Beyond the spotlight of the cybersecurity industry’s IPO-fueled paydays and reputation-making research lives the slow burn of daily anxiety.
In just about every industry, mental health is overlooked and under-appreciated. But in cybersecurity, “it’s even more stigmatized,” according to psychiatrist Ryan Louie.
“Nobody wants their security clearances or career advancements somehow impacted because of perceptions about mental health,” he told CyberScoop.
And so Louie, who works at a 30-bed psychiatric ward in San Francisco, took to the 2020 RSA Conference, one of the biggest cybersecurity conferences in the world, to start a conversation about mental health.
“We want to get more people [from] all different industries to start thinking about this,” Louie said after his presentation at the conference on Friday.
Alert and bespectacled on stage, Louie explained why, as a psychiatrist who treats patients of all stripes, he became interested in cybersecurity.
“Fundamentally, I’ve always felt that the most powerful thing for people in their lives is to feel safe,” Louie said. “It’s the digital corollary of that. We’ve got to feel safe digitally to be mentally well.”
That starts with protecting patients’ medical information. Last year, a researcher reported that sensitive data on an estimated 146,000 patients at a Pennsylvania rehab clinic was left in an insecure database. While no malicious use of that data was found, it is the sort of information that malicious hackers could use to extort or further victimize a vulnerable population.
Treating victims of data breaches
Louie’s words resonated with the audience of coders and developers.
Mustafa Perveiz, a network engineer at an insurance holdings company, used the Q&A to reflect on how stressful it can be for corporate employees whose one wrong move — clicking on a phishing link, for example — “can jeopardize the entire company.”
“It can be challenging for employees if they are told, ‘If you lose a device, you may get fired,’” Perveiz told Louie, and the crowd. “So, even before getting hacked, some people can take that really hard.”
The people repelling hackers are carrying burdens, too. It could be the incident responder who spends the better part of a month on the road, or the combat veteran who fights cybercrime but also the battles he or she brought home from war.
There is data behind this anxiety.
Ninety-one percent of chief information security officers surveyed by Osterman Research and domain name vendor Nominet reported moderate or high stress. A quarter of them said their job has affected their mental or physical health, according to the survey published last year.
But Louie says there is still a lack of data exploring the psychological impact of incidents like breaches. He has treated patients who have been hacked and describes a “digital corollary” to post-traumatic stress disorder in which they are afraid to go online for fear of having their information compromised again.
The more (anonymized) information that mental health experts can gather on hacking victims — and the cybersecurity professionals responding to the hacks — the better equipped they will be to treat them.
“If someone comes into your clinic saying they’ve been hacked, don’t just brush it aside,” Louie advised his fellow mental health professionals. “Ask them questions. Ask them cybersecurity questions.”
Mental health is increasingly being discussed at major cybersecurity conferences like Black Hat and RSA. Louie wants to build on that momentum.
“I think it’s an emerging field at this point,” Louie told CyberScoop, appealing for more people to join the cause.