George Kamide
Resilience is now the prevailing ethos and strategy for cybersecurity programs. This idea is typified by the axioms, “assume breach,” or “not if, but when.” Cybersecurity’s journey to a resilience model makes perfect sense against the evolution of networking and business technology needs. However, our mental model for how we cope with challenges and stress has not kept pace. In this blog, we’ll look at ways infosecurity teams can build toward stress management strategies to match the resilience-focused approach of modern cybersecurity.
Resilience and Control (or Lack Thereof)
Today’s cybersecurity landscape is vastly different from the past. IT infrastructure has shifted from local, physical setups to cloud-based systems. Business applications have moved from on-premises software to third-party SaaS solutions, affecting core operations like marketing, customer management, and accounting. Even custom-built applications now heavily rely on open-source libraries and third-party repositories. These changes have pushed systems away from centralized control, increasing complexity and reducing visibility.
While our approach to cybersecurity has evolved to emphasize resilience in response to these technological shifts, the industry’s culture is stuck in a bygone era. There’s a noticeable lack of effort in building resilience to the inevitable stress of working in such complex security environments. Instead, we often remain stuck in a “grinding it out” mentality.
The role of culture
Cybersecurity’s specialized nature often isolates teams, fostering a culture that oscillates between a hero complex and martyrdom. This separation, fueled by jargon and poor cross-functional communication, reinforces the belief that “only we can fix it” during incidents. This mindset trickles down to individual analysts and responders, creating an unsustainable approach to problem-solving.
The industry’s tendency to use warfare metaphors exacerbates this issue. Events and incidents become obstacles to “conquer” or “smash,” rather than challenges to navigate. This belligerent vocabulary is increasingly misaligned with the reality of modern cybersecurity.
For instance, OX Security reports that the average AppSec team monitors 129 applications and triages over 119,000 security alerts annually – a volume that defies a conquest mentality.
Instead of “fighting the tide,” we should consider a shift in perspective. The word “cyber” originates from the Greek κυβερνήτης (kubernḗtēs), meaning “to steer, to pilot.” This etymology suggests a more flexible, adaptive approach to security challenges – one of navigation rather than conquest. Such a shift could better prepare our minds for the complex, shifting challenges in security both from within and external risks.
Where do we go from here?
Before implementing new frameworks or technologies, we must address the overall culture of security teams. We need fewer martyrs and more resilient defenders – professionals who can be fully present and better equipped to navigate security incidents and vulnerabilities. Based on conversations with hundreds of security leaders, here are key actions managers can take:
-
Establish clear communication guidelines:
Implement policies that specify which channels are for what types of communication, including time boundaries. This can help reduce cognitive load and confusion among team members.
-
Set and monitor “wellness goals”:
Include these in performance reviews to demonstrate that wellbeing is a priority. These could range from completing hikes to practicing meditation, with regular check-ins for accountability.
-
Sponsor pragmatic wellness programs:
Many organizations have budgets for professional development or wellness. Investing in quarterly sessions around stress management techniques can help inculcate resilience into a larger team. It will also send the signal that the organization values wellness.
-
Enforce time off:
Combat the “unlimited PTO” trap by mandating regular mental health days. One effective approach is to have each team member schedule one weekday off per month for rest, no questions asked.
-
Foster a supportive culture:
This is the hardest task, and will take time. Create an environment where team members feel comfortable asking for help or time off without judgment. Recognize that everyone faces personal challenges and prioritize empathy and support. Crack down on gossip and shaming.
By implementing these strategies, cybersecurity teams can build a more resilient and sustainable work culture. This shift from a “grinding” mentality to one of navigation and self-care will not only improve individual wellbeing but also enhance the team’s overall effectiveness in facing complex challenges. As security strategies continue to evolve in process and technology, so too must the cultures surrounding the humans who are integral to our defenses.
About the Author
Bio: George Kamide is the co-founder and Executive Director of Mind Over Cyber, a 501(c)3 nonprofit organization dedicated to improving mental well-being and preventing burnout in the cybersecurity industry through the teaching of accessible mindfulness techniques for defenders. He also co-hosts the Bare Knuckles and Brass Tacks podcast, where he gets into good trouble along with CISO George Al-Koura.
