April is Stress Awareness Month. With the pace of constantly-evolving threats, budget battles and security apathy from users, it isn’t a stretch to imagine that stress is a part of the job in IT security.
So, it’s surprising to see a survey that says “Security Analyst” is the #1 least stressful job across all industries. It will be interesting to hear from you as a reader in the comments section below if you take exception to that survey result, or if you think it’s accurate.
Stress in general is your body’s way of responding to danger, whether real or perceived. The situations and pressures that cause stress are known as stressors. We usually think of stressors as being negative, however, anything that puts high demands on you can be stressful. This includes positive events such as getting married, buying a house, going to college or receiving a promotion.
From an IT security perspective, security stressors are typically related to feelings of lack of control. Let’s identify five triggers that can drive up stress levels and consider how security pros can reduce them.
Keeping Current with Threats
There were over 6000 new common vulnerabilities and exposures (CVEs) published in 2016. While not all are present in your environment, that is still a big number to keep up with and compare against hundreds or thousands of servers, apps, devices, and so on.
This is an example of a stressor related to lack of control, but in this case, it’s best to get by with a little help from your friends. Loneliness or isolation increases stress levels vs. having a strong support network. Use your network by building a feedback loop that includes IT operations, system, application and network administrators, and information sharing with peers through cyber threat intelligence (CTI).
IT security would be a lot less stressful if users were not part of the equation. They are the weakest link in security, constantly finding ways around company controls, falling victim to phishing attacks and exposing credentials.
Every attempt at controlling users has to be balanced with the need for business to be conducted with less friction. Education can go a long way towards raising the security awareness of users and reducing the vulnerability they represent towards the organization. To reduce the stressor of users gone wild, create education goals and measure them to instill a sense of accomplishment for both the employee and security team.
How to justify a security project is outside the scope of this article, but those tasked with securing their organizations do feel the pressure of falling behind attackers and the standard of due care. That pressure drives a need for budget resources that correlate with the evolving threat landscape, but it isn’t always easy to justify to those outside of day-to-day security operations.
Budget approval may be out of your hands so self-awareness of stress-triggers and emotions when a budget decision does not swing in your favor can help to keep your attitude and outlook positive. In these cases, focusing on your organization’s current investments and identifying opportunities to improve current programs, such as employee awareness, can help re-instill that crucial sense of control.
The Task Backlog
There are always new policies to write in response to changing technologies, threats and regulations. User demands and project changes add to the pile of assignments. And a lack of skilled personnel to tackle these tasks plagues many organizations.
Getting away from the grind seems difficult to do and may feel counterproductive when you have a long to do list. Over half of American workers aren’t taking their vacation days, in some cases because they fret about returning to a mountain of work. And 61 percent of them reported working while on vacation. It may take some planning, but getting away can help you become more productive.
Unpredictability of Incidents
Nothing contributes to stress quite like a security incident. Incidents derail planned work, result in immediate pressure to find, contain and recover from the breach, and bring unwelcome attention from people who don’t always understand what’s happening.
One way to mitigate that stress is to frequently evaluate your plans and procedures for dealing with unexpected incidents. All organizations in today’s threat environment should operate with the assumption they will be, or already have been, hacked. Knowing that you have plans in place to reduce the exposure when an incident is detected can restore some sense of control.
Implementing policies and controls are a big part of IT security, so feeling out of control can have a big impact on stress levels. Rely on your network, gain a sense of accomplishment, stay aware of your emotions, take some time off and build good plans to reduce the common stressors in IT security.