Charles Schulz created the famous Peanuts comic strip. One of his characters, Lucy, was often depicted at a homemade sidewalk booth with an overhanging sign advertising “Psychiatric Help – 5¢”. The homespun advice she doled out was always humorous and usually insightful. It seems that many of us on social media have seen the cybersecurity practitioners who are heirs to Lucy’s willingness to offer cheap, off-the-cuff advice on issues of mental health.
I have been reading up on the offerings at many upcoming conferences in this area, and there appears to be a recurring theme building along the lines of job burnout and its related effects on individuals who practice the art and science of information security. Related to this is the burgeoning slew of opinions on the number of practitioners who self-medicate with alcohol and various types of drugs - both prescription and otherwise. These dire stories and admonitions had me wondering just how widespread this phenomenon has become in our industry. I went digging.
Most of the hair-raising reports and warnings appeared to be anecdotal until I stumbled across an industry veteran citing statistics on the number of professionals suffering from drug and alcohol problems associated with their employment as information security professionals. I quickly reached out to him to ask about his research and how he was able to develop his alarming statistics. After much prodding and poking, I got him to admit the statistics were from an old study of first responders: fire fighters, law enforcement, and emergency medical personnel. I then asked how he simply drew a straight line from first responders to information security professionals. He just shrugged and said he felt the two career fields were similar. Seriously?
I felt any further probing would be unproductive, so I moved on. How does being a pen-tester or SOC analyst compare to working as an EMT? Does a cybersecurity threat researcher have anything in common with a fire fighter? Is the work stress of a CISO the same as an emergency room trauma doctor? In at least one person’s mind, these are apparently interchangeable experiences.
The logical follow-on to this hysteria is the growing number of conferences and meet-ups that now feature self-care sessions, lectures on drug abuse, and yes, even on-site massages. I have noted one rather disturbing aspect of this new trend: the classes, lectures, and group sessions are often not run by mental health professionals. They are being run by the information security equivalent of Lucy.
Mental health, substance abuse, and burnout are all serious topics that deserve to be treated respectfully by those best positioned to effectively address them. If you need to seek out assistance for these conditions, I would strongly recommend you find a trained professional. If a less serious condition can be addressed by a massage, yoga, or a sauna, I’d like to suggest what we called a vacation back in the old days. In my experience, a massage is far more effective being administered on a white-sand beach than at a conference venue surrounded by your colleagues.
If you follow the hype, you would be forgiven for thinking the cybersecurity profession is monumentally stressful. For an industry that usually prides itself on its ability to dispel FUD (fear, uncertainty, and doubt), we seem to fall for it in its different incarnations. In this case, we really need to do a study to find out the nature and extent of the disease before doling out the prescribed cure. Or we could just pay our nickel to Lucy to hear what she has to say.
John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].