Hopelessness in Cyber

For all of my friends who may be struggling in cyber.

Why is the suicide rate so high in cyber security and what can we do about it?

As someone who has lost more than a few friends to suicide, and one in the past 12 months, I am stunned at the stats in cyber security. What are we doing wrong? What can be done to reduce these numbers?

According to a Cyber Security Research Institute survey conducted in October 2020 which asked over 2,000 cyber security professionals about their mental health, over one-third of them have considered suicide, and nearly one-fifth have attempted it. This is a truly horrifying thought and does not bode well for those who choose this industry or for the industry itself.

The cyber security industry is one of the fastest growing and most important of modern times. There are massive shortages of qualified talent and far too many are being asked to do more than humanly possible. As history proves out, it is very likely that those who keep their jobs in the coming recession, will be asked to do far more with less, and against growing threats. Cyber is also one of the most challenging career choices that often demands long hours, perpetually moving goal posts, constant interruptions and unrelenting pressures from multiple sides. Management often places intense pressure and unrealistic expectations on those tasked with defending our computers that run literally everything.

Cyber is sadly, (while in my view by far one of the most important jobs of today), one of the most under-recognized and undervalued roles out there. The efforts of cyber security defenders are often only seen when they try to institute a desperately needed defense that people are resistant to or after years of never having an incident, one happens. Then all of attempts to tighten security are forgotten and the years of successful defense are literally thrown out the window.

Cyber security professionals are all too often faced with a severe lack of resources, and management and co-worker support. There is little to no understanding from employers, peers, and worse yet the woefully ignorant public that fails to see that their resistance to follow even basic protocols is more often than not the trigger of breaches.

I suppose with what I know of how cyber defenders are treated in general, I should not be surprised that the suicide rate in the cyber security industry is disproportionately high. In fact, the rate of suicide ideation in cybersecurity is not just a little bit higher based on the stats, but rather more than double the rate of the general population. As we all can understand, the reasons for the gigantic difference are varied and complex. I will repeat, cyber security professionals are often overworked, underpaid for the time they invest, and certainly under-appreciated.

As the threat landscape, expands, evolves and becomes more profitable for criminals, the need for more sophisticated security solutions grows. This all leads to even greater pressure on cyber security professionals. Our industry is suffering from massive burnout and a feeling of being overwhelmed or even hopeless in some more severe cases. Cybersecurity professionals are seen as loaners or introverts, but it goes further into the realm of social isolation and loneliness.

The lack of understanding and empathy from their employers, peers, and the public, often makes doing the hard and tireless work a very lonely and thankless task. Some people say we in cyber have it easy. We can work from home and it is easy non-physical work. The truth is that the level of responsibility for other peoples’ lives (medical, finance, law enforcement, national defense, infrastructure) is at times unrelenting. Most people don’t ever experience what it is like to have a 911 system, or 5,000 peoples’ jobs, or potentially hundreds of thousands of patients’ abilities to get care or the safety of our key defenses in your hands. But they are quick to blame the cyber security team when something goes wrong, no matter how little support they were provided in trying to prevent the event.

While there is no easy answer, there are a few things we can do to reduce the rate of mental health challenges and more specifically suicide in cybersecurity. We can seek to raise the quality of life for those who may be challenged but do not have such serious issues as suicide ideations.  

Employers and peers should be more understanding and supportive of cyber security professionals. This includes providing more resources, support, and recognition of their value and efforts. They should be encouraged to take breaks, rest, disconnect without the incessant Boo Hoo interruptions, emails, calls, etc., that make taking time off in this industry pretty much useless. This can be done by forcing the taking of regular vacations (without interruptions), engaging in recreational activities (without interruptions), and setting healthy boundaries with work that are enforced at the highest level of the company.

When things do get difficult, cybersecurity professionals should be encouraged to reach out for help when they are feeling overwhelmed or struggling. They should be able to do this with support and without concerns for their positions, etc.  This could include ensuring they talk with a mental health professional, or get other professional help when needed.  

Reaching out to a friend who you think may be having a rough time, or better yet, who would simply enjoy the conversation, can have a huge impact. Co-workers should look in the mirror and check themselves so they may refrain from complaining about unimportant things, making a big deal out of inconveniences that are necessary and generally being jerks to those who are really just trying to protect them from themselves and honestly others’ jobs from jerks who care only about how easy something is for them to do...to he!! with the security.  

According to another survey of 1000 cyber security employees in 2022 by Tines, 64% of respondents say that their mental health affects their ability to get their work done, and 64% say their work impacts their mental health. The survey also found, 51% of respondents have been prescribed medication for their mental health, and of those, 58% are currently taking medication for their mental health. Additionally, 49% are currently seeing a therapist.

Bottom line is, we have a problem that is simply not being addressed fast enough or with the vigor and commitment it should. Initiatives to address stress, burnout and depression start because they feel good, but then as I have seen lately in projects I have been pressing for outside of my own employer, they simply go nowhere.

Employers are often the worst at allowing for actual downtime, demanding professionals that are on vacation be left alone, and being sure the cyber professionals responsible for the security of the company assets, get the level of support that other critical areas of the company receive.

Above all, park the judgment and criticism and support those who are ALWAYS on supporting and defending your jobs, privacy and lifestyle.