It goes without saying that most IT shops operate in a high-stress, high-workload environments. As technologists, we have limited budgets, limited staff, and dozens of projects on our plate — it often feels like there aren’t enough hours in the day just to keep up with today’s workload, never mind planning for tomorrow’s.
Just ask yourself when the last time was that you heard someone complain about too much work or not enough time. For most of us, the answer to that will be measured in hours rather than days or weeks. On the business side, it’s just as hectic — competitive pressure is increasing and, in response, business is moving faster and faster. These factors, and dozens more, mean tremendous stress in the workplace — both in and out of the technology organization.
Generally speaking, we know that the costs of workplace stress are high. The negative health effects on employees have been documented, as have negative impacts to the organization, such as increased turnover and increased absenteeism.
However, are there “hidden costs” to the organization over and above what’s already been documented? More specifically, do the effects of increased work pressure and stress include decreased security for the firm as a whole?
While this question hasn’t been as clearly explored as some other aspects of workplace stress, it seems logical that there would be an impact, and if there is, it’s probably something that we as technology and security professionals ought to be thinking about.
It’s About Priorities
Information security, as we all know, is often about planning for contingencies: We plan for how to respond to virus outbreaks, we plan how to keep the business running when the lights go out, and we map out what to do when our infrastructure is breached.
In our planning process, we often map out roles that certain individuals will perform throughout the event. We assume, as part of the planning, that individuals with a key role in the plan will prioritize appropriately to perform the tasks assigned to them.
For example, our incident response plan might specify that employees noticing an unusual activity report it to the appropriate individual in the organization — someone equipped to evaluate the occurrence and initiate the right actions. However, what happens when that person is overloaded with other priorities that might interfere with them following the plan?
A simple scenario can illustrate how stress might influence a security-related plan. Say that an employee in a finance organization notices some unusual files on his computer desktop. The incident response plan might require that he report this event right away to the organization’s technology department so that a determination can be made if the machine was compromised.
However, what if this happens to be right in the middle of the end-of-the-month crunch? Would he report the event (and potentially miss his deadline to get the numbers in) or would he do the work first and report the suspicious activity later when he has more time?
Human nature predicts that he’d do the numbers first (since as a finance employee he fully understands the ramifications of missing that deadline) and follow the incident response plan later (which maybe he skimmed once when he saw it in the back of the employee handbook).
Competing priorities in this case might trump a carefully crafted plan.
It’s About Panic
One of the things we do understand about workplace stress, and stress in general, is that individuals under stress are much more likely to panic than a calm individual.
For example, it has been well documented that individuals behind the wheel of a car are more likely to panic (and thus be involved in — or cause — an accident) when they are under stress. Panic, in information security, is the enemy — both for emergencies as well as when it comes to acting on defined security plans.
Any emergency medical technician will tell you that the worst thing you can do in an emergency situation is panic. A clear head is required in order to appropriately assess and respond to any emergency situation, and emergency situations in a technology context are no exception to this rule.
We expect our technology employees to have a clear head when approaching potential security incidents such as malware outbreaks, potential intrusions and so on. We also expect our non-technical employees to keep a clear head when following the defined contingency plans that we have in place for situations like disruptions to the workplace environment (e.g. natural disasters) or reporting potential compliance violations.
In fact, one of the many reasons that we define a process ahead of time is exactly to keep people focused in the heat of the moment. In other words, we want people to respond in a way that we’ve thought about ahead of time rather than in an ad hoc way in the midst of a crisis.
However, panic has an impact outside of just emergency situations. If an employee is in a state of overload because they have too much on their plate when they are called upon to perform a security-related task (such as read through a log file or review the list of active users on a device), they are less likely to approach their security duties with the same kind of gravity and diligence as we might want.
Going back to the accountant from the last example, if part of his job is to review the list of users with access to the payroll system, he might cut more corners or, even if he’s not cutting corners, miss something vital if he has a deadline looming.
What Can Be Done?
Realistically speaking, it’s unlikely that workplace stress is going to go away; in fact, it’s pretty unlikely that stress in any of our firms will (or can) be even reduced slightly by citing the (as yet sparsely documented) potential impact on an organization’s information security due to increased workload and workplace stress.
However, there are a few things that we can do to help minimize any potential impact on security measures from workload and stress.
For example, we can make sure that employees are trained on the underlying reason for the security processes that we’re asking them to follow. If they are cognizant that the security-related tasks have equal (or greater) priority than other things they might be struggling with, they are much more likely to prioritize appropriately.
By increasing the reliance on automated tools for security functions, and decreasing the amount of effort and time required by individual employees, we can make sure that these critical functions get done — even if stress is high.
Most importantly, though, awareness of the role of stress, exhaustion and other modern workplace pressures (and explicit discussion of these factors) during our planning — planning for incident response, for business continuity, and so on — can help us design strategies that are resilient enough to account for fluctuations in workload and tension level.
Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.