Dealing with Cybersecurity Stress
 

You may be feeling stress at this very moment, but do you really understand what it is and where it comes from, especially as an IT Security professional? 

What is Stress Really?

What do you consider stressful?  How do you spot stressful situations? According to WebMD, stress is:

“the body's reaction to harmful situations -- whether they’re real or perceived. When you feel threatened, a chemical reaction occurs in your body that allows you to act in a way to prevent injury. This reaction is known as "fight-or-flight,” or the stress response.”

This article goes on to add:

“And while a little stress is OK -- some stress is actually beneficial -- too much stress can wear you down and make you sick, both mentally and physically.”

Identifying Cybersecurity Stress

The average person deals with a fair amount of stress on a daily basis, but now put yourself in the shoes of the average Chief Information Security Officer (CISO) and see how far the stress level can skyrocket. A Dark Reading article titled “Security Spills: 9 Problems Causing the Most Stress” reported on these stress-inducing realities that the average CISO faces on a daily basis:

1. Talent is scarce, problems are plentiful: according to the article “In November 2018, the InfoSec Institute polled 785 IT and security professionals on career-related questions. When asked which work-related issue keeps them up at night, 12% said they had too much work but not enough staff to help with it all.”
2. Unforeseen responsibilities: It turns out that many IT Security professionals got their job because it fell on their shoulders. Even those trained specifically for cyber security find themselves picking up more and more responsibilities as new threats, new applications, new devices and new regulations appear daily.
3. Employee and end-user education: It’s no secret that the human element of cyber security strategies tend to be the weakest link. The Verizon Data Breach Report provides enough statistics on this subject to have anyone’s stress level come to boiling level.
4. A constant stream of threats: It is no longer a matter of if, but when a threat will impact your organization. As we have covered previously, it seems that no organization is safe.
5. Nobody seems to get it: The stress mounts as poor understanding of security risks and practices can be seen at all levels of the enterprise. Employees fail to change default passwords, employ easily guessed passwords, and/or share passwords with others. It's a problem that ranges from low-level to administrator accounts.
6. IT complexity muddles visibility: Gone are the days when you could rely on only one vendor for all of your security needs. Today there are literally over 1,000 independent vendors and may of which will be exhibiting at this year’s RSA conference. Is it any wonder the stress level increases as you have to decide which vendor is best and which vendor may be out of business soon?
7. Consumers + IoT = disaster?: It seems that everyone has a device or two or three they wish to bring to work to make their job easier. However, this wreaks havoc with internal security policies and protocols without some level of oversight and controls adding at least another 10% to the average stress level.
8. Data governance: It’s hard enough to deal with internal policies, but now compound that with enforcing the ever growing and ever-challenging regulations that crop up around the world and the stress level compounds again. Have you dealt with the European Union’s GDPR or California’s CCPA yet?
9. Working together to face nation-states: It’s bad enough to have to protect against the lone hacker or even a handful of mis-intentioned employees, but to face the onslaught of a nation-state attack is an entirely different level. The recent press on the subject of Iran, China and Russian led attacks alone is enough to send anyone running for a Xanax.

Reducing Stress

You actually don’t need tranquilizers or even a psychologist or support group to deal with this stress if you approach you cybersecurity strategy from a position of prevention instead of remediation.

Learn more here.