Considerations on how burnout affects staff, and how to identify the signs and support.
Mental health and burnout should be considered as a business issue, and be considered to be part of resilience.
In a panel discussion at the With Secure ‘Sphere’ conference, Mental Health in Cybersecurity (MHinCS) chair Sarb Sembhi said businesses should look at how to support employees in “how they work, how you eat, how you engage, and what it is that you could and should be doing to take care of each other.”
However Sembhi said that businesses often see mental health and burnout as just an issue for HR to deal with, but it is only an HR issue “if you’re not in cybersecurity, but if you’re in cybersecurity then it’s a cyber resilience issue.”
He said: “If the enterprise believes in real cyber resilience, they need to help make all of you more resilient.”
Too Much Pressure
The discussion, led by conference chair Marcus John Henry Brown, saw Noora Hammar, head of security assurance at the Volvo Group, discuss when she felt burned out, when managing both a development product, and also a digitising project.
“I was at the point in my career where I wanted to thrive and succeed, and I thought it if I said no people will think I am difficult,” she said. “So I end up having burnout as the level of expectation towards me to was too high, it was too pressured.”
Saying she felt the pressure of stress in her personal and professional life, she raised this with a manager who didn’t understand the problem, so she was left to raise the issue with colleagues who “visualised how much time was consumed per product, how much responsibility per product and how much will be on the backlog because I’m unable to cope with them just by myself.” Showing this to her manager made them realise the pressure she was under and got her workload reduced.
Sembhi acknowledged that this is not something that is discussed, and “people go through this on their own and think that what’s happening to them is unusual and it’s the norm, but it’s wrong.”
Great Expectations
Sembhi said that 20 years ago, we had one standard - BSI 7799 - and since then we have more regulations, more compliance, more attacks and more breaches, and “transformational technologies” that have to be secured, and this increases the workload. “Yet we take it on because we think it is the right thing, and I think it is very common and we just don’t talk about it,” he said.
In recommendations of how to deal with this, the panel recommended scheduling shorter conference calls to allow time for work breaks, encourage peer support and collaboration, and set rules for having a better work balance.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.