Concern for cybersecurity workforce mental health is rising
Photo: Tima Miroshnichenko/Pexels
On National Stress Awareness Day 2022, it wouldn't be a stretch of the imagination to consider that healthcare cybersecurity professionals are experiencing higher-than-normal stress and may face elevated risks to their mental health.
There's the stress caused by a continuous threat of attacks currently weighing significantly on the whole cybersecurity workforce. Preliminary results of research on burnout among cyber professionals by the Australia-based mental wellbeing support organization Cybermindz, announced this week, point to a worrying trend, says Andrew Reeves, the group's director of organizational and behavioral research, who is leading the study.
He explained in the research update that on the key burnout metric of professional efficacy, the cyber professionals surveyed so far have scored significantly worse than the general population.
"We also compared their rates of burnout on this metric to another highly burnt-out industry: that of frontline healthcare workers, and found that the cyber professionals score considerably lower than even this group on this metric," he added.
The waterfall effect of cyber worker stress
Such deterioration in the mental health of cyber workers – who protect the operation of essential services like water, energy, telecommunications, healthcare, financial services, food distribution and transportation – affect entire populations, the organization suggests.
"Most of our critical systems now have cyber risk exposure – it's not hard to see that a reduction in our national cyber capability due to psychological burnout may have population-wide downstream effects," said Peter Coroneos, Cybermindz founder and industry veteran.
"The pandemic, floods and bushfires have shown us the systems we rely upon are not to be taken for granted. Cyberattacks are a daily occurrence and, unlike natural disasters, there is no conceivable endpoint in sight," he said in the announcement.
Coroneos did not mince words as he defined the stressors cybersecurity professionals experience:
- A single failure through a cyber breach that can affect millions of people makes headlines.
- The rapidly evolving and relentless attack environment defies the sense of job completion among the cyber workforce.
- Cyber professionals live with the notion that the one successful attack that could end their career could be just around the corner.
- While largely mission-driven, cyber professionals are not impervious to the sense of hopelessness that can be caused by a continuous threat of attack.
"We must build a strong and resilient cyber workforce," he urged in the research update. "If they fall, we all fall."
Resignations rise with ransomware
Mimecast's latest State of Ransomware global survey of 1,100 cybersecurity decision-makers, conducted in July, also indicates the gravity of these concerns.
As ransomware has continued to grow in 2022, burnout rates and resignation rates are rising, according to a posting last week on the company's blog.
"Of the many consequences of this state of siege, the cybersecurity professionals we surveyed recounted a steep human toll, including everything from burnout and absenteeism to staff defections and decreased confidence in their organizations' ability to fend off attacks. Fully one-third said they were thinking of leaving their role within the next two years due to the stress," wrote Kiri Addison, head of data science for threat intelligence at Mimecast.
About 54% of Mimecast's respondents reported a negative impact on their mental health. Such metrics can predict intentions to resign.
"I think we are seeing early indications of a cohort of professionals who are questioning their own effectiveness and concluding their efforts are in vain. When good people leave the industry, we lose so much knowledge and expertise. It then increases the pressure on those who remain behind. As a psychological driver of burnout, it's something we should all be concerned about," Reeves concluded.
While routine training for cybersecurity incident response is needed to maintain patient safety, it can also bolster healthcare cybersecurity professionals, according to CISOs that spoke with Healthcare IT News last month in a discussion about building cybersecurity muscle memory.
Conducting regular healthcare cybersecurity incident response training exercises can build confidence by knowing what to do, they said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.