I immediately decided that I would ignore this as it wasn’t my field of expertise and write something on a mainstream security topic. But, then I thought again and decided that this was all too common a reaction when faced with risks and issues related to mental health.
I started to think about the various roles within the cyber security field and how they related to mental health issues. We’re all aware of the huge shortage of suitably qualified - let alone experienced - practitioners in cyber security. Together with the prevailing narrative that cyber defence is a never-ending battle, against an opponent who holds many of the success cards and that the chances of a strategic breakthrough against the bad actors are relatively slim, we might think that the result would be increased stress levels, the need to work long hours and a work / life imbalance.
There is often a mismatch between the level of understanding that information is the major asset of most organisations and the budget allocated to properly protect it from the threats to its integrity, confidentiality and availability. This manifests itself at the CISO level when trying to ensure that their accountability for protecting the organisation’s information is within their compass.
While researching this thought, I came across a report commissioned by Nominet in 2019 entitled Life Inside the Perimeter: Understanding the Modern CISO. It is based on interviews with 408 CISOs globally. Amongst many other things, over 90% stated that they suffered moderate or high stress levels, a quarter of those interviewed stated that they suffered physical and/or mental health issues due to stress - with nearly 20% admitting to using alcohol or medication to help and over 50% stating that they fail to switch off from work.
What are the reasons underpinning this situation? They are many and various, but this report pinpoints two - the difficulty (perhaps impossibility) of balancing cyber security resource against the inevitability of breach and the continuing lack of understanding at board level of the reality of battling cyber risk, which leads to very high levels of job insecurity amongst CISOs.
This is a gloomy picture and the same factors, perhaps in a lesser form, weigh on all cyber security professionals. I do not know what the solution is - but suggest that it’s imperative that we start to find ways of making the roles of the cyber security professionals - at all levels - less stressful. I commend the report to you.