Protecting our Cyber Defenders’ Mental Health
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we talk with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson. And today, we are going to cover the intersection between mental health and cybersecurity. Joining me today is Dr. Ryan Louie. Ryan is a board-certified psychiatrist focusing on the mental health impact of cybersecurity. Ryan received his M.D. and Ph.D. degrees from Stanford University's School of Medicine and completed residency in psychiatric training at the University of Hawaii Department of Psychiatrics. Ryan has interned with the Office of International Health and Biodefense at the U.S. Department of State and was the recipient of a Fulbright fellowship to Japan. He has published academic articles in psychiatry and cell biology and is the inventor of the patented microtubule lumen cast nanowire technology. Welcome to "Afternoon Cyber Tea," Ryan.
Ryan Louie: Thank you so much, Ann. And I'm really happy, so excited to be on your show, "Afternoon Cyber Tea." I'm really honored to be here and share with everyone.
Ann Johnson: Yeah, I remember a few years ago, I did a presentation at the RSA Conference. I talked about mental health, and you had reached out to me and I was just fascinated that there was somebody who actually is focused on the intersection between mental health and cybersecurity. So it's great to have you.
Ryan Louie: Yeah, absolutely. It was wonderful. That was my first RSA Conference a couple years ago. And I actually tweeted out, I remember, before the conference and RSA sent out this question that said what are you most interested in and looking forward to for this conference? And I actually tweeted that I read in the abstracts about your talk that it was the human spirit, that human element of cybersecurity, that was the most resilient source of power. And I felt that was so awesome, and I really resonated with that and I said I'm going to go see this keynote. And then I was there and it was fantastic. I loved it, Ann.
Ann Johnson: Thank you. I'm honored that somebody with your credentials thought it was fantastic. I'm humbled. So let's talk about a few things. Say, I know our listeners are curious to learn about the link between psychiatry and cybersecurity. And to bring us along on the journey, can you talk a little bit about your background, when and why did this interest begin for you? How did you land on cybersecurity? And I love that cyber with a P-S-Y is a focus area. And can you break it all down for us?
Ryan Louie: Yes. So I'm a psychiatrist, so my main work is working with patients in the clinic setting. I treat patients' conditions such as depression, bipolar disorder, PTSD, anxiety, several other types of mental health conditions. Before this clinic work, I used to work in a downtown San Francisco hospital, an inpatient, locked psychiatric unit. And I worked with a lot of patients from the homeless Tenderloin community there. And as I started treating patients and keeping them stable and getting them a safety plan for their time of discharge, I started to realize that what does it really mean to feel good about oneself, to be well, to feel safe? I learned a lot from that patient population because they taught me a lot of things. They said that once they left the safety of the hospital, they were kind of on their own. There was a lot of things they didn't know where to go to, a lot of different things that were - might have been dangerous or not safe. And I would ask them - what's your safety plan? Where do you go for help? If you need assistance, who would you go to?
Ryan Louie: It got me thinking about the bigger picture of what it means to be mentally well and to be safe. I love technology, and as I started seeing how technology is so interwoven into everyday life, I started to think about that a person's safety and security, in terms of their mind and their well-being, is actually closely linked to the technology they use. So hence, I was thinking about cybersecurity, in the traditional sense, with a C-Y for cyber, into a P-S-Y, being psychiatry in cybersecurity. And I started to merge the two and think about it in that way.
Ann Johnson: That's absolutely fascinating to me. And when you think about your journey from going from being a practitioner in a inner-city hospital with some patients that were from what we would consider a tough neighborhood - right? - and then embracing that and moving into tech, it sounds like you're really purpose driven in what you choose to do.
Ryan Louie: Yeah. And I really appreciate all the things that my patients and my staff and the people we work with have taught me. It let me know that there is a great diversity of human experience that is transferrable across all fields. The fields of, let's say, inner-city psychiatry and working with people in underserved populations may seem so different from the world of cybersecurity and technology, but actually, they share a lot with themselves; same for the people providing care and the people receiving care.
Ann Johnson: Yeah, it makes a lot of sense. And so that, you know, brings me to this area of focus you have with mental health of people that work in the cybersecurity field. And it's likely some of our audience have experienced one or maybe multiple mental health challenges. The last couple years have been really hard for people, and cybersecurity is always a really hard field. So can you unpack some of the issues commonly seen and what aspects of cybersecurity are contributing to them? And how unique are they to this industry?
Ryan Louie: Yeah, that's a great question, Ann. It's something I think all of us think about every day, both within the world of cybersecurity and beyond, even in my own field of health care and patient care. I think one central aspect of it is to understand and to realize and to acknowledge, all of us, that we are constantly struggling every day. It is work that is never finished. It is always a constant effort of keeping up with the energy and taking care of ourselves and checking with ourselves in the midst of these constantly changing situations in the world. Definitely, the COVID-19 pandemic has amplified everything that was already existing, both in terms of the stressors in cybersecurity and also the stressors in mental health. COVID-19 and the pandemic made everything that much more magnified and intense.
Ryan Louie: So in thinking about this question, I oftentimes compare the world of cybersecurity with people in health care. Both of our fields - in the medical fields and the cybersecurity fields - share a lot of things in common. For instance, we often work under extreme time pressure. We don't have a lot of information all the time. We have to make decisions without all the information or things we wanted to know about, but it demands a decision so that we have to decide. It can be very stressful. Oftentimes there are limited resources, limited time, limited staff. And there are things from left field that we may not even know about. We always have to deal with those situations. And for cybersecurity professionals and people in health care, there's the constant need to want to be a team player. You want to help. Everyone has that best intention to want to do best for their customers or their patients. But then it can also get overwhelming if the boundaries are not clear, lead to things like burnout and mental health problems.
Ann Johnson: Yeah, I think that makes a lot of sense. And I can see the correlation, by the way, between first-line health care workers and cybersecurity professionals in a different way because they're both on the front lines of crisis, right? They're both dealing with crises all the time, different types of crises. But cyber defenders, you know, can be deployed in the middle of the night to a remote part of the world to deal with some type of major breach. And they're walking into a company or an organization in its worse time of crisis. And frontline health care workers, you know, every day, all day - right? - are dealing with crisis. So there definitely are parallels there.
Ryan Louie: Absolutely. There have been several recent studies that have been showing the mental health and stress impact of our cyber first-line defenders. There's an increasing and high level of burnout, of anxiety and depression and also from overall stress from responding to incidents. And it was recently found that ransomware is a very significant stressor causing this type of mental impact.
Ann Johnson: So the last few years, as I mentioned, have been really tough. Do you think some of these mental challenges are new, or do you think the result of a compounding challenges of the pandemic, other, you know, geopolitical and social issues? Are they magnified? Are they amplified more in the past? Or do you think the issues have always existed, and it is just simply a magnification, amplification, combined with everything else going on in folks' lives?
Ryan Louie: Yeah, that's a really interesting question, Ann. In my clinical work working with patients, I was actually surprised that - of course, I see a lot of amplification of mental health issues. So for example, if there was an underlying stressor or an unresolved issue in terms of mental health and if there was already some depression or anxiety going on, certainly the stressors of working from home, of isolation, of COVID-19, its impact on families and the economy, that has certainly amplified a lot of things. But I have also found a flipside in some patients where some people actually felt some relief, paradoxically, from the stress of COVID-19 because let's say if they work better at home, they actually found a sort of somewhat protected space from not having to interact in these types of ways. So I've certainly seen it in both directions.
Ryan Louie: But overall, I would have to say that the pandemic and the current situation politically in terms of what's going on in the world and in terms of health, that has absolutely magnified a lot of things and essentially shed the spotlight. It actually revealed things that were already there to start with. I've always felt that inside psychiatry and mental health is part of our DNA. It was always there. And it's a double-edged sword because there are things that we can always do better for ourselves and also things that we never knew that we could do before. So both the positives and negatives, but it was uncovering everything.
Ann Johnson: I think it's fascinating conversation, and I also want to talk about this emerging concern about attackers clinically exploiting the mental health of cyber defenders or other individuals. Can you tell me more about this concept, and why we need to understand it and act on it?
Ryan Louie: Yeah, this was something that I sort of - I was thinking about last year, I think. And I was wondering, as I'm providing mental health care to my patients, I do typically a psychiatric interview for a new patient, for example. We start out by having an interview, asking them how they're feeling, gathering information, their signs and their symptoms, what they've been feeling, their history. And afterwards, we kind of put together all the information and come to some type of a theory or a diagnosis or some kind of idea of what might be going on. And then we devise a plan with our patient. We talk together, say, hey, do we want to do psychotherapy, some medication treatment or something else? And we kind of put together a plan and move forward.
Ryan Louie: I started to think about what would happen if during that linear process of what we might call psychiatric care or maybe even precision medicine, where we would design each line of care specifically for that patient, what would happen if anywhere along that timeline of care, someone inserted themselves and made something altered for either their own purposes or maybe a bad purpose? Would we even know what was happening? Would we even be able to detect it? Is it even in the mind of the health care provider as part of their, quote, "differential diagnosis," that list of possible options and possibilities in their diagnosis list? Did it even occur? I started to think about something called the mental health attack surface. I was thinking of that. If people's mental health can be vulnerable to people with bad intentions who are trying to include that aspect of attack as part of their overall objective in doing bad things, then I worry about, could this be a new unknown or previously under-recognized kind of like vulnerability? So something that we're looking at.
Ann Johnson: It's really interesting, and I think it's something that we're absolutely going to have to keep an eye on as an industry because that exploitation of folks that are already feeling very vulnerable - and having mental health challenges is something that I would imagine that disinformation campaigns and other campaigns that we see that are super targeted - could actually have precision in making those folks even less effective in what they do.
Ryan Louie: Absolutely. I agree 100%, Ann. And although we're talking about a mental health exploit and the mental health attack surface, when I think about this thing called psychiatric engineering, I was inspired by social engineering, where someone would use various techniques in phishing or impersonation to try to persuade people to do things that may not be in their best interest. If it gets to the level of a psychiatric diagnosis of altering one's care through the alterations of thinking, of feeling, of thoughts, then that could also lead to a different pathway of an attack. And I definitely think that it can be possible. And it's already happening, like you mentioned. Disinformation, misinformation campaigns - they are already influencing people's emotions, feelings and behaviors and thoughts. That's actually the basis of mental health and behavior.
Ann Johnson: So with all that baseline, let's pivot a bit and talk about how we can better take care of ourselves and our teams. And if we could start with leaders, when it comes to identifying someone who might be struggling, what signs should leaders look out for? And what can leaders do to best support the mental health and well-being of their teams?
Ryan Louie: Yeah. That's a fantastic question, Ann. And I always think back to what you talked about in your keynote at RSA. You mentioned that although there's technology all around the world and it's so embedded in our everyday lives, what it comes down to, in the end, is actually people. We care about our teams, we care about ourselves, we care about our family and friends. I always like to tell people that, you know, we don't have to be a psychiatrist or a mental health professional or anyone with any expertise in mental health to be able to talk about it, to discuss it, to share it because already, we are already built-in experts because of who we are. We are human beings with mental health. It's like physical health. Everyone has that built into them - so give ourselves permission to take care of ourselves as we would other people and to be there for our teams.
Ryan Louie: And thinking about what leaders can do, I think back to this time when I was a medical student doing a rotation in one of my clinical clerkships. On the first day of orientation, all the interns and the residents and the medical students, like myself, gathered around in a circle with our attending physician, who was the head and who would be writing our recommendation and our - giving our grades. He said, right at the outset, said we work as a team. If anyone feels overwhelmed, there's too much stuff on their plate, I want you to just freely say - raise your hand and say, hey, I got too much. I need some help. There will be no penalties for doing that. It's not going to show up on your grade sheet or your letter or your evaluation. And just like that, he lifted up that onus of pressure from everyone. And we worked really well. We worked great as a team. We asked each other questions about patients. And I think it was stressful, but people had a good time and we got things done. I feel like we should do that in organizations, to have that leadership and openness and understanding for our team.
Ann Johnson: I think that makes sense. And I think one of the things we could do as leaders is be empathetic but also be observant and watch because people change their behaviors. And you can see changes in behaviors. And you need to be observant and you need to be present to do that. And that's probably something leaders can definitely do better.
Ryan Louie: Absolutely. I started to think about this idea called an empathic pause. It's actually something I learned during an orientation during training, but it's an idea in - when used in psychiatry, we oftentimes - when there's things that are kind of, like, sensitive or we feel like we triggered a nerve or something was particularly emotional, we kind of give ourselves an empathic pause. Take a little pause - little moment of taking a break in the conversation and say tell me more about that. You know, I - that seemed to have triggered something or that made you feel a bit different. Share with me about that. We could do the same thing in cybersecurity. When something stressful is happening, if we're not sure about what's going on, take your time with it. Give yourself a time to check in with yourself, with your team. Say, hey, are you doing OK? Is there anything we could do to help out - and really look out for each other.
Ann Johnson: You know, as a leader, it's hard, right? And one of the things - we're going through a training right now. And one of the things that is encouraged in the training course that my leadership team, and all the leadership in my organization, is going through is to ask people, how can I help you? Instead of making assumptions, just say, what do you need from me? How can I best help you? I think that's probably a pretty good best practice. How do you feel about that?
Ryan Louie: Absolutely. To always say - to look out for everyone - how can I help you? - and always be there, it's actually all the little things count, every little step of the way. It's that idea of being present, both in times of need and during times of no need, like, they're always there. It's that constant presence, that building of that culture of safety, that culture of caring, that is built in from the foundation so that when times of need are there, we don't have to build it from scratch. I think there's a movement right now of building cybersecurity built into software, into hardware, right at the start of designing the whole process. I think we could do the same, being there for people right at the outset and letting them know how they feel. And of course, like you mentioned, Ann, at every point in leadership, and people across all parts of the organization, everyone can do their part, whatever they do, to look out for each other.
Ann Johnson: Skipping, you know, leaders, or moving on past leaders, what are some of the things that individuals - right? - those that actually are working on cyber front line, how do they take care of themselves? What can they do today? What advice would you give them to cope and process with the things that they're experiencing?
Ryan Louie: Right. I almost think about that question as something of, let's say, as a physician working with a patient. I want everyone to have their mini version of that clinic session with themselves, in a mobile type of way in their own mind. So our sessions, oftentimes, are - they're not the whole day, you know, of course. They're, oftentimes, one hour or 30 minutes and after the session, they go back home and go on with their lives. I want them to take with them a mobile version of what we talked about so that they can make it for themselves; they could have it and own it and feel that it's part of them, that they can be trusted and have it useful for them. I want everyone to bring with them that sort of package. And what would that package consist of? Oftentimes, it starts with having a group of people that they trust. It could be a family friend, it could be a member of their team, a friend or someone in their family or other kind of mentor or people in the community. It doesn't have to be a lot of people. And each person can serve a certain purpose, but have that person be available to that person - and likewise, in a two-way direction - so that if there's any time of need, there's always someone to share that. And what we don't want to have happen is have someone always keep everything within themselves.
Ann Johnson: I think that is really good advice, and I like the concept of a mobile kit, right? So people - you know, you develop skills and develop muscle memory and you want to go back to rely on those so that in, as we always say, in times of stress, you don't want to be thinking, you're actually reacting. So having that muscle memory built so you react and help yourself, you're caring for yourself, that's the muscle memory they need.
Ryan Louie: Absolutely, 100%, Ann. It's something like, let's say, we feel in the psychiatric hospital. Our patient is stable. We're ready to discharge the patient back into the community, back home. We set up a discharge safety plan. What does that safety plan look like? We build scenarios. If you need help, this is where we're going to go. If you need a place to stay, get a shelter. This is where you're going to go to. If you need to get resources, to get connected to care, these are the people you're going to call. Have that plan in place so that when they leave the hospital, they have something in their hand, they have their medications, they know what to do. And we set them up with a follow-up appointment so that they know what's next. We got that support built in. That's what we want to do for our cyber defenders. There's going to be stressful things happening. They're going to be responding to incidences. Practice that in your mind, not just in terms of the technical aspects of the desktop exercise, but build in that mental health aspect of it so that they are prepared and know what to do so that when things occur, they are more able to prepare for it.
Ann Johnson: It makes a lot of sense. So as we're getting closer to the time we have to wrap up, and I could talk to you all day, but I know you always have a lot going on. Could you share with our listeners what you're working on right now?
Ryan Louie: Yeah, I'm really excited about reaching out with our community. And so that's why, Ann, when you asked me to join "Afternoon Cyber Tea" and found me on Twitter, I was so happy. I was like, wow, you know, I (laughter) - this is great. I've always looked up to you and I enjoy your work. I love what you're doing for the cybersecurity community. So I want to extend that feeling. I want to be able to work with people across all industries and in government. For example, Jen Easterly and Camille Stewart Gloster, they've been doing awesome work in government - really changing that conversation, that style of leadership to build trust and inclusivity and involvement of everyone and to get everyone participating in a very open-minded way. I think that's awesome. I would love to join that sort of effort to build an infrastructure of mental health.
Ann Johnson: That's amazing. And I think if we can just continue to raise awareness - right? - and continue to build it and talk about it - you know, we're recording this episode during Cybersecurity Awareness Month. If we can talk about it, and all of our rhythms related to cybersecurity, it removes the stigma from it also.
Ryan Louie: Absolutely. And we always think back to that basic fundamental truth that it's built into our DNA. We shall give ourself permission to do the things we want to do to take care of ourselves and each other. We are already experts in that, and we could always take that forward towards building something resilient.
Ann Johnson: So you've given me a ton of advice and given our listeners a ton of advice in this episode, but I want to thank you for sharing all of that, and we'd like to send our listeners off with one or two key takeaways. So if you were listening to this episode, what would be the thing that you would want to hear and what would be the thing you would want to leave those listeners with?
Ryan Louie: Yeah, so first of all, I want everyone to thank themselves and to acknowledge all the work that they've been doing up until this time and also - in the present, also into the future, wherever they are working, in the cybersecurity field and other industries. You are working towards safety for yourself and other people, so we thank you for that. Give yourself that permission and acknowledgement that you've come a long way. And there are still, of course, things that we can do better with, but we could always have that moving forward. And you need to give yourself that pat on the back that you've done a great job.
Ryan Louie: The second aspect of things is that always take care of your mental health and always check in with yourself. I like to say that cybersecurity is a vital sign, just like we would always take a measure of our pulse, of our heart rate, our blood pressure, our temperature. Check in with yourself with a cybersecurity check. How are we doing? How are our team members doing? How is our family doing? How is it affecting our lives? Take that pause, take that empathic pause to check in with yourself and build that trusted team of people, including your doctors and your family and people that you feel comfortable talking with. And of course, if you feel that things are getting more intense or you need a little bit of help, never hesitate to reach out. Let your doctors know how you're feeling. Get that help when you need to.
Ann Johnson: That's fantastic advice. Ryan, thank you so much for taking the time out of your busy schedule to join me today.
Ryan Louie: Thank you so much, Ann. And I really appreciate this opportunity. And thank you so much to all your listeners and your organization for organizing this podcast and providing it as a great forum to help people share ideas and learn about themselves.
Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." So I chose Dr. Ryan Louie to join me for an episode because of the really fascinating work that he does in the critical field of the intersection of mental health and cybersecurity. It was an amazing conversation, a lot of parallels, and Dr. Louie left us with a lot of good advice about how we better take care of ourselves.