Dutch digital resilience is at risk if too little attention continues to be paid to the mental well-being of IT specialists, Sander Hofman, manager of sales engineering at Mimecast, has warned.
Creeping security cutbacks at organisations, the increasing threat of cyber attacks and a feeling of being unrecognised make the job of a cyber security professional tough.
“Research we commissioned worldwide shows that a quarter of IT professionals are considering changing jobs in two years because of the risk of burnout,” said Hofman.
In a labour market already severely strained by major shortages, this could deal a serious blow to Dutch digital resilience.
Interestingly, though, burnout rates among cyber security specialists in the Netherlands (35%) are considerably lower than the global average (56%). “This is partly due to the Dutch being down-to-earth,” he said. “We talk shop. We are also quick to point things out and, because of our directness, we also dare to do so to higher management.” Moreover, the part-time culture in the Netherlands might play a role, too, he suggested. “As a result of that culture, our work-life balance in the Netherlands is better than in many countries around us.”
Despite the fact that Dutch people dare to sound the alarm when things are not going well, there is still too much misunderstanding in many boardrooms about the work of cyber security and IT specialists, added Hofman.
“We are also prone to finger-pointing,” he said. “Take the mayor of a municipality hit by ransomware who said on television that an employee had set his password incorrectly, without any further background information. Perhaps there was a reason for the error? Was there huge time pressure or too much work? That background is often disregarded, and conclusions are immediately drawn and widely shared. That does not help in creating a safe workplace.”
Brain unprepared for cyber threats
It’s time to start taking the cyber security profession more seriously, said Hofman, not only at management and board level, but throughout society. The pressure security professionals face is similar to that of soldiers in war zones. Peter Coroneos is the founder of CyberMindz.org, an organisation that promotes mental health in the cyber community.
“Our brain, which is the product of two hundred million years of evolution, is entirely unsuited to stress in a digital environment,” he said, explaining that our limbic system is responsible for our “fight-or-flight” response and can switch very quickly, bypassing the rational part of our brain.
“When we are face-to-face with a predator and have to start thinking rationally about being in danger, and what the possible options and scenarios are, it’s already too late,” said Coroneos. “So, your limbic system takes over and makes you react and flee in a millisecond.”
In this reaction, all sorts of things happen in your body. All kinds of stress hormones are released, extra blood is pumped to your muscles, and you become hyper-alert.
“The beauty of this system is that when you are safe again, your body and brain return to their de-escalated state,” he said.
However, Coroneos warned: “The latter does not happen when the threat is not physical. This is because our brain cannot distinguish between physical and what we might call psychological threats. And psychological threats are precisely what is commonplace in our current, digital world. This means your limbic system remains in continuous stress, and there is no discharge.”
This is the cause of burnout among many cyber specialists. Mimecast’s survey shows that 46% of Dutch respondents feel more pressure to prepare properly due to the increasing media coverage of ransomware attacks.
Moreover, they worry about their cyber insurance coverage and fear devastating attacks on their critical infrastructure.
“Add to that a chronic shortage of cyber specialists and you can understand that the workload is high,” said Hofman. “Moreover, their work is often invisible until a major incident occurs, after which the security team is often held responsible. They are expected to minimise the impact on the business, while this is often unrealistic with the available resources.”
Cyber criminals, meanwhile, have infinite resources and capabilities, which often makes cyber specialists feel they are fighting a losing battle.
Accountability and recognition
CyberMindz uses the Integrative Restoration or iRest protocol to help cyber specialists deal with continuous pressure and threat.
“This is a protocol that was developed for soldiers by Richard Miller, a US clinical psychologist, but it also works very well for IT professionals,” said Coroneos.
Hofman stressed that it’s essential for organisations to take notice of their IT professionals and cyber specialists. “The demand for cyber expertise is huge, and competition is high,” he said. “But I still see very few companies really ensuring a secure working environment for IT professionals. At Mimecast, we have a platform where our employees can, without the knowledge of the organisation, ask for help whenever they need it.
“I also recently spoke to a customer who told me they have an independent coach around for people to talk to. Not a manager or someone internal, but an external person with whom you can share your worries and stress.”
More board-level attention to the pressure and stress experienced by cyber professionals is a first step, according to Hofman. From that, a safe workplace with the right conditions needs to follow.
“But ultimately, as a society, we must acknowledge the conditions and daily challenges IT professionals face,” he added. “I just hope an organisation like the NCSC or a similar body will take up the gauntlet and start caring about cyber security specialists’ well-being in the Netherlands.”