Psychological warfare in cybersecurity

Just how mentally destructive could the cybersecurity industry get?

Peter Coroneos, Founder and Executive Chairman of Cybermindz, returns to the podcast to explain how we need to protect the mental health of cybersecurity professionals in today’s high-threat environment.

What type of work are you doing at Cybermindz?

We’re using a protocol that was initially employed in the US military called the iRest protocol. It was developed by Richard Miller who has spent 40 years as a clinical psychologist and researcher in this area. Richard developed this specific 10-step sequence that enables people to get into a very deep state of rest but also processes a lot of emotional stuff that may be sublimated. This is stuff that’s been pushed down into their subconscious, but it’s still driving a lot of their responses to life.

In the context of cyber, there’s always going to be triggers. So my initiative is around bringing the iRest protocol into cybersecurity for the first time. We’ve got the full support of Richard Miller and his institute. We’ve been given permission to customise the scripts he’s developed so they speak directly to the language and culture of cybersecurity. In that way, we’re coming into cyber teams and giving them access to the things they need – things that will help them switch out of this always-on, flight-or-fight mode that we tend to get stuck in, particularly in the current threat environment.

We’ve got the tools. We’ve got the scalability and we can deliver them online. We’ve also got an amazing research capability where we can measure as we go.

PTSD is not necessarily something that is directly spoken about within the context of cybersecurity. So what are you seeing in terms of issues related to mental health?

In terms of its military application, the protocol definitely found a lot of success with PTSD and was approved by the US Surgeon General in 2010 as a complementary therapy. They’ve been using it in the military for various conditions, ranging from stress and anxiety to depression, trauma, post-trauma, pain management and insomnia. There’s a whole spectrum of mental conditions that it applies to.

It’s also been used outside of the military, especially in homeless shelters, palliative-care settings and with frontline emergency healthcare workers. It has very broad applications across a range of domains and for a range of conditions.

To your question about cybersecurity, the big thing that we’re looking at now is the skills crisis. It’s not only that we can’t recruit the people we need to meet the demand we’re facing, but it’s also about answering an important question: how do we protect the people who are already working in cyber so they don’t leave due to burnout? That’s effectively what the research is indicating. A recent Mimecast study showed that about a third of cyber professionals are thinking about resigning within the next two years. So we’ve got a real issue on our hands.

At Cybermindz we’re trying to measure the situation in Australia. We’re very fortunate to have a top behavioural psych in our team, Dr Andrew Reeves. I said to Andrew, “Do we have any baseline data on mental health in Australia, specifically on the burnout question?” He said, “I’m not aware of that, but we do have the tools whereby we can measure it.” We also have existing population norm data so that once we do the research, we can compare our cohorts against the general population. Then even deeper in, we can actually tag organisations – it’s all anonymous for the user, and we can show them where their teams sit in relation to the general population, other professional groups, and also their cyber peers.

What are you seeing in regard to the more strategic and psychological nature of warfare in cybersecurity?

Well, it is exactly that. It’s psychological warfare. It’s spy versus spy, and everyone is trying to figure out how to get around the other. It’s not exactly new. In cyber, that’s pretty much always been the game.

It turns out that creativity and insight are the first two casualties of stress. The neuroscience is very clear on this. The brain has a finite amount of cognitive reserve, and it’s going to allocate it to wherever the need is greatest at the time. If you’re in fight-or-flight mode, it’s designed to actually sequester all of the available resources in that moment – because your survival, at least historically when we were cavepeople, depended on being able to short-circuit the slower-acting but more-accurate prefrontal cortex. That’s the thinking, analytical part of the brain. Instead, you move into the heuristic brain, which is the fast, best-efforts type of thing. That’s usually enough to get you out of a physical-threat situation.

But the fight-or-flight system was never designed to be locked in after that physical-threat environment was resolved. Everything is designed to go back to equilibrium, to the rest-and-digest phase. So you’re moving into different circuits of the brain and then you can start to reallocate resources back into the thinking, analytical, problem-solving and creative parts of the brain.

As professionals, these are the highest-value parts of our neural infrastructure; our processing capability is all in that prefrontal cortex. So the attackers are winning on both fronts. By keeping us locked into our fight-or-flight mechanism, not only are they burning us out, but they’re also stopping us from being effective in doing the very things we need to do to see through what they’re trying to do and to try and counter them.

Now think logically about where this ultimately leads us. We allow ourselves to get into a downward spiral where people are burning out and leaving. There’s no one to replace them, so the people who do remain are under more pressure. The attackers are moving in, they’re exploiting and the stakes are getting higher. It’s visible, so the public starts to call for political action, which results in regulation, which results in more pressure on boards, which then of course filters back down to the cyber teams.

So you end up on this terrible downward spiral of accelerating burnout. And it’s just got to stop. We have to break that circuit. Are we going to be able to change it overnight? Probably not. We know that governments have a propensity to regulate, even if it’s only symbolic. And with the skills crisis, we’re not going to be able to manufacture skills overnight.

But when you really put the microscope over this problem, the one thing we could do right away is at least preserve the people who are working at the coalface right now. That’s the obvious logical next step. Putting aside the technological solutions, I think the human factor is the big sleeper. That vulnerability is going to remain for as long as there are humans in the loop. So we’ve got to work on the human problem.

Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford and Commercial Director Michael Warnock. Listen via Apple Podcasts, Spotify or your favourite podcast app.