurity workers face the most intense pressure during a significant cybersecurity incident, particularly when their emotional reserves may already be low from dealing with routine stressors.
“There’s this inherent tension that exists in every organization,” Joe Sullivan, CEO of Joe Sullivan Security and former CSO at Cloudflare, Facebook, and Uber, tells CSO. “The security team feels that everybody else is charging in a direction that’s incurring more risk, and those other people don’t bear the downside of the risk as much as the security organization does. That creates some anxiety and stress right out of the gate before you even get to an incident.”
Experts say the trauma of cyber incidents can reduce financial performance through decreased morale and increased attrition. They advise CISOs to advocate for deeper employee assistance programs targeted at cyber workers, which requires selling reluctant HR departments on these initiatives.
They also recommend preparing workers for crises in advance of their occurrence. Finally, experts say it’s vital for CISOs to share concerns for their workers’ emotional welfare across their organizations.
The emotional impact of cyber incidents
The chaos and pressure of dealing with a ransomware attack or other major cybersecurity incident can create psychological trauma for cybersecurity workers and even spread stressful emotions across the entire organization.
Peter Coroneos, former CISO and founder of Cybermindz, a nonprofit that aims to improve cybersecurity worker mental health, tells CSO: “Cyber teams are very committed, and so they will go above and beyond to try and get the breach under control, but in the process, they are potentially being traumatized.”
“We do see trauma,” he says. “We definitely see impacts on sleep and even the home life. You see issues with imposter syndrome and self-efficacy questions surrounding that. And often after a major breach, we see resignations because they never want to encounter a situation like that again.”
The mission-driven nature of cybersecurity compounds the trauma. “Cyber teams are acutely aware of the consequences of failure, and they are also acutely sensitive to this overriding mission they carry and have a very strong ethos around being a protector and a defender,” Coroneos says.
The physical and psychological toll comes from the response apparatus in the brain’s limbic system, which evolved to handle fight-or-flight responses. Under the right conditions, this built-in protective mechanism can leave workers stuck in trauma long after cyber incidents end.
“You get the immediate hypervigilance and the fear and the emotional responses to the situation, which raises your heart rate,” Coroneos says. “Cortisol levels go up. Everything’s switched on. But unfortunately, and particularly in a breach situation, if you don’t know that you’re winning, if you can’t necessarily see visible signs of having got the attacker out of the system, or if you’re fearful that they may still be there despite everything you’ve done, then it’s quite natural for this neurological system to remain locked on.”
This ongoing state of vigilance can create PTSD symptoms that are hard to dislodge, according to Coroneos. “We’ve worked with organizations where [workers] have recurrent nightmares even eighteen months after a breach,” he says.
Mike Hamilton, CISO and founder of Critical Insight and former CISO of Seattle, thinks that SOC workers bear the brunt of the damage “because those are the ones that are supposed to catch the thing before it gets out of control,” he tells CSO. “That’s their whole job. They’re very mission-focused people. In a mission-focused role like that, you take it very personally when there’s a miss.”
CISOs face singular pressures
The fallout from a cyber incident might affect the welfare of the CISO most of all, given the singular pressures these security leaders face. The stress involved has even been shown to lead to increased depression and even substance abuse among CISOs. Compounding the issue is the possibility that cybersecurity leaders could face personal liability for their professional actions, a fact that has soured 70% of CISOs on their role, according to one survey.
“Because of the incident that I went through and my general experience, I’ve talked to a lot of security leaders when they’re in crisis situations,” Sullivan says. (Sullivan, a former federal prosecutor, was charged with obstruction of justice for his handling of data breaches at Uber in 2016 and was ultimately sentenced to three years’ probation — considered by many to be a “watershed moment” for CISOs’ liability risks.)
“The thing I always tell them is that your organization, and you, are going to be judged as much on how you handle crises as you will be judged on how you worked on prevention. In fact, maybe even more,” he says.
CISOs who leave organizations after breaches often experience a deep sense of relief, like a heavy burden has been lifted from them. “And that’s why you see more people stepping out of these roles earlier in their career than I’d like,” Sullivan says. A recent survey found that 24% of CISOs are actively looking at the exit.
Hamilton thinks the blame leveled against CISOs for breaches has diminished over the past several years. “Prior to even the last year or two, the CISO would be afraid of losing his or her job,” Hamilton says, or worse, prosecuted for how they handled situations. But “it’s changing now because the chief of information security is now starting to talk in the language of business, and they’re not a scapegoat or a checkbox anymore.”
Unaddressed mental health issues raise organizational costs
The range of direct and indirect costs to the organization makes the psychological damage of cybersecurity breaches a drag on corporate bottom lines.
“With some of the organizations we’ve worked with, the impacts have been felt organizational-wide, all the way through to call center staff who may even get death threats from disgruntled customers,” Coroneos says. “Then you have the regulator knocking on your door, so you get this massive ripple effect of interacting forces.”
Among the organizational impacts is a loss of morale following cyber incidents. Psychologist Richard Miller, who has developed a protocol for Cybermindz based on a program he designed for the US Army, says that in an attack situation, “if one person goes down, that’s going to decrease the morale amongst all the team members.”
Decreased morale, burnout, and PTSD cause attrition among cybersecurity workers, which can cost organizations dearly when recruiting replacement personnel. “To put it into financial terms, even though that’s not our primary objective, to replace people is expensive,” Coroneos says. “If you fail to support your workers and you end up with a number of them resigning after a breach, it will have a tangible financial cost on the organization.”
And that loss of personnel could become a chronic problem. “It potentially causes a shift in the attractiveness of cybersecurity as a career,” says Coroneos. “We’re concerned that young people are not entering the profession because they see the severity of breaches and the impacts, and it can be a deterrent as well.”
Going beyond mindfulness to build resiliency
Although some organizations try to address overall worker mental health issues through mindfulness and other programs, experts say they need to dig deeper to address the unique issues facing cybersecurity personnel.
“Mindfulness is a wonderful practice,” Miller says. “We’re working at a very deep level with not only how do you not just decrease your stress through mindfulness interventions like breathing, body sensing, stress reduction but also giving skills for dealing with a difficult, challenging emotion or judgment or circumstance and how to build an inner resource of indestructible well-being.”
CISOs must think about building these kinds of emotional resilience reservoirs among their team members well before any actual crises. “There’s an adage from the military that the more you drill, the better you perform in real life,” Sullivan says. “And that clearly is the case in a cybersecurity incident, too. The more repetition we get, the more muscle memory we have and the more coordination we have among all the disparate parties. We need to invest a lot more in preparing for crisis because if we prepare well, we’ll emerge much more successfully.”
Normalize crises to reduce shocks
Normalizing crises could help reduce the emotional shock of a bad cybersecurity incident. “I got this really good advice from the COO of eBay when I was working there,” Sullivan says. “He said, ‘If your job is to respond to crisis situations, you need to build an organization that views it as their job, not as a crisis.’ In short, if your job is to put out fires, build a fire department. Firefighters wake up every day, and they know what their job is. They don’t stress. They go into high-risk situations, but they’re prepared and trained, work in shifts, and have the right equipment. They’re built to respond to fires. We have to build our security organizations to respond to fires.”
Ian Campbell, security operations engineer at DomainTools, spent 10 years as an emergency response dispatcher. He extends the fire department metaphor to underscore the importance of not allowing team members to bottle up their emotions after an incident. Campbell observed that the police department “was very much, ‘this is what happens, get it done, move on to the next.’”
The fire department, on the other hand, “had structures set up ahead of time that were much healthier for people to process incidents,” with many pre- and post-incident discussions on how the firefighters were feeling, Campbell says. “What I realized throughout ten years is that ‘keep it to yourself’ is a harmful attitude. Setting up programs like [the fire department program] ahead of time is crucial.”
The importance of getting HR on board
Although most CISOs readily agree that their organizations would benefit from programs to help their teams deal with the trauma of cybersecurity incidents, funding these initiatives from human resources departments, which typically control the purse strings for employee assistance programs, is often an obstacle.
“We have found that HR doesn’t understand,” Miller says. “They’re thinking that the cyber workers are similar to other workers in their industries, and it’s just not so.”
Hamilton recommends that CISOs lobby the HR departments for funding by highlighting the turnover costs of stress and burnout. “The burnout rate is astronomical for this job,” he says. “So, that would probably be the value proposition to give to HR. This is about retention.”
Sullivan thinks a helpful maneuver is for CISOs to share their burdens across the organization. “Security leaders take the whole weight of security of their organization on their shoulders when the reality is it’s not the security leader who decides in a vacuum. How big is our security budget as an organization? What is our risk prioritization as an organization? How do we communicate about security incidents as an organization? The security leader doesn’t own any of those things.”
“We’re trending in the right direction, but the progress we’ve made is a reflection on the effort of the security leaders in place right now,” says Sullivan. But, “most CEOs, chief legal officers, heads of communication, business leaders in general, have hundreds of stresses that are giving them anxiety every day. Unless the security leader stands up, raises their hand, and says, here’s a corporate level of anxiety that we all need to address together, the rest of the leaders shouldn’t be expected to jump right in.”
Original Post url: https://www.csoonline.com/article/3829440/managing-the-emotional-toll-cybersecurity-incidents-can-take-on-a-team.html
Category & Tags: CSO and CISO, Human Resources, IT Leadership, Security Practices