Too Sleepy to be Secure?

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 181 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

How many of us can say that we get enough sleep, consistently? And not just the number of hours asleep, but the quality of sleep as well? In this busy world with work, family, and community obligations, good sleep often takes a backseat, and we find ourselves drinking that extra cup of coffee to get us going in the morning. Not to mention there’s a global pandemic, which makes everything a little harder.

Our guest this week is Lincoln Kaffenberger. He’s the threat intelligence service lead at Deloitte Global, and he has been conducting survey research into the role sleep plays in keeping our organizations safe. Our conversation reviews the data he’s gathered, the conclusions he’s developed, and his recommendations for organizations that want to encourage a culture where team members are coming to work rested and ready to give their best.

Lincoln Kaffenberger:

I didn't start off in tech at all. I started off as a political science international studies type major in college, joined the Army, did military intelligence there, and then started transitioning my way into cyber, specifically into the field of cyber threat intelligence. So I've been in my current position for about a year and a half, but I've been in cyber threat intel for the last six years. And it's just been fascinating. I love the tracking of bad guys in the very dynamic, always changing environment. And so it's something that I found that I love and a lot of other people feel the same way.

David Bittner:

Can you describe to us some of the stops along the way and the evolution of threat intelligence that you've seen over the years you've been at it?

Lincoln Kaffenberger:

Sure. Sure. So I started off in the Army, so very much like a traditional physical threat intelligence, from a counter terrorism and counterinsurgency standpoint with a couple of deployments in Afghanistan, then moved stateside to D.C. and get to see intel at more of a strategic area. Got out and then did a little bit of government contracting for a short stint and then got to do strategic cyber intel in that regard with the government.

Then joined the International Monetary Fund. That's where I got to do threat intel at a very, very interesting level because one day I'd be doing tactical intelligence, helping our SOC understand who was behind some of the incidents that we might see. And then next day I'd be helping my CISO understand what does the threat landscape look like for us and how should that inform our investments? And then the next day I'd help show economists how to measure and understand cyber risk as it pertains to the global economy, which is really unusual for most threat intel folks. But it was something that was actually really, really exciting. Came over here to Deloitte and have been helping grow our threat intelligence program. It's been pretty exciting to see, threat intel, as it's evolved over the last few years, especially as it pertains to other areas I've been studying like stress and sleep.

David Bittner:

Can you give us some insights? So what is your day-to-day like these days at Deloitte?

Lincoln Kaffenberger:

I have the pleasure of managing a wonderful team that's geographically dispersed, and we're looking at threats that come directly at Deloitte trying to understand, not just what is hitting us, but why it's hitting us and who's behind it, what are the intentions because that helps inform all of the decisions that we make from a high level standpoint. Whether it's what we do operationally to prevent these things from occurring or from a leadership perspective, how it informs investments and from a risk management standpoint, how it informs our risk tolerance. So there's so much value that intel can provide and that's what we're really trying to ensure is that we're giving the most value to our organization.

David Bittner:

You mentioned earlier that one of your interests is people's stress levels at work. And I know you recently conducted a survey to that end. Can you, first of all, tell us what prompted the creation of the survey?

Lincoln Kaffenberger:

There were two parallel things happening. One, there've been a number of articles in the industry of people coming out talking about stress and how burnout is prevalent in our field. And so I was seeing that, and then simultaneously, I'm also getting more and more people in my life telling me how you need to sleep more. And I didn't believe them. I don't like sleep. If I could go without sleep, I would. That would be my preferred superpower.

But then my wife conspired with her sister who got me this book called, Why We Sleep by Matthew Walker. And so I read the whole book and became really fascinated by all the different scientific research that correlates sleep to things that are actually really important to our field of cybersecurity, especially my subfield of cyber threat intelligence. And so it started getting me to wonder, I'm pretty sure that there's a lot of folks in this field that are sleep deprived, but I don't know that for sure. And I wonder what relationship, if any exists, between all this stress and the burnout that I'm hearing about in the industry and our sleep habits. So that's what caused me to go and do the survey.

David Bittner:

Well take us through it. What sort of questions were you asking?

Lincoln Kaffenberger:

Yeah, sure. So fairly straightforward questions and it only took a few minutes for respondents. But after the generic questions like where do you live, what's your role in cybersecurity, I asked things like how many hours a week do you work? How often are you working more or how often do you work late? What would you say your stress level is on a scale from one to 10? What are the causes of stress? How much are you sleeping? How many hours a week do you get for sleep during a weeknight? How much are you sleeping on the weekend? How much do you try to catch up with sleep on the weekend?

And then I asked a lot of lifestyle questions to help understand what could be impacting their sleep, such as how frequently or how often they work out, what time they finish their workouts, what time they finish drinking caffeine, what time they finish drinking alcohol, how often they're checking their phone before they go to bed or looking at a screen right before they go to bed. All of those have been shown to have an impact on your sleep quality and your sleep quantity. And so I asked those questions and it was fascinating to see what some of the responses were.

David Bittner:

Yeah, well share it with us. What sort of things did you learn?

Lincoln Kaffenberger:

I went through and did the aggregate. So first I need to caveat that the number of respondents, we've got 141 respondents, the majority of whom were in the U.S., like 75 percent were U.S.-based. And from a cybersecurity job breakdown, a third of them were self-proclaimed cyber threat intel professionals, almost 18 percent said that they were CISOs or senior level leadership like that. Another like 12 percent, which was the next highest percentage, were incident response. And then almost 40 percent made up the rest of the gambit. Not a huge sample size and kind of a biased sample size. So I just want to caveat what I'm about to say with that.

But with that, we found that people on average, all of these respondents worked about 49 hours a week. So almost 50 hours a week. They averaged saying that their stress level was about six. It was actually an average of 5.89, so round it up to six. The average sleeping six and a half hours during a weeknight and they rated their sleep quality at about a three on a scale of one to five. And then when you dive down into some of the subgroups, not a ton of variation, when you look at the profession. One interesting thing that shouldn't be surprising though is incident response, they recorded having a lower sleep quality. There was like a 2.7, as opposed to the three. They had a higher stress level. They rate it at a seven, whereas the average was around a six.

David Bittner:

Well, so what did you learn here? Going into this, did you have any suspicions about what you might find and how did it align with those notions?

Lincoln Kaffenberger:

Sure. So one of my hypotheses was that the majority of folks in cybersecurity aren't sleeping the medical recommended average of between seven and eight hours or more. And then that definitely held true when we looked at it across the board. A lot of folks are sleeping far less than that. And obviously stress was a part of the reason for even doing this survey. So when I looked and I thought, "All right, let's take a look at the stress levels and then average those out." And it looked alright. What are the reasons for stress? And the top cited reasons were high workload, lack of staffing, and lack of budget or other resources. So basically it's a lot of work to do and not enough people or resources to do it.

And so that prompted a lot of this rest. One of the things that I thought was interesting for stress causes, some people put other managers or leaders. But interestingly, it wasn't generally their boss. Their boss was one of the lowest causes of stress. So people generally have a good boss. It's the other bosses that suck. Then sleep was right in the middle of the pack as far as a reason for stress. So when I started trying to compare and correlate average stress level to say the number of hours of sleep, I didn't actually see a correlation there nor did I see a correlation between people's rated stress level and the number of hours that they worked. What I did find was a weak correlation between their stress level and the quality of sleep.

And it's what I saw as people's stress level increased, their quality of sleep decreased. Which stands to reason, right? The more stressed you are, the more uneasily you sleep at night. And there's also that cyclical response to the worse you sleep, the less well you are able to handle stress. You're more irritable and things like that.

I also noticed that, and it was a very slight correlation, it was only seven minutes difference, but people that had higher stress levels, it also took them a little bit longer to fall asleep. They got me wondering, "All right, what if I take a look at the sleep quality?" And I started looking at that to see what insights we could glean. As I looked at that, I found as people's sleep quality decreased, we saw that the average number of hours of sleep that they got also decreased. And what's interesting is when you actually read the other scientific literature and the medical studies on sleep, this is a consistent finding that people think, "Oh, I'm just going to get six hours, but they're going to be good sleep." That's generally not what ends up happening. If you want to have good sleep, you need to actually put the time in. Quantity is quality with sleep apparently.

The other thing that we saw is that as people's sleep quality decreased. The number of hours that they worked also increased. And again, that stands to reason. If you're working more hours, you have fewer hours in your day to do other things in life, sleep being one of those things. The other interesting thing that we found is as people's sleep quality decreased, we also saw it took people longer to fall asleep. People that got really good sleep, took them like 15 minutes to fall asleep. Whereas those that reported getting really poor sleep quality, it took them as long as an hour to fall asleep. So that's a pretty big swing.

Same too, the number of times that they were averaging waking up in the middle of the night. Those that got good sleep, it was around one, between two and one times a night, generally, to do something like go to the bathroom or help a kid or something like that. Versus those that had poor sleep quality, they were getting interrupted as many as five times a night. Again, stands to reason if you're getting interrupted a lot, your sleep quality is going to go down. One of the things, like when we looked at why people were getting interrupted sleep, some of the things that came up about almost 20 percent of the time were work emergencies and phone notifications, and they were tied to that. So our field is one of those fields that also has this operational, we're always on, component to it. And so that certainly does play an impact on our sleep, which as you see, has impacts on stress and health as well.

David Bittner:

I think we hear a lot, particularly right now in the midst of the pandemic and combining that with the divided political era that we find ourselves in that you hear people talk about doom scrolling. They wake up in the middle of the night, that phone is sitting on the nightstand. And so they reach over and grab it. And next thing you know, an hour has gone by, and really mainly what you've done is cranked up your anxiety level.

Lincoln Kaffenberger:

Absolutely. And it's not just the anxiety level. What the science shows, and what some of the findings from this study also support, is when you look into your phone, that light coming from your phone tells your body to wake up. And one of the things that we found looking at this, the people that recorded having lower sleep quality also reported more frequently checking their work email right before they went to bed, more frequently looking at a screen within an hour of going to sleep and less often giving themselves any chance to wind down. So all of that holds with that doom scrolling, like what you're talking about is in the middle of the night, when your body is trying to slowly drift into sleep, we're not giving it that chance because we're throwing light at it, which confuses our body's circadian rhythm. It makes it think that it's time to stay up or time to be active when it should really be telling it to go to sleep.

David Bittner:

What is your sense in terms of how this can affect an organization's security? If we've got the folks who are tasked with these things and they're stressed out and nodding off at their desk, it seems to me like that can't be a good outcome.

Lincoln Kaffenberger:

No, absolutely. When we think about how this affects organizations, this is actually one of the areas where I find most fascinating is what can we do about this? Not just as a person. I feel like medically those recommendations are fairly straightforward. But as organizations, it's a lot more tricky, I think. And so one suggestion, one thought that I've had is this idea of cyber crew rest. So for pilots, they have to go and have a minimum number of hours of break and ideally a certain number of hours of sleep between when they fly. And so I think we should introduce something like a cyber crew rest, because the alternative is where we tell analysts, "Hey, you're too sleepy to secure," or "Too sleepy to actually do your job well. I can't trust your analysis. I can't trust that you've actually done all the things necessary that you didn't miss something with this ticket, you didn't miss something with this incident response remediation effort."

Going back to, like I said, incident response, there are many times where an incident response team will have to work long stretches at a time. And at some point, after you've worked 18, 20, 24 hours, your ability to focus decreases significantly. The chance that you are going to not be good at problem solving or just fail to remember things increases significantly. And so it really puts an organization at a higher level of risk. And so from an organization standpoint, the better option should be, all right, plan for these kinds of stretches and have rotations where you can put fresh people at a problem and make sure that the people that are just coming off actually get that time to rest.

Obviously there'll be lots of HIPAA regulations and things that have to work through, but there are great sleep tracking devices out there right now. And so if organizations were to find a way that was legal, ethical, all the workers actually agreed to it, to where you could track people's sleep quality and then that affects who's on call and who's doing what in a given day. So you're putting the right people, the most rested people, on a problem versus those that are not as well equipped to mentally handle a problem.

David Bittner:

Yeah. It's interesting to me what I perceive as this, I guess almost a cultural thing, which is I think it's a myth that the more hours you put in is somehow a measurement of your dedication to a company. You see this in startups. You have the startup CEO who never sleeps, who works seven days a week and because that's the only way that we're going to get ahead. And I just think, as you're talking about these things here, I mean, there is a point where you hit diminishing returns. Yes?

Lincoln Kaffenberger:

Absolutely, absolutely. Can't remember the CEO's name, but I know he said that he doesn't work any more than 50 hours a week because he's found that any more than that, he does just that, you hit diminishing returns. And I remember several leaders that I really respect that are probably some of the best at their jobs, best in their fields, they ensured they were getting seven and a half hours of sleep because they believed that their job was to make good decisions. They need a well-functioning mind to do that, and sleep is paramount for that mind.

This is an area where a lot of people would just assume that caffeine can solve their problems or they just push through. And what's interesting is that's not always the case. Caffeine helps you not fall asleep or maybe feel less sleepy, but it doesn't necessarily help your brain do things better. And it doesn't negate the problems that come with not sleeping well, unfortunately. At least that's what some of the literature is showing.

David Bittner:

Yeah. I'm curious, you started our conversation by saying that your own attitude towards sleep initially was that you tried to minimize it. How have your views changed as you've gone through this journey in the survey and your own education?

Lincoln Kaffenberger:

Absolutely. So twofold. So one it's, I'm starting to get a little bit more sleep. I'll be totally transparent, and I am still not getting the full clinically recommended. I'm getting about six and a half hours, which is better than what I was getting. So I'm a little bit better every day. The other thing that I think is really critical is I'm not alone in this belief that, "Oh, I'm superhuman. I can do this, I can push through." I think a lot of other folks feel the same way. So part of what I do and what I've encouraged others to do is test yourself. Go and keep a sleep journal where you track how many hours of sleep you're getting and just do it for like a short period, like two weeks, four weeks.

Test yourself and see, all right, when are you going to bed? When are you waking up? How often were you waking up during the night? Look at how often and how many times are you drinking caffeine throughout the day? How often are you drinking alcohol or other substances that would affect sleep? When are you working out? And do that for a period, and then also test yourself cognitively.

For me, this is actually where I want to go and do the next phase of analysis. Memory has been shown to be the main thing that is affected by poor sleep. And so go and do tests where you learn something in week one and then go and test it yourself in week two to see how much of what you just learned that you actually remember and what you recall. And if you can see that, "Wow, I don't remember any of that stuff," and then maybe try changing your sleep habits and then test your memory again. And if you see like, "Wow, I actually remember all that. I can save myself all that time instead of having to go back and search and relearn that thing, I can just recall it." And so that is part of what changed my mind and I think that would also work for others as well.

David Bittner:

What about from a leadership point of view? You said you yourself, you have a team of folks that work under you. If I'm in charge of a group of people, how can I set the tone that sleep is a priority and that you're going to be rewarded for coming to work well rested?

Lincoln Kaffenberger:

No, that's a great question. And it's a challenge that we face, our team is globally dispersed. And so part of the challenge too, is it's not just dealing with people, whether they are rested, it's also, am I getting them in the most productive part of their day? So if I'm based in D.C. and I'm talking with folks in Asia-Pacific, I'm either talking to them really late their time or really early in their morning, where it's the opposite for me. And so trying to balance that is challenging. But what ends up happening unfortunately is it will be like the early to middle part of my day and I'll see some of the Asia-Pacific folks still on. And so really trying to encourage them, "Hey, no, no, no. Work during your time. Give yourself time to rest," and having to nudge them towards that. That's one of the things that we've been doing.

The other thing that I'm trying to do, which as you heard earlier about my changes in sleep, I'm trying to lead by example in that. I'm not there yet, but trying to make sure that you're getting enough rest. And so looking at the data, at the surveys, CISOs are regularly getting six and a half hours of sleep. So if they are wanting people to get more sleep, they themselves should also get more sleep as well. I think the medically recommended is at least seven, and then the closer you can get to eight, the better.

David Bittner:

How about naps? I worked for a company once and they had some little nap rooms where if you wanted to go take a half an hour and either just close your eyes or take a quick snooze, that was something they supported. Is that a helpful thing for folks?

Lincoln Kaffenberger:

Absolutely. The literature certainly supports that, taking naps is certainly huge. Every little bit helps. I actually asked about that as well. And people said that they felt like they could take naps. Not many do, especially for folks that are on incident response or working any situation where you're going to have to be up for a longer stretch than usual, taking a 15 minute or even an hour and a half, if you can, is certainly very, very helpful and beneficial. So thankfully, for most of what I've seen in the organization or from the survey, is that most organizations that the respondents worked for, they seem to be open to people taking naps as needed.

I asked people about their beliefs about sleep and work. One of the things that I asked was, "How much sleep do you think you need to do your job well?" And the majority of folks said between seven and eight. But then I also asked them, "How little sleep can you get by with and do your job well enough?" And a lot of times people would say things like six and seven to six hours. But in my field of cyber threat intel, our professionals had the highest percentage of people, of all the different professions, that said that they could get by with less than six hours of sleep and do their job well enough. For me, that was fascinating because when you look at the aspects of sleep deprivation that have the biggest impact on a person, sleep deprivation negatively impacts your memory, your ability to problem solve, your creativity and it makes you more likely to have cognitive bias, to really hold fast to beliefs that you had already established and be unwilling to compromise.

All of those are horrible, horrible for cyber intelligence professionals. We rely on our memories to do our job well. We're constantly trying to solve difficult problems. We need creativity to be able to think outside of the box at how bad guys are doing the things they're doing. And bias is like a cancer of the mind for our field. We have to recognize and be able to overcome those biases to do our job well. It makes me feel like my profession in particular has a long road to go with recognizing sleep and its impact on our performance.

David Bittner:

Our thanks to Lincoln Kaffenberger from Deloitte Global for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.