Security

How to Support Mental Health for University Cybersecurity Professionals

The high-stress nature of the discipline means prioritizing workers’ well-being to prevent burnout.

Amy McIntosh is the managing editor of EdTech: Focus on Higher Education.

Protecting a higher education institution’s sensitive information is a high-stress job. The day-to-day responsibility of maintaining a secure technology environment is a lot for an individual to bear, and experts suggest that the pressure and expectations placed on the cybersecurity unit, and on the CISO in particular, can take a toll on their mental health.

In a Dark Reading webinar, held Feb. 10, representatives from computer security software company Netskope spoke with Marcia Goddard, neuroscientist and chief corporate officer for The Contentment Foundation, about perspective, strategies and resources for security leaders to support their teams’ mental health and wellness — and their own.

“As a cybersecurity professional, you deal with threats,” said Goddard during the webinar. “It’s your job to deal with something that you cannot see, that is not there — and if you do your job well, it will never be there. From a neuroscientific perspective, your brain wants to see what it has to run away from. If it cannot see it, it remains in unpredictability mode all the time.”

FIND OUT: Tips for dealing with digital fatigue in higher ed.

She explained that the brain will create a stress response that will keep reoccurring, because the threat is always there. Even if one problem is solved, there might be another around the corner.

According to Shamla Naidoo, chief security officer and head of cloud strategy at Netskope, the stress of the job can seep into all areas of a person’s life.

“The CISO job is not just difficult and challenging, but the volume can also be overwhelming,” Naidoo said in the webinar. “What happens is that you spend most of your waking hours — and, frankly, sometimes your sleeping hours — thinking about the job, the technology, the bad actors, all the things that are happening, and you leave yourself very little room for self-care.”

There has long been a stigma about addressing mental health and wellness, particularly in the workplace. But in order to support cybersecurity and IT staff and equip them to successfully do their jobs while maintaining their mental well-being, university and IT leadership should make this support a priority.

Click the banner below for exclusive content about cybersecurity in higher ed.

Mental Health Support Should Start at the Top

To prioritize mental health and wellness in higher education organizations and to ensure employees are comfortable asking for help when necessary, senior leadership should lead the charge. Often, when topics like mental health are brought up, organizations will look to HR to take the reins, but senior leaders who have invested in cybersecurity teams should be paying attention as well.

“Cybersecurity has become a board-level conversation that has sponsorship from the CEO,” said Mike Anderson, chief digital and information officer at Netskope, in the webinar. “The mental health of our teams and our leaders should also have that same priority.”

Within the IT department, empathy and active listening are key to supporting team members.

“As leaders, I think one of the things we have to do is keep an eye on the well-being of our teams,” Naidoo said. “It’s not just in what they say. It’s in what they don’t say. It’s not just in what they do. It’s in what they don’t do.”

Goddard suggested integrating well-being best practices into existing structures, like performance reviews or employee engagement surveys.

“Being well is not the same as being happy,” Goddard said. “So, as a leader, don’t try to make your entire team happy all the time. I think that’s the trick to maintaining your well-being when you aren’t happy — that’s what you want to focus on.”

Naidoo warned that for IT leadership, it’s important to balance these tools against the time constraints and requirements of the job.

“As a practitioner, we are really busy, and CISOs in particular are very busy,” said Naidoo. “So, one of the things we have to do is make sure the resources are not so time-consuming that it shifts focus from the priorities of the job, but it actually does shift into focus the personal priorities without taking up the entire day.”

Goddard said that practicing gratitude is a simple way to maintain well-being throughout the day.

“It’s about simply taking a moment as an individual or as a team leader together with your team, which would be ideal, to consciously think about and talk about what you’re thankful for,” she said. “Practicing gratitude actually activates a brain system that’s involved in feelings of positivity and relaxation because it helps to restore balance in your body.”

Mindfulness is another technique to practice when you’re overwhelmed. Goddard recommended a 60-second technique to relieve stress: Near a window, take three deep breaths, close your eyes, and for 20 seconds describe to yourself what you’re hearing. Then, for the next 20 seconds, describe what you’re seeing. For the last 20 seconds, describe what you’re feeling.

“It takes one minute, and it has a massive impact on your immediate stress response,” she said. “You will immediately calm down. This is not an hour of meditation. This is 60 seconds out of your day.”

DISCOVER: How to avoid security breaches within the IT department.

Mental Health Support Must Span Departments

The COVID-19 pandemic has impacted everyone’s work life in some way, not only cybersecurity or IT leaders. For those working remotely, in-person interactions have moved to video calls, which eliminates some of the interpersonal connections one might have gotten from being in person, sharing meals and casual conversations with coworkers.

“When we have a one-on-one with someone in our team, we have to ask a question: ‘How are you doing?’ And that isn’t about their job necessarily, but how are they doing overall?” Anderson said. “That’s something we have to be intentional about and ask. It’s really easy to be all about business, but at the end of the day, we’re all people first.”

No matter the department, it’s important that the organization’s culture encourages employees to use the mental health resources available to them.

“Psychological safety is what you need in your organization in order for any of this to work,” said Goddard. “A lot of organizations will have all these resources available, and then, on average, the research shows that only about 10 percent of people in organizations actually make use of resources. So, that means that there’s something in the culture that doesn’t create the space for people to actually do that.”

EXPLORE: 5 questions to ask when evaluating cybersecurity assessments.

As far as CISOs are concerned, Naidoo suggested putting some of the on-the-job skills into practice when thinking about mental wellness.

“We’re so good in cybersecurity at documenting and creating playbooks, creating opportunities for structure and discipline, to deal with large volumes and make everything manageable,” she said. Mental health “is no different. It just has to be a priority. We need structure. You should have a playbook for helping people and teaching them how to navigate this.”

metamorworks/Getty Images