Long hours, remote work, a lurking pathogen and an onslaught of cyberattacks have security chiefs concerned that their staff are quietly absorbing too much stress at once.
At the typical company, the early days of the pandemic were busy times. Bryson Koehler, chief technology officer at Equifax Inc., recalls how his team worked “night and day for the first five to seven days” to ensure that staff had the tools they needed to work remotely.
But for cybersecurity specialists, the work never abated. Companies from health-care to financial services have faced a surge in cyberattacks, ranging from direct attempts to break into networks to a leap in the volume of spam and phishing attacks, security chiefs say.
Avoiding burnout is the hardest part of work in the pandemic, said Omar Khawaja, the chief information security officer at Pittsburgh-based nonprofit health care company Highmark Health.
Mr. Khawaja said he scans for signs of burnout in frequent video chats with his 135 full-time employees. In “Ask the CISO” sessions, he hosts eight to 10 employees for informal conversation once or twice a week; he also schedules 20 one-on-one videoconferences every week.
“I spend a lot of time with my team pleading with them, ‘Please tell me if anything’s wrong, where I can help’,” he said. “There’s nothing insurmountable, but if we don’t know about it that’s a guarantee nothing will be done.”
Some employees, he said, have high-risk members in their household and were anxious about returning to the workplace. Mr. Khawaja assured them they would not need to be in the office until they felt safe, which he estimated is still several months out.
A couple of employees were concerned their health insurance wasn’t appropriately covering some services and Mr. Khawaja helped resolve the situations, he said.
Managing the risk of burnout can sometimes require direct intervention. At Nasdaq Inc., CISO Lou Modano said the stock-exchange operator quickly realized there were pressures silently building in its workforce.
“People had trouble separating being home and working,” he said. “With it being so easy and accessible, we found that our teams were not taking any time off. They were working round the clock as needed.”
The human resources department has stepped up its interactions with individual employees, he said, from checking that they have the equipment they need to providing support for anyone grappling with anxiety or overburdened with responsibilities.
Stress and burnout in cybersecurity haven’t been widely studied in a clinical manner, but anecdotal evidence suggests they can be serious. A report published by the London-based Chartered Institute of Information Security found more than half of the cybersecurity professionals it surveyed had either left a job due to overwork or burnout, or knew someone who had.
Security chiefs aren’t immune to the pressure, either.
With no commute, Mr. Khawaja said he lost the buffer between work and home life. His wife pointed it out the other night.
“You’ve been sitting at the dinner table, but you’re not here,” he recalled her saying. “I was trying to wrap up four or five work things in my mind.”
Now he tries to go for a 10- or 15-minute walk at the end of the business day to create closure. “This requires real discipline. I have to work on it,” he said.
At Nasdaq, Mr. Modano said more staff are now taking time off, but it had to start with him taking his own advice.
“I’ve had to pull back a little bit, and leading by example have had to say that I’m taking a personal day, or I’m taking some time off now,” he said.
“There has to be a little bit of encouragement from the management team because people are in the trenches,” he said. “This is an unprecedented event that we’re dealing with and everyone deals with it differently.”
Write to James Rundle at [email protected], Kim S. Nash at [email protected] and Catherine Stupp at [email protected]