Each year, Mental Health Awareness Week offers organisations of all shapes and sizes an opportunity to reflect on the mental health support within their organisation, and do their best to improve upon it. Over the last few decades we’ve seen great strides in this area, with conversations around mental health moving into the mainstream, and most businesses going to some effort to tackle the issue in the workplace.
However, this is one area where the cybersecurity industry lags behind to some degree. From those impacted by the attacks to those working to prevent them, all too often we are still focusing on the technology and overlooking the human cost.
Mental health – the forgotten challenge?
It can be easy to focus on the technical and business aspects of cybersecurity. As Parisa Bazl, Head of User Experience at Commvault, explains: “The business impact of a cyber attack is well-documented and widely discussed. But there is a worrying and often overlooked human element that can have serious personal consequences for those involved, in particular, employees targeted by cybersecurity threat actors and the cybersecurity professionals tasked with mitigating the impact of an attack. Data suggests that nearly two-thirds of cybersecurity incident responders seek out mental health assistance due to the demanding nature of responding to cyber attacks. Whilst another study revealed that one in seven security staff experience trauma symptoms months after an attack, with one in five considering a job change as a result.”
Even aside from the immediate impact of an attack, “burnout is increasingly common in cybersecurity, especially among cybersecurity leaders who are expected to meet the ever expanding demands of their roles,” according to Matt Hillary, CISO at Drata. “When I talk to my peers, mental health is a lofty and growing issue across the board that is frequently ignored until burnout or opt-out seems to be the only way out.”
So what can be done to tackle the situation? Parisa Bazl argues that: “Support should also be extended through internal support mechanisms, where employees are given access to the resources required to support mental health. Rather than blaming individuals for mistakes that anyone could make, from the most junior employee to the CEO, organisations should focus on learning from their experiences collectively. Without this positive cultural system in place, organisations run the very real risk that employees simply won’t report cybersecurity incidents to management, particularly out of fear of the repercussions they may face. In an era where employers are focusing more energy on workplace wellbeing, leaving these issues unaddressed can represent a serious shortfall in care that can lead to devastating personal consequences.”
Additionally, Matt Hillary believes that “CISOs should act as the example and cheerleader for their security team members, who are consistently under immense pressure with excessive expectations for dealing with relentless attacks and never ending identification and fixing of flaws in organisational systems.
“To build security teams that know you care and trust them, I help remind my team members that we are still human, that every organisation is on a security journey, that no organisation is “there” and, as a result, they should go at a diligent speed that is healthy and sustainable – only running as fast as they are able.”
Building a culture of mental health support
As well as addressing the mental health costs of security incidents, and supporting their security teams, organisations must all make sure that mental health support is embedded across their organisation. If a business is not doing the basics when it comes to mental health, any specific support aimed at their security team will be wasted.
This can be extremely simple. Lindsay Gallard, Chief People Officer at Six Degrees, notes “a recent report by Mind Share Partners revealed that 79 per cent of workers would find their jobs easier if their employer showed more concern over their mental well-being.”
Drawing on his own experience, he explains that “at Six Degrees, we have an ongoing commitment, not just to implementing one-time policies, but to continuously strive to better ourselves and our employees. As we often say, there is no ‘one size fits all’ approach and so, for us, flexibility is key. This involves communicating and raising awareness widely, engaging our people on a range of topics, offering a variety of support and resources, and providing space within our initiatives and working arrangements to help every individual strike the right balance. At the heart of all of this, though, is communication: encouraging openness, really listening, and creating ways forward together.”
“With many teams being distributed today, it’s more important than ever to actively and intentionally create spaces for colleagues to talk,” adds Mairead O’Connor, Practice Operations Director at Node4. “We need to make the effort to develop understanding and empathy for each other so that we can provide support during tough times.”
She concludes: “Happiness at work is very aligned to business success. Those that are happy and fulfilled at work are the most productive and it is bonded teams that work the most efficiently together. It is in the interest of every business leader – as an entrepreneur and a human being – to create spaces for colleagues to talk and collaborate. Small steps can do big things for fostering a healthy and supportive workspace and boosting employee wellbeing.”