Celeste Paul had worked for the U.S. Nat­ional Security Agency (NSA) for several years as a researcher, and over time she noticed a troubling trend. Operators, some of the NSA’s most vital assets, were exhibiting signs of stress and burnout.

While everyone experiences stress, chronic stress can have profound impacts on a person’s mental health—especially if that person has an underlying health condition—including anxiety, depression, and decrease of cognitive ability.

Paul and her colleague, Josiah Dykstra, decided to conduct a survey to see how fatigue, frustration, and cognitive workload affected real-time tactical cyber operations, and they made the results, Cyber Operations Stress Survey (COSS): Studying fatigue, frustration, and cognitive workload in cybersecurity operations, publicly available so others could learn from it.

They wrote that the high-risk, high-reward nature of the cybersecurity profession can negatively impact the workforce. “While considerable research has helped evaluate and improve technology resiliency, human resiliency has been understudied despite the important role of humans in the design and execution of cybersecurity programs.”

Greater understanding of human resiliency under stress for tasks that involve “attention, memory, and visual perception” would be beneficial for the people performing these tasks—and the organizations they work for.

“We know that stress negatively affects cognitive abilities, task effectiveness, and general well-being,” Paul and Dykstra explained. “These types of effects are harmful to high-risk, mission-critical environments where failure has great consequence. Stress is detrimental to work that requires creative problem-solving—a skill that cyber operators inherently require.”

Stress 101

Stress is the bodily response to pressure from a life experience or situation. When a person encounters stress, the body produces a stress hormone to initiate a “fight or flight” response and activate the immune system, allowing the person to react quickly to a dangerous situation, according to the United Kingdom's Mental Health Foundation.

“Sometimes, this stress response can be an appropriate, or even beneficial reaction,” the foundation explained. “The resulting feeling of ‘pressure’ can help us to push through situations that can be nerve-wracking or intense, like running a marathon or giving a speech to a large crowd. We can quickly return to a resting state without any negative effects on our health if what is stressing us is short-lived, and many people are able to deal with a certain level of stress without any lasting effects.”

But if stress becomes excessive, or if a person feels he or she has no control over the stressor, there can be lasting repercussions.

“If our stress response is activated repeatedly, or it persists over time, the effects can result in wear and tear on the body and can cause us to feel permanently in a state of ‘fight or flight,’” according to the foundation. “Rather than helping us push through, this pressure can make us feel overwhelmed or unable to cope. Feeling this overwhelming stress for a long period of time is often called chronic or long-term stress, and it can impact on both physical and mental health.”

For instance, chronic stress can disturb the immune, digestive, cardiovascular, sleep, and reproductive systems, the National Institute of Mental Health (NIMH) explained in a fact sheet.

“Some people may experience mainly digestive symptoms, while others may have headaches, sleeplessness, sadness, anger, or irritability,” the NIMH said. “Over time, continued strain on your body from stress may contribute to serious health problems, such as heart disease, high blood pressure, diabetes, and other illnesses, including mental disorders such as depression and anxiety.”

When it comes to work, many people who experience chronic stress also begin to show signs of burnout—or mental exhaustion—especially in cybersecurity.

For instance, in a study of its workforce, the U.S. Air Force found that “shift work, shift changes, and hours worked contributed to high occupational stress and burnout in cyber warfare operators,” Paul and Dykstra wrote.

Also playing into this chronic stress load were the need to respond quickly to a cyber event and the vigilance often paired with the need to shield operational information from network intruders.

Speaking at the 2020 RSA Conference in San Francisco about her research, Paul said that cybersecurity is “extremely challenging and exciting—there’s always something new. That’s why we’re in this industry.”

But she also added that cybersecurity is complex, unpredictable, and prone to failure. This lack of predictability eats away at operators’ sense of control, contributing to their overall stress load. And outside factors, such as a breakup or financial challenges, can add to the stress operators experience at work.

Paul and Dykstra’s survey participants were asked to self-report their fatigue levels (pre- and post-operation), their frustration levels (pre- and post-operation), and their cognitive workload on 10-point scales.

In their analysis of 126 cyber operators—who completed 361 surveys total—Paul and Dykstra found that operator fatigue and frustration increased significantly during the course of an operation, which averaged 5.12 hours.

The survey authors also assessed that the nature of the work—where failure is not an option—was also mentally and physically demanding, increasing the level of stress operators experienced during their work.

Managing Stress

Dykstra and Paul’s research ultimately led to changes within the NSA to acknowledge and support cyber operators’ mental and emotional well-being, especially when they were managing operational stress.

“Training for this type of work is extensive, expensive, and employee turnover is costly,” they wrote. “The health of your talent is as much of a risk management issue as it is a human resources issue.”

The NSA looked at Maslow’s hierarchy of needs—physiological, safety, belongingness and love, esteem, and self-actualization—and used that to create a Hacker’s Hierarchy of Needs, Paul said.

“We have a lot of the same needs; we need equipment—tools and access before anything else—but once we have those authorities, do we have a team and organization that supports us?” she asked. “Once we start getting into esteem and self-actualization, this is where we talk about what we need to be happy.”

The NSA’s mission requires the formation of a team of people who strongly believe in the organization’s mission and are willing to take risks to achieve something greater than themselves. And to recruit these individuals—and retain them over the long term—the NSA has taken steps promote a greater value of work–life balance and a culture of mindfulness.

“We’ve put a lot of effort into developing employee and wellness services, and a civilian fitness program that lets people work out on duty time,” Paul said. “And we have a Mindfulness Program and a Meditation Program, which teach great techniques and team building.”

Acknowledging that some of the stress operators experience related to their work cannot be shared with individuals who also do not work at the NSA, the agency created a Mentoring Program where employees can discuss interpersonal or work conflicts while promoting balance.

“Sometimes you need someone to remind you that work–life balance is important,” Paul said. “Sometimes we think of work–life balance as a selfish thing, but it’s important because we bring so much into work with us. Managing that balance can help us manage our stress better and be better hackers.”

The NSA is not the only organization taking an aggressive approach to promoting work–life balance for cybersecurity employees. IronNet, a cybersecurity firm founded by General (Ret.) Keith Alexander—former head of the NSA—has also adopted this stance because cybersecurity is a field where there are currently not enough people to meet the demand, says Bill Welch, co-CEO of IronNet.

To promote balance, IronNet has an unlimited vacation policy and does not use a time clock system. This allows employees to produce their best work during the times when they are most productive, Welch adds.

“What we care about is outcomes,” he says. “And I think that’s what everyone should care about. Whether that takes you four hours or 40 hours, that’s not relevant to us as a company.”

And leading with this philosophy from the top is essential, Welch says, explaining that to help manage his own stress load, he works with his assistant to schedule time in his calendar for family events and important milestones, like his son’s baseball games and his wedding anniversary.

He takes a similar approach with his team, checking in with direct reports to make sure they are spending time away from the office with their families so that when they come to work, they are more productive.

“That one or two days less at the company is not going to hurt our company,” he explains.

This philosophy is reinforced by IronNet’s HR team, led by Chief People Officer Melissa Logsdon.

“We do quarterly check-ins with all our employees,” she says. “I, as an executive, put a lot of pressure on mid-level managers to make sure people are taking that time that they need…I tell my managers if their reports are not taking two or three weeks a year, you’ve got to have a serious conversation with them.”

Recruitment and retention depend on the organization’s building a support network in and out of the office, Logsdon says. For instance, IronNet regularly hosts company events at its sites around the world to allow employees to engage with each other in a low-stress environment, so when they are working on a major, high-stress project, they have an established rapport.

“We do company events so people like who they’re side-by-side with,” she adds. “We have those moments of intense work, where [operators] settle in and have to work a million hours, so it’s essential that we’re doing [the work] with people we like.”

Being this level of plugged-in with the people an individual works with and manages can help them spot the signs that an employee might be close to burnout and needs to take a step away.

Adam Darrah, director of intelligence for cyber threat intelligence firm Vigilante, says when he notices someone is putting in exceptionally long hours or is having a mood change, he’ll pull that person aside and ask them directly: What do you need? Do you need to turn your phone off and walk away for a few days?

“Thankfully, we have a very open team, and people are quick to support each other,” he says. “But you have to intuitively understand how people are really doing and ask them directly. And if they won’t tell me the truth, I’ll just tell them they’re fired for three days. Please turn off your phone and walk away—we’re fine.”

Another component of managing chronic stress and preventing burnout is ensuring that employees are engaged and feel like they are in control of their career plan. This often starts with some self-examination and having open discussions with mentors about where a person’s career is going and the steps he or she needs to take next to achieve that next goal, says Ashish Gupta, CEO and president of Bugcrowd—a bug bounty provider.

Gupta asks himself regularly: “What do I like to do? Am I good at it? Is it what I’m doing today?”

Posing these questions helped Gupta transition from primarily coding as an engineer at HP to a role he was more passionate about.

“What was really exciting for me was taking transformational technologies to market and applying them in a way to give value to the customer,” he says, adding that this realization encouraged him to apply to business school, enter the consulting world, and eventually make his way to Bugcrowd.

“I go back and ask these questions; am I doing the thing that I’m passionate about?”

Bugcrowd has implemented this philosophy into an initiative it calls Hire to Aspire. That effort has several goals—it focuses not only on hiring the right person, but also on equipping that individual to be successful in their new position and on helping them manage their future career planning.

“It comes back to learning and impact—doing that in a well understood process, with a well understood management team; it’s a journey,” he adds.

And to help retain employees and ward off burnout, it’s essential to offer learning opportunities where security operators can grow their skill sets or explore new challenges.

“When we started out many years ago to build a community, we were very clear that we needed a Bugcrowd University that is built around and for the community,” Gupta says. “We see trends happening in certain tech, we can take those and help people learn to fix associated issues.”

Most importantly, though, is for people at all levels of the organization to treat each other with kindness so they feel supported in both life and work, Paul said.

“We’re all in this together,” she explained. “Cybersecurity is a team effort. We all want to be happy hackers. Happy hackers are better at security.”

Megan Gates is senior editor at Security Management. Contact her at [email protected]. Follow her on Twitter: @mgngates.

Types of Stress

Stress is the bodily response to pressure from a life experience or situation. It is typically divided into three types:

Acute Stress: The most common type of stress, resulting in a “fight or flight” response where symptoms disappear as soon as the stressor is gone.

Episodic Stress: When acute stress occurs regularly and a person does not have time to recover from the stressor, which can result in a lower overall tolerance of stress and increased sensitivity to stressors.

Chronic Stress: Long-term stress from situations where a person feels he or she does not have control over the outcome, potentially causing serious effects to mental and physical health.