CREST REPORT – Stress and Burnout
Stress and burnout is a very real and seriously underappreciated issue that is becoming more and more apparent. Cyber security professionals are one of our nation’s greatest assets, from protecting critical infrastructure to protecting your online purchases. These professionals work out of sight, and unfortunately that also means that their hardships are mostly unseen. Here is a summary of the “Combatting Stress and Burnout in Cyber Security” CREST report. It was born out of a workshop that aimed to raise the profile of the issue for employees and employers. The workshop discussed various approaches to support the workplace as a whole: retaining industry professionals and providing assurances that stress and burnout is recognised and real, and that steps are being taken to combat it. The information gathered from the workshops and online contributions very clearly shows that stress and burnout in cyber security is a very real issue, with most of the fundamental needs for combatting it not being met throughout the industry.
Stress is not necessarily entirely negative for cyber security professionals (CSPs). Indeed, CSPs tend to be drawn to high-pressure situations even in spite of difficulty: brief stress can be stimulating, motivating and even enjoyable and, drawing on the notion of eustress, some individuals perform better when mildly stressed (Fevre, Matheny & Kolt, 2003). However, when stress is continually experienced beyond an individual’s limits, they run the risk of burnout. Burnout is essentially a state of physical, mental and emotional exhaustion and does not improve your performance.
Recent studies have shown a variety of contributing factors to the increase of stress and burnout in CSPs. Rather than a singular factor, the nature of the work confers several issues, combined and interdependent, that result in a naturally stressful working environment. Several reasons cited by CSPs are as follows: constant and increasingly sophisticated attacks; lack of downtime; solitary nature of remote working; a skills shortage; threat of job loss or replacement. These are just a few of the issues CSPs are dealing with, often alone, on a daily basis. Unfortunately, the statistics paint a worrying picture, with 30% of team members experiencing ‘tremendous’ stress; 27% of CISOs admitting to inhibited performance due to stress; and 23% of CISOs stating stress affects relationships outside of work.
The workshop was divided into two parts to reflect the main objectives: 1) to increase the understanding of stress and burnout in terms of fundamental human needs and resources, and how people can recognise when they or others are merely surviving; 2) to provide practical tools and ideas to combat stress and burnout and move towards reviving and thriving in the cyber security workplace.
The first section of the workshop posed two questions to participants, asking them to consider the fundamental human needs that, when met in balance, enable a human being to be mentally healthy, and to consider what innate resources human beings possess to help them meet their emotional needs. Participants’ answers were well in line with most of the essential human needs and innate resources identified in historic social sciences research, and their relevance was discussed in terms of the cyber security context. The need for security captures most physical needs, but in the context of cyber security it refers to an environment where people can live and work without experiencing excessive fear of losing their job or not feeling part of a team, allowing healthy development of individuals and families. Without security, individuals may experience an inability to meet other basic human needs such as food, shelter and warmth. The need for control explains that CSPs require a sense of autonomy and a choice over what happens to them and others: the experience of feeling well-supported but also independent. Other needs identified include emotional connection to others; a connection to the wider community; privacy; status; achievement and competence; meaning and purpose. Innate resources identified by CSPs include long-term memory; rapport; emotions and instincts; observing self and others. It is important to identify and understand fundamental human needs and also the innate resources we have to meet these needs. An individual’s ability to utilise these resources correctly and healthily is hindered when they are experiencing too much stress.
To build on this, participants were also asked to consider what barriers may be present and prevent needs being met, both generally and with a focus on the cyber security workplace. Participants identified a variety of barriers present specifically in the cyber security world that supported previous research findings on stress and burnout and could be placed into one of the three following categories: environmental toxicity (workplace bullying; poorly managed change; remote working without adequate support; unhelpful culture regarding wellbeing); a person’s internal ‘guidance’ system is damaged (unhelpful conditioning; psychological damage due to trauma); missing coping skills (excessive worrying and rumination, attentional deficit, unrealistic expectations). Following on, participants were asked to consider the signs and symptoms of stress and burnout to look for in oneself and one’s colleagues. Again, participants were able to converse very well on the warning signs of stress and burnout, naturally considering burnout as a temporal construct with varying symptoms depending on severity. Participants identified that in the early stages, individuals may seem anxious, lacking in confidence or unusually erratic, and may show poor time-keeping and overwhelming feelings. When these minor changes go unnoticed, the effects can compound into more noticeable or prolonged changes such as insomnia, reduced performance and increased substance intake. Eventually this compounding leads to feelings of hopelessness, extreme loss of motivation, not caring and potentially more serious psychological distress.
The second workshop section focused on the ability and tactics to combat stress and reduce its effects for oneself and colleagues. Using research in the cyber security industry, several areas were identified as potential targets for stress and burnout reduction and prevention, namely: lack of appropriate self-care; management/staff relationships; team models and ways of working; working environment; technology/task automation; integration of security into systems. Using these frames, participants were asked to keep the previous workshop topics in mind while formulating potential strategies. With respect to looking after oneself, there are a number of ways to relieve stress; however, finding the right balance is equally important. Participants postulated a variety of methods for helping themselves: communication of struggles to family and friends; using wellbeing applications; using reframing (challenging assumptions, looking for learning opportunities in situations); relaxation techniques (breathing, muscle tense/relaxation); mindfulness. Participants also discussed a variety of specific techniques relating to each identified problem area in cyber security (manager/staff relationships, working environment, team models). Briefly, some techniques identified were: manager compassion (thanking team members, formal structured review and check-in process, raising autonomy by supporting staff to make their own decisions); promotion of monotasking and flexible working; selecting appropriate team members for tasks based on specialty; regular time-off (extended holidays, 3-day weekends); team social events; prioritising menial tasks; access to psychoeducation/training/workshops; automation of tasks.
The report highlights a clear distinction between physical and psychological needs and physical and psychological wants. Management should have a high degree of urgency around creating an organisational culture that flourishes to serve both employees and consumers. Given the differential nature of businesses and organisational culture, there is unlikely to be a one-size-fits-all approach to nurturing employees; instead, individual assessments of the psychological needs of both employees and consumers need to be integrated into the conception of organisational structure. The alignment with human needs and resources should always be at the core of business conception.
This article was written as a highlight piece for the CREST Combatting Stress and Burnout in Cyber Security – From Surviving to Thriving by David Slade. The full report can be found here: https://www.crest-approved.org/wp-content/uploads/StressBurnout-2020.pdf
Note this will take you to an in-browser PDF viewer for download or viewing.
References
Fevre, M. L., Matheny, J., & Kolt, G. S. (2003). Eustress, distress, and interpretation in occupational stress. Journal of managerial psychology, 18(7), 726-744.