Tuesday, 10 September 2024 22:15

Tesserent CEO calls for authentic conversations on R U OK day as cybersecurity teams face burnout under pressure

Thursday 12 September 2024 is R U OK day, and this year cybersecurity and cloud services provider Tesserent reminds us all to check in on our security teams after another year with relentless cybercriminals.

R U OK day is a national day of action highlighting the importance of meaningful conversations, held on the 2nd Thursday of September each year. It's the initiative of R U OK?, an Australian non-profit suicide prevention organisation. The key thrust of the organisation is, as you might guess, to check in with people around you and ask if they are ok.

Some take a cynical view that the day is unauthentic and tokenistic. Yet, the day's not for them. It's for the hidden people working and living amongst us who put on a brave face but are facing struggles and turmoil. We wouldn't even realise; they've become skilled at masking their pain. And even if your boss asking, "R U OK?" before getting onto the day's agenda may not be totally earnest, it's better to have a hundred of these than risk not having the sincere conversations.

And this year Kurt Hansen, the CEO from one of the largest cybersecurity companies in Australia, Tesserent, wants to encourage people to check in on the wellbeing of the company's Chief Information Security Officer (CISO) and the cybersecurity team.

Cyber attacks are relentless; iTWire reports regularly on breach after breach. We report the ongoing research into cybersecurity showing ransomware is still profitable, and that even nation states are getting in on the act for their own political purposes.

Imagine owning a bricks-and-mortar store and finding at every moment, of every hour, of every day, of every week that criminals are right at your doors and windows testing every possible access point. The criminals are lined up behind each other in a never-ending queue.

This is the reality for cybersecurity defenders, except the walls are electronic not physical, and the bad guys aren't simply there in person but from far-flung corners of the world.

We've seen high-profile destructive data breaches in Australia in recent years. There are many we don't see because they are less prominent. However, there are loads more we don't see because they didn't happen. Make no mistake, the attackers tried, but were thwarted by an observant, prepared, and sharp-thinking cybersecurity team.

When the attackers only need to get it right once to breach your defences, but you have to get it right every single time to defend, it's no easy task.

The reality, Tesserent reminds us, is that the cybersecurity experts in your business are facing stress, pressure, and burnout in a highly intensive role. This is not good for your organisation, and it's not good for Australia, if we can't attract and retain the people we need in the battle against cybercrime.

Leigh McMullen, Vice-President and security analyst at Gartner, expects nearly half of cyber security leaders will change jobs by the end of next year with about a quarter of those leaving for entirely different roles. This is at a time when AustCyber estimates the shortage of skilled information security workers will reach almost 20,000 over the next two years in Australia.

A recent global survey from Hack The Box found mental fatigue, stress, and burnout is running rampant, affecting 84% of workers within the cyber security field. A 2023 report by Splunk revealed that 79% of cyber security professionals experienced burnout in the past year.

It doesn't have to be this way. Tesserent CEO Kurt Hansen wants to encourage us all to check in on our frontline cybersecurity teams this R U OK day and ask what we can do to help - and, importantly, listen to the response.

“Cybersecurity is a shared responsibility that encompasses every individual in an organisation from the boardroom to the basement. It is not the sole responsibility of one CISO or a small team of cyber security experts. Organisations need to listen to the advice from their CISO about what they need to do to protect the organisation, its people and customers, not just on R U OK Day but all year round,” Hansen said.

“Organisations also need to think more about how they can give incident response teams much-needed downtime. It is important to rotate the team to ensure that people don’t burn out if back-to-back incidents are occurring. While you need to maintain a constant 24x7 watch, it is a shared responsibility,” he says.

Hansen isn't simply spruiking rhetoric. It's a sobering reality that many members of his senior leadership team have bravely spoken up about their own personal experiences as CISOs in major organisations. As you read their stories look at their photos, see their titles, note their experience. These are people like you and me, hard-working individuals committed to their craft and found in organisations all around. Yet, in the course of their duties they experienced health issues that altered their mood, their perceptions, and their wellbeing. These could well be the stories of someone you know.

Tesserent managing partner - managed and professional services Patrick Butler

Patrick has been working in cyber security for 16 years. When he entered the profession, he was totally unprepared for the stress he would face. "It took a long time for me to learn how to deal with this stress, and even now I haven't fully succeeded. When we conduct simulated threat exercises, I still feel an incredible level of stress, even though I know the impacts are not real," he says.

Patrick reveals he suffered burnout and health problems after one adversary simulation exercise in 2017, where the team simulated a sophisticated threat actor within the network over a week. He, along with the management team, worked for large parts of the day almost 24x7 to thwart the attackers. He says, "by the end of this the sheer exhaustion and burnout took months to recover from. And this was a simulation!"

Patrick advises that organisations need to consider how their business is structured to be able to work 24x7 to contain and eradicate a cyber threat. "This is not just about your incident response team or your Security Operations Centre, but also your IT and management teams as they also need to be available 24x7 in a major crisis. Often organisations haven't planned for this resulting in the significant risk of not having key resources available, or burnout in teams working around the clock," he says.

Patrick knows several CISOs that have departed their role over his time in the industry, moving into totally different careers or other roles within cyber security that had less responsibility for security and incident response.

Patrick's advice to CISOs on how to cope with the stress and pressure of the role is to know your weaknesses, measure your risk and prepare for the worst. "Being well prepared reduces stress during an incident. It is important to share the accountability of risk for security across the organisation. If you find yourself still in a stressful situation despite your best efforts, then you need to become great at compartmentalisation. Find a way to protect your personal time so you can switch off and teach your mind that you have transitioned from work to personal time so that you can leave the troubles of the day behind," he recommends.

His advice for employers in the public and private sector is to recognise your employees are humans and, as an employer, create processes, structures and strategies to minimise the risk of burnout in a role and stress during a cyber security incident. "This is not just good for your people, but critical to managing risk and eradicating threats effectively," he stresses.

Tesserent CISO Jason Plumridge

Jason has been working in cyber security since he left the NSW Police Force in 2002. Prior to taking on the role of Tesserent's CISO he was Partner Advisory leading Tesserent's commercial advisory consulting group. When Jason commenced his current CISO role he didn't find it overly stressful due to his extensive background in law enforcement and emergency services and having to make daily decisions impacting the public and individuals in high stress situations.

But Jason has witnessed the stress and pressure other CISOs are under working with Tesserent's clients across public and private enterprises. "I would estimate that on average CISOs and other security leaders change roles due to stress and lack of support in 50% of cases. But global statistics are reporting the churn is higher," he says.

Jason candidly admits during his career he has experienced burnout and health problems including PTSD and minor depression triggered by traumatic events he encountered during his policing and emergency services career. "Due to my previous experiences, very little of what could be experienced as a CISO fazes me, but I am not typical in the industry," he says.

He characterises the role of CISO as a complex and encompassing portfolio that generates significant competing priorities for attention and action. "A CISO can control some of these and some they cannot. For many CISOs unfortunately the inability to obtain the needed investment in technology to bolster an organisation's security can cause stress," he says.

Jason's advice to CISOs this R U OK Day is to master the ability to separate work from personal life and create boundaries. "While a CISO role requires 24x7 contactability in the event of a security incident, this does not mean you have to be personally on call 24x7 mentally and physically. You need to learn to quickly assess and prioritise requirements based on risk and impact on the organisation to effectively manage your time and stress.

"CISOs need to trust in the ability of their colleagues to continue the requirements of the role when you are not available and avoid micro-managing every event. The CISO role is strategic leadership. To be successful you need to extract yourself as much as is practical from the day-to-day operational security requirements and focus on the leadership, strategy, compliance and risk functions of the role," he highlights.

His advice for employers is to understand it is not just about technology, but processes and other non-technical human factors that impact your security posture the most. "Be prepared to pay market rates for the security of the organisation and to obtain the skills and experience you need," he stresses.


Tesserent senior partner - offensive security services Silas Barnes

Silas has worked in cybersecurity for the past 17 years. For nine of these years, he was CISO with major Australian companies including Virgin Australia, UnitingCare Queensland and Air Services Australia prior to joining Tesserent.

Silas has watched how the role of CISO has evolved significantly since he started his first position in 2015. "Expectations are higher than ever with the continuing, relentless battle against rising cybercrime and the role's changing remit. Today the role of a CISO is very different from a decade ago when it was smaller in scope and more specialised," he explains.

Silas has seen CISOs who were his peers depart the role due to stress and pressure. "One resigned and took a whole year off to recover," he reports. Silas has suffered burnout and exhaustion during his security career with the stress and pressure affecting his sleep and his ability to switch off mentally. "The combination of critical responsibilities, high pressure, and devastating consequences of breach events can make it difficult to disconnect, even when on annual leave," he says.

To cope with stress and ensure more work-life balance Silas has embraced skydiving to switch off from work and immerse himself in the present moment. "Apart from jumping out of planes, I also make sure I take reasonable sized breaks when I take leave, ensuring it is longer than one or two days, to give myself a chance to fully unwind," he says.

Silas recommends people working in cybersecurity make time for some physical activity, try to stick to a healthy diet and take it easy when it comes to alcohol. "Recognise you can only do your best. Don't waste time chasing perfection and don't beat yourself up about not being perfect, instead focus on the value you are bringing to your organisation and on continuous and sustainable improvement," he recommends.

Silas suggests that security leaders consider their relationship with business social media content to support their own mental wellbeing and career satisfaction. "The increased pressure to develop a personal brand or be seen as a 'thought leader' by the wider community can bring on feelings of insecurity, inadequacy, and anxiety for those who focus on their day-to-day work," he says. "We should recognise the picture presented on social media platforms doesn't necessarily reflect the realities of working within our industry. Staying focused on your own personal journey and avoiding the trap of comparing yourself to others is important for mental health and wellbeing, no matter where you are in your career," he adds.

For employers of cybersecurity talent, he recommends, "make sure that people take breaks throughout the day. It is important a CISO has a supportive and capable second-in-command they can trust. Having a capable and trusted team to share the load is really important so you can take your annual leave and benefit from the full effect of a proper disconnection. And the CISO should feel the support of the whole senior leadership team because cyber resilience is a joint responsibility," he says.

Tesserent senior partner Mark Jones

Mark has spent over two decades working in cyber security, with six years as a CISO at major Australian businesses. He reports that many CISOs come to the role unprepared for the challenges they will face with constantly changing and evolving adversaries and emerging technologies being leveraged. They also face challenges inside the business around unlocking funding, managing budgets, communicating in a way that the Board and senior business leaders can understand and managing a team.

"During my career, I have witnessed many people burn out and leave cyber security, some moving into other tech roles or leaving the sector completely. I know at least five former senior professionals who departed the industry because the unrelenting pressure was too much. There is a lot of out of hours work required, and this can take a toll personally on relationships and an individual's wellbeing," he says.

Mark stresses that organisations should make sure that they are not placing the sole responsibility for security on the shoulders of the CISO. "It is a team effort, the entire senior leadership team needs to own the responsibility for security," he says.


It doesn't end here ...

What action will you take after reading these? Will you ask your friends, family, and colleagues if they are ok, and will you listen to their response?

Check here for some workplace resources to help.

David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
