Just how mentally destructive could the cybersecurity industry get?
Interview with Blair Crawford – Image Credit: Daltrey


Below is an edited transcript from a podcast I did recently for identity management firm Daltrey. You can listen to the full podcast here.

________________________________________________________________

Peter Coroneos, founder and executive chair of Cybermindz, returns to the podcast to explain how we need to protect the mental health of cybersecurity professionals in today’s high-threat environment. In this interview he speaks with Blair Crawford, CEO of Daltrey.


Blair Crawford: What type of work are you doing at Cybermindz?


Peter Coroneos: We are working directly to protect and restore the mental health of cyber teams.

We’re using a protocol that was initially employed in the US military called the iRest protocol. It was developed by Dr Richard Miller who has spent 40 years as a clinical psychologist and researcher in this area. Richard developed this specific 10-step sequence that enables people to get into a very deep state of rest, but also process a lot of emotional material that may be sublimated. This is material that’s been pushed down into their subconscious, but it’s still driving a lot of their responses to life.

In the context of cyber, there are always going to be triggers. So our initiative is around bringing the iRest protocol into cybersecurity for the first time. We have the full support of Richard Miller and his Institute. We’ve been given permission to customise the scripts he’s developed so they speak directly to the language and culture of cybersecurity.

In that way, we’re coming into cyber teams and giving them access to the things they need – things that will help them switch out of this always-on, flight-or-fight mode that we tend to get stuck in, particularly in the current threat environment.

We’re fortunate in having a ready-made mental health protective tool which we can customise for our own sector based on our own experience as cyber professionals. This is a powerful enabler. And because we can deliver online and also have access to a global network of iRest trained facilitators, we are able to scale quickly in time and space. We’ve also got an amazing research capability where we can measure as we go.


Blair Crawford: PTSD is not necessarily something that is directly spoken about within the context of cybersecurity. So what are you seeing in terms of issues related to mental health?


Peter Coroneos: In terms of its military application, the protocol definitely found a lot of success with PTSD and was approved by the US Surgeon General in 2010 as a complementary therapy. They’ve been using it in the military for various conditions, ranging from stress and anxiety to depression, trauma, post-trauma, pain management and insomnia. There’s a whole spectrum of mental conditions that it applies to.

It’s also been used outside of the military, especially in homeless shelters, palliative-care settings and with frontline emergency healthcare workers. It has very broad applications across a range of domains and for a range of conditions.

To your question about cybersecurity, the big thing that we’re looking at now is the skills crisis. It’s not only that we can’t recruit the people we need to meet the demand we’re facing, but it’s also about answering an important question: how do we protect the people who are already working in cyber so they don’t leave due to burnout? That’s effectively what the research is indicating. A recent Mimecast study showed that about a third of senior cyber professionals are thinking about resigning within the next two years. So we’ve got a real issue on our hands.

At Cybermindz we’re trying to measure the situation in Australia. We’re very fortunate to have a top behavioural psych in our team, Dr Andrew Reeves. I said to Andrew, “Do we have any baseline data on mental health in Australia, specifically on the burnout question?” He said, “I’m not aware of that, but we do have the tools to measure it.”

We also have existing population-norm data so that once we do the research, we can compare our cohorts against the general population. Then, even deeper in, we can actually tag organisations – the individual user data is anonymous, but we can show the organisation where their teams sit in relation to the general population, other professional groups, and also their organisational peers.


Blair Crawford: What are you seeing in regard to the more strategic and psychological nature of warfare in cybersecurity?


Peter Coroneos: Well, it is exactly that. It’s psychological warfare. It’s spy versus spy, and everyone is trying to figure out how to get around the other. It’s not exactly new. In cyber, that’s pretty much always been the game.

It turns out that creativity and insight are the first two casualties of stress. The neuroscience is very clear on this. The brain has a finite amount of cognitive reserve, and it’s going to allocate it to wherever the need is greatest at the time.

If you’re in fight-or-flight mode, it’s designed to actually sequester all of the available resources in that moment – because your survival, at least historically when we were cave-people, depended on being able to short-circuit the slower-acting, but more-accurate prefrontal cortex.

That’s the thinking, analytical part of the brain. Instead, you move into the heuristic brain, which is the fast, best-efforts type of thing. That’s usually enough to get you out of a physical-threat situation.

But the fight-or-flight system was never designed to be locked on after that physical-threat environment was resolved. Everything is designed to go back to equilibrium, to what we call the 'rest-and-digest' phase.

So you’re moving into different circuits of the brain and then you can start to reallocate resources back into the thinking, analytical, problem-solving and creative parts of the brain.

As professionals, these are the highest-value parts of our neural infrastructure; our analytical processing and rational decision making capability is in that prefrontal cortex. So the attackers are winning on both fronts.

By keeping us locked into our fight-or-flight mechanism, not only are they burning us out, but they’re also stopping us from being effective in doing the very things we need to do to see through what they’re trying to do and to try and counter them.

Now think logically about where this ultimately leads us. We allow ourselves to get into a downward spiral where people are burning out and leaving. There’s no-one to replace them, so the people who do remain are under more pressure.

The attackers are moving in, they’re exploiting and the stakes are getting higher. It’s visible, so the public starts to call for political action, which results in regulation, which results in more pressure on boards, which then of course filters back down to the cyber teams.

So you end up on this terrible downward spiral of accelerating burnout. And it’s just got to stop. We have to break that circuit. Are we going to be able to change it overnight? Probably not.

From my prior role in internet policy leadership I've personally been involved in helping create laws in Australia to tackle spam, for example, or child protection or privacy. However, I know first-hand that sometimes regulation can be symbolic or aspirational. Or carry innocent, unintended consequences that no one thought of at the time when they thought they were simply advancing a policy position.

Governments might aim to modify corporate behaviour, and in cyber there's no doubt boards are paying more attention to cyber risk, particularly after the recent high profile attacks we've seen.

But if regulation is a knee-jerk reaction to public sentiment and the desire that government be seen to be acting, that's both understandable – but also can result in some of those unintended consequences. One of those, regrettably, might be accelerated burnout in cyber teams.

And with the skills crisis, we’re not going to be able to manufacture skills overnight to replace those leaving because of burnout.

But when you really put the microscope over this problem, the one thing we could do right away is at least preserve the people who are working at the coalface right now. That’s the obvious logical next step.

Putting aside the technological and legal solutions, I think the human factor is the big sleeper. I mean we've known that for a long time as far as employee risk behaviour is concerned. But I'm talking about another kind of human factor. The one where our own defenders can no longer defend us because they have nothing left to give. That vulnerability is going to remain for as long as there are humans in the loop. So we’ve got to work on the human problem.

That is our contribution to the people — our cyber peers and ultimately, the society we seek to protect through our work.


Cybermindz can be reached via their site at cybermindz.org
