Infosec mental health support and awareness hits Black Hat 2018

LAS VEGAS -- Rather than continue being reactive to social issues, Black Hat 2018 took steps to be more proactive in addressing and bringing awareness to the topic of infosec mental health.

The Black Hat conference set up a "self-care" lounge for attendees and included two complementary sessions covering the negative infosec mental health issues of depression and burnout and how the cybersecurity community can prove to be a source of aid for those suffering from post-traumatic stress disorder (PTSD).

During "Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community," speakers Christian Dameff, emergency medicine physician and clinical informatics fellow at the University of California, San Diego, and Jay Radcliffe, cybersecurity researcher at Boston Scientific, shared personal stories of depression and burnout, as well as ways to identify symptoms in oneself or in co-workers.

Radcliffe noted that the widely acknowledged skills gap could be a contributing factor of infosec mental health issues. 

"With global staffing shortages in information security, we're seeing departments that should have 10 people work with five. And that increases stress," said Radcliffe, adding that infosec workers can even have a "hero complex" that leads to taking on more work than is healthy.

Radcliffe said workers and employers should keep an eye out for common symptoms, including, "feeling cynical, no satisfaction from accomplishments, dreading going to work and no work-life balance." He suggested options such as speaking to counselors, therapists and psychologists, and also being mindful that workers take vacations and managers ensure time off is encouraged.

In the talk, "Demystifying PTSD in the Cybersecurity Environment," Joe Slowik, adversary hunter at Dragos Inc., expanded on those topics and talked about how working in the infosec community helped him deal with PTSD from his military service in Afghanistan.

Slowik was careful to point out that PTSD should not be confused with burnout, depression or other infosec mental health issues because, as he wrote via email, certain "solutions or mitigations that may be appropriate for one, [may not be for] others."

"For example, it is likely advisable to tell someone to step away from work for a bit to combat burnout -- but in the case of PTSD where an individual may gain empowerment or agency from doing work they love/are successful at, such a step may in fact be counterproductive (it is for me)," Slowik wrote. "Similarly, for depression, treatment may simply be a combination of taking time away, medication, and some degree of therapy, whereas successful treatment of PTSD requires more intensive interventions and likely must be ongoing and continuing to be effective. Combining all of these into the same category means very real mistakes can be made, which at best leave a situation unresolved, and at worst exacerbate it."

Slowik added that being in the infosec community was "empowering" because it allowed him "to do well at doing good."

Information security work has allowed me to reclaim a sense of agency by having direct, measurable, recognizable impact in meaningful affairs.

"One of the more pernicious aspects of PTSD is a loss of agency deriving from a moment of helplessness when one's life/integrity was placed in severe danger or risk -- re-experiencing this event leaves one feeling worthless and helpless in the face of adversity," Slowik wrote. "Information security work has allowed me to reclaim a sense of agency by having direct, measurable, recognizable impact in meaningful affairs, and at least for me has been instrumental in moving beyond past trauma."

The talks showed two sides of the security community that don't often get talked about: how the work can be both the cause of -- and the remedy for -- infosec mental health issues.

The attendance for the two talks was noticeably lower than for the more technical talks. It is unclear if this was due to poor marketing, unreasonable expectations for attendance, or the social stigmas surrounding mental health issues.

Slowik said he was grateful for those who attended and noted that the lower attendance could also be attributed to his talk being "the first scheduled talk the morning after Black Hat's infamous parties."

"Numbers are irrelevant, as conversations after the presentation made it clear this really reached members of the audience," Slowik wrote. "My only hope is that this talk, along with other items from the Black Hat Community track, are made publicly available since so many good lessons and observations were made in this forum and these should be shared with the wider information security community."