Prioritizing Mental Health in Cybersecurity
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Jason Lewkowicz of Optiv celebrates the importance of mental health in cybersecurity, offering best practice tips to improve employee morale.
With another Mental Health Awareness Month in the rearview mirror, we should celebrate the fact that mental health is finally getting the attention it deserves – and that the stigma associated with it is retreating. These gains aside, however, we still have a lot of work to do when it comes to managing mental health in the cybersecurity industry – especially during a cyber incident, when, all too often, the focus can be on response and remediation rather than on employee well-being.
Mental Health in Cybersecurity
Rising Mental Health Challenges
Today, there is a confluence of factors forcing cybersecurity professionals at all levels to work beyond their normal capacity on any given day, which is leading to emotional stress and burnout. These include, but are not limited to:
- The ongoing cybersecurity talent shortage, which puts pressure on existing workers to pick up the work of unfilled positions. To paint a picture of just how wide this gap is, according to CyberSeek, there are currently 755,743 cybersecurity job openings in the U.S.
- Reductions in force due to tightening budgets amidst an uncertain economy – again forcing employees to do more with less.
- An unprecedented threat landscape. While cybersecurity teams may be stagnant or dwindling, threats are on the rise – Check Point Research reported a 38 percent increase in global cyber-attacks in 2022.
Given this reality, a normal day for an employee in cybersecurity can be a challenge. But, add a cyber incident to the mix, and stress levels can elevate significantly.
The Onus is on Employers
While organizations can compensate and incentivize employees to work extra hours, these rewards won’t disguise the fact that being overworked can still lead to burnout and poor mental health. In fact, a recent survey on mental health in cybersecurity from Tines found that 64 percent of respondents say their mental health affects their ability to get their work done, yet only 54 percent say their workplace prioritizes mental health. This latter number should be much higher.
The first step to prioritizing mental health is having a discussion about it, and we’re making progress on this front. However, many employers get stuck when it comes to implementing strategies for managing it in the workplace. Because mental health is a relatively new topic in cybersecurity, they just don’t know where to start.
One of the most effective ways to keep mental health front and center – especially during a cyber event – is to define processes that safeguard employee well-being and incorporate them into company policies and incident response (IR) playbooks. From an IR perspective, these processes should be specific to the incident management team and the length of time that will be required to solve the problem, but there are a few best practices to consider across the board:
- Designate a place for employees to rest and refresh. If employees are on the road dealing with a cyber issue that will take hours or days, you may need to book hotel rooms, so they have somewhere they can go quickly to rest, shower and exercise. If they’re sticking local, consider allocating certain rooms within the office for rest purposes. Commuting home just to have to turn around and go back into the office wastes valuable time.
- Have a plan for nourishment. If employees will be tied up in a war room for hours on end, consider ordering in, and take note of dietary restrictions so there is something for everyone. Otherwise, ensure employees have the opportunity to get food and drinks at defined intervals.
- Build in breaks. Nobody should be working straight for hours upon hours – that’s when focus and attention to detail start to dwindle. Have predefined break times so personnel can disengage for a bit and recharge. Ideally, breaks should be taken every four to six hours.
- Set a maximum number of hours employees can work. When people work more than 12 hours, even if breaks are built in, productivity starts to diminish and mistakes occur. Let them go home or to the hotel room for a good night’s sleep.
- Involve leadership. Ensure leadership checks in with security practitioners to make sure they have what they need to manage a cyber incident. This includes making sure cyber leaders are aware of common signs that an employee is struggling (irritability, loss of productivity, etc.) and trained on how to help that person get things back on track.
- Say thank you. Don’t forget to praise your team and extend gratitude. While cybersecurity is often a thankless job, humans are programmed to look for validation, so communicating your appreciation goes a very long way.
It’s important to note that, while the goal of these best practices is to help prevent stress and burnout, they aren’t meant to replace professional mental health counselors for more serious cases. Organizations need to be prepared to provide employees with the external resources they need if the symptoms they’re experiencing go beyond stress and fatigue.
Better Mental Health, Better Outcome
Cybersecurity professionals know that long hours – especially during a cyber incident – are part of the job, but nobody should be expected to sacrifice their mental health. This will only lead to resignations and poor performance as well as mistakes and subpar results from a business perspective. By prioritizing these best practices – and implementing more that are unique to your organization – cybersecurity staff will have a fighting chance to keep their mental health in check and achieve a better outcome for themselves, their company and their clients.