I’m just going to come out and say it. I’m a blue team cyber security professional, and I get anxious. It’s taken me a while to get to the point to be able to say that, rather than I “suffer” anxiety.
When I say anxious, I’m talking about the “oh no I’ve left the gas on” thoughts when I’m 3 hours away from home, and haven’t even used the gas stove for a couple of weeks, and then spend hours trying to work out a way to just confirm that the gas was in fact off.
When I say anxious, I mean I can lie in bed after a day of work and worry that I haven’t done this particular action when triaging an alert, or that I might have missed some important piece of evidence that would have made an a completely benign alert the most important thing on the planet.
When I say anxious, I mean when I’m writing a blog post talking about anxiety I worry my experiences are not valid, or that I am less of a person for talking about it.
These are not thoughts or feelings that are specific to blue team cyber security professionals. In fact, some rough Googling tells me that “One quarter of Australians will experience an anxiety condition in their lifetime”, and that mental health issues are reportedly increasing for members of the millennial (which despite how old I feel sometimes, I am a member of), cohort.
So why does it seem that a larger proportion of my profession are affected by these issues? I’m talking specifically about blue team here because I feel like there is a distinction between red and blue and because I personally have minimal experience with red. In essence, I think it boils down to these reasons:
- We’re the people who generally find the bad shit. The bearers of bad news that something has gone wrong, a process has broken down or there was a lapse in some area. It’s hard to feel like you’re succeeding when you’re constantly finding new things that are broken, or wrong, or just plain old bad shit. It’s a never ending battle, and the blue team is always battling against unintentional and intentional vulnerabilities in the network.
- By nature we’re dedicated, we’re inquisitive, we like problem solving, and we’re evidence based. If we don’t have the answer, or can’t find the answer, it frustrates us. “Did I miss something?” “Did I look in all the right places?”. When you then bring forth stressful or anxious emotions and feelings that can be had whilst in any workplace, that are a lot more ephemeral than an indicator of compromise, or a PCAP with malicious traffic in it, it’s hard to quantify in black and white that this is the way I feel.
- We feel responsible for the actions on the network. We’re the ones who ensure that the business is enabled to do whatever it needs to do to succeed, with cyber security being but one part of that. We sometimes forget that we’re but a cog in a much larger piece of machinery. That when we are rebuffed from making changes to improve security, we ask ourselves “Did we provide them with all the information they needed to make that decision?”. “Did they not understand what I told them?”. “Do they not care?”. “Whats the point in me doing my work if nothing changes?”.
- There’s always a new threat. There’s always a new piece of malware, a new method of intrusion, a new patch. Adversaries evolve, and though it is exciting for a blue team person to learn and grow and understand that evolution, the ongoing onslaught can be a bit much. This increasing amounts of threat reporting, malware analysis and new technical tools can also leave you unsure of what to focus on.
- When other people bugger up, we’re the clean up crew. Depending on your management structures, it’s hard to be able to hold people to account for their actions for preventable mistakes. I’m not talking about accidentally clicking a phishing email. I’m talking about negligence in ensuring that a system was secured or built correctly. It’s something that does happen, and depending on the structure can be difficult to feel like action is taken to ensure it doesn’t happen again.
How do we make working in a blue team less anxious and stressful? Honestly, I don’t have the answer. If we accept by nature that people in our profession are more likely to suffer anxiety, then it comes down to ensuring that the environments in which we work are supportive, understanding, and accountable.
We talk about the “cyber skills shortage”, and I agree this is a significant issue — we need more trained cyber security professionals. But in conjunction with that, we need to ensure that the environment we put these people in enables them to thrive, to be confident in their decisions, enable staff retention and to achieve better performance. Otherwise, we could end up in a situation where these newly trained cyber security professionals burn out or the skills and knowledge of seasoned professionals is lost as they can no longer stay in such an environment.
So what can we as fellow cyber security professionals (and human beans) do to support our colleagues? Look out for the signs of anxiety and burnout in yourself and colleagues. If your blue team is genuinely concerned about a security issue, try and understand their concern and support them to bring that up with management to try and have it resolved. Support those that come and ask for assistance when they feel overwhelmed. Encourage them to seek help from medical professionals. Maybe even just ask them R U OK?