Chronicles of Cybersecurity Consulting - 4th in series - Stress in Cybersecurity

Hey there,

Hope you are doing well and looking forward for Q2 2025.

This is 4th in series - Chronicles of Cybersecurity Consulting 

- Stress in Cybersecurity.

Featuring:

• ✍️ Story of a remote OT assessment for a factory from future - industry 6.0.

• 📘 Some hard lessons learned and conclusion.

• ‼️Stress in Cybersecurity: How to Identify stress and some industry stats.

• ↪️ Managing Stress in Cybersecurity: Manage Before It Becomes a Problem.

• 🧑‍🎓 Other Chronicle → Tales from the OT Trenches by Rob Hulsebos.

• 📲 Call out to seasoned pros to share their chronicles in cybersecurity.

But before we begin, do me a favour and make sure you “Subscribe” to let me know that you care and keep me motivated to publish more. Thanks!

Ready? let’s dig in.

Yours truly.

— Yousuf.

Together with (Sponsor):

Ready to level up your work with AI?

HubSpot’s free guide to using ChatGPT at work is your new cheat code to go from working hard to hardly working

HubSpot’s guide will teach you:

• How to prompt like a pro

• How to integrate AI in your personal workflow

• Over 100+ useful prompt ideas

All in order to help you unleash the power of AI for a more efficient, impactful professional life.

Get the free guide and level up your AI game today!

Remote OT Assessment for a Factory from Future

Not too long ago, I found myself leading a remote Operational Technology (OT) security assessment for a global manufacturer.

What unfolded over the week of onsite assessment, could only be described as comedy of errors, that would make even the seasoned cybersecurity professional question their career choices and also to realise what stress can do.

Pour yourself a cup of coffee (or something stronger) as I share this cautionary tale of remote assessments gone wrong.

Setting the Stage: The Remote Assessment Challenge

As budget, language & other restrictions prevented me for this international travel, I was faced with the daunting task of conducting a remote OT security assessment for the first time.

The solution seemed straightforward enough: engage a local internal resource with years of experience to be my "eyes, hands and legs" at the facility.

Onsite consultant would collect the necessary data through discovery and site walk-throughs and my role would be to guide remotely, handle analysis and reporting.

What could possibly go wrong? As it turns out, everything.

"When industry faces an alarming rise in cyberattacks, proper assessment becomes critical," I reminded myself, channelling the insights from threat intelligence reports showing manufacturing as the most attacked industry.

With OT environments being particularly vulnerable and specialized, I was determined to make this remote approach work despite the challenges.

The Training: Three Workshops and a Prayer

To bridge the knowledge gap, conducted multiple two-hour workshops for the local consultant, covering OT basics, equipment identification (PLCs, HMIs, engineering workstations), and included visual aids, step-by-step guides, and examples.

"By the end of these workshops," I confidently told project team, "he'll be able to identify a PLC from fifty paces!"

Looking back, I probably should have tested that theory before sending him into the wild.

As the cybersecurity saying goes: "The risk I took was calculated, but man, was I bad at anticipating the worst case scenario and missing out early warning signs!"

Day One: The Mysterious Disappearance

The morning started with a virtual kick-off meeting with consultant and client. We established clear objectives for the day, confirmed the consultant had his checklist, and I made myself available for remote support throughout the day. The consultant headed off into the facility with a confident stride, and I settled in for what I expected would be regular updates.

Fast forward to the end of the day: complete silence. No calls, no messages, no data and no reachability. Like that one email afraid of attachments, he seemingly developed a fear of communication. When I couldn't reach him directly, I contacted the client, who calmly informed me that our consultant had left at the end of the day without giving much update but told them that:

But, what I can tell you is that your factory is:

As security professionals often joke: "You can tell me what you did, or I can look at the logs". Unfortunately, in this case, there was nothing to tell and there were no logs to check.

Day Two: The Miraculous "Industry 6.0" Factory

The next morning brought no consultant and a confused client.

By noon, the client reached out asking about our missing expert.

After finally locating him in the comforts of his 3 or 4 start hotel room and connecting with him, I learned he was so called "sick" – a revelation he hadn't bothered sharing with anyone internally within project team and or client.

My initial thoughts were:

Once I confirmed he wasn't in any serious illness and or critical condition, we scheduled an update call later that day.

And that's when I heard perhaps the most innovative claim in manufacturing history:

"The entire factory with dozens of production lines is running without any PLCs and or HMIs," he declared with unearned confidence. "They are very advanced."

I was in an aww struck - a factory from the future - industry 6.0!

Ah yes, Industry 6.0 – where production lines operate on hopes, dreams, and the occasional interpretive dance.

I managed to maintain my composure while mentally reciting the cybersecurity mantra: "Keep Calm and Don't loss it - yet”.

I asked: you must have collected, observed and recorded something while site walkthrough the entire 1st half and partly second half, right?

and gently reminded him about the training materials showing exactly where the PLCs would most likely be located as shown

and bunch of other screenshots and videos that were shared during prep work, and asked if he had checked such cabinet enclosures and so on; his response was a masterpiece of simplicity / stupidity / likely just the stress talking:

"Oh, I didn't think of that, the factory was so advanced and everything seems to be working on its own and I had to walk miles and miles .. bla bla… this was my first time visiting a factory".

and I gave him the virtual look:

- well much more than that in my mind 😁- which I can’t say here, you know why.

So, it seems that trekking "miles and miles" through an industrial facility is the new extreme sport nobody asked for.

Who knew that wandering around a maze of machinery could leave you more exhausted than a sloth on a treadmill?

Not to mention, it’s so distracting that you might start hallucinating and miss checking key things even if you have your checklist beside you.

And by the end of it, you’ll probably forget why you were there in the first place, leaving the plant engineer wondering if you were just there for the cardio. 😉 

Day Three: Assessment Reboot and Recovery

With a not-entirely-thrilled plant team awaiting our return, it was time for a strategic pivot. Like any good incident response plan, we needed to adapt quickly.

I simplified the consultant's tasks to the absolute basics: take clear pictures of devices and record their information in a pre-formatted template on day 3.

End of the day - when asked to provide the asset inventory list and pics, after going through a horrific set load of blurry pics - I was a bit furious now, but still maintaining my calm I gently inquired how come all these pics are unreadable and useless - he said - I have a very old phone from 1980s. This is the best I can do.

I reminded my self that for next time:

At-least, I was relieved that we are not dealing with an alien factory from the future. We can identify many PLCs, HMIs and other important OT infrastructure this time around - just in a blurry way.

Day Four and onwards: The Recovery

By now, I realise that stress was the root cause of all the drama. If only I could knew.

After apologising with client like multiple times, I now had to move to plan X.

i.e., ask onsite consultant to just follow-up with collecting paper artefacts from the checklist. Client needed some extra assurance this time, so I had to tell them that:

I also enlisted the client's technical contact point as additional support, providing them with quick brief on the discovery objectives, items to check, commands to run, and basic information to be recorded and pics to be taken, along with some network data collections, essentially what we needed to accomplish in the first place.

Client agreed to do the above and also arrange web meetings with a translator for the rest of the discovery on processes and procedures related discussions.

This approach saved the day and were able to accomplish the mission impossible.

Disclaimer: Please note, this is not to mock the consultant, but rather to highlight the point on what stress can do to ones actions.

Given that most of us (including myself) may have gone through many stressful situations, which may have impacted our judgements and also decisions.

Together with (Sponsor):

Never Miss Another Warm Lead With Our AI BDR

Never miss a hot lead again. Our AI BDR Ava tracks intent signals across the web—triggering perfectly timed outreach when prospects are ready to buy.

She operates within the Artisan platform, which consolidates every tool you need for outbound:

• 300M+ High-Quality B2B Prospects, including E-Commerce and Local Business Leads

• Automated Lead Enrichment With 10+ Data Sources

• Full Email Deliverability Management

• Multi-Channel Outreach Across Email & LinkedIn

• Human-Level Personalization

Free up your sales team to focus on high-value interactions and closing deals, while Ava handles the time-consuming tasks.

Book a demo to see how Ava can 10x your outbound.

Wisdom Through Pain (Lessons Learned)

This experience reinforced several critical lessons for me and hopefully you as well.

1. Make sure to see if the person have previously done similar project and or have visited such sites (at-least) or else accompany him with a person who has done it before.

2. Identify early signs of stress within project team and dealt with upfront.

    

3. Enhanced Education - Ensure verifying understanding of the material presented a gazillion time for the newbies - quiz and test understanding.

4. Clear Communication Protocols - establish frequent check-ins to get progress updates and address challenges faced by consultant (if any), quickly. Clearly define what constitutes an "issue" and ensure that all parties know who to contact and when.

5. Contingency Planning - Identify backup personnel who can step in if the primary consultant is unable to continue. Build flexibility into project timelines to accommodate unexpected delays or setbacks / surprises.

6. Client Expectation Management -  Be transparent upfront with clients about the potential challenges and limitations of remote assessments, consultants skills, especially in specialized environments like OT. Keep clients informed about progress and any changes to the assessment plan.

7. Simplified Task Assignments - Ensure tasks are clearly defined and simplified to match the consultant's skill level and experience. Provide additional support mechanisms, such as templates or checklists, to help consultants stay on track.

8. Adaptability - Be ready to pivot or adjust the assessment plan if initial approaches are not working. May involve simplifying tasks or bringing in additional support.

9. Technical Support Availability - Ensure robust remote support infrastructure is in place to assist onsite consultants in real-time if they encounter technical difficulties or need guidance.

10. Specific Expertise - If possible, use consultants with some task specific expertise, e.g. IT assessment experience for discovery work, some network engineering experience for identifying network tapping points and collecting data etc.

By applying these lessons, future remote assessments can be more effective, efficient, and less prone to unexpected challenges.

What would you add? Add even if its some humour 🙂 

Conclusion: Finding Humour in Security Challenges

While this experience was frustrating, it illustrates the unique challenges of skilled resources, unexpected outcomes for remote assessments. As with any security incident, the key is not to dwell on what went wrong but to learn, adapt, and – in this case – find the humour in the situation.

As one cybersecurity sticker wisely states: "My speed of response to your problem is inversely proportional to your bad attitude". What now?

When faced with absurd situations, maintaining a positive attitude can be your greatest asset.

Remember, in the world of security consulting, the best stories come from the worst assessments – and this one certainly earned its place in my collection of professional war stories.

Next time you're dealing with a challenging assessment, just be thankful your consultant isn't claiming your facility operates on magic instead of PLCs!

Until next time, keep your security strong and your cabinet doors open for inspection.

It’s Prevalent, but Not often discussed!

Do you feel that you are stressed? due to personal life situations, your current role, demanding job, meeting billable hours or sales quotas, demanding boss, unhappy clients, job security due to upcoming restructuring etc.

If you answer, yes to any of the above questions, you are not alone.

100s or 1000s of cyber professionals suffer on a daily basis in their personal lives and professional careers due to a phenomenon less talked about or recognised in cyber industry and that is - Stress!

Yet, there’s lack of attention by professionals like myself and the industry as a whole on this topic.

As people (men in particular) don’t want to be perceived as weak due to peer pressure.

Some people are good at managing stress (comes naturally and its related to their upbringing, mental and physical health), while other aren’t good at managing stress.

The work-life balance pipe tune that many businesses claims to play are merely a show off without really going extra mile to help individuals. Only handful of companies goes the extra mile to ensure employee well being.

Stress could lead to anxiety and could turn into an ugly head as some form of chronic disease.

Stress in Cybersecurity: How to Identify?

Cybersecurity professionals face constant pressure to protect critical systems, leading to significant stress. This growing concern is highlighted by alarming statistics.

We need to regularly discuss how to identify and manage stress and emphasize the urgency of addressing this issue.

Identifying Stress in Cybersecurity - Stress in cybersecurity often manifests as physical, emotional, and cognitive symptoms that can escalate into burnout if left unchecked. Here are some common signs:

• Physical Symptoms includes Chronic fatigue, frequent headaches or muscle tension, and sleep disturbances like insomnia.

• Emotional symptoms include anxiety, feeling overwhelmed, cynicism or detachment from work, and a sense of inadequacy or reduced professional accomplishment.

• Cognitive symptoms include difficulty concentrating, forgetfulness, and reduced ability to process complex information under pressure.

Recognizing these symptoms early is crucial for preventing long-term consequences for both individuals and organizations.

Statistics on Stress in Cybersecurity

The data paints a stark picture of the stress levels in the cybersecurity industry:

• Prevalence and Causes of Stress:

  • 66% of cybersecurity professionals report their roles are more stressful now than five years ago. according to 2024 State of Cybersecurity survey report from ISACA. The report also highlights typical causes of stress to be:

    • Increasingly complex threat landscapes (81%).

    • Insufficient budget and resources (45%).

    • Hiring and retention challenges (45%).

  • 84% face additional challenges due to evolving threats and high-profile breaches, according to a report titled - A Survey-Based Quantitative Analysis of Stress Factors and Their Impacts Among Cybersecurity Professionals.

• Impact on Well-Being: According to Palo Alto blog - an antidote to stress in cybersecurity - More than 90% of CISOs said they suffer from moderate to high stress and a third believe their jobs would be at risk if their organizations were breached, according to a survey of 408 CISOs in the U.S. and U.K. Even more worrisome: 26.5% said stress was impacting their mental or physical health; 23% said the job was eroding their personal relationships, and 17% said they turned to medication or alcohol to deal with job stress.

• Burnout Rates: Burnouts are a growing concern according to study done few years ago, which concludes that 79% of cybersecurity professionals experienced burnout in the past year. Enterprises lose an estimated $626 million annually due to productivity loss linked to mental health issues in cybersecurity teams. Strategies for identifying and mitigating burnout by Fusion Cyber is a good read → Cybersecurity Burnout – Causes, Symptoms, Impact, and Prevention.

Managing Stress Before It Becomes a Problem

1. Build resilience through emotional intelligence by developing self-awareness to identify stress triggers early. Foster a supportive environment with empathy and open communication. Engage in emotional leadership training to manage high-pressure situations effectively.

2. Set work-life boundaries by logging off at designated times and taking regular breaks to reset focus and energy.

3. Leverage Technology for work efficiency and automation to reduce repetitive tasks.

4. Promote a wellness culture by advocating for mental health programs like counselling and stress management workshops. Encourage team-building activities to foster camaraderie and reduce workplace tension.

5. Develop time management skills by prioritizing tasks with frameworks like Eisenhower’s Matrix and breaking down large projects into smaller steps.

6. Seek Professional Help: Consult a mental health professional if stress becomes unmanageable to prevent burnout and long-term health issues.

Conclusion

Stress is an inherent part of working in cybersecurity, but it doesn’t have to lead to burnout or diminished performance. By recognizing the signs early, leveraging available resources, and fostering a culture of wellness within organizations, cybersecurity professionals can not only manage stress but also thrive under pressure.

Remember: Taking care of yourself is not just good for you—it’s essential for the security of the organizations you protect.

Stay resilient!

Related Securing Things Offering

Want to learn more with a touch of few chronicles from cybersecurity consulting?

Other Chronicles

Rebooting the prison → Tales from the OT Trenches - by Rob Hulsebos, where Rob shares his experience troubleshooting a problem at a Dutch prison for a BMS system, only to find out later that the cause of the issue was not the configuration itself but nearby interference.

Share your own Chronicles and lessons learned

Calling📲 out to other seasoned pros to share their chronicles in cybersecurity. Reach out to me directly via email and or LinkedIn (see at the end).

My Recent Most Viewed Social Posts

In case you’ve missed - here are some of my recent most viewed social posts.

• Cybersecurity and AI Across the Industrial Automation Stack - Monthly Digest # 1 - ✅ Industry Trends, Market Insights on cybersecurity and AI across the layers of industrial automation stack (Cloud, ERP, DMZ, MES, SCADA, HMI, PLC/Edge), physical devices & more.🚀 [Securing Things by M. Yousuf Faisal].

• ISA/IEC 62443 Standards - Part 5 - Security Program Elements (SPEs) for 62443-2-1:2024, Upcoming Asset Owner ACS Security Assurance (ACSSA) Certification Scheme to ISA/IEC 62443-2-1, 2-4, 3-2, 3-3 by ISCI, CISO's role, other interesting reads.

• The Digital Factory (Data Flow) - Part 2 Industry 4.0 data/event driven data flows and security considerations and how's CISO's role is evolved in OT security.

• Cybersecurity & Data Privacy for Hong Kong - HK Cybersecurity Market, upcoming Critical Infrastructure Bill 2024 regulations, Data Privacy Program Core elements, HK markets and more.

• Biggest Cybersecurity Acquisition Ever - ✅Google Acquisition of Wiz - a $32B Bet to End “Security Theatre” and future of Multi-Cloud Security, also includes analyst views what this means for the cybersec industry.🚀 [Securing Things by M. Yousuf Faisal]

• ISA/IEC 62443 Standards - Part 3 - series covering essentials of the standard.

• Tip to remember ISA/IEC 62443 Standards Group & Overview Part 2.

  Continue to be the most viewed post with more than 4.3K views at the time of writing this.

• 📢 📰 Secure by 3Ds (Demand | Design | Default) 📢 📰 ✅ The trifecta reshaping IT & OT cybersecurity industry!

• What the heck is ITDR - A crash course on Identity Threat Detection & Response.

Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.