Episode 5: Mental health in cybersecurity | The Job Security Podcast

Introduction

Welcome to The Job Security Podcast, where we explore the unique perspectives and stories of the people who make the cybersecurity industry what it is. This week, we’re tackling a topic that affects every corner of our field but rarely gets the attention it deserves: mental health in cybersecurity.

Our industry attracts brilliant, unconventional thinkers who excel at solving complex problems under pressure. But that same pressure—combined with the confidential nature of our work, irregular hours, exposure to disturbing content, and encounters with organized crime—creates a perfect storm for mental health challenges. Unlike law enforcement professionals who receive training on compartmentalizing traumatic experiences, most cybersecurity practitioners lack formal support systems designed for the unique stressors of our work.

To discuss how the cybersecurity community is addressing these challenges, we’re joined by Amanda Berlin, CEO and co-founder of Mental Health Hackers and a prominent advocate for mental health in the technology community. When she’s not leading this vital nonprofit work, Amanda serves as a Senior Product Manager at Blue Mira and co-hosts the Breaking Down Security podcast. She’s also co-author of the Defensive Security Handbook. Amanda’s organization runs mental health villages at cybersecurity conferences worldwide, creating safe spaces where hackers can find peer support, practical resources, and community—because sometimes the best help comes from someone who truly understands what you’re going through.

The birth of Mental Health Hackers: from personal struggle to community movement

Mental Health Hackers didn’t start as a carefully planned nonprofit initiative. It began with Amanda Berlin talking openly about her own experiences with depression, anxiety, and imposter syndrome in the cybersecurity community. What started as personal vulnerability quickly revealed something profound: she wasn’t alone.

Amanda Berlin: “It was started out of me talking about my own depression and anxiety and imposter syndrome and everything else in the space, and other people being like, ‘Oh, it’s not just me that’s having this problem.’ There are others that are struggling with this, and then it kind of just became this accidental nonprofit.”

Since officially incorporating as a nonprofit in 2017, Mental Health Hackers has run villages at cybersecurity conferences across the United States and internationally—from DEF CON to events in New Zealand, the UK, Germany, and Switzerland. Their motto is simple but powerful: “hackers helping hackers.”

The organization operates on a straightforward principle: peer support works. Amanda points to research showing that people’s mental health outlook improves significantly when they have a community to talk to and trusted advisors who understand their experiences—even more than having only professional mental health support. This is especially crucial in cybersecurity, where the technical complexity of our work can create barriers to traditional therapy.

While Amanda is careful to emphasize she’s not a mental health professional—her background is firmly in cybersecurity—the organization bridges both worlds by featuring content from security practitioners sharing their personal experiences alongside workshops from licensed mental health professionals who also understand the tech space.

Creating sanctuary: what happens inside a Mental Health Hackers village

When Amanda’s kids describe what their mom’s nonprofit does, they call it “daycare for adults that are geeks.” It’s a surprisingly apt description of what Mental Health Hackers provides at cybersecurity conferences.

Walking into a Mental Health Hackers space, you’re immediately greeted by a “Free Hugs” sign—a small gesture that sets the tone for everything that follows. The village functions as a quiet respite from the sensory overload of large cybersecurity conferences, offering adult coloring books, knitting supplies, yoga sessions, air loungers for relaxation, fidget toys, healthy snacks, and comfortable seating.

But it’s more than just a chill-out area. The village features talks from both cybersecurity professionals and mental health experts covering topics like how organizing pen test results helps manage ADHD, coping with traumatic brain injury, meditation practices for stress reduction, and other intersections of mental wellness and security work.

Perhaps most importantly, Mental Health Hackers provides credible mental health information from trusted sources like the American Psychological Association, NAMI (National Alliance on Mental Illness), and the World Health Organization. This evidence-based approach ensures that while peer support is central, visitors also have access to professional resources and pathways to formal help when needed.

At DEF CON 2024, Mental Health Hackers operated within the Blue Team Village, and the response was overwhelming. Amanda notes that an surprising number of mental health professionals showed up—sometimes by accident—including spouses, siblings, and children of DEF CON attendees who work in psychology, counseling, and therapy fields.

The neurodivergent majority: mental health patterns in cybersecurity

The cybersecurity industry doesn’t just have a mental health problem—it has a distinct mental health profile. Research shows significantly higher rates of both general mental health issues and neurodivergence in STEM fields compared to the general population, and cybersecurity follows this pattern intensely.

Amanda Berlin: “There’s actually a really high occurrence of—and I know this won’t shock you—general mental health issues in STEM fields, but as well as neurodivergence. We see it all the time. We know we’re weird. That’s why we’re hired, to do the weird things.”

The most common conditions Amanda encounters in the cybersecurity community include ADHD, anxiety, depression, and autism spectrum conditions. Less commonly discussed but also present are OCD, bipolar disorder, and other conditions that carry more stigma—meaning people may be less likely to speak openly about them despite their prevalence.

This clustering isn’t coincidental. Cybersecurity work attracts people who excel at pattern recognition, deep focus on complex systems, and unconventional problem-solving—cognitive strengths often associated with neurodivergent thinking. As Amanda points out, you don’t see the same concentration of neurodivergent individuals in sales roles, because those positions require different cognitive and social strengths.

The challenge is that these same traits can create vulnerabilities. The ability to hyperfocus becomes a risk factor for burnout. Pattern recognition can fuel anxiety when applied to personal interactions. The detailed thinking that makes someone excellent at threat analysis can spiral into rumination about worst-case scenarios.

Even at the executive level, mental health challenges are prevalent—they’re just less visible. C-suite leaders often feel they can’t discuss mental health struggles because they worry it will make them or their company appear weak. This silence at the top can perpetuate stigma throughout organizations.

Beyond the screen: practical strategies for mental wellness

When Dave Johnson worked as a security analyst early in his career, he experienced something many in cybersecurity know too well: coming home mentally exhausted, feeling “dumb and numb” from hours of repetitive analysis work. His solution was creative cooking—transforming random ingredients into gourmet meals, inviting friends over for dinner parties, and using that creative outlet to shift his brain from pure consumption mode back to human mode.

This experience illustrates Amanda’s number one recommendation for cybersecurity professionals: do something that isn’t security-related and isn’t screen-related.

Amanda Berlin: “For a long time, I did not do that. I burnt out. I was help desk for a long time, sysadmin, pulling night shifts, doing patch Tuesdays, putting out fires. But then also really diving into security. And every time I would go on vacation, it would be to a security conference. I did the podcast, I did extra projects, I wrote the book—all of this stuff that was me still sitting in this chair, still looking at the screen.”

Amanda’s personal solution involves activities that get her away from technology entirely: cooking, walking, kayaking on Lake Erie (when it’s not frozen), and other forms of exercise. The key isn’t that these activities are athletic or particularly impressive—it’s that they’re completely different from staring at monitors and analyzing threats.

For polymaths who struggle to turn off their analytical minds, the strategy shifts slightly. Instead of trying to shut down thinking entirely, redirect that mental energy to domains where you’re not an expert and where failure carries no professional consequences. Learn to cook, pick up music, try 3D printing, get involved in community projects—anything that lets you experience growth and even comfortable failure outside your area of expertise.

This approach mirrors how historical innovators like Nikola Tesla and Benjamin Franklin worked: maintaining multiple projects on different tables in their labs, pivoting between them when momentum on one stalled. The key is maintaining intellectual engagement while cleansing your mental palate.

Gaming can be a valid outlet for some people, but Amanda cautions that it’s still screen time. Ideally, find at least some activities that involve physical movement, social interaction in person, or creating something tangible with your hands.

The therapist gap: why finding mental health support is uniquely difficult in cybersecurity

One of the most common questions Mental Health Hackers receives is deceptively simple: “How do I find a therapist I can actually talk to?”

The challenge isn’t just finding any therapist—it’s finding one who can follow along when you need to explain that a specific technical vulnerability led to a cascade of events that traumatized you, or that you’re struggling to cope with disturbing content you discovered while tracking threat actors, or that the pressure of protecting your organization from sophisticated adversaries is crushing you.

Amanda Berlin: “When you get into ‘this specific technical thing happened that led to this, that led to that, and that’s how I came up with the whole story,’ building there really matters sometimes. And not all therapists are good—not all therapists are gonna be good for you. It’s definitely like a glass slipper kind of time. You’re rarely gonna the first time you try a therapist find one that’s good for you.”

The problem is compounded by the fact that therapists with cybersecurity backgrounds or technical expertise are relatively rare. Some mental health professionals have made the transition from technical careers to counseling, but they’re few and far between.

Interestingly, Amanda has noticed an unusual overlap at cybersecurity conferences. At DEF CON alone, numerous mental health professionals show up—often because they’re spouses, siblings, or children of security practitioners. This suggests that conversations about supporting cybersecurity professionals may already be happening in mental health circles.

Mental Health Hackers is considering building a directory or network to connect cybersecurity professionals with mental health practitioners who have technical backgrounds or demonstrated understanding of the industry. It’s a significant undertaking that would require volunteers to help coordinate, but the need is clear.

In the meantime, Amanda and many Mental Health Hackers volunteers have completed Mental Health First Aid training—an eight to sixteen-hour course (often free or low-cost through grant programs) that teaches how to recognize mental health crises and connect people to appropriate help. It’s the mental health equivalent of CPR and first aid training, providing practical skills for supporting someone in crisis without requiring years of professional education.

Incident response for your brain: recognizing when you need help

Cybersecurity professionals are trained to recognize indicators of compromise in systems and networks. But we’re often terrible at recognizing similar warning signs in ourselves.

The physical and mental demands of cybersecurity work—irregular hours, high-stakes decisions, exposure to criminal activity and sometimes disturbing content, constant vigilance, and the knowledge that real harm could result from our mistakes—create conditions where mental health can deteriorate gradually, almost imperceptibly.

For threat intelligence analysts tracking adversaries, the psychological toll can be particularly severe. They often lack the compartmentalization training that law enforcement receives for dealing with exposure to criminal behavior. Incident responders face similar challenges, dealing with breaches that may have catastrophic consequences for their organizations while working under intense time pressure.

Even security operations center (SOC) analysts performing seemingly routine work can experience cognitive exhaustion from the repetitive nature of alert triage, especially when SOC teams are understaffed and overwhelmed by alert volume.

Amanda emphasizes the importance of peer support precisely because other cybersecurity professionals understand these pressures in ways that outsiders—including most mental health professionals—simply cannot. When someone says they’re struggling with the psychological weight of a ransomware investigation, other security practitioners immediately understand the context, stakes, and specific stressors involved.

Mental Health First Aid training helps community members recognize when someone needs more than coffee and conversation—when professional intervention may be necessary. Signs to watch for include major changes in behavior or mood, withdrawal from community, expressions of hopelessness, or signs of crisis like discussing self-harm.

The goal isn’t to replace professional mental health services but to create a community safety net that helps people get to those services when needed, and provides meaningful peer support in between.

What employers can get right (and wrong) about mental health

Company culture around mental health isn’t just about offering an Employee Assistance Program and calling it a day. It requires genuine organizational commitment, starting from leadership.

Amanda points to resources like workplace mental health.org, which provides specific guidance for employers including which diagnostic codes health insurance plans should cover for mental health services. But beyond just checking boxes on benefits packages, companies need to create cultures where using those benefits doesn’t carry professional risk.

Expel’s approach offers one example of what supportive policy can look like. The company offers a “Free For All”—four hours per week where any employee can simply opt out of work without explanation, no questions asked. If you’re reaching your limit, you can tell your team “I’m taking my four hours right now” and everyone responds with “We’ve got you covered.”

Amanda Berlin: “No questions asked, no hard feelings, nothing. The rest of the team is like, ‘Yep, we got you. You go for it and we’ll cover the rest.’ It’s just things like that, just the options of doing that.”

This kind of policy only works when leadership demonstrates through their own behavior that it’s genuinely acceptable to use. If executives never take mental health time, or if managers subtly penalize people who do, the written policy becomes meaningless.

The challenge is that many cybersecurity professionals find themselves in toxic cultures where changing these norms from the bottom up feels impossible. Grassroots culture change is extremely difficult without leadership buy-in. When executives don’t model healthy boundaries or when middle managers create stigma around mental health struggles, individual contributors have limited power to change the environment.

Organizations serious about supporting mental health in cybersecurity should consider:

• Providing mental health coverage that includes adequate therapy sessions (not just three visits per year)
• Offering flexible work arrangements that accommodate different cognitive styles and energy patterns
• Training managers to recognize signs of burnout and respond supportively
• Creating explicit policies that protect people who need mental health accommodations
• Destigmatizing mental health by having leaders speak openly about their own experiences
• Ensuring that using mental health benefits or taking mental health days carries no career penalty

The reality is that most organizations won’t implement these changes unless leadership decides it’s a priority. For individual cybersecurity professionals in unsupportive environments, the unfortunate answer may be finding a different employer whose values align better with mental wellness.

Community transformation: how cybersecurity culture is evolving

Dave Johnson’s first DEF CON was in 2001 (DEF CON 9), when he was just 17 years old. Walking into that conference alone in Las Vegas, he encountered a scene dominated by substance abuse and aggressive gatekeeping of knowledge. Information sharing happened only if you were deemed “cool enough” by the in-crowd.

Amanda Berlin’s first DEF CON came a decade later (DEF CON 20), and while some problems persisted, she found something different at Derby Con—a security conference with a more welcoming culture. There she met Dave Kennedy, who gave her a ticket to her first security conference and helped launch her career. That conference felt like finding a “long lost family” of people who shared her interests and didn’t judge her for being different.

By 2024, the transformation is undeniable. DEF CON now hosts diverse villages covering topics from mental health to career development to diverse areas of technical specialization. The conference has evolved from a space dominated by ego and exclusion to one that, while imperfect, is far more accessible and welcoming.

This cultural shift has happened through intentional effort by community leaders. People like Dave Kennedy, John Strand, and Amanda Berlin herself have worked to create conferences, training programs, and community spaces built on inclusion rather than gatekeeping. As Amanda notes, the range of villages at modern DEF CON reflects this broader transformation.

Dave Johnson: “When I first walked in, it is just all sorts of substance abuse and shenanigans. DEF CON is not that anymore. There is a—it is tremendously approachable. There’s a lot of value that you can get out of going to not only the talks, but the villages as well.”

Not everyone appreciates these changes. Some old-guard hackers feel that making knowledge accessible and creating welcoming spaces somehow diminishes the culture. But the result of opening doors is clear: more diverse perspectives solving problems, more people entering cybersecurity from non-traditional backgrounds, and a healthier community overall.

This same opening up has extended to mental health conversations. What was once completely taboo—admitting you struggle with anxiety, depression, ADHD, or other mental health challenges—is now increasingly accepted as part of the normal human experience, even in our supposedly “elite” technical community.

The work isn’t finished. Plenty of organizations and corners of the industry still operate with toxic cultures, excessive machismo, and stigma around mental health. But the trajectory is promising, and grassroots efforts like Mental Health Hackers are part of what’s driving that positive change.

Taking action: how to support mental health in cybersecurity

Whether you’re a cybersecurity professional struggling with your own mental health, a colleague wanting to support your team, or an organization looking to improve your culture, there are concrete steps you can take.

For individuals: Start by finding one activity completely unrelated to security and screens—cooking, exercise, music, art, volunteering, anything that engages a different part of your brain. Check your health insurance for mental health benefits you might not be using, including telehealth options that can connect you with therapists remotely. Consider joining online communities like the Mental Health Hackers Slack server where peer support is available. And remember that trying a therapist or two before finding the right fit is completely normal—don’t give up after one difficult experience.

For teams and colleagues: Take Mental Health First Aid training to better recognize when someone might be struggling and how to help. Create space for authentic conversation about mental health without forcing disclosure. Watch for signs of burnout in your teammates—withdrawal, changes in quality of work, expressions of hopelessness—and check in when you notice them. Share resources from Mental Health Hackers and similar organizations. And most importantly, model the behavior you want to see by setting your own healthy boundaries and speaking openly about mental wellness.

For organizations: Review your mental health benefits and ensure they’re actually adequate for long-term therapy, not just crisis intervention. Implement policies like mental health days or flexible work arrangements that accommodate different needs. Train your leadership and management teams on mental health awareness. Create employee resource groups focused on mental wellness. Partner with or sponsor organizations like Mental Health Hackers. And fundamentally, build a culture where using mental health resources is normalized and carries absolutely no career penalty.

For the community: Mental Health Hackers relies on volunteers and sponsors to operate their conference villages and provide resources. You can get involved by visiting mentalhealthhackers.org, emailing sponsors@mentalhealthhackers.org, or connecting through their social media presence on LinkedIn, Facebook, and Twitter. They also offer “Ambassador Kits” that can be shipped to conferences where their core team can’t travel, allowing local volunteers to run Mental Health Hackers spaces at regional events.

The organization is currently working toward offering Mental Health First Aid training directly at DEF CON and other major conferences, which will require both funding and volunteer instructors. For marketing teams looking for meaningful sponsorship opportunities that genuinely give back to the community, this is an excellent choice.

The connection between physical and mental health

While this episode focuses primarily on mental wellness, Amanda emphasizes something that research consistently supports: physical and mental health are deeply interconnected. Exercise, nutrition, and sleep all directly impact cognitive function, mood regulation, and stress resilience.

For Amanda, physical activity takes multiple forms—yoga, walking, kayaking, and other movement-based activities that get her away from screens and out of the analytical mindset. She started yoga by following YouTube videos from Yoga with Adrian, proving you don’t need expensive classes or perfect form to benefit.

Amanda Berlin: “I never thought I would be a big yoga person, and now—I was always a very clumsy child, I would always fall on things and break stuff, I was always in the hospital. I fall a lot less now and trip and hit a lot less things since I’ve been doing yoga, and I do it like twice a week.”

The key is finding movement that works for you personally. High-intensity interval training (HIIT), yoga, walking, swimming, team sports—all can provide both physical and mental health benefits. The goal isn’t to become an athlete; it’s to move your body regularly in ways that feel sustainable.

Dave’s experience with HIIT classes illustrates another benefit of physical fitness activities: they provide lessons in humility and community. Being outperformed by people twice your age who are supportive and encouraging rather than competitive creates a different kind of social connection than most of what happens in cybersecurity work.

Even small amounts of physical activity can make a measurable difference. Taking a walk during lunch, doing simple stretches during breaks, or choosing stairs over elevators all contribute to better mental health outcomes. For cybersecurity professionals who spend most of their working hours sedentary and staring at screens, intentional movement becomes even more critical.

Frequently asked questions about mental health in cybersecurity

What makes mental health challenges unique in cybersecurity?

Cybersecurity professionals face distinct stressors including irregular hours during incident response, exposure to criminal activity and disturbing content, high-stakes decisions with potential for serious consequences, constant vigilance requirements, and confidential work that limits who you can discuss problems with. Unlike law enforcement, most security practitioners lack formal training in compartmentalizing traumatic experiences, leaving them vulnerable to burnout, anxiety, and trauma responses without adequate coping mechanisms.

How common is neurodivergence in the cybersecurity field?

Research shows significantly higher rates of neurodivergence—including ADHD, autism spectrum conditions, and other variations in cognitive function—in STEM fields including cybersecurity compared to the general population. The cognitive strengths associated with neurodivergence, such as pattern recognition, deep focus, and unconventional problem-solving, align well with cybersecurity work. However, these same traits can create vulnerabilities when the ability to hyperfocus leads to burnout or when analytical thinking spirals into anxiety.

Where can cybersecurity professionals find mental health support that understands their work?

Mental Health Hackers (mentalhealthhackers.org) provides peer support through conference villages, online community via their Slack server, and resources connecting technical and mental health expertise. For professional therapy, look for practitioners who have technical backgrounds or experience with STEM professionals. Many health insurance plans now include telehealth options that can connect you with therapists remotely, expanding your options beyond local providers. Mental Health First Aid training can also help you build a support network within your existing cybersecurity community.

What can employers do to better support mental health in security teams?

Effective organizational support requires more than just offering employee assistance programs. Companies should provide adequate mental health coverage in insurance plans, implement flexible policies like mental health days or “opt-out hours,” train managers to recognize and respond to burnout, create cultures where using mental health resources carries no career penalty, and have leadership model healthy boundaries and openness about mental wellness. Policies only work when executives demonstrate through their own behavior that it’s genuinely safe to prioritize mental health.

How can I help a colleague who seems to be struggling with mental health?

Consider taking Mental Health First Aid training to recognize signs of crisis and understand how to help. Watch for indicators like withdrawal from the team, significant changes in work quality or behavior, expressions of hopelessness, or direct mentions of struggling. When you notice concerning signs, check in privately and without judgment, listen without trying to immediately fix problems, share resources like Mental Health Hackers or your company’s employee assistance program, and in cases of crisis involving risk of self-harm, don’t hesitate to involve professional help or emergency services.

What are practical daily habits that support mental wellness in cybersecurity work?

The most important habit is regularly engaging in activities completely unrelated to security and screens—cooking, exercise, music, art, outdoor activities, or any hobby that shifts your brain into a different mode. Physical exercise, even just walking, provides measurable mental health benefits. Setting clear boundaries between work and personal time helps prevent burnout. Maintaining social connections outside of work reduces isolation. And practicing basic self-care around sleep, nutrition, and stress management creates resilience for handling the unique pressures of cybersecurity work.

This transcript has been edited for clarity and readability.

For more cybersecurity insights and industry perspectives, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice, or visit expel.com/blog for the latest in security news, tips, and threat intelligence. To learn more about how Expel’s managed detection and response services can support your security team’s effectiveness while reducing stress, reach out to our team today.