“While most security professionals are passionate about what they do and thrive well under bouts of pressure, it is important to recognise when this healthy and positive stress becomes unhealthy and detrimental to performance and wellbeing, and where people are working remotely, as many are, it can be really difficult to spot because of a lack of support and communication,” says Ian Glover, president of CREST. “The problem can sometimes be compounded by the rise in complex attacks, long hours spent under a constant ‘state of alert’, the shortage of skills and pressure from senior management and regulators. Reported breaches are a frequent reminder of the business and reputational consequences if mistakes are made or malicious activity is missed.”
Author of the report, David Slade, aPsychotherapist, points to the main stress warning signs to look out for, which include anxiety, lack of confidence, making erratic decisions, irritability, a reduction in concentration, poor time keeping and generally feeling overwhelmed. These factors can lead to bouts of insomnia, a decline in performance, increasing use of drugs or alcohol, over or under eating, taking more sick days, withdrawal, a loss of motivation and actual physical and mental exhaustion.
“As in many high-pressure professions, it is very rare for people in cyber security to seek professional help when feeling stressed or overwhelmed,” says David Slade. “We need to instil a culture of better communication and peer-to peer support as well as encouraging practical measures such as taking regular breaks, exercise and holidays as well as introducing relaxation techniquessuch as mindfulness and having time set aside to discuss individual worries and concerns.”
The CREST report urges businesses and organisations to accept responsibility to ease staff stress levels by creating an organisational culture of openness at all levels and building a flexible environment in which individuals get encouragement, advice and support. This includes access to sources of advice on mental health issues, training tools and workshops, along with stress and burnout self-help videos.With the increasingly acute skills shortage in cyber security, CREST also believes that more automation can play a part in taking the strain off overworked staff, while the use of DevSecOps can help to move from a reactiveapproach to cyber security to a ‘security by design’ model.
“Management’s urgent task is to ensure that the organisation flourishes in a way that serves both the people outside and the people inside with a way of assessing how well the psychological needs of both groups are taken into account,” says Slade. “This would ensure that any change of structure or practice does not impinge on these needs.”
The CREST report was borne out of research conducted among its members and an open Access to Cyber Day that included stress and burnout workshops.“The level of interest and engagement in putting the report together was a clear demonstration of both the growing concern around stress and burnout in the industry, and the willingness to do something about it” adds Ian Glover. “If we want to retain the skills and experience we already have while also encouraging the best new talent into the cyber security industry, we need to recognise the problems and face up to the challenges to create exciting and stimulating careers while providing the right environment and support.”