7 minute read
CYBERMINDZ: MINDING CYBER PROFESSIONALS’ MENTAL HEALTH
by Stuart Corner
Peter Coroneos, founder of Cybermindz, a charity dedicated to the mental health of cybersecurity professionals, has been fascinated by the human brain since childhood. He was only 10 years old when a neuroscientist uncle took Coroneos into a laboratory and showed him pickled brains in jars.
That interest has been channelled into a life-long focus on his own mental health — he has been practicing meditation for 45 years — and he turned his attention to the mental health of others in 2013 when he founded Serenityworks, a couple of years after stepping down after a 13 year stint as CEO of the Australian Internet Industry Association (IIA).
“I was thinking about what I might do,” he told Women in Security Magazine. “And I started to see some scientific reports come out around the neurological changes that occur in long term meditators: improved immunity, better emotional balance — things that I knew, subjectively, were true for me, — and, in particular, the ability to maintain a sense of equilibrium, even in very trying circumstances.
“These are skills I’ve applied in my own professional career, but under the radar. When I left the IIA, I realised this was something I could share. The game changer was really research around neuroplasticity, which started coming around about 2007 when the first papers were being published.”
Serenityworks offers a range of mentoring, stress reduction and meditation programs to individuals and teams in any industry, and from that came Cybermindz, founded in 2022.
“I was doing some work in cyber through Serenityworks. But I felt there would be benefit in setting up a not-for-profit specifically for cybersecurity, because I wanted to give recognition to the criticality of those roles. And I felt that Cybermindz could give the issues much more focus than coming out of a more generic offering,” Coroneos tells WSM.
“When I started Serenityworks cybersecurity was there in the background, bubbling away. But in recent years, it’s got more prevalent and more serious in its effects. So I wanted to really bring home the message to all of society that this is something that affects everybody, directly or indirectly. By being a not-for-profit, we’re hoping to get some federal grant funding or state grant funding. That’s easier if you’re a not-for-profit.”
The cybersecurity industry, Coroneos argues, is unique in the mental health stresses it imposes on participants. “We’ve identified at least 15 factors that come to bear on cybersecurity professionals. I don’t see any other profession, having all those 15 factors bearing on them.”
One of the most significant factors, he says, is that success is invisible: cybersecurity is successful when an organisation experiences no attacks that impact its operations. “That’s a big one and the counterpoint is the high visibility of a single failure. You can have 10,000 successes and no one will notice, but if you have one failure, it can make front page headlines.”
iREST PROTOCOL IS THE FOUNDATION
At the heart of Cybermindz services is the iRest Protocol, described as “a contemporary form of meditative self-inquiry that has been adapted from the ancient practice of Yoga Nidra into a 10 step framework which is simple to learn and easy to practice.”
It is managed and promoted globally by the US based iRest Institute. It has been endorsed, and is widely used, by the US military, in programs for veterans in more than 50 military hospitals and bases across the US. The Australian military has also been using it since 2016.
The iRest Protocol was developed by Dr Richard Miller, “a spiritual teacher, author, yogic scholar, researcher and clinical psychologist, who combined traditional yogic practice with Western psychology and neuroscience,” according to the iRest Institute.
“The US army surgeon general’s office has endorsed the iRest program because they’ve shown it can start to reverse PTSD in a month, and PTSD is something that can hang around for decades,” Coroneos says.
“it’s a process of really deep relaxation and resetting. But it’s also a process of selfenquiry, where you start to enquire into your beliefs and the narrative that you’re running in your own head, around what you’re doing in life. That can be personal as well as professional. But it only works if you’re in a hyper-relaxed state. … It’s not an intellectual exercise. It’s actually somatic. It’s grounded in the physical sensation because you’re holding it almost energetically. … By going into this hyper-relaxed state you are able to observe them with a degree of detachment and dispassion, then you can start to inquire, ‘is this still true?’”
IRest facilitators are trained and accredited by the iRest Institute and iRest training has been offered in Australia since 2013 by the iRest Institute Australasia. Coroneos says there are 400 iRest facilitators in Australia, and 7000 worldwide.
Cybermindz has partnered with the iRest Institute and this partnership is the foundation of the Cybermindz offering. Coroneos says he saw strong parallels between the issues faced by military veterans and those impacting cybersecurity professionals.
“They are both defensive type roles. Arguably, cybersecurity is even more challenging because there is off duty time in the military. You get leave. I’ve talked to many CISOs. They tell me, even if they take a holiday, they’re still vigilant.”
Cybermindz will provide iRest training to cybersecurity professionals using accredited iRest facilitators who have been given additional training to understand cybersecurity, the language of cybersecurity and the issues and challenges cybersecurity professionals face.
“I’ve created an induction course for iRest facilitators who want to deliver iRest training on our behalf. It brings them into the frame of cybersecurity, maybe for the first time,” Coroneos says. “We’re planning on using people who have worked with the military or corporates. So they already understand the corporate world, or the military world, but don’t have the specific understanding of what a day in the life of a cybersecurity professional is like.”
AN EIGHT-WEEK COURSE
The initial training for clients comprises one hour per week over eight weeks. “Every week, there’s a different theme tackling a different aspect of cyber stress,” he says. “It might be the inability to switch off, or the fear they are carrying about letting the team down, or a sense that they are not doing a good enough job. These are all themes that have emerged through our consultations with the industry.
“We’ve cemented those into a standard format of eight weeks. An individual would be invited to attend every session. We can do it in person, or we can do it online. They become part of a hybrid group where they’re with people from other organisations. We also give them practice recordings. So as we’re delivering the iRest Protocol, we’re recording it for that week. And then they are asked to go home and use the same recording every day until the next session.”
Coroneos says Cybermindz has a number of pilot programs under way with major clients to validate its approach. “We’re running three pilots with the New South Wales Government this month. We’ve got another one with the Department of Defense coming up. So we’re now ready to implement.”
EYING THE “FIVE EYES”
He is also planning to launch Cybermindz in the US in April, and in the UK later this year. “Our plan is to go through the Five Eyes [Australia, Canada, New Zealand, UK, US] because we’ve got iRest facilitators worldwide.
“We will have management teams in each country doing the groundwork. But the real power is the facilitator network and the uniformity we bring to our delivery. In theory, it shouldn’t matter who you have as a facilitator from one week to the next, because we will have approved them as being competent to deliver iRest to cybersecurity.”
Cybermindz has an exclusive agreement with the iRest Institute to deliver iRest training to cybersecurity professionals, but Coroneos says the Institute has recognised the potential to apply the model Cybermindz has created to other industries.
“They got very excited when I came to them with our model, because they could see how readily the concept could be transplanted into other domains. So they are now actively investigating training facilitators who have specific expertise, particularly in the health profession. I think that and the education sector would be the two other areas they would move into first.”
Mental Health Driven Exodus
In October 2022 Cybermindz launched a study into the mental health of cybersecurity professionals. It is being conducted by its director of organisational and behavioural research, Dr Andrew Reeves. The results will be published later in 2023 but Coroneos told WSM initial results suggested stress levels among cybersecurity professionals were already very high and likely to lead to significant numbers of people leaving a profession already labouring under staff shortages.
“What we are measuring is burnout. There are three attributes of burnout: emotional depletion, cynicism, or depersonalisation, and professional efficacy. In addition, we’re looking at sleep quality. And we’re looking at a quality of life index, which takes in four other factors. So, effectively, we’re looking at eight factors. We’ve already got a statistically significant number. … It’s showing that the professional efficacy metric — which is the third aspect of burnout, ‘how well do you feel that you’re doing in your job?’ — is running lower for cybersecurity professionals than for frontline healthcare workers. Of the three metrics within burnout, that’s the one that predicts resignation intent.
“So the takeaway from the research so far is that we are looking at a potential exodus of people from cybersecurity in the next one or two years, because they don’t believe they’re being effective in their work. They’re not getting any professional satisfaction from what they’re doing.
“Then you add in the other factors that come to bear around emotional exhaustion: the fact that they can never switch off, the fact that they’re not being recognised externally for their work. Any rational person is going to start to do a calculation and think, ‘Why am I doing this?’ That’s what we’re trying to turn around with the iRest Protocol, and we know you can do that.” cybermindz.org
LISA VENTURA
