It’s OK to say you’re not OK — super easy in concept, but not so easy to do, especially when your job involves protecting your organization, customers, and partners from all manner of cyberthreats that keep getting bigger and badder.
Plus, in some cases these cyberthreats cross over into the physical realm and become real matters of life and death. Hello, health care and critical-infrastructure CISOs, we see you.
Job-related stress isn’t unique to CISOs, but there are several aspects of the chief security officer role that make the stress particularly acute. Add in the ongoing cybersecurity skills shortage, the Great Resignation, and the overarching global pandemic stress, and it’s the perfect recipe for a CISO mental health crisis.
The chief information security officer role “has become one of the most important roles in the last couple of years,” Netskope CSO Shamla Naidoo said. “It also has become the most difficult role to fulfill your commitments and your obligations from a work-remote perspective.”
While the CISO’s job became more important to organizations over the past two years of remote work, eroding network and security perimeters, and the resulting larger attack surface, “the role has become more stressful,” she added.
This stress is causing some to leave their jobs or leave the cybersecurity industry altogether.
“If somebody says I’m struggling, that doesn’t mean they’re not competent to do the job,” Naidoo said. “We need to give [CISOs] a safe place where they can enter the discussion to talk about this mental health crisis in the community, but also give them some solutions and some hope in terms of what resources are out there that they can tap into, because this role is important and will remain important for the foreseeable future.”
This Is Your Brain on Ransomware
To help start this discussion, Naidoo, along with Netskope Chief Digital and Information Officer Mike Anderson and neuroscientist Marcia Goddard, will host a webinar about mental health and wellness in cybersecurity on Thursday, Feb. 10.
“What adds to the struggles of people working in the security space: It’s all new. It’s all unpredictable,” Goddard said. “There are many threats out there, so your job is to protect the rest of the organization from threats from the outside. When I look at that as a neuroscientist, I’m thinking their brains aren’t happy.”
The brain doesn’t like unpredictability and uncertainty, she added. These produce a stress response, “which is absolutely fine if there’s a wild animal in front of you that you have to run from.”
But CISOs aren’t running from lions and bears. They are protecting against ransomware, “which is like some sort of invisible thing,” Goddard said. “So the stress comes from these abstract things that are difficult to run away from, and that makes it so problematic.”
Stress and related mental-health concerns aren’t new challenges to cybersecurity professionals. And the stigma around mental health is a much larger societal problem that’s not limited to the security industry. But while COVID-19 intensified our collective stress levels — and in many cases made existing mental health conditions much, much worse — perhaps it also normalized checking in on our coworkers’ well-being and discussing our own stressors? In other words: saying that we’re not OK.
How to Normalize Mental Health and Wellness
Over the past two years, many of us lost friends, family, and colleagues to the virus and suicide. With both COVID and suicide, we hear stories about people suffering and not seeking help until it was too late.
Anderson lost his niece to suicide in 2018. “And so mental health took a new meaning for me at that point,” he said, adding that his family started a suicide prevention nonprofit.
Telling coworkers about his experience often prompts them to discuss their own struggles with mental health, Anderson said: “That vulnerability made it safe for people.”
It’s important for CISOs and other corporate leaders to be vulnerable because it sets an example for the rest of the team. It also helps normalize mental health discussions, and this became increasingly important during the pandemic, Anderson said.
“As leaders, we have to be willing to say I was not OK,” he said. “It felt like my days blurred. I didn’t have a commute anymore, or a plane that I got on, or a hotel that I went to that defined the boundaries of my day. It’s been tough. As leaders, we have to step up and be the role model. A lot of times we take everything in, and we tend to compartmentalize things ourselves, and we don’t talk to people about them.”
But we should, and that’s what Anderson said he hopes next week’s webinar will accomplish. “I’m excited that we’re given a safe place to talk about it’s OK to not be OK.”
Cultural Change Starts at the Top
While it’s imperative for the CISO to set the tone, she can’t normalize mental health and wellness by herself. Plus, pressures being put on the CISO by the CEO and other C-suite executives may be adding to her stress. As with any organizational change, the directive needs to come from the top, and that requires executive buy-in and a commitment to prioritize mental health.
“It’s a culture transformation,” Goddard said. “What we’ve seen in practice is that if you want to make the most impact, you need the entire C-suite to be on board with it. You need everyone to be vulnerable.”
Of course, cultural change doesn’t happen overnight. Removing the stigma around mental health is a larger societal issue, and we need to be much better about taking care of all of our first responders — cybersecurity professionals included.
In the early days of the pandemic, some of us banged pots and pans and howled on our front porches every night to show appreciation for health care workers. Most of us still connect with co-workers via video calls where people’s homes, families, pets, and housemates — essentially our humanity — are on full display.
As we (hopefully) near the end of this collective two-year nightmare, let’s tap into this respect and gratitude for the people who work to keep the rest of us safe: check in with friends and colleagues, be vulnerable, share stories, ask questions about self-care and what others are doing to reduce stress levels. Provide a safe space to say I’m struggling. Support our security teams in these, and future, stressful times.
If you are struggling, the National Institute of Mental Health offers several resources to help. If you have suicidal thoughts, please call the National Suicide Prevention Lifeline at 800-273-8255, or visit this page for international resources.