The importance of taking care of our people and their mental well-being -TEISS® : Cracking Cyber Security
April Fools’ surprises can be a delight, making this the one day each year that security professionals don’t mind getting exposed to shocking content. The rest of the year, the sort of awfulness that arises in monitoring and investigations can be seriously traumatic. To take care of our people, we need to increase access to preventative and post-exposure mental health services.
1st April is a tough day to work in cyber security. More popularly known as “April Fools’ Day” in the USA, the first has a special place in the hearts of some for the whimsical and clever hoaxes that tech companies traditionally publish on that day.
Taking inspiration from the BBC’s 1957 “spaghetti-tree hoax” broadcast (a.k.a., “the biggest hoax that any reputable news establishment ever pulled”), tech companies use 1st April to “introduce” new products and services that seem perfectly plausible at first glance. All to set readers up for a laugh and some rueful disappointment once they realize the “new” products are glib fakes.
For me, the best tech company “new product” prank was built on BoingBoing’s 2003 “Unicorn Chaser” concept. In 2009, quirky retailer ThinkGeek “introduced” a new restorative beverage of the same name designed to bring writer Xeni Jardin’s vision to the masses. The advert read:
“We’ve all been there. You are innocently Twit-blogging on the Interscape, logging a few hours on Facebook, or checking your e-mail and you click on a link without thinking. Suddenly, you are confronted with an image or video so horribly nauseating it makes your eyes bleed. …
“Introducing, the Unicorn Chaser – a drink shot specially formulated to cleanse your mind and soul. … Chug it within one minute of viewing the offending internet image (really, as fast as possible) and in mere seconds you will begin to feel better. It won’t erase your memory, but each Unicorn Chaser will pump you with enough goodness that it just won’t matter. You’ll be healed. You’re welcome.”
If this were a real product, it would be the most profitable item sold in every vending machine and convenience store on the planet.
I printed the ThinkGeek advert out and posted it right above the coffeemaker in my squadron’s breakroom. That “ad” stayed in pride-of-place in our collection of cartoons, quotes, and humorous debris until after I retired. I think that Xeni’s joke (and ThinkGeek’s interpretation of it) resonated with my Airmen (and a surprisingly large number of our visitors), because there’s a common joke in cyber security circles that our professionals “can’t be shocked anymore.”
The logic goes that those of us in security (or, depending on the telling, in IT support) have all been exposed to the absolute worst content that humanity has to offer in the normal pursuit of our duties. That is, we’ve reviewed monitored communications, searched through drive shares for contraband, pursued forensic examinations of digital evidence, etc. and have come across things we would never want to experience. It’s funny … most of the time …
I’ve found over time that it’s less a joke than it is a warning for those outside of our profession: please don’t look at naughty or offensive content on your work computer because then we’ll all have to look at it in the process of bringing you to justice and we really don’t want that content searing itself into our brains for all time. This is, unfortunately, a real job hazard.
I’m not about to claim that we have it as bad as those poor folks whose job is to review controversial social media content all day. If you haven’t already read Casey Newton’s article “The Trauma Floor” on The Verge, I highly recommend it. About halfway through Newton’s article, he talked about the resources available to the “content moderators” who are tasked with reviewing controversial content:
“… employees are told to cope with the stress of the jobs by visiting counsellors, when they are available; by calling a hotline; and by using an employee assistance program, which offers a handful of therapy sessions. More recently, yoga and other therapeutic activities have been added to the work week. But aside from occasional visits to the counsellor, six employees I spoke with told me they found these resources inadequate.”
Consider how audio and video content “sticks” in your mind after exposure. Now, imagine something vile following you everywhere you go after first experiencing it. Only no one else can see it, and it interjects itself randomly into your thoughts, souring everything. It takes more than a one-time chat or a yoga class to silence the mind.
Given what’s revealed in the article, I can see why those well-intended resources wouldn’t be adequate to address the problem. Such resources may not be adequate for anyone whose job forces them to consume especially vile content. That is, the sort of content that – once consumed – doesn’t swiftly fade away like a mildly-amusing cartoon.
The worst content becomes a source of increasing discomfort, interrupting regular thought. It can poison and corrupt previously innocent ideas, places, or activities by association and transference. The worst of the worst can become a source of Post-Traumatic Stress.
For context: I worked closely with the commanding officer (and chief psychiatrist) of the U.S. Army’s 85th Medical Detachment (Combat Stress Control) in the 1990s. Since I compiled the doctor’s monthly readiness reports, he reciprocated by teaching me how his unit functioned. The CSC Det provided immediate intervention for psychological trauma casualties. The more stress that a soldier was put under, the greater the negative health effects they would experience.
Being exposed to gruesome or horrifying experiences greatly magnified stress and had a lasting negative impact on some soldiers’ mental equilibrium. The doctors worked with affected soldiers early – preferably before they manifested signs of dysfunction – to pre-emptively mitigate the effects of traumatic stress and keep them healthy.
Later, I attended a lecture at the 2010 Defense Cyber Crime Conference where a law enforcement presenter from the National Center for Missing and Exploited Children explained how mentally and emotionally exhausting their work was. The process of painstakingly searching Internet posts to identify, track, and rescue minors had a cumulative crushing weight.
Most team members could only endure five years or so of exposure before the horror wore them down. NCMEC leveraged employee assistance services for their staff, including access to mental health professionals. The presenter said that the services helped … but it wasn’t a cure. Some things can’t be forgotten; only numbed.
In my opinion, there’s a long-term hazard integral to cyber security work for the technologists, legal experts and HR professionals who review our reports. The content dredged up during misconduct investigations can expose security and security-adjacent workers to some of the worst content that humanity can create.
The Internet was already a horror-show before social media. Now … It’s a wonder.
It’s because of this that I’ve come to advocate for expanded investment in mental health resources for cyber security workers. We need to consider the potential short-term and long-term damage inflicted on our colleagues as a direct consequence of doing their jobs. We should push for preventative care and invest in coping skills early in a worker’s career, rather than wait for a worker to request help following a traumatic exposure event.
Yes, I’m advocating for stealing the Army’s idea; mental fitness is a human issue, not an exclusively military issue. I’ve learned what long-term exposure can do to strong workers. We don’t want to “burn out” our highest-trained and most-valuable personnel any more than we want them to become physically disabled from falling off a ladder. If you need to be clinical about it, consider it a pragmatic “conservation of key resources.” Speaking personally, I’ve seen what PTS can do to people. I don’t want to see that affect my team.
On April Fools’ Day I expect to see a lot of well-intentioned jokes, pranks, and hoaxes as part of the traditional shenanigans. I’m not especially worried about the shocks and surprises that are likely to pop up. No one is likely to be disturbed by a tongue-in-cheek fake advert for a “Tauntaun Sleeping Bag.” Those may delight and disappoint, but they won’t cause irreparable harm.
I’m quite concerned about the shocks and surprises that might pop up over the rest of the year during routine monitoring, analysis, and investigation support. Leaders at all levels need to evaluate whether the generic “employee assistance” resources are adequate for the needs of our cyber security (and security-adjacent) personnel.
For them, we may well need better access to advanced resources to help our people develop more effective resiliency and recovery skills. We owe it to them for what they are exposed to and for the good work they do on our behalf.
Be warned: the article is a dark glimpse into a disturbing world, so proceed with caution.