Mental health is an important part of life in 2022. According to the non-profit Mental Health America, the percentage of adults with a mental illness report unmet need for treatment has increased every year since 2011. This has only escalated with the pandemic. In a career as stressful and stretched as cybersecurity, it can be more daunting. I’m going to focus on my experience with the threat landscape in technology and cybersecurity in technology, the lack of staff in cybersecurity, the number of duties one may need to perform in cybersecurity, and what I do to help prevent having mental breakdowns in cybersecurity.
Many people have an unspoken idea of what hacking is and why cybersecurity is important, but the problem is that attacks NEVER stop. Cyber-attacks don’t take a vacation. It’s easy to see why cybersecurity professionals are stressed out – there is no true “day-off.” There are constant new threats, hacking methods, and information to consider. Being in cybersecurity is like being a doctor who is having to stay up to par on up-to-date procedures, laws, and news. In a cybersecurity attack, human lives can potentially be lost in the process. In a German hospital, there was a death after a hospital received ransomware. The other aspect to consider is the critical infrastructure in America, which controls water, gas, and electricity. Any loss to those services could affect millions of lives. The idea of an attack on critical infrastructure is so important, the United States passed an Omnibus bill recently that required critical infrastructure organizations to report all successful cybersecurity attacks… Is your stress level going up yet?
Now that you understand what a cybersecurity professional deals with daily, let’s look at how their staffing stands against these threats. In a report from ISC2, they state:
There are more opportunities for cybersecurity professionals, but it’s also more stressful due to a shortage of people. People who take jobs in cybersecurity can end up with two or three job roles. Some cybersecurity analysts will be overworked and will end up poorly executing each of their duties. This is not the cybersecurity professional (or management’s) fault but the lack of resources, people, and requirements that are needed for organizations. CNN released an article in May of 2021 talking about the cybersecurity professional shortage.
…Can we skip to the good part?
So, how can we stay mentally healthy in the world of cybersecurity? Well, this is an opportunity where you, not just as a cybersecurity professional, must seriously look at what you are doing to yourself. In the past year I have known cybersecurity professionals who have dealt with anxiety, depression, imposter syndrome, and apathy in work duties. These issues are not the responsibility of management, but it is up to us to make the change that isn’t working for us. I recently put down my cybersecurity books and picked up some self-help, philosophy, and psychology books. I reassessed my values, built healthier boundaries, and focused on meditation and mindfulness. This made a noticeably significant difference.
I have a learning mentality. I value testing ideas, or building test labs for servers, networks, software, etc. I have focused on getting certifications and degrees, and self-learning my own way. I was emotionally and mentally demolished when I got into cybersecurity. What I valued was learning, but I had extraordinarily little time to learn new things while working in cybersecurity. My value of lifelong learning, and growth was not enough to compete in the world of cybersecurity. I also had to add another value, self-care.
When I decide to do something, it usually gets done. When I focused on certifications, I woke up early and stayed up late. I was obsessed with studying, which also meant I was not obsessed with my health. I lacked self-care. Those who work in cybersecurity have a decent head on their shoulders and understand the idea of suffering to a specific degree. We must suffer in life, and so those who choose a path in cybersecurity usually understand how much suffering is involved. This also means that we must be careful when movies and television shows glorify cybersecurity, because cybersecurity is not for everyone. Working in cybersecurity is a difficult and mostly thankless job. So, it is up to us to make sure we have good values of supporting each other and mental health as much as possible. But how do we set up a system like this?
To support each other and bring awareness to self-care, we must set some boundaries. Much like when college students move into a dormitory, setting ground rules (AKA boundaries) is imperative for working relationships, trust, and mental health. With the plethora of meetings, I have asked management to understand that some projects won’t be completed on-time or on-budget, or I ask them to help me prioritize my projects. The next thing is that when I am off the clock, I try to seriously be off the clock. This makes it difficult as I am completing a masters in cybersecurity, which begs the question, “can I really ever be off the clock?” Next, forgive yourself (and management) for not being everything everyone wants. Everyone in cybersecurity is doing their best to handle a difficult transition in most organizations, with accepting cybersecurity as part of the overall culture. Finally, if your organization is not allowing cybersecurity to be part of the overall culture, or if your cybersecurity department isn’t allowing mental health to be part of the culture, then be a part of the cultural change. Sometimes just bringing up the issue can make people aware of the problem. But if the organization (which may be beyond the power of management) is not willing to change the overall culture, then it may be time to consider other opportunities. There is nothing worse than just waiting for employees to have a mental breakdown.
You need to find something outside of work that makes you happy and sane. That can be video games, hiking, biking, building RC cars, jogging/running, drawing/sketching/painting, or anything that can take your mind off work for a little bit.
While cybersecurity is difficult, we can still make our way to learning more about who we are in the process. Only in suffering do we really begin to grow wiser professionally, emotionally, and spiritually. Without suffering and overcoming adversities, we won’t find some happiness. I think working in cybersecurity is daunting, but it is important, just remember to give yourself breaks, forgive yourself, and keep going. You are making a difference in the world, and you add a tremendous amount of value to it. Don’t ever forget that.
Here are some (non-cybersecurity or certification) books I recommend that focus on building a better and healthier lifestyle and organizational culture:
- “The Subtle Art of Not Giving a F*ck” by Mark Manson
- “The Happiness Hypothesis” by Jonathan Haidt
- “Ego is the Enemy” by Ryan Holiday
- “The Wisdom of Insecurity” by Alan Watts
- “Meditations” by Marcus Aurelius
- “Start with Why,”, “Leaders Eat Last”, and “The Infinite Game,” by Simon Sinek
- “Permission to screw up” by Kristen Hadeed
- “The Culture Code” by Daniel Coyle
- “The Five Dysfunction’s of a Team” by Patrick Lencioni
- “How to Win Friends and Influence People” Dale Carnegie
- “Our Iceberg is Melting” and “Leading Change” by John Kotter
- “Emotional Intelligence 2.0” by Travis Bradberry