The Hidden Battle: Mental Health in Cybersecurity

I’m writing this today for you as much as for myself. We’ve gotten real here before, but this time, I wanted to hit a bit differently. The tone is a bit more serious, maybe a little more exhausted. Dark humor is the way I try to convince myself it’s not that bad.

The reason I’m most impressed that I’ve hit submit on 23 weeks straight of long blogs and newsletters is because any given week is a crap shoot on where I am mentally. The last few weeks have been hard ones, and today is no different.

Luckily for me, I have put in a lot of hours on the subject matter, and I know I am not alone. But I also know not everyone feels like that, and so I was called to share a bit more and dig a bit deeper this week.

Let’s get vulnerable.

With hardly any effort at all, I found that it was not just in my head. Mental health issues within cybersecurity grow at an alarming rate.

Headlines for Cybersecurity Mental Health.png

The industry demands nothing short of perfection—zero tolerance for mistakes. Our adversaries are persistent and smart, requiring we remain two steps ahead, constantly anticipating their next move. It’s like playing chess with ghosts, where a single oversight has the potential for devastating consequences.

We’re fighting against the clock too. Hackers don’t punch out at 5 PM, and neither do we. I can’t tell you how many family vacations over holidays I’ve been on an incident bridge running command on a response effort. It became a joke that July 4th was just destined to have me holding my phone up in the woods searching for cell signal while dealing with adversaries who knew the US folks would be AFK.

Sleepless nights and bleary-eyed mornings are par for the course. Any security consultant’s go-bag includes all sorts of stimulants. I remember we used to trade espresso beans in our hotel rooms while going over pcaps.

Some of us live for this as there’s a thrill in the chase, the constant learning, and the triumphs when we outsmart our foes. But let’s be honest, it’s not always sunshine and rainbow tables. It’s not always as glamorous as popping boxes and flying off to brag about it in Vegas. The mental toll can be heavy.

Today I want to expose the realities of mental health in our industry while also sharing the life rafts I’ve been using to stay afloat. Likewise, consider this your invitation, rather, I implore you to share what works for you so I can try on new mental health fits.

Reasons staying sane is such hard work

High Stakes, High Stress

As cybersecurity professionals, we’re entrusted with safeguarding the internet - the very fabric of the world we live in. That’s not a small job. The consequences of failure can be severe—data breaches, financial loss, reputational damage, and sometimes even lives at risk. With all this new data around mental health in our field, those lives at risk - including our own.

This isn’t FUD. I’m not being hyperbolic. I’m not selling anything. This is a major issue.

We’ve lost so many people. It’s a niche industry, the job market is fairly incestuous, and the conferences are just a bunch of friends getting together and talking about cool shit - so when we lose one of us, we all feel it. Deeply. IYKYK

Lack of Predictability (hours and threats)

Unpredictable work hours are our constant companions. Not only do attacks never seem to happen during normal business hours, but our circadian productivity rhythms rarely do either.

Sleep? What’s that? We’ve mastered the art of powering through on caffeine and sheer willpower. It’s like living in a cybersecurity version of Groundhog Day—except Bill Murray never had to deal with Kubernetes.

Lack of Work-Life Balance

Let’s face it; achieving a work-life balance in this industry is about as elusive as the bugs we hunt.

The boundaries between our professional and personal lives blur into a beautiful shade of grey. Who needs weekends, anyway?

I looked at the popular r/cybersecurity subreddit last week, and the top posts were either “How can I break into this industry?” or “I’m so burnt out I’m quitting and fleeing the country.”

Not many of us are putting in a casual 9-5. Especially if you’re on the front lines of your org and dealing with detection and response, it can be never-ending.

An old colleague of mine liked to put it this way:

“I’d drive uptown to the corporate office where our business partners sat. It would be like I was a soldier strolling into Saigon out of the rice paddies. Covered in mud and blood and sporting a thousand-yard stare. They’d be there in their finely pressed linens serving tea, wondering why I looked so tired.”

Heavy Responsibility and Accountability

When you’re doing cybersecurity right, it is a silent victory. Nothing happens means it’s working, but that is hard to digest as a win or explain to leadership.

When you’re doing it poorly, it is a loud failure. You might have never met your executive team before, but if you get popped, I’m sure they’ll miraculously find your cell phone number.

As if that wasn’t enough, the fate of user data and critical systems lies in our hands.

And when the inevitable incident occurs, cue the sleepless nights and self-doubt.

“Did I miss a vulnerability? Should I have clamored louder for the budget to implement that new detection solution?!”

The impostor syndrome creeps in like malware in a Call of Duty waiting room. (Catch the reference here)

Exposure to Disturbing Content

Oh, and let’s not forget the dark side of incident response—the stomach-churning exposure to disturbing content. Nothing quite prepares you for the sight of some of the content that many in our industry are forced to deal with.

I’ve been lucky enough to avoid this sort of incident response, but a whole lot of us have to deal with hard drives filled with CSAM or sex trafficking victims.

What the data tells us

Recent studies show that a staggering percentage of cybersecurity professionals have experienced burnout, anxiety, and other mental health challenges. It’s like we’re part of an exclusive club that no one really wants to join.

Take this report that Tines put out last year during mental health awareness month on The State of Mental Health in Cybersecurity. Here are some interesting findings:

Mental Health in CyberSecurity Stats

Many of you probably read the newsletter a few weeks ago, where I celebrated a year of sobriety. So this next highlight struck me.

Alcohol usage in cybersecurity

That was me. It wasn’t a healthy relationship with alcohol, and so I decided to take a beat and evaluate that relationship. I guess I’m still figuring it out, but I do know that it was directly impacting my physical and mental health. It’s not like I’m waking up a ray of fucking sunshine every day now, but I’m certainly not actively making it worse, and that feels like the right choice for me.

My life rafts

These are my cheat codes for increasing the good brain chemicals. It’s not like I do all of these daily (might be singing a different tune if I did!), but when I feel the weight of depression and the spiral of anxiety creeping up, I have to go on the offense.

Somedays, I do none of these. Some days I do one. Other times by the grace of the universe, I do a combination that gives me just enough to get through.

  1. Evaluating my relationship with alcohol & social media

    We talked about kicking my drinking habit already - one sparkling water at a time. The second part of this is a constant struggle. My career was built on Twitter. How do I give up this community I rely on, love, and admire? I actually believe in the goodness of online communities. But sadly for me, there is a direct correlation between my mental health and the use of social media. I’ve deleted Instagram, and I’ve removed myself from Facebook entirely. Probably should admit how many times I’ve reinstalled the former.

  2. Moving my body in ways I enjoy

    Moving is critical. Our bodies are literally storing information all of the time and require us to move in order to understand and move through those experiences and feelings. For me, it’s lifting. I lift weights, and I feel like a whole new person.

  3. Not eating like an asshole

    Y’all, I live in Austin. It’s so easy to get delicious food at all hours of the day. Though, I recognize a HUGE difference in how I feel and approach the morning depending on what I’ve eaten the day before. If you are interested, I read this book about eating for depression. Goodreads Link

  4. Basic hygiene

    Damn, if this one doesn’t feel like the hardest to accomplish sometimes. Getting out of bed feels daunting, and I’m supposed to brush my teeth and shower? It’s painful, but when I force myself to do this, it always works. Doesn’t cure anything by any means, but the trend on the day starts to look different. After a few days stuck in bed, a shower and a shave can be just what the doctor ordered.

  5. Clinician assisted Ketamine

    The use of psychedelics is controversial, I know. But the six-week period where I went in for regular ketamine treatments was actually life-saving. I was in an incredibly dark place, and this moved my baseline to something more manageable - where my coping strategies and other tools were working again. It is a privilege to live somewhere this treatment is available and a privilege to afford it. Grateful for all of that, and I hope the laws continue to shift in a way that makes psychedelics broadly legal and affordable.

  6. Building a team

    They say you’re the product of the five people you spend the most time with. In that regard, I’ve been focused on building a team around me that is trying to do nothing but maximize each other. Lately, this has been my weekly coffee with new but powerful friendships in some Austin security nerds, Stephen and Michael. Thank you for being consistent, supportive, and easy to talk to.

Other resources I can’t not mention, but that feel obvious and haven’t been super useful to me. But everyone’s toolbelt is different.

  • Therapy - The virtual stuff is super approachable these days. My one recommendation is treat it like speed dating, and find one you connect with. This took me years.
  • Online support groups - Not necessarily my cup of tea but I did join a few sober communities when I was exploring that. I never went to a meetup but I can see this being super powerful.
  • Meditation apps - This has been a goal of mine to solidify a meditation practice for years. I do listen to Calm occasionally when fighting insomnia but that’s about it. The data on meditation is unquestionable, it is incredibly beneficial.
  • Treatment centers - Big guns. Use them. No shame in a grippy sock adventure.
  • Local meet ups - Loneliness is a killer. Go bump into some folks in meat space if you’re feeling up to it. You never know who you’ll meet to be on your personal maximizing team.

Your turn

Whether you are in the field or not, I want to hear from you.

Are you in the same boat as I am? Have you been dealing with the same kind of deflation and exhaustion from hearing about more and more loss among peers, colleagues, friend groups, etc.? Have you used any of my cheat codes or the other resources listed here?

What works for you, and what doesn’t?

As concerned as I am for myself, for you, and for our industry, I am equally hopeful that the amount of creativity, perseverance, grit, and ingenuity required to be in cybersecurity will actually end up being the catalyst for our own healing.

We’ve yet to meet a problem we can’t solve.

Except for phishing.

Join the Newsletter

Every Friday, I'll send you the latest edition of Vulnerable U - My free newsletter with a mini blog topic, collection of the news I'm reading this week, and more!

Subscribe to get my best content. No spam, ever. Unsubscribe any time.

The Hidden Battle: Mental Health in Cybersecurity
Older post

The Growth Mindset Revolution

How mental health has become a crisis and our industry is finely tuned to perpetuate it

Newer post

Threat Modeling Depression

How mental health has become a crisis and our industry is finely tuned to perpetuate it

The Hidden Battle: Mental Health in Cybersecurity