As published in the July/August 2020 edition of InfoSecurity Professional Magazine

By Michael M. Hanna, CISSP

Defenders of the cyber domain carry a significant weight because of the demands placed upon them. In addition to the technical skills needed to protect companies and entire communities, cybersecurity professionals must have the know-how to protect information systems and data that support national security requirements, critical infrastructure and/or sensitive customer details. Our actions directly serve to protect and sup-port our families, significant others, friends and colleagues. These responsibilities surely carry a weight for us all and incur considerable stress. How could they not?

The stressors we experience on a daily basis can influence our well-being, on and off the job. Compound these daily stressors with “black swan” events such as the COVID-19 pandemic, and we have a recipe for significant mental hardships.

Inappropriately managing stress within security departments and teams invites unwanted consequences and results. Organizations may suffer from decreased levels of trust, lower performance and productivity, and higher instances of illness among employees. This, in turn, may result in higher risks to the organization and its employees.

Life hacks provide some benefits in managing stress through high-level tips, but by truly understanding stress models founded in psychology, leaders can establish appropriate practices and promote behaviors to better support the wellness of their cybersecurity professionals.

CRUSHING WORK CONDITIONS
Stress does not discriminate based on job ranks. It affects all levels of the team and is caused by different concerns and responsibilities. A report by ESG indicated that more than 36% of cybersecurity professionals are stressed from their workloads, communicating with business leaders, ineffective collaboration between security and other departments, and keeping up with security demands across IT initiatives. The latest CISO stress report from Nominet depicts a very concerning and disheartening picture of CISOs’ well-being. According to the study:

• 88% believe that they operate in a moderate or high stress environment 
• 48% stated that their encountered levels of stress have negatively impacted their mental health
• 35% stated that their encountered levels of stress negatively impacted their physical health
• More than a third admit missing a family vacation, child’s event, or major family milestone

While any professional can suffer from chronic stress, those in cybersecurity may pay a higher toll if relentless or acute pressure is not relieved. By understanding how stress functions, we can mitigate the mental anguish, physical health decline, interpersonal tensions and reduced productivity that are common in our profession.

DIATHESIS-STRESS MODEL
Diathesis refers to an individual’s susceptibility to develop-ing a pathological state. According to research , most diathesis-stress models agree that neither a person’s diathesis nor prior experiences to stress are enough to produce a disorder or psychological event on their own. Think of a spark as stress, oxygen as diathesis and a fire as the psychological event. The presence of both stress and diathesis are necessary to develop mental health issues, burnout, and poor or decreasing job performance.

A person’s diatheses include genetic, physiological, cognitive and behavioral factors. Physiological and psycho-logical stressors are common during major life disruptions, such as a death in the family, divorce or financial insecurity. For cybersecurity professionals, stressors may come from unreasonable executives, long hours at work resolving an information assurance event, or the constant belief that the security of the organization is solely up to you.

A great way to visualize the diathesis-stress model is with a simple analogy (see Figure 1, below). Let’s assume that Cup 1 represents Person A and Cup 2 represents Person B, with both cups holding the same volume of liquid initially. Assume that Person A is less vulnerable to entering a pathological state than Person B. Think of diathesis as the blue-colored fluid in the cup. Since Person B has a higher level of vulnerability, they have more fluid at the bottom and less remaining space in the cup. Next, let us assume that both individuals encounter the same level of stress (pink-colored fluid), but since Person B had a higher level of diathesis (vulnerability), their cup overflowed, and a psychological event occurred. From this analogy, Person A’s cup did not overflow, and they were able to handle the stress event. Two things to keep in mind here. First, a stress event can be a prolonged period of experienced stress or a singular event. Second, this is a very simplified explanation of the theory, but it helps drive home the point represented by Figure 1.

The diathesis-stress model also has been used to explain common conditions such as insomnia, depression and anxiety, all of which may have been experienced by cybersecurity teams. Ask yourself: When was the last time you had difficulty falling asleep or staying asleep because of the demands placed on you as a cybersecurity professional or your personal life? For anyone in the thick of it, the response is likely: “Very recently.”

With this stress model, acute insomnia and the harm it inflicts is influenced by diathesis components such as cognitive, behavioral and environmental factors. Cognitively, we may toss and turn in bed worried about a breach or internal forensics investigation. Environmentally, we may look through our phones or tablets while in bed in the name of needed research. Neither of these activities quiets the mind enough to doze off to sleep. And, if too many evenings go this way, it becomes more difficult to break the cycle, thereby causing more harm to both body and mind.

KEEPING THE CUP FROM OVERFLOWING

Although genetics and predisposed conditions influence diathesis, scientists believe diathesis may be changed over time. But we do have more immediate control of the stress component of the diathesis-stress model. Don’t get me wrong though: Taking actions to mitigate against personal vulnerabilities, such as speaking with a mental health specialist, can go a long way. Going back to the cup analogy, managing stress is like scooping out portions of the pink fluid with a spoon and discarding it over the side before the cup overfills. If we handle stress appropriately, we keep the cup from overflowing and maintain our well-being.

So, how can we each create an environment that fosters flow and reduces stress. According to Paul Zak, the found-ing director of the Center for Neuroeconomics Studies and a professor of economics, psychology and management at Claremont Graduate University, we need to create a high-trust environment. This involves a company’s leadership building and maintaining a culture of trust throughout the entire organization.

In examining these high-trust organizations, researchers have found: 

• 74% of employees experienced less stress
• 50% were more productive and 29% expressed higher job satisfaction
• Sick days dropped by 13% and self-reported employee burnout by 40%

The next question we must ask is: How do we promote a high-trust environment? Building upon Zak’s recommendations and incorporating various psychological principles, cybersecurity teams can promote high-trust environments by doing the following:

• Inducing stress through work challenges that are both achievable and meaningful. Achieving meaningful challenges also improves self-efficacy and may result in other benefits, such as increased performance.
• Allowing for autonomy and job crafting. Cybersecurity professionals should be given freedom to operate within their job descriptions and volunteer for projects that interest them. The Job Characteristics Model delineates that autonomy and task significance (belief in the importance of work) have been shown to improve employee performance.
• Focusing on relationship building. The chemical reactions from social belonging have been shown to reduce stress, increase performance and improve well-being. Building relationships aligns with Maslow’s Hierarchy of Needs and the Existence, Relatedness and Growth models that express the importance of human belonging.
• Promoting whole-person development. High-performance psychologist Michael Gervais points out that as human beings we can improve physically, mentally and in our trade. Undoubtedly, the cyber-security community places great value in improving our craft, but very little in our physical and mental development, which are important in achieving high performance and well-being.

One thing that I enforce is a “Wellness Day” in which my team members are allowed to take one day off each month to do whatever wellness means to them. It could be spending time with family, going out for a massage, or taking a long bike ride. I must advise against changing the name because it diminishes the intent of the day. Don’t be afraid to stand up for whole-person development.

POSITIVE PSYCHOLOGY AND FINDING YOUR FLOW STATE
Positive psychology focuses on enhancing the individual or community through all aspects of life, and it aligns with some of the examples we have discussed. Within positive psychology, a flow state is the feeling when you are in the zone and performing at your highest level. You are fully focused and immersed only in the present. It feels like nothing else is going on except for what you are doing at that moment. It’s our highest performing state. We all would love to be in a constant state of flow, but that’s not practical nor sustainable. Top athletes and performers only spend a fraction of their time in flow state because of several factors, including the difficulty of achieving flow. Figure 2 provides a graphical representation of the challenges and skills that must be balanced for cybersecurity professionals to achieve flow.

To help promote flow for yourself and your security teams, it is beneficial to:

• Have and delineate concrete goals.
• Pursue activities, projects and jobs that you enjoy.
• Ensure that work is appropriately challenging and based on skill.
• Give yourself and your security team the opportunity to fight through challenges and develop. 

WHAT NEEDS TO BE ‘STRESSED’
If you are in a leadership position or have direct reports, challenge yourself to promote an environment of high trust, focus on relationships instead of solely being task-driven, and develop teams that consider everyone’s well-being before, during and after a stressful event, or series of them.

We are certainly faced with a workforce shortage that naturally induces stress. Add in unique events like the anxiety-inducing pandemic we’re all living (and working) through, and it’s no surprise stress levels are at an all-time high.

Like a fixer-upper home, sometimes the best results come from refining and improving an existing structure, rather than just tearing it down and starting from scratch. Build on what you have, within your teams and within yourself. Personally challenge yourself to develop more than just your trade craft. Push to improve physically and mentally. The benefits of whole-person development are significant and will bring out the best in you and your teams, while contributing to your well-being. 

MICHAEL HANNA, CISSP, is a member of the U.S. military. The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.