How CISOs can deal with cybersecurity stress and burnout

Working in emergency medical services, or EMS, and cybersecurity aren't as different as one might think, according to Rich Mogull, CEO at Securosis, a security consulting and research firm located in Phoenix, and CISO at DisruptOps, a cloud security automation management firm based in Kansas City, Mo., especially when it comes to mental health and dealing with stress.

Mogull has been a paramedic for 30 years and in the cybersecurity field for 20. When he began as a paramedic in the early 1990s, the assumption was that anyone entering the field would burn out within seven years, and mental health wellness education was uncommon.

Cybersecurity stress and mental health conversations have become more frequent recently, and Mogull said the security industry can learn a lot from EMS. Mogull is presenting on the topic at Black Hat 2020.

Editor's note: This interview has been edited for length and clarity.

What are some of the concepts to help deal with cybersecurity stress and burnout?

Rich Mogull: One of the big trends is the concept of resiliency versus antifragility. A lot of people say you've got to be resilient, compartmentalize, close it off. [The idea is] resiliency is all about how many hits you can take.

Antifragility is a different concept: Absorb the hit, and learn from it. With resiliency, you don't necessarily have to change. You can just take the pain. With antifragility, you absorb it and pull lessons [from it].

For example, I sleep fine at night, but a big chunk of that is, when I see something that triggers something in me, [I wonder:] Why did that trigger me? What can I learn? Do I need to step out of the situation? Do I need to go clear my head mentally?

I've had to do that in security probably more than I've done it in medicine.

Rich Mogull

What recommendations would you give for organizations setting up the processes to identify and avoid burnout?

Mogull: There are three measures on the Maslach Burnout Inventory. There is exhaustion -- the more exhaustion, the more it is an indicator of burnout. Next is cynicism -- not skepticism, but a cynical, negative outlook on things. The third is perceived self-efficiency, which is: Am I making a difference?

Those are the things that, as an organization, you can actually look at. You can even use burnoutindex.org, where you can actually take a quiz. If you think you have systemic burnout, you can bring people into your organization to measure it and to help determine the root cause.

What's the best way for CISOs and security professionals to learn how to deal with mental health?

Mogull: There are well-known things you can do to protect yourself, starting with healthy lifestyle choices. That's a huge factor. It's OK to have a drink. It's not OK to be overdrinking every night. Take time off, and take vacations. Try to avoid rotating shifts too much because shifting your sleep schedule can have a big impact on health.

Make sure you context shift -- work is at work, home is at home. Some of the people who get burned out are the really aggressive or obsessive researchers that spend all their time working on security and don't have outside diversions to help them clear their heads.

Find a peer group that is positive and not toxic. This is something we're not great at all the time, and in security, there are really toxic elements of our culture. So, pick and choose which part of the community you invest your time and energy in.

How can organizations avoid toxic cultures?

Mogull: One of the best things organizations can do is to foster 'just culture.'

Just culture is the opposite of blame culture. In security, we are terrible at this. We like to blame people. If there's a security flaw, you screwed up, or you blame the users.

Just culture considers: What's the systemic issue here? Our users are smart, and our employees are smart, so why are they making this decision? Ask why this mistake happened? Sometimes, it is that somebody was reckless, or somebody violated policies. But, even then, you want to question: Why did they violate that policy? Lots of times, it's the system.

An example from security is shadow IT. I hate that term. Most think it means 'our users are doing things they shouldn't be doing, so we have to lock it down.' My definition [of shadow IT] is: things my employees need to get their job done that we're not giving them.

They're doing it because they have a job to do, and they did not feel they could do that in the authorized way, so they went someplace else. In just culture, we try to find out why they went someplace else, and we solve that part of the problem.

How can individuals separate work from home now that so many are working from home?

Mogull: If your office is just a corner in your house, that's OK. Turn the monitor off; turn the computer off; shut the lid; and don't check your email. I've checked my emails off hours, too, but if I'm feeling like I'm starting to get burnt out, which has happened, I checked it less and focus on doing other things. Instead, play video games using a different computer than your work computer, or go for walks or hikes. Clear your head.

This is something the workplace can support. If your manager is hitting you at all hours, that's not right. You could have rules -- no contact outside official office hours for the geographic region or time zone of employees, unless it's a true emergency, for example.

Find a corner of your house, and designate that's where work is, not where the rest of the house is. We're doing this with our kids for school. We bought cheap $50 desks from Amazon, and we stuck them in corners of the house, and that's where the kids do their homework. It's right next to where they play, but they know the difference between the two.

Finally, turn on the Do Not Disturb [function on your phone]. You have to set those barriers.