Matthias
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor with KuppingerCole Analysts. And I have said that many times in recent times that this is a very special episode, but this is a very special episode because it really is not an analyst chat. It's an expert chat. We want to cover a topic which is in cybersecurity, but it is a very specific topic. We want to talk about mental health challenges for professionals in cybersecurity. And as KuppingerCole is an analyst company and not really usually dealing with this kind of topic, but it's still interesting in cybersecurity, I have the pleasure to welcome two external guests for this episode. They will join me and provide the expertise that I'm lacking and I hope I can ask good questions and they will provide the good questions. So I want to welcome Sarb Sembhi and Kashyap Thimmaraju. And I would like to have a quick introduction round with the two of them. And Sarb, maybe you can start first to introduce yourself.
Sarb
Thank you very much. And it's a pleasure to be on and thank you for having us, Matthias. It's a real privilege. My name, as you said, is Sarb, Sarb Sembhi. I am the Chief Technology Officer at Virtually Informed. However, the reason I'm on here is because of one of my other roles, which is as the Chairperson of the Mental Health in Cybersecurity Foundation. This was set up a couple of years ago and Kash will tell you himself when he joined, but it is an organization that works around the world promoting much better mental health, stress and wellbeing in cybersecurity professionals. So we're trying to improve the mental health of cybersecurity professionals. Thank you, Matthias.
Matthias
It sounds really good and also Kashyap, quick introduction from your side.
Kashyap
Yeah, thanks, Matthias, for having me. Like Sarb mentioned, it's an honor and a pleasure to be here. My name is Kashyap Thimmaraju, and I'm the founder of Flow Guard Institute, a research and training company dedicated to the advancement of human performance and mental health in cybersecurity. I'm also a researcher at the TU Berlin in Germany, and I'm also the research group leader at the Mental Health and Cybersecurity Foundation along with Sarb. And I joined the foundation earlier this year and I really align with the values and the purpose of the foundation, which as I've mentioned is to support and promote mental health and cybersecurity, as it's really an important and pressing issue in today's industry.
Matthias
I fully agree, but unfortunately, it's a topic that, if you talk to cybersecurity professionals, at first sight really does not come to their mind immediately. It's often, it's almost every time overlooked. But to start the topic in general, how does the cybersecurity field contribute to mental health challenges for professionals? What does this look like? Where do you see it and where does it really influence people acting in that area negatively?
Sarb
Thank you, Matthias. Basically, when we put together the foundation, it was two years ago. It was as a result of talking about this topic at an event where it was a room full of about 40 CISOs. And we were talking about the fact that we are under pressure as CISOs and the pressure has been increasing on a year by year basis. At the end of the discussion, I suggested that there's a lot of feeling in the room. Would anyone be interested in doing a write-up about what we've been discussing? And two hands went up. So the three of us started to put something together. Then we decided maybe we should sort of collate a lot of the useful information around the topic. And we looked around, there were lots of surveys. And many of these surveys sort of were considered to be incidental because they weren't academic. The people who answered the surveys were people who were professionals and decided to answer. So it could be accused that only those people that have mental health problems were likely to contribute to such surveys. So really, you can't say it's representative of the whole industry. But the three of us, we collated a report which we released last year and you know, in terms of the question you asked, well, you know, do they think about this? We're in a position where over the last few years, all of these different things have been going on, lots of reports saying that this is happening and it's happening more and more every year to such an extent that there are more research reports and a few more academic type research that have been looking into this because it's become far more serious than it ever was. And that's quite significant, whereas once upon a time, it was felt something was going on. Now we're more certain that it's actually happening.
Matthias
But when we talk about the point in time where you are starting that discussion, maybe to you, Kash, has something changed? Why is this happening right now? Is there a change in the way we do cybersecurity?
Kashyap
Yeah, so I think what's sort of been evolving, if you look at the evolution of technology, in fact, it's not just security, right? But it starts with a lot of industries or a lot of companies adopting technology, and technology has evolved so much. So the supply chains for software and hardware are more complex. And as the supply chains for software and hardware get more complex, it introduces risks and these risks bring in security issues and therefore we need to be able to manage, prevent and defend against these risks. And if you look at some of the surveys that we have, there's a huge skills shortage in the industry. People aren't, they don't have the training or the knowledge or the expertise in security. And so a lot of companies who need to think of security and cybersecurity and implement security measures and mechanisms actually lack the human resources. They might also lack financial resources. And these are some of the reasons why we're also experiencing some mental health concerns. I mean, one of the most common ones seems to be stress and burnout. There's, like Sarb mentioned, you know, there've been a lot of non-academic reports of stress and burnout. There's also fatigue, loneliness and depression and so on, anxiety and even cases of suicide. But there's very little academic research on this topic and we have an idea of what the reasons are for these mental health conditions. But I strongly believe there's definitely room for more research over here to better understand why this is happening. I mean, I actually came across a report earlier this year where they studied incident responders in the security industry and they identified that workload is one of the major issues. So like I mentioned, there's the evolution of technology, we're adopting new tech, we have to understand what the dependencies are and so on. That actually has a huge impact because there are few people to handle this workload.
The workload's increasing, the workload's changing, priorities are changing. These are some of the major issues actually that introduce a lot of stress and burnout among incident responders in particular. I hope that answers your question.
Sarb
If I can add to that, I was going to add to that. I think if you look at cybersecurity over the last 20, 25 years I've been in it, you know, in the old days, we used to call it information security. It changed from information security to cybersecurity, cybersecurity to cyber resilience. And the name change actually was important because it increased the responsibilities. So we've gone from pure IT related technology when it was called information security, to now, where it includes everything that sits on the network, whether it's managed by IT or not. Then on top of that, all the other things that Kash has said about the digital transformation type technologies we've had over the years. And we've seen everything from mobile phones to cloud to IoT. But everything's increased in terms of what we have to do in terms of making things secure. But also what's happened over that period of time is there's been more tax, there's been more regulation, more standards, all of these things slowly add to what a CISO or what cybersecurity people have to do. And all of that is, if you look at the total amount of knowledge you needed to know 20 years ago to be in cybersecurity and what you need to know today, it's phenomenal. All of this has had an impact as well as the fact that in America we've seen over the last couple of years that there's been those fines for CISOs and talk of CISOs being legally liable for things going wrong. And again, that contributes to the stress as well. As Kash said, you've got the skill shortage in terms of the people that you want to enable to help you and you're trying to compete for those skills with others, without that top level skill getting any bigger. And at the same time, when people are being stressed, as again, as Kash said, people leave the industry because they're so stressed. They're looking for jobs that are out there not to do with cyber, that are not going to stress them out.
So the most skilled people and the number of skilled people is going down. So it's lots of things. It's not a single thing. And in each organisation it could be a different contribution of each of these different things.
Matthias
Right, and in the end, this really sounds like the opposite of a healthy work-life balance. So really, you are always on alert, you're really working, as you said, really, really stressed. And I think that that's really, the more I think about it, the more clear it becomes that actually, this is also the responsibility of the organization, not only of the professional, to take care of that. Has something happened before you started your research? Do you or can you contribute with your research to lay a foundation for getting better at that?
Kashyap
So let me, I want to start with saying how I actually maybe entered into this field also, because during my research, I experienced... my research, that's during my PhD research, I had my own experiences with, you know, anxiety and stress and handling changing priorities and huge workloads and so on. And then I had my own sort of journey through this and that journey actually led me to join the foundation in some sense. But I started to look into mental health and cybersecurity about a year, year and a half ago. And it was quite startling to see the number of reports over here. And what I noticed, at least in the research, is that there's a lot of people or there are a lot of reports on the prevalence of, you know, stress and burnout and fatigue, alert fatigue and whatnot. But there's not all that much on what we can do about it. I mean, there are some parts, right? You know, we have people looking into wellbeing and thriving and so on. And actually it's not a new problem in that sense because, you know, stress and burnout can affect anybody in any industry or profession. And I think the question then becomes why, what is it about cybersecurity that actually leads to this? And we sort of touched upon it. And I think, Matthias, you also just mentioned you are sort of getting to it, which is certain roles in security actually have this always-on nature, this sense of perpetual vigilance, you know, because an attack could happen at any time. And as Sarb mentioned, you know, the role of the CISO, the demands of the CISO or the liability of the CISO is so high, the stakes are so high. There's also a sense of job insecurity because if something goes wrong, if there's a breach, they could lose their job. These are all some of the issues. And from an organizational perspective, we need to start, there are different ways of looking at it. And I think Sarb can actually speak a lot more about this.
We got to look at it from an individual level, from the team level, at the organizational level, and at the national level. And Sarb, maybe you want to like sort of say something along those lines?
Sarb
Yeah, I think what Kash is pointing to is that if you look at, and I like to start from the national level, and the reason is because if you look at the national cyber resilience strategies that governments around the world have got, if you look at their strategies, the strategies will say something along the lines of the cyber resilience of our nation depends on the cyber resilience of our enterprises. And it stops there. Now, there's an implication there, which isn't put into words, which is the cyber resilience of the enterprise depends on the cyber resilience of the cybersecurity staff. So, you have to look after the staff because if you're not looking after those people who are actually fighting and dealing with your resilience, if they're not themselves resilient, your enterprises can't be resilient. And if your enterprises aren't resilient, then your nation isn't resilient either. So it's quite important that you take that into perspective. And that is a good lead into a key point that Kash was sort of referring to, which is the fact that we separate, when we talk about, you know, well-being and mental health, we separate the well-being and mental health of cybersecurity staff and professionals, separately from any wellness programs that an enterprise has. Because the wellness programs that many enterprises have are general programs that are for anyone. And if anyone's not well, and they have mental health issues, they have stress and burnout, as bad as that is, it won't affect the resilience of the enterprise. And because we're talking about cyber people, we're talking about the resilience of the enterprise, we're saying that the resilience of cybersecurity teams needs to be separate and thought about separately. And they need to be considered from the cyber resilience perspective, not a general HR wellness program perspective, because that needs to be totally separate.
So when we are talking about what we suggest and the frameworks that we have for the organization, as you were referring to, Matthias, the foundation is working on a framework which we hope will cover all the levels that we've been talking about, the national level, the industry level, the professional level, the enterprise level, the team level and the individual level. And it is all of those levels that need to deal with it. I'm not going to go into them in detail now, but there are various levels and the organisational level is just one of the many.
Matthias
Right. The reason also why we're talking about this topic today is because we want to cover that topic together with you, Sarb, at our cyberevolution event. And I think this is also a topic that you brought up and I think it's so important and we can really dig deeper into that topic later at that event. So this is just a first glance at this huge topic that we're looking at. To ask the right question to you as the experts, you've mentioned all these individual levels. If we start with the individual as the cybersecurity professional, are there any strategies or tools that we as cyber professionals could apply or are we lost as long as we stay alone?
Kashyap
Yeah, so at the individual level, I mean, there are many things we can do, but what I like to think of is other ways, like is there a tool or a system one can use that not only reduces your chance or reduces stress, but also improves engagement or your ability to thrive and recover and flourish and so on. And so, you know, I mean, active recovery is huge. Taking breaks. So sleep, I think that is something super important. There's research that shows that a lot of people who are experiencing burnout don't prioritize sleep. And so their sleep scores actually go down. That is absolutely important. The next would be something along the lines of, like I mentioned, active recovery. So this is about regulating our nervous system. And this is super important because if we are in this state of perpetual vigilance, which is triggering our sympathetic nervous system, we're in this sort of constant stress response. And we want to get out of that. We want to train our brain to not consider everything around us to be a threat and to calm it. And that means engaging the parasympathetic nervous system. And this would be something like, you know, going out for a walk in nature, exercise, some kind of sports. These are sort of active recovery protocols, you know, like a cold shower and so on. On a different level, when it comes to work, it's really important to have also a sense of autonomy, you know, because we actually conducted a survey among a number of CISOs earlier this year. And what we identified is that many of them actually scored quite low on their sense of autonomy. And if we don't have a sense of autonomy, that sort of brings us down. And if we can sort of reframe our situation or the tasks or activities around us to give us that sense of autonomy, that will also give us this sense of control and be able to sort of work better. Handling workload, I think, is super important.
A lot of people in the research also say there's so much workload changing priorities, so there needs to be ways of and communication channels and measures in place to be able to manage that workload. So it's not only from the individual level, but maybe, you know, your manager or supervisor, whoever, and leadership have to have ways to accept that there's only so much an individual can do or a team can take on and be able to push things aside. So that might also be being able to say no and being able to accept a no as well, when things come up that also relates to the changing priorities that a lot of people experience in teams and businesses. What else is there? I think it's also about at an individual level of taking breaks in some sense, finding ways to take breaks and being able to disconnect from work. In fact, I read a quote recently that there's this incident responder who just feels like he's completely working, he or she is completely working and can't actually enjoy time with their family. And that's actually quite sad. I mean, I have a family myself and finding ways to actually be able to spend time with your family, I think, is super, especially if you have a family. I mean, otherwise, finding something else to do apart from work, something that brings you joy and meaning and purpose in life, I think this is super important to be able to sort of recover from all that stress at an individual level, at least. Yeah.
Sarb
Can I add to that if that's okay? Yeah, I mean, I think if you look at what you said, Kash, and I think what I've experienced and people within the team we see is that when you are stressed, all the things that you would normally do when you're not stressed stop happening, and, as you said, Kash, you stop eating properly, you stop sleeping properly, all of these things, it's a downward spiral. And the difficulty is to identify the fact that you are on the downward spiral and look to see what you can do to come out of it. And there are a range of things that even within teams you need to have. So although as an individual, you can spot it, if you work in a team where you're not allowed to do anything about it, that's difficult. And what we recommend and we've been saying, and we're putting together a paper with one of the people on our executive steering group, Admiral Insurance. And they've been doing some work on this for quite some time. He's one of the founders of the foundation. And within the teams, what they do again to alleviate stress issues is that they have, instead of half hour meetings, 25 minutes. So you've got a five minute break. Instead of one hour meetings, 50 minute meetings. So you've got a 10 minute break. And they started to instigate little things here and there that made a difference. Equally, it's looking at how you can support each other. How you can look out if somebody is looking stressed, if somebody's looking like they're not taking their breaks, if somebody's looking like they haven't eaten properly or they haven't slept, it's actually being cognizant of that sort of thing and starting that conversation and listening and being aware of those things. But when those things get to a point where it's really, really bad, I mean, we've spoken to some CISOs and we've interviewed some. And the danger is that I think most of the people I come across in cybersecurity are often caring people.
I've never come across someone that isn't, so far. And I say often because I'm sure there may well be someone out there that I've not heard of, but they are caring people and they have this syndrome. It's almost like a hero syndrome. They want to do good. Because they want to do good, no matter what the stresses are, they don't want to let anyone down. And because they don't want to let anyone down, they're in this perpetual cycle of wanting to not stop. If anything needs doing, they will carry on doing it. And it's that that actually is bad for them. And CISOs that we've spoken to about this sort of thing, we've heard examples where someone on the team was late for their wedding by 15 minutes because they were at work in the morning. They were late for their own wedding. They miss their children's plays. They miss this. They miss that. And that's the sort of thing that happens. And other people we've again spoken to who commit suicide where they take that pressure on personally. They think it's their fault that there's been a breach and then they're trying to commit suicide. And these are the sorts of things. And again, it's from that feeling of wanting to do good, not let the business down. And that drives some of that. And what we have to do is step outside, look to our colleagues, look to see if there are people who are experiencing that and how we as a team can respond to that. Sorry, I hope that sort of answers what you were thinking.
Kashyap
I wanted to add to that because it's interesting you mentioned this sort of hero culture in some sense. That's actually something that I've also come across in the literature and speaking with some people. And in fact, we conducted a survey and one of the questions had to do with this aspect where the question was something along the lines of, do you always try to promote good in all circumstances, even if they are difficult? And many of the CISOs scored very high on this question, rating themselves high. That is, they actually do try to promote good, which I thought is a nice way to sort of correlate what Sarb just mentioned on the hero culture. I also want to mention that this aspect of stress and burnout is also prevalent in other aspects in the software industry. In particular, there's been some research on developers. And they identified, you know, there are various socio-technical factors that actually cause... that affect developer productivity and well-being. And then there was a recent, there's now a recent paradigm in software engineering called the developer experience. Where they identified that there are like three main components to this. So there's flow, which has to do with engagement. There's cognitive load, which is, you can think of it as, you know, the RAM in our brain. If we have a lot of things piled up in our brain that sort of stresses us out and we can't focus and so on. And the third one is on feedback loop. So are we actually getting feedback on what we're doing? Is that effective or not? And I think this is something that we can actually apply from an organizational perspective, to not only drive up productivity, but as a result also reduce the stressors and aspects, socio-technical issues that actually reduce the wellbeing of the team, the cybersecurity team.
Matthias
Right. And if we briefly touch upon the other end of the levels that you've mentioned, the state level, the legal level, the regulatory level, I think if we look at what you just mentioned that the CISO is held liable for what they are doing, that they are financially responsible, even legally responsible. Yeah, that does not improve the situation at all. That really adds to the pressure that really adds to the situation that maybe CISOs let this responsibility trickle down to the lower ranks within the cybersecurity organization and that instead of helping just deteriorates the situation. Would you agree, Sarb?
Sarb
Yeah, I think that that's happened, what we were talking about and hinting at is what's happened in the US. And it's happened there and people everywhere else are discussing it. And I think what I've been saying since two years ago when we brought this up and this thing was going on in the US is that the right model, the right approach is actually the approach that was in the GDPR. That basically whoever is the person responsible for data protection within your organization, that approach that they state in the GDPR, which is that that person is an advisor to the organization. They are not responsible because they do not understand the risks about the good and the bad. And if you make them responsible, they could make good and bad decisions in certain circumstances and they may not take risky decisions, which in some businesses are good to take because taking those risks actually is good for the business and in other circumstances, they are bad for the business and it's the board that should be responsible or the data owners within the business. And really what we should be doing is exactly that same model where as CISOs we are advisors and as advisors to the board and to the business we explain what the risks are and they should be taking the decisions. We're there to help, we cannot be held responsible because we don't get our own budgets other than what we've asked for, and if we don't get the budget we asked for and yet we're still liable, that just doesn't make sense, and that's just one of many, many issues that I think is a problem with the model whereby the CISO is held responsible.
Kashyap
I think that what Sarb said makes a lot of sense. It reminded me also of, I spoke with Janja Viskovic last year about this and she also mentioned something along the lines of, actually, she actually stated Saudi Arabia as an example of how they've actually introduced, or rather the fact that it shouldn't be just the CISO that's held accountable or liable. The risk has to be distributed among the board. It's not just like a single point of failure. I think that's one way of making the system more robust.
Matthias
Great, thank you. I think we really just scratched the surface and I think you agree, this is really just having a first look at this complex picture of the challenges for mental health through cybersecurity or in general through responsibility within an organization. Of course, I want to hint at our event, cyberevolution, but that is, I think, maybe too far away for people who are actually currently suffering where there is a sense of urgency where they want to have more information. I assume the organization that you've created provides some resources. So can you please mention what is available, what people can expect when going to you, to your site, and maybe give the URL of what you are providing?
Kashyap
Yeah, sure. We are an active group on LinkedIn. We have our website, which we can put in the show notes. We also have an active and engaging community of practice. And I would actually encourage all your listeners today to check that out and participate in that if you can. We also have a charter for various organizations to sign up for. And so this is not just for the cybersecurity team, but it's for the different aspects of cybersecurity. So this could be people in HR and other areas or service providers for security who believe in supporting and promoting mental health. So we have different charters for these different aspects of people in the industry. So I would strongly recommend people sign up for that as well. We also have a research group at the foundation and a framework group, which Sarb mentioned. At the research group, we're looking at various research questions, research areas that are worth answering right now and prioritizing a research agenda not only for us but for other people who are interested in conducting research in this area.
Matthias
Thank you. Anything to add from your side, Sarb, before I close down? Because I could go on for hours, but we want to keep this concise. We really want to follow up on that conversation. What Kash mentioned, so really through the foundation and their individual groups that are active here, but also just by making that discussion more vivid at personal events. Final thoughts from your side, Sarb?
Sarb
Yeah, I'm just going to include one thing and I'm not going into detail because I'm sure I'll go into it in detail at the event later this year. And that one thing is something that Kash mentioned about the different types of organisations that have signed up to the charter and that example is recruiters. We're working with recruiters and they're working with us on the framework. And one of the key things that they're interested in is about transparency. At the moment, we do not have the right environment for CISOs to say openly, do you know what? In this job I'm doing here with you as my employer, I am stressed. You are stressing me. The job is stressful. And what happens is because there's no transparency, when the person is stressed and they decide they want to move because they're so stressed and they want to go somewhere else, they cannot be honest to the recruiter because the recruiter theoretically has to let the other enterprise where they're going to know. And what we'd like to do, and this ties in with not just recruiters who signed up to the charter, but also our framework, which we're talking about where we're trying to increase transparency so that within the industry, if you have got health issues that have been caused by working where you are in your work environment because you're in cybersecurity, you should be able to be honest with everyone and say, I am stressed. I need to take some time off. I am stressed. I'm looking for another job or whatever it might be. And I think that's a key topic. We can talk about this one single aspect, which is transparency, for a long time. So I'm not going to talk about it in great detail now. I just wanted to mention it as an example of how detailed some of this is for our profession. And it is absolutely critical that we talk about these things openly.
Matthias
Yes, thank you very much. That was really interesting. And at least it convinced me that I need to follow up on your resources. And for everybody in our audience who's interested in learning more, the URLs and the links to LinkedIn will be in the show notes. So just have a look over there. And if you want to learn from the team, if you want to contribute to the work that is executed right now, I think there's really a lot to do still. And of course this message needs to be spread. I'm very thankful to you, Kash and Sarb, that you joined me today for this very special episode of the KuppingerCole Analyst Chat. I'm looking forward to meeting you in person, Sarb, in Frankfurt, and maybe we manage to get Kash there as well and meet them there, and even see you, Sarb. We had some technical issues, but that is fine. The message was important, and that really came across. Again, thank you very much for being my guests today, and looking forward to seeing you in Frankfurt. And if you have any questions to Kash, to Sarb, to me, either go via the channels that have been mentioned or leave a comment below this video on YouTube or send us a mail or just reach out. This is too important a topic to overlook or to just ignore. Thank you very much, Kash and Sarb, and looking forward to meeting you again.
Sarb
Thank you.
Matthias
Thank you. See you. Bye bye.
Kashyap
Bye bye.