One Monday morning in the fall of 2017, in the pre-dawn hours of another alcohol-fueled business trip night out, Thom Langford hit rock bottom. The CISO had been passively spiraling for a while, but finding himself on the roof of a building in Rome, distraught and suicidal, he had reached his mental max. Langford was eventually talked down and spent the next month away from work and in the care of family and mental health professionals.
As he tells it now, alive and well, the build-up of his breakdown was barely noticeable to those around him. Catalyzed by the pressure of growing a security team at a global company that was “as politically charged as it was not interested in security,” he essayed that the seeds had been long planted for his eventual “drowning.”
“The cost … was an intense environment where my main role was PowerPoint and politics, and constant air support for the team,” he wrote last year in a candid and heartfelt post. “Combine a tough travel schedule and the global, always-on element, I never truly switched off. That said, one of my mottos was ‘Work Hard, Play Hard’ so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered. So I did what every self-respecting professional does, and started to self medicate with alcohol.”
Langford’s story was arguably one of the most important things to come out of cybersecurity in 2019, as it cast a real (and well-known throughout infosec circles) person’s arc at the center of a boiling issue within the industry. The crisis of mental health is growing everywhere, and its tentacles are hardly limited to infosec. But this sector is notably unique in its susceptibility to the dangers of burnout - the most common manifestation of a prolonged period of workplace stress.
You’re constantly on the defensive
As the saying goes, attackers need to be right only once, and you need to be right all the time. While that’s probably overblown – adversaries require multiple things to break their way after establishing an initial foothold and before they can penetrate deeper into the network – the point stands that you are under constant threat bombardment and have far more ground to cover than your digital foes.
One transgression can impact huge numbers of people
Think about the most prolific data breaches of all time. They have affected tens, if not hundreds, of millions of people. In many cases, the incident began due to a simple oversight, such as a misconfigured system or unpatched vulnerability, or was enabled by a failure to promptly detect malicious activity underway. In many cases, junior employees are making these mistakes, the drivers for which will be discussed in depth in this e-book. But if you consider how costly a data security incident can be in terms of reputational harm, customer attrition, legal fees and more – the Ponemon Institute estimates the average cost of a breach is now pushing $4 million – the decisions being made in your SOC are arguably the most critical of all to your organization’s bottom line.
Every day is a battle
With the attack surface only proliferating with the rise of cloud, mobile and Internet of Things, attackers have their pick of systems to compromise. Companies aren’t experiencing devastating breaches every day, but they are under constant scanning and pinging. A University of Maryland study found that computers with web access face hacker attacks on average every 39 seconds.
Malicious hackers seem to always be one step ahead
Intruders are regularly innovating and fine-tuning their methods to infiltrate targets and hide their tracks in the process. In fact, the very technologies organizations are adopting to fight back – like machine learning and artificial intelligence – are being used right back at you by the bad guys.
The “tough-guy” culture pervades security teams
Sure, you’re not donning a military or law enforcement uniform, but you’re still working in defense and first response. Any psychological toll you feel is sometimes dismissed as having no place in an industry that prioritizes toughness, so there is a notion among some that raising issues of mental illness may be construed as weak.
The SOC analyst job can be monotonous, tedious, and repetitive
Not all security tasks are created equal. For as glamorous as the field of infosec can be described, much of your day may be spent mired in labor-intensive and very detail-oriented tasks involving general screen staring (commonly referred to as “eyes on glass”) and paperwork. For example, boredom can reign supreme in the SOC if Tier 1 analysts are spending most of their hours manually clicking through thousands of daily alerts firing in from disparate detection mechanisms and then either ignoring or escalating. Ignoring or escalating. Ignoring or escalating. Aside from the monotony, self-doubt can creep in. What if you ignored an alert you should have escalated?
You can incite the ire of your adversaries
In early 2019, well-known cybersecurity industry veteran Jeremiah Grossman asked his nearly 60,000 Twitter followers a surprising poll question: “As an information security professional, how many death threats have you received?” Most respondents answered zero – thankfully – but more than 20 percent clicked that they have received at least one, with six percent of the nearly 800 voters responding their life has been threatened five or more times.
Skills are short
Probably the most talked-about shortfall in security is the talent gap, with some estimates suggesting there are more than a million unfilled positions in infosec. Good security is complex to get right without having adequate and adept personnel. And then there is potentially a bigger question to ask: Is the skills chasm self-inflicted due to all of the above?
If future security stars are being discouraged from continuing on their career path, the drivers and remedies for this attrition must be seriously confronted and addressed.
“We’re an industry that’s often measured on failure… on something going wrong,” Langford said during a video interview with Information Security Media Group. “And when you combine that with the fact that we’re an industry also charged with keeping secrets all the time. We don’t talk about what we know. We’re confidential for obvious reasons. I think it makes quite a toxic combination when combined with things like stress and burnout.”
Fortunately, the tide is turning, and it feels like something of an epochal moment is upon us. The topic of mental health is coming out from the shadows with stories like Langford’s and others. The greater industry is embracing this tough conversation as well. For example, the annual Black Hat USA conference in Las Vegas, considered one of the most popular infosec gatherings in the world, launched a session of tracks in 2018 specifically geared to mental wellness.
This e-book is dedicated to making sure you or your employees don’t fall off the deep end. The last thing a depleted, but business-critical, discipline like security operations needs is more beleaguered professionals – or worse, ones who have reached their breaking point.
Security operations analysts of all tiers, engineers, architects and managers – really anyone with ties to the SOC, whether within the enterprise or a managed security services provider (MSSP) – will find value in the contents of this guide. Some may use it to help identify common burnout symptoms in hopes of staving off a meltdown. Others can leverage it to discover proven and practical solutions to remediate those warning signs – or for tips to help avoid a toxic, self-esteem-destroying workplace in the first place. Leaders and managers are also covered with best practice checklists for building a workplace where SOC pros can prosper.
Remember, we’re all in this together. Your adversaries spend their days collaborating to advance their craft. To counter them, we must not only be agile and clever, but also determined to dig in our heels together and fight on.