By Diana-Lynn Contesti (Chief Architect, CISSP-ISSAP, ISSMP, CSSLP, SSCP), John Martin (Senior Security Architect, CISSP-ISSAP, CISM, Open Group Certified Architect Master) and Richard Nealon (Senior Security Consultant, CISSP-ISSMP, SSCP, SABSA SCF)

Cybersecurity professionals are often faced with making difficult decisions under intense pressure with the potential of long-term effects on the business. Over time, this stress can weigh on cybersecurity pros and potentially cause “burnout” among employees as well as long-term psychological effects.

What can be done to prevent burnout among employees and how can we support our fellow colleagues? These questions are becoming more prevalent in the industry as security breaches become commonplace.

Recently a member of the (ISC)² Community asked for a guide, pamphlet or simply help for cybersecurity folks that may be suffering from Post-Traumatic Stress Disorder (PTSD) or even burnout due to events. Over the years, many in the industry have been through events that may or may not have lasting effects on their well-being; however, little to nothing has been written or documented.

You may be thinking that it will not happen to you. One can only hope that you will not experience a breach. According to the latest Verizon Data Breach  report, 61% of all breaches affect confidential data. It is possible that you will be the person who is tasked with understanding what happened and planning the corrective action. Initially, you and your team will be held responsible for any perceived failures and may already feel demoralised.

Much like first responders and members of the military, cybersecurity professionals can face moral dilemmas. Security workers may be asked to perform work that may be morally challenging, stressful and might even cause trauma.

Cybersecurity workers have the additional stress of questioning whether their employment may be terminated at the end of the investigation. Some countries have developed laws that require the use of external investigation contractors and mandatory reporting of incidents which can increase fear of job loss. Recently, we are seeing fewer organisations terminating employees as a result of a security incidents but this possibility is still a factor of incident response stress.

We would like to offer a few words of advice to those who may face a cyber event that leaves them feeling stressed or challenged. Examples might include (but are not limited to), failure to stop wastewater mixing with drinking water, failure to keep critical services operational (hydro, gas, water), or conducting surveillance in a potential conflict zone.

Where can you reduce the stress?

External stress, such as family life, can increase the pressure on security professionals during emergencies. Family commitments, combined with the long hours (sometimes) required during an event, can cause internal conflict for an individual. In these cases, we recommend sharing the workload and allowing others to manage the situation (this is true during a security breach or a disaster). Ensure your family is taken care of first. Remember if you have issues at home, this can distract you from doing your best when under pressure.

Prior to the event, if possible, always attend designated training sessions and practice runs. Prepare for the inevitable. But, remember it is almost impossible to plan for each and every event, but these sessions will allow you to be document steps that you may/may not take in an actual event. This step will allow you to develop a Breach/Incident Response Plan. We suggest you take a page from the disaster recovery planners and conduct tabletop exercises (https://www.ready.gov/exercises ).

You can reduce stress by knowing in advance from whom you should take direction – mixed messages coming from various managers/supervisors can cause unnecessary stress. Having a clear line of reporting documented before an event occurs can save time and reduce stress. We recommend creating a document that clearly empowers employees who are charged with coordinating an event. This document needs to be understood and embraced throughout the organization (including acceptance by middle and senior management). Things included in this document should empower the coordinator pulling/acquiring staff as needed, spending powers, ability to approve overtime and what may constitute an event.

Now that we have discussed items that can build stress as an event happens (loss of employment, family commitments, moral issues, etc.), let’s take a look at things that can be done to help alleviate stress, when an event is declared:

1. Document everything you do, who you speak to and what is said:
   • This is key. Documenting things as they happen (including instructions from management) can de-escalate some of the pressure one feels when the dust settles. Always keep a log with date/time and action. Make sure you sign entries with your signature. Use this documentation during a feedback session after the event.
   • Sign any Non-Disclosure Agreements (NDAs) and adhere to them. Use your moral compass.
   • Ask your staff or direct reports to also document everything.
   • When the dust settles, you will be able to develop a roadmap of everything that has happened and pinpoint what went right and potentially anything that may have gone wrong. Always have a formal feedback session after the event.

2. Follow your breach/incident response protocol and note any areas for change.
   • Ensure that you’re not conflicted morally or ethically. Struggling with your conscience will cause additional strain on your mental health and this may last long after the incident is over.
   • Stay strong to your principles and avoid being the cause of unnecessary tension or conflict within a team.
   • Develop a positive no blame culture within the team, stay objective but listen actively.
   • Know your limitations and ask for assistance or recuse yourself if you don’t feel that you can do a competent job well done.
   • Ensure you have a nominated spokesperson to deal with public relations (PR), keep them briefed, but let them do their job – keeping others from disrupting your thought processes, and decision-making capabilities.
   • Don’t allow distractions to get in your way.
   • Permit only authorised, required, and agreed communications
   • Recognise the signs of groupthink, and do not get trapped.
   • Don’t succumb to groupthink, where the abnormal can become normalized.
   • Take a few moments out to re-assess the situation at least once or twice per day.
   • If your supervisor taps you on the shoulder to take a break, take a break, don’t ignore their advice. You may have to work in shifts.
   • If your emotions are welling up during the situation, step aside and take a break and re-assess your participation and the situation.

3. Understand you are not alone.
   • Seek out folks to talk to either for help with the situation or just as a pressure release always being mindful that you might be legally prohibited in relation to disclosure.
   • Discussing the situation with your peers or other folks in your network is beneficial as it provides an emotional release with the side benefit of potentially finding a remedy.

4. When you get home, don’t isolate yourself – talk to family, let them know what you feel and how you are being affected.
   • This step allows you to decompress and gain support from your family and friends.
   • It also helps family/friends understand why your mood may not be normal.

5. Stay engaged, and active, get rest and eat, etc.
   • The initial reactions can be to withdraw or to commit to solving the problem without taking breaks.
   • Maintain your stamina by ensuring that you eat and get rest.
   • If you have an exercise routine, stick to it. If you don’t have one, it will not hurt to take a walk to clear your head. Take the dog out for a walk.
   • Make sure you get proper uninterrupted sleep (it may be necessary to take yourself out of an environment where you may be disturbed).
   • If you are into power naps, use them wisely.

Now that you’ve taken care of yourself, what you can do for your staff or others working on the event?

1. Have staff make notes on everything they are doing, always keep a logbook.
2. Use secure communications during the incident reducing the likelihood of leakage to the media and unauthorised personnel. Examples of tools include: “Signal” or “Telegram” which encrypt messages.
3. Stay away from drugs, alcohol, and other forms of fake euphoria. Stay away from disruptive influencers such as social media, which is often fake and is used to irritate rather than assist in the situation.
4. Provide leadership to your staff:
   • Lead by example.
   • Monitor staff and watch for burnout in them.
   • Ensure they rest.
   • Ensure they eat.
   • If needed, take them aside and talk to them to see what they may be feeling.
   • Run interference for them when necessary. That means that you may need to stop managers/etc. from interfering with their assigned tasks.
   • Support them by whatever means you can.
5. Finally, your last step should be to debrief your team and create a final report. We recommend that you do the following:
• Gather all participants (keep non-participants away). Non-participants can muddy the waters and may also discourage some folks from being honest.
• Discuss what happened.
• Use the notes that have been created.
• Fill in gaps in your notes.
  • Get clarification of points when necessary
• Discuss what went right and what went wrong, yes there will be things that went wrong.
  • This should include timing of events.
  • Was the call tree correct?
• Discuss whether their participation was appropriate or was someone missed.
  • Use this for the next time (hopefully there won’t be one) but it will allow you to get the right players in place rapidly.
  • If you missed someone, how could they have helped?
• Discuss what exactly happened.
• What was the breach?
• What data was lost?
• Is there a financial loss to the organisation?
• Will it cause reputational loss?

Once you have done the debrief, do the following:

1. Take a rest.
2. Formalise your report:
   • Collect your thoughts.
   • Document your findings.
   • Document recommendations.
3. Meet with Management (do not include participants).
4. Issue a formal report. 

Once you have met with management and issued your final report, we recommend that you take some downtime to re-invigorate yourself. Reward your team, even it is only coffee and donuts, to say thank you.

This is not an exhaustive list and is meant to be a snapshot of examples that can assist in minimizing the stress/angst felt by you or your staff before, during and after a security event.

We welcome all comments, in the hopes that this will allow cybersecurity professionals to deal with stress or PTSD.