Mental Health and Cybersecurity

It turns out that May is?Mental Health Awareness Month?[1]. I think it is very important in the workplace, and for society, that there be a better understanding of the mental health spectrum. It is also more useful, productive, and yes, even compassionate, to focus on the wellness spectrum instead of the “illness” aspect that has historically been the focus. Mental health is not binary. One is not either mentally “sick” or “well”. There is a range of mental health, just like there is in the purely physical arena. When we understand that we are all on the spectrum of mental health, it puts things in a different light and positively affects our interactions and efforts.

I recently ended up taking a very good?Udemy?course on this topic, “Workplace Mental Health: A Manager’s Ultimate Guide” [2]. While it is geared towards managers, I felt that it was very informative and useful for any audience. For example, it is fairly automatic for people at work to adjust things for their colleagues if, let us say, they have a broken leg. There is no stigma attached, other than perhaps some light “ribbing” (should you really have tried that backflip at the team picnic), and really nothing taken away from appreciating the contributions that they bring to the organization. However, when it comes to mental health related issues, it is far from common for people to have the same awareness of the situation, understand what adjustments can help, and continue to recognize the value that the individual still brings to the group. It was quite enlightening to hear testimonials in the Udemy course, from people directly involved in the mental health dynamic at work. They frankly discussed things that did or did not help them, be the most included and productive they could be. Shouldn’t the goal always be to achieve the best levels that we can, for our people, our companies and society, regardless of whether we are talking about knowledge, skills, performance, or each person’s physical, mental, or emotional health???

The course outlined five mental health states along the spectrum. At the top of your game, mental health-wise, is “Excelling”. You are doing so well, mentally, that you are experiencing absolutely no degradation. The next level, just under excelling is “Thriving”. You are doing very well, but there is some room for improvement. The next three represent categories of increased impact due to mental health related conditions. A person’s ability to function in their life, and/or at work, becomes increasingly degraded. These three conditions, range from “Unsettled”, to “Struggling”, and then to the most severe, “In Crisis”. As with other negatively impactful situations, such as physical or substance abuse, it may not be readily obvious to co-workers or managers, that an individual is unsettled or struggling. Unfortunately, it may not be until the individual has gone into crisis, that the situation is identified. Naturally, it would be better for the organization and the person, if identification, understanding, and appropriate adjustments were brought to bear, earlier in the mental health spectrum. Initiatives like mental health awareness month and corporate sponsored programs can help improve the way we think about mental health, and the way this crucially important aspect of life is managed. Properly managing mental health of your personnel will increase the value and performance of your organization. This is similar in nature to the benefits gained through investments such as education, training, ergonomic workspaces, and morale boosting events. The bonus is that one can feel good about holistically supporting and growing the individuals within the organization.

This article is my small way of contributing to the increased awareness surrounding mental health. Now how, you may be asking, does this relate to cybersecurity? You knew the analogy was coming, didn’t you? Many of you have already anticipated the tie in, but I’ll run through it anyway. As I stated in an?earlier article, sometimes it’s good to say the same thing in different ways [3].

The analogy at its simplest is that cybersecurity “health” or posture, just like mental health, has a range of “wellness”, if you will. Also, like people in the mental health spectrum, an enterprise may undergo transitions along the spectrum, multiple times in a given period. At times an organization may be in cybersecurity “crisis” mode, such as dealing with a crippling ransomware attack. Some organizations may be in a well-protected, well-prepared mode. While there is room for improvement, they are doing better than average with regards to their cybersecurity stature. In the case of cybersecurity for organizations, and the volatile state of the industry, I would hazard a guess that many, if not most organizations are usually at the “unsettled” or “struggling” level. The enterprise is concerned with the seemingly never-ending cycle of vulnerabilities, attacks, and sub-optimal security and compliance, which need to be addressed. They just never feel protected, or prepared, enough. Looking at your organization’s cybersecurity state along a spectrum, is merely another way of assessing your current situation, which may be advantageous in the iterative refinement of your situation.?

Accurately assessing your cybersecurity state in a manner that is easy to communicate to others, is a valuable asset in focusing efforts and investments in the areas that need it most. In the enterprise, we are often asked the question by our senior leadership, “are we more or less secure today, than we were yesterday?” or perhaps, “are we more at risk today, than we were yesterday?”. Using a simple range or spectrum of state, can be a good way of answering such questions. Pick a format that will best resonate with your organization. Perhaps you will go with keyword labels like those in the mental health spectrum, or maybe color codes like the original terrorist threat level designation, or even just a simple numeric range (1-5) [4][5][6]. Just like mental health is not binary (sick or healthy), an organization’s cybersecurity posture is not secure or insecure. It is a range of cybersecurity health. Awareness and understanding of this spectrum by your community, will be a positive contributor to how your organization manages cybersecurity and risk.?

In closing, I’ll just say that this has motivated me to want to research and discuss more with my colleagues, both mental health in the workplace and what changes we might make in how we summarily assess and communicate our cybersecurity situation each day.

Disclaimer:

Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important, or at a minimum, more interesting.

References:

[1]?NAMI.org,??“Mental Health Awareness Month”

[2]?Udemy?course on this topic, “Workplace Mental Health: A Manager’s Ultimate Guide”.

[3] W. Rippon, LinkedIn article, https://www.dhirubhai.net/pulse/sometimes-good-just-say-same-thing-different-ay-bill-rippon/

[4] U.S. Department of Homeland Security (DHS),?National Terrorism Advisory System

[5]?https://en.wikipedia.org/wiki/Homeland_Security_Advisory_System

[6]Watchguard’s Threat Detection and Response (TDR) “Cybercon” levels (1-5)??