Combating stress through autonomy, belonging and competence

Daniel Shore at MultiTeam Solutions offers advice to cyber-security leaders on the knowledge, skills and tools they need improve their own mental health and to support the people they lead

 

Working in cyber-security means working in an environment that is constantly changing and unpredictable. As a result, there is much that is out of cyber-security professionals’ control. Despite their desire to thrive in this type of environment, the dynamic uncertainty still seems to be taking its toll. 

 

At MultiTeam Solutions we collected survey responses from nearly 175 cyber-security professionals about stress and burnout, with respondents generally defining “burnout” as the point at which they’ll run out of motivation to do their jobs well. 

 

The results showed that, while most professionals in the cyber-security sector believe they are quite resilient to stress, they are also aware of their limitations. Over 50% of those surveyed admitted that they will reach the point of burnout in the next year, if not sooner, with 35% sharing that they anticipate burning out within the next 6 months. Longer-term, another 30% said they’ll reach the point of burnout within the next 3 years. In total, that’s 80% of respondents who plan on being less effective in the relatively near future. 

 

These are concerning findings on a variety of levels, one of which is the fact that burnout is not a moment in time but rather the climactic end to a journey full of stress, pressure and exhaustion. Preceding that moment, it is not difficult to surmise that one’s mental health and, in turn, effectiveness declines along the way.

 

Although this trajectory seems to be rather common, and also widely accepted as inevitable within the industry, there is room to ask, “What can leaders in cyber-security do to better support their own mental health and well-being?”

 

A human-centred approach to motivation

Although many cyber-security leaders oversee multi-team systems, mental health and well-being are rooted at the individual level. In other words, if individuals are stressed and burnt out, then teams will not function well and neither will multi-team systems.

 

Drawing from social-behavioural research, and specifically self-determination theory by Deci & Ryan, there are three key drivers of motivation for individuals: Autonomy, Belonging, and Competence (the ABCs of motivation). 

 

Strengthening all three of these drivers will increase individual and system-wide resilience to the negative experiences of constantly working under pressure and being attacked.

 

Furthermore, raising one driver is likely to enhance one or both of the other drivers as well. It is paramount, though, to recognise that in order for cyber-security leaders to support their people, they also need to have their own sources of motivation, which, in turn, will give them more capacity to support others.

 

So, the first priority is to identify strategies for leaders to strengthen their own ABCs of motivation. 

 

Autonomy

There are many things that cyber-security leaders do not have control over and many choices they don’t get to make. The following strategies focus on the things they do have at least some control over, and the choices they do get to make as ways to raise their sense of autonomy. 

 

Leaders should put resources toward a project or initiative that they personally find interesting. It can be easiest to focus on something that falls within existing projects or initiatives, or at least, aligns with an organisational goal. 

 

For example, a cyber-security leader may have a strong interest in techniques to safeguard proprietary sensitive data—for example, safeguarding data from being used in AI data sets. In turn, the leader might host a hackathon for analysts and challenge them to design processes to anonymise data in AI training models while ensuring compliance with data privacy laws. 

 

In doing so, the leader not only pursues and learns within a personal area of interest, they also align the project with the organisation’s goal of enhancing security measures. Bringing others on board and sharing interests can also tap into one’s sense of belonging.

 

Recognising decision-making opportunities is also important. When leaders get to take ownership of a decison, or at least play a key role in guiding it, they should try to embrace that opportunity. Although not all decisions are enviable, it can be empowering to take on the leadership mindset that you are one of the best people to be making this decision, or at least a person in one of the best positions to do so. 

 

Say an organisation needs to put together a working group to develop an insider threat program, and there is a cyber-security leader who has built good rapport with folks across different departments such as HR, IT and Legal. This scenario presents an opportunity for the leader to decide both who to bring together and also how to guide the working group, including setting the group’s priorities, be it internal monitoring, analytics, data loss prevention, etc. 

 

In this way, the leader takes ownership of a major part of the decision-making process and embraces their expertise, while also building their sense of competence. 

 

Belonging

Despite the amount of collaboration necessary for effective cyber-security, working in isolation or silos is very common. Hence, it can be very difficult to create a sense of belonging. Leaders may have a particularly challenging time because they often sit above most members of the organisation. 

 

There are, however, some structured, approachable ways for leaders to connect with others. 

 

One opportunity for connection is through a formal mentorship matching program. Through this type of program, leaders can be paired with one or several employees, and support them in specific parts of their professional journey–especially those that connect to the leader’s areas of expertise. These might include leading multi-team SOCs or CSIRTs, developing and/or complying with policies and regulations, or even technical skills from the leader’s background, such as threat modelling. 

 

The experience of mentoring, of course, also serves as a good way to reinforce the leader’s competence. 

 

Cyber-security leaders often carry with them myriad identities, which can include a variety of technical areas of expertise if they were previously analysts or another front-line role. In turn, it’s important to actively engage with and learn from other leaders, either from within the leader’s own organisation (e.g. by hosting roundtables with department heads) or from other organisations (e.g. through events such as conferences). 

 

A leader’s sense of belonging can be enhanced by making connections, experiencing camaraderie, seeing the bigger picture of shared responsibility in cyber-security, and working with other leaders to solve collective problems. 

 

Competence

It can be very difficult to feel competent in an industry with so much unpredictability and difficulty in measuring success, plus a constant barrage of new policies and regulations that leaders must navigate. This brings up the question of, “What can you do that you know you are doing well?” 

 

There is always the opportunity to keep up to date with trends, technologies, and regulations through ongoing education and training. In in order to be more connected with the work being done by those they are leading, a leader may choose to further educate themselves on strategies at the leadership level, such as applying the recently released NIST Cybersecurity Framework 2.0; or they may focus on more technical areas of expertise such as CISSP certification and recertification

 

Either way, staying on top of their own learning is within their control, and choosing what to learn also will reinforce their sense of autonomy. Furthermore, sharing their knowledge and expertise internally and externally to their organisation, can help leaders reinforce their sense of competence and confidence. 

 

While the effectiveness of cyber-security efforts (such as the extent to which an attack was thwarted) are often not known for days, weeks, or even years, the way the efforts are conducted (the internal processes) are often more clearly measurable and can reflect a leader’s competence in managing their people and their systems. 

 

One area that provides metrics of an effective cyber-security operation is data management. Data centralisation, encryption, backup frequency and depth of data-lake segmentation are all measures that are less influenced by external factors. In this way, they better reflect a leader’s ability to guide and manage processes as well as their expertise in a critical operational area.

 

Using metrics related to these types of processes is a more concrete way for a leader to show competence.

 

A new focus moving forward 

As cyber-security continues to increase both in complexity and the amount of pressure from doing the work, prioritising the mental health and well-being of professionals is essential to protecting the workforce.

 

Leaders who invest in the ABCs of motivation of their teams will cultivate a more robust and adaptive workforce, that is more resilient individually and collectively. Leaders, though, must first attend to their own sources of the ABCs in order to motivate themselves; then they can focus on the individuals who make up the teams and multi-team systems they lead. 

 

By fostering a sense of autonomy for themselves, leaders can feel a greater sense of control and independence in their roles. By fostering a sense of belonging for themselves, leaders help to build stronger connections and a supportive environment, crucial for mental health and well-being. Lastly, by fostering a sense of competence through opportunities for skill development and acknowledging achievements, leaders can boost their own confidence and job satisfaction.

 

By taking a human-centred approach to combating their own stress and burnout, leaders can become more resilient and lead by example.

 

---

 

Daniel Shore is co-founder and social-behavioural scientist at MultiTeam Solutions 

 

Main image courtesy of iStockPhoto.com and BrianAJackson