Celeste Paul had worked for the U.S. National Security Agency (NSA) for several years as a researcher, and over time she noticed a troubling trend. Operators, some of the NSA's most vital assets, were exhibiting signs of stress and burnout.
While everyone experiences stress, chronic stress can have profound impacts on a person's mental health—especially if that person has an underlying health condition—including anxiety, depression and a decrease of cognitive ability.
Paul and her colleague, Josiah Dykstra, decided to conduct a survey to see how fatigue, frustration and cognitive workload affected real-time tactical cyber operations, and they made the results, Cyber Operations Stress Survey (COSS): Studying fatigue, frustration, and cognitive workload in cybersecurity operations, publicly available so others could learn from it.
They wrote that the high-risk, high-reward nature of the cybersecurity profession, like many other stressful occupations, can negatively impact the workforce. "While considerable research has helped evaluate and improve technology resiliency, human resiliency has been understudied despite the important role of humans in the design and execution of cybersecurity programs."
Greater understanding of human resiliency under stress for tasks that involve "attention, memory and visual perception" would be beneficial for the people performing these tasks—and the organizations they work for.
"We know that stress negatively affects cognitive abilities, task effectiveness and general well-being," Paul and Dykstra explained. "These types of effects are harmful to high-risk, mission-critical environments where failure has great consequence."
Stress is the bodily response to pressure from a life experience or situation. When a person encounters stress, the body produces a stress hormone to initiate a "fight or flight" response and activate the immune system, allowing the person to react quickly to a dangerous situation, according to the United Kingdom's Mental Health Foundation.
"Sometimes, this stress response can be an appropriate, or even beneficial, reaction," the foundation explained. "The resulting feeling of 'pressure' can help us to push through situations that can be nerve-wracking or intense, like running a marathon or giving a speech to a large crowd. We can quickly return to a resting state without any negative effects on our health if what is stressing us is short-lived, and many people are able to deal with a certain level of stress without any lasting effects."
But if stress becomes excessive, or if a person feels he or she has no control over the stressor, there can be lasting repercussions.
"If our stress response is activated repeatedly, or it persists over time, the effects can result in wear and tear on the body and can cause us to feel permanently in a state of 'fight or flight,' " according to the foundation. "Rather than helping us push through, this pressure can make us feel overwhelmed or unable to cope. Feeling this overwhelming stress for a long period of time is often called chronic or long-term stress, and it can impact on both physical and mental health."
For instance, chronic stress can disturb the immune, digestive, cardiovascular, sleep and reproductive systems, the National Institute of Mental Health (NIMH) explained in a fact sheet.
"Some people may experience mainly digestive symptoms, while others may have headaches, sleeplessness, sadness, anger or irritability," the NIMH stated. "Over time, continued strain on your body from stress may contribute to serious health problems, such as heart disease, high blood pressure, diabetes and other illnesses, including mental disorders such as depression and anxiety."
Types of Stress
Stress is the bodily response to pressure from a life experience or situation. It is typically divided into three types:
Acute Stress: The most common type of stress, resulting in a "fight or flight" response where symptoms disappear as soon as the stressor is gone.
Episodic Stress: When acute stress occurs regularly and a person does not have time to recover from the stressor, which can result in a lower overall tolerance of stress and increased sensitivity to stressors.
Chronic Stress: Long-term stress from situations where a person feels he or she does not have control over the outcome, potentially causing serious effects to mental and physical health.
When it comes to work, many people who experience chronic stress also begin to show signs of burnout or mental exhaustion. For instance, in a study of its workforce, the U.S. Air Force found that "shift work, shift changes and hours worked contributed to high occupational stress and burnout in cyber warfare operators," Paul and Dykstra wrote.
Paul and Dykstra's survey participants were asked to self-report their fatigue levels (pre- and post-operation), their frustration levels (pre- and post-operation) and their cognitive workload on 10-point scales.
In their analysis of 126 cyber operators—who completed 361 surveys total—Paul and Dykstra found that operator fatigue and frustration increased significantly during the course of an operation, which averaged 5.12 hours.
The survey authors also assessed that the nature of the work—where failure is not an option—was mentally and physically demanding, increasing the level of stress operators experienced during their work.
Dykstra and Paul's research ultimately led to changes within the NSA to acknowledge and support cyber operators' mental and emotional well-being, especially when they were managing operational stress.
"Training for this type of work is extensive, expensive and employee turnover is costly," they wrote. "The health of your talent is as much of a risk management issue as it is a human resources issue."
The NSA looked at Maslow's hierarchy of needs—physiological, safety, belongingness and love, esteem, and self-actualization—and used that to create a Hacker's Hierarchy of Needs, Paul said.
"We have a lot of the same needs. We need equipment—tools and access before anything else—but once we have those authorities, do we have a team and organization that supports us?" she asked. "Once we start getting into esteem and self-actualization, this is where we talk about what we need to be happy."
The NSA's mission requires the formation of a team of people who strongly believe in the organization's mission and are willing to take risks to achieve something greater than themselves. And to recruit these individuals—and retain them over the long term—the NSA has taken steps to promote a greater value of work/life balance and a culture of mindfulness.
"We've put a lot of effort into developing employee and wellness services, and a civilian fitness program that lets people work out on duty time," Paul said. "And we have a mindfulness program and a meditation program, which teach great techniques and team building."
Acknowledging that some of the stress operators experience related to their work cannot be shared with individuals who do not also work at the NSA, the agency created a mentoring program where employees can discuss interpersonal or work conflicts while promoting balance.
"Sometimes you need someone to remind you that work/life balance is important," Paul said. "Sometimes we think of work/life balance as a selfish thing, but it's important because we bring so much into work with us. Managing that balance can help us manage our stress better and be better hackers."
The NSA is not the only organization taking an aggressive approach to promoting work/life balance for cybersecurity employees. IronNet, a cybersecurity firm founded by retired Gen. Keith Alexander, former head of the NSA, has also adopted this stance because cybersecurity is a field where there are currently not enough people to meet the demand, says Bill Welch, co-CEO of IronNet.
To promote balance, IronNet has an unlimited vacation policy and does not use a time-clock system. This allows employees to produce their best work during the times when they are most productive, Welch adds.
"What we care about is outcomes," he says. "And I think that's what everyone should care about. Whether that takes you four hours or 40 hours, that's not relevant to us as a company."
And leading with this philosophy from the top is essential, Welch says, explaining that to help manage his own stress load, he works with his assistant to schedule time in his calendar for family events and important milestones, like his son's baseball games and his wedding anniversary.
He takes a similar approach with his team, checking in with direct reports to make sure they are spending time away from the office with their families so that when they come to work, they are more productive.
"That one or two days less at the company is not going to hurt our company," he explains.
This philosophy is reinforced by IronNet's HR team, led by Chief People Officer Melissa Logsdon.
"We do quarterly check-ins with all our employees," she says. "I, as an executive, put a lot of pressure on midlevel managers to make sure people are taking that time that they need. I tell my managers if their reports are not taking two or three weeks a year, you've got to have a serious conversation with them."
Recruitment and retention depend on the organization's building a support network in and out of the office, Logsdon says. For instance, IronNet regularly hosts company events at its sites around the world to allow employees to engage with each other in a low-stress environment, so when they are working on a high-stress project, they have an established rapport.
"We do company events so people like who they're side by side with," she adds. "We have those moments of intense work, where [operators] settle in and have to work a million hours, so it's essential that we're doing [the work] with people we like."
Being at this level of "plugged-in" with the people an individual works with and manages can help them spot the signs that an employee might be close to burnout and needs to take a step away.
Adam Darrah, director of intelligence for cyber threat intelligence firm Vigilante, says when he notices someone is putting in exceptionally long hours or is exhibiting a change in mood, he'll pull that person aside and ask them directly: What do you need? Do you need to turn your phone off and walk away for a few days?
"Thankfully, we have a very open team, and people are quick to support each other," he says. "But you have to intuitively understand how people are really doing and ask them directly. And if they won't tell me the truth, I'll just tell them they're fired for three days. Please turn off your phone and walk away—we're fine."
Another component of managing chronic stress and preventing burnout is ensuring that employees are engaged and feel like they are in control of their career plan. This often starts with some self-examination and having open discussions with mentors about where a person's career is going and the steps he or she needs to take next to achieve that next goal, says Ashish Gupta, CEO and president of Bugcrowd.
Gupta asks himself regularly: "What do I like to do? Am I good at it? Is it what I'm doing today?"
Posing these questions helped Gupta transition from primarily coding as an engineer at HP to a role he was more passionate about.
"What was really exciting for me was taking transformational technologies to market and applying them in a way to give value to the customer," he says, adding that this realization encouraged him to apply to business school, enter the consulting world and eventually make his way to Bugcrowd.
"I go back and ask: Am I doing the thing that I'm passionate about?"
Bugcrowd has implemented this philosophy into an initiative it calls Hire to Aspire. That effort has several goals: it focuses not only on hiring the right person, but also on equipping that individual to be successful in their new position and on helping them manage their future career planning.
"It comes back to learning and impact—doing that in a well-understood process, with a well-understood management team. It's a journey," he adds.
And to help retain employees and ward off burnout, it's essential to offer learning opportunities where security operators can grow their skill sets or explore new challenges.
"When we started out many years ago to build a community, we were very clear that we needed a Bugcrowd University that is built around and for the community," Gupta says. "We see trends happening in certain tech, we can take those and help people learn to fix associated issues."
Most importantly, though, is for people at all levels of the organization to treat each other with kindness so they feel supported in both life and work, Paul said.
Megan Gates is senior editor at Security Management. Contact her at email@example.com. Follow her on Twitter: @mgngates.
This article is adapted from Security Management Magazine with permission from ASIS © 2020. All rights reserved.