For security professionals, stress comes with the territory.
But it’s hard to deny that the last year-and-a-half has been perhaps the most stressful and challenging period in the history of cybersecurity. COVID-19 threatened lives, livelihoods and companies' security as employees migrated en masse to a work-from-home model. The SolarWinds supply chain attack, escalating ransomware incidents, and the ProxyLogon Microsoft Exchange exploits only further compounded matters.
This nonstop barrage of security crises has made certain infosec leaders and practitioners more aware than ever of the job’s impact on mental health, and the importance of protecting against stress, exhaustion and burnout. But how have they been managing? Where can they turn – internally and externally, formally and informally – to share their fears and frustrations, and to find support and advice in trying times?
To answer these questions, SC Media spoke to senior security executives about the resources they use to cope with and communicate about the enormous pressure that often comes with the job.
External peer groups
Benjamin Corll, vice president of cybersecurity and data protection at U.K. thread manufacturer Coats Group, said the only year that rivals 2020-21 in terms of stress was 2001 – when the computer worms Nimda, Blaster and Code Red were wreaking destruction across multiple organizations.
And while family and close friends might be willing to lend a sympathetic ear, they simply “don’t understand anywhere near the world I live in professionally,” explained Corll, a member of CISO membership community Cybersecurity Collaborative. And that’s why it’s so important to be able to communicate with individuals who truly understand an infosec insider’s point of view.
Working out of North Carolina, Corll receives the support and empathy of his peers through two industry collaboration groups – one being the aforementioned Cybersecurity Collaborative, which is owned by SC Media parent company CyberRisk Alliance, and the other ClubCISO, a private member forum located in Europe. “They understand the implications of the things that I'm saying,” he said.
These groups will host on-camera virtual meetings, where collaborators share their war stories over a beer or two. While you may still be stuck in the “same seat that you've been in for the last 12 hours,” at least you know “I'm not alone. I'm not the only one going through this,” said Corll.
Corll said he closely interacts with about 20 other CISOs through the U.S.-based group. “We know each other well enough to say, ‘Yeah, you're saying you're okay, but I see it in your eyes. How are you really doing?’” he said. And these discussions aren’t always just limited to work problems; they can get deeply personal. Because “I know this is seeping into your family life as well,” he said.
Corll recalled a phone call last summer in which he expressed concern to a fellow security exec that his budget was drying up and he was also struggling to retain contractors. His colleague’s reassuring reply: “We're all in the same boat. We're going to make it through this. If you need to call, call. If you need to vent, vent… If you need me to order a bottle of wine and have it delivered or a case of beer, I'll have it delivered… We’re going to talk through this.”
Meanwhile, the European peer group Corll subscribes to runs large quarterly meetings featuring all VPs and CISOs. “It's a safe environment. A lot of sharing of ideas happens throughout the year,” said Corll. A few months ago, for instance, the group looked at the hardest projects to tackle for the upcoming year, and the biggest hurdles to overcome. Participants would then offer examples of how they previously managed those very same issues.
John Germain, vice president and CISO of property and casualty insurance software company Duck Creek Technologies, is a fellow member of Corll’s Cybersecurity Collaborative, and also subscribes to cybersecurity networking and peer engagement service Evanta, a Gartner company.
But you don’t have to be a member of a formal group. Just the process of networking within your industry can help forge connections with peers who can later lend support in tough times.
Germain said the security community in larger metropolitan areas like the Chicago region, where he operates, is a fairly tight-knit group. “Everybody knows each other. And so they've got different vehicles where you can not only collaborate, but vent – kind of like a bulletin-board type approach where you go online and you just say, ‘Hey, is anybody else dealing with this?’” and get some advice, he explained.
The key, he said, is establishing a level of trust and sharing between members of the community. “If you've got a community that you trust and that you can rely on to be confidential and provide good counsel, that's tremendous,” said Germain. “And my hope is that I'm one of those people for other folks, and my hope is also that I can count on some other people to be there for me.”
Internal support within your company
Having peer groups you can consult with outside of your workplace is important, because sometimes the source of your stress might be your boss or your organization’s policies. And that’s not necessarily something you can freely share internally with office mates or supervisors.
However, it’s still very important that leaders within your own organization can recognize stress and burnout when they happen, and give infosec workers internal channels where they can communicate their difficulties without judgment.
“As security professionals, we are used to dealing with crisis, and so maybe that's why we're really good at it. We're expected to be the strong ones,” said Florence Mottay, senior vice president, information security and global CISO at Dutch retail giant Ahold Delhaize, in a recent keynote session at the virtual 2021 RSA Conference. “But the COVID-19 crisis was very different in that it also affected all of us personally. Very quickly I realized that everyone in the team was trying to put on a brave face and act as if they had everything under control... The fact is that we were all struggling.”
Recognizing this, Mottay held an internal town hall event with her team less than two weeks after the 2020 coronavirus lockdown took effect.
“I shared that, for me, it had been hard combining work and helping my daughters with distance learning, that I was worried about my family, about my grandmother,” said Mottay. She also started a concept that she termed the daily “vitamin shot.”
“Each team leader, every morning, held a 30-minute meeting to talk about what people felt… Just our struggles, our fears, or where we needed help,” Mottay continued. “And I really encouraged the entire team to share as much as they felt comfortable with,” as well as “what others could do for them,” while building a sense of trust. “And that really helped. It worked out really well.”
Germain, meanwhile, who runs a team of 14 security professionals in a company of roughly 1,500 employees, said that Duck Creek formed a COVID committee with a goal to help the company manage its way through the pandemic and develop a secure remote workforce model.
“The company… has recognized the importance of managing situations that may be out of our control,” said Germain. “We still need to make sure that our employees are taken care of, and they're given the opportunity to take care of themselves.”
A particular area of concern right now is India – home to about 500 of Duck Creek’s employees, where the coronavirus death toll has recently soared. “What's happening there right now, it's terrifying,” said Germain. “So our CEO has put together a program around how can we help our fellow employees in India, whether that be through donations, whether that be through support groups or just making sure that they have every opportunity to get vaccinated.”
The company is also offering programs such as online yoga classes for stress relief, and encouraging employees to take time off if they need it. And Germain is making sure that message extends to his team. “Even if you can't go anywhere, just unplug for a while and get away… to deal with the stress,” he said. “And then, if you have any issues, if there's any urgent challenges with yourself or your family, we understand you may not be able to do your job and so that's okay. Don't feel guilty about it. We'll manage, we'll figure it out. Just take care of yourself.”
Duck Creek also operates various resource groups, including specialized ones for women and African-Americans, to focus on challenges that are specific to certain worker communities. “I joined all of those not just as a leader but as a participant so that I can give my view of what's happening and support other folks who are struggling.”
Sometimes, security executives may have to stand up for their employees. According to Corll, managers and HR organizations across a wide variety of businesses are likely to reward responses to a major incident that requires hours of overtime, but are less likely to consistently recognize the unique stressors that IT and infosec workers must contend with on a daily basis.
For that reason, Corll goes out of his way to make sure that his team gets needed extra time off after laborious projects that don’t necessarily make big internal headlines.
Following COVID, HR teams are stepping up more, Corll believes. But in general, “we need to make sure that people are staying engaged… and that people have a coping mechanism.”
For example, at Coats, executive team members are now running workshops in which one of the key messages is “It's okay to raise your hand and say, ‘I need a day off.’ It’s okay to say, ‘I’m overstressed, I need a break.’ And it's okay to take your vacation days.”