Stretched and stressed: Best practices for protecting security workers' mental health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. Here's how savvy security leaders can best support their teams today — wherever they're working.

Security researcher Amanda Berlin’s anxiety started when she was a teenager, but it went undiagnosed and untreated for a long time, as it took her many years to realize she needed help. One night, when she was 25 and married with two kids, she had a breakdown. “I remember getting out of the shower… and I just started bawling, sitting on the floor of the bathroom,” she told the audience at Northeastern Ohio Information Security Forum in 2017.

“The inside of me was all static. It physically hurt me when I tried to speak,” she said. “I realized at that point that I probably should try to figure out what was wrong with me.”

After she got better, Berlin started talking about her experience of managing depression and anxiety while working from home and caring for two small children. Her tweets got a lot of attention from infosec professionals facing the same struggle, and soon she founded Mental Health Hackers, an organization that aims to educate security professionals about “the unique mental health risks faced by those in our field.”

Berlin, who is also a senior incident detection engineer at Blumira, believes that the recent shift toward working from home has put even more pressure on infosec professionals. During the first months of the COVID-19 outbreak, remote workers were 30% more likely than others to say their mental health had declined, according to a survey carried out by SAP, Qualtrics and Mind Share Partners in March and April 2020.

“While many cybersecurity professionals already had experience with partial telework, most of us were unprepared to suddenly work from home 100% of the time,” says Dr. Celeste Paul, cybersecurity researcher at the National Security Agency (NSA), which has done a number of studies on the human aspects of working in infosec. “For a community who has such a strong self-identity tied to work, the inability to get work done only further contributes to the stress we carry.”

Fatigue, frustration, and loneliness are felt across the spectrum, from entry-level jobs to CISOs, both in the public and private sectors. “We have seen employees break down with mental and physical exhaustion and frustration because of the remote work situation,” says Bob Kedrosky, senior HR director for the Americas at Trend Micro.

Supporting these employees is not only a humane way to run a business, but also a cost-effective one. According to the World Health Organization, for every $1 put into treating common mental health problems, there is a return of $4 in improved health and productivity. This year, most companies that employ security teams have looked for ways to better support their remote employees, and to assist those who are just starting to turn their living room into an office.

“Sensitive and liberal” security leadership

Tim Callahan, CISO of insurance provider Aflac, likes to keep his virtual meetings casual. His background is often a beach, a forest or a Simpsons poster. He wants to be the kind of leader his employees find it easy to talk to, and when his team transitioned to remote work in response to COVID-19, he quickly realized that people’s wellbeing was just as important as the work they did. “As leaders, we’re here to serve our teams and enable them to do their job,” he says.

Callahan is in fact a strong supporter of the “servant leadership” philosophy. Such managers reach out to employees and say things like: Are you struggling with something I can help you with? Is there something that I can do to help you achieve your goals?

These questions always help an on-premises team achieve its goals, but they are even more relevant for a distributed one, he says. When his employees started to work from home for the first time, and juggled family life with a full-time job, Callahan tried to be “sensitive and liberal,” allowing them to have flexible schedules and work late in the night if that suited them best.

Trend Micro's Kedrosky also sees value in this approach, and he even suggests adopting loose deadlines. “No stress with kids, no stress with ‘previous’ deadlines, and do your best in your situation,” he says.

To help remote teams stay motivated and in good mental health, Kedrosky recommends that leaders display empathy, transparency, and even vulnerability. “Ensure your employees know they can be open with you without penalty,” he says. 

Maintain good communication among security team members

Good communication is a key ingredient for successful remote teams, says NSA's Paul, who spent countless hours at the beginning of her career trying to learn how security researchers work, what they need to achieve their goals, and how much pressure they put on themselves. “Part of the fun was hearing their war stories, and I started to notice how much of the mission they carried with them outside of the workplace,” she says. “I wanted to understand what caused stress in cybersecurity and what I could do to help operators better manage it.”

Paul says collaboration is a strong part of the culture of any infosec team, and that’s why managers need to help employees maintain that sense of community even when working from home. “Many people still felt incredibly isolated,” she says. “Video teleconferencing helps fill that gap but has its own cognitive costs in the same way that hands-free talking on a cell phone is more difficult than talking to a person next to you in a car.”

To strengthen teams, she recommends that managers schedule virtual meetings for small group tasks that might otherwise be accomplished via email or chat. This also gives employees a chance to engage in digital watercooler conversations and solidify bonds.

Such casual online meetings and one-on-ones are also what Aflac’s CISO Tim Callahan is implementing to keep his online team engaged and to check on everyone’s wellbeing. “I've actually had, in some cases, more meaningful conversations with folks, getting to know some of the team better because we're sitting relaxed, at home,” he says. “We’re not in a sterile office environment.”

The year 2020 has made Callahan a better manager, he says, one who puts on-site employees and remote workers on the same page. “The pandemic has leveled the playing field,” he says. “When we were having meetings with people that were in the conference room versus the people that were calling in, there was always the feeling that the people calling in were not really part of the meeting.” Now, with everyone working remotely and everyone’s voice being equally heard, “I think we get better ideas, better discussions.”

Help remote security workers optimize their home office

Like most security researchers, Marco Figueroa loved to go to his office and travel to conferences, but all that changed at the beginning of 2020 when he started working from home. He quickly felt the drawbacks of being alone, and he knew he needed better strategies to get his job done. Yet he also realized that he wasn’t alone in this.

Figueroa started to do video interviews with security professionals from across the world, asking them about the challenges of working from home and the things they do to stay motivated and maintain good mental health. He took much of their advice. “One of my strategies that I've started incorporating — and I think everyone should — is a routine,” he says. “That allows you to set a goal and springboard your morning or your afternoon to achieve that goal.”

Figueroa also divided his living room into different areas. There’s a main working space where he does his job, but also a few relaxation spots for meditation and listening to music. He says companies should support employees with whatever they need to be comfortable when working from home, to help relieve potential stress and frustration. “If you give people an allowance of $500 to $600 for an ergonomic chair or a standing desk, people will buy it,” he says. “Get them the best keyboard because they’re typing all day. Get them the best mouse, so their wrist doesn’t hurt.”

At Trend Micro, employees also have the option of purchasing an extra monitor, a printer, a scanner, or whatever they need to make their home office more suitable, Kedrosky says. “We also asked all employees to take whatever they required from the office to make their home office more comfortable,” he adds.

Encourage remote security workers to take personal time

Security researchers often love what they are doing, so it’s not uncommon for them to put in 14 or 15 hours a day for several days in a row. Add the fact that many infosec jobs are highly stressful and it’s easy to see how this could lead to burnout and other mental health issues.

Noticing whether an employee is overworked can be difficult in a typical office environment, and it’s even more challenging if that person is at home. This is why team leaders should encourage security researchers not only to work, but also to stop working, says Paul. “I recommend to keep office hours so workers can feel comfortable disconnecting from email in the evening,” she says, adding that ground rules are necessary so that at the end of the day, the home office can turn back into a home.

Taking breaks is an effective long-term strategy to keep mental health in check. In fact, the more time we spend on job-associated tasks, the more we need to recharge ourselves, write bestselling authors Jim Loehr and Tony Schwartz. Small breaks are recommended during the working day (which is why psychologists advise against eating in front of the computer), but employees should also take at least one day off every quarter for self-care. “If possible, take two or more consecutive days off rather than a single day here and there,” Paul says.

Many security companies provide remote researchers with relaxation activities that can relieve stress, and help team members bond, says Kedrosky. Trend Micro offers, for instance, virtual escape rooms, online movie nights, trivia competitions, cooking classes, and virtual happy hours.

Becoming a (mental) athlete

In recent years, Mental Health Hackers’ Berlin has organized several Wellness Villages at security conferences, allowing professionals to try massage chairs, weighted blankets, stress dolls, meditation techniques, talking to a therapist, or yoga. “Personally, I love yoga,” she says. “I try to do it every day, so I’m keeping a schedule.”

Berlin also enjoys walks, bike rides, kayaking and other outdoor endorphin-releasing activities. It helps that the company that employs her, Blumira, pays for these hobbies. “We get money every month to spend on yoga lessons, or gym membership, or therapy, or massage, specifically for mental health-related things,” she says. 

Some security companies have extended these benefits to their employees’ families. One such example is Arctic Wolf, which has modified its corporate policy around IT tools so that its researchers could use their premium video conferencing solutions at no cost to stay in touch with family and friends as well.

This, together with self-care, self-awareness, and discipline, is vital when working from home, says Figueroa. He sees hackers as “mental athletes” who perform daily for nine hours or more and need to be on their game at all times. Just like runners or boxers, security researchers must pay attention to how they spend their time, what they eat and how much they sleep, habits that are associated with good mental health. “If I don’t sleep more than six hours and 53 minutes, I’m not performing at my best,” he says. “So, for me, I’m very strategic on how many hours I sleep and when I wake up.”

After more than six months spent working from home, Figueroa is happy to say he is now performing at his best most of the time. On top of that, he’s drinking less coffee and eating healthier, which allowed him to shake off 20 pounds.

Such small wins have helped him stay positive and, just like Berlin, he is trying to motivate others. Working from home does feel lonely at times, but it comes with increasing flexibility that can be put to good use, he argues. For some people at least, having a living room office means less time spent commuting and more time spent learning new skills. “Now it is the time to really 10x yourself,” he says.

Copyright © 2020 IDG Communications, Inc.
