Psybersecurity: Hacking the Mind for a Better Defense
By John San Filippo
At the recent CU Intersect conference in New Orleans, for which Finopotamus was an official media sponsor, Steve Koinm, chief information security officer (CISO) and co-founder of event co-sponsor Pure IT, took the stage to address a threat that doesn’t always show up on a firewall log: the mental health of the people behind the screens. Moving beyond technical exploits, Koinm introduced the term “psybersecurity” to address the high-stakes psychological pressure of credit union security. While most presentations cover hacking hardware or software, Koinm’s focus was squarely on the human element and the internal battle against burnout.
The Burden of 100% Accuracy

The core of the stress in cybersecurity stems from the asymmetrical nature of the job, he noted. In most credit union departments, a small margin of error is expected and manageable. However, the security team is held to a standard of perfection that is naturally exhausting because the “offense” only needs to be effective once to cause a catastrophe, Koinm shared.
“In cybersecurity, we’re playing defense. So, we’ve got to be right 100% of the time. The offense is out there, they’ve only got to be right once, and then they get past us,” Koinm told the audience.
This creates a state of hypervigilance where the defender never feels truly off the clock. Unlike first responders or the military, who often have designated downtime or “waves” of threat, cyber adversaries are active 24/7, he explained. As such, they often ramp up their busiest activity while the domestic team is trying to sleep, forcing defenders into a state of permanent readiness that wears down the nervous system. “But when we try to make that permanent readiness, it becomes exhaustion disguised as dedication,” noted Koinm.
The Creeping Threat of Burnout
According to experts, burnout in the IT world isn’t a sudden, explosive event. It is a gradual decline that often goes unnoticed because it doesn’t appear as a task on a to-do list. Because cybersecurity professionals are often motivated by a noble sense of mission – protecting the credit union and its members’ financial lives – they tend to ignore the warning signs of their own mental fatigue. “It’s a creeping thing that happens,” explained Koinm. “It’s not something that’s on your to-do list, it’s not on your calendar, I’m going to get burned out on this day.”
Koinm was candid about “imposter syndrome,” a real psychological phenomenon where professionals feel like they are “winging it” and fear that someone will eventually discover they aren’t as competent as they seem. Many leaders feel that admitting to being overwhelmed confirms these fears, yet Koinm reminded the audience that everyone is navigating these challenges in real time with no perfect roadmap. “We’re all making it up as we go along,” he said. “We all use whatever experience we had before to do what we can do, and then we actually work forward from there to be able to try to build those things forward.”
Lessons from the “Jolt Cola” Era
To illustrate the dangers of powering through exhaustion, Koinm shared a personal story from his early days working for the math department at Oklahoma State University. At the time, he prided himself on ensuring that his work never impacted his users. He would stay up all night to finish maintenance tasks before the staff returned in the morning, fueling himself with a constant supply of caffeine.
“I had a two-liter bottle of Jolt Cola in my hand every day,” he recounted. “Take that bottle of Jolt, good to go for a day.”
Eventually, the chronic lack of sleep caught up with him. While he was attempting to delete a specific directory, his narrowed focus and mental exhaustion led to a simple but devastating typo. He put a slash in the wrong place and accidentally deleted the entire department’s files—everything from staff data to laboratory work. While his rigorous backup routine saved the day, the experience taught him that a tired brain is a liability. He added that, to maintain a more stable mental state, he has now been caffeine-free for over 30 years.
Strategies for Mental Resilience
To combat the “psybersecurity” risks of burnout, Koinm suggests a mix of personal discipline and cultural changes within the credit union. He emphasizes that showing up for the organization first requires taking care of the individual.
Schedule Real Vacations: Professionals should aim for a real vacation at least three times a year to let alert levels normalize. Koinm shared his own experience of a six-week, 17,000-mile motorcycle trip to Alaska, where he strictly limited his “on” time to only a few hours a week.
Invest in Proficient Training: People want to feel competent. Training isn’t just about career advancement; it’s about giving staff the tools to know they aren’t imposters.
Make Space for Fun: Whether it is a “whiteboard challenge” about the optimal slice of pizza or a competitive chicken nugget eating contest, lighthearted office activities build bonds that resist stress. Koinm noted that for his team, these “silly” contests are what bring a sense of enjoyment back to the workplace.
Implement Peer Recognition: Using systems like Bonusly allows team members to hashtag and reward each other with points that turn into real dollars. Koinm uses his own points to buy giant Lego sets, which he finds helpful for taking his mind off the stress of the job.
“But we can’t show up for others until we can actually show up for ourselves,” he added. “The goal is progress. The goal is not perfection.”
Building a Sustainable Security Program
Beyond personal habits, the structure of the security program itself can either contribute to or alleviate stress. Koinm recommended a “fix the basics” approach to eliminate the “noise” that causes alert fatigue, such as broken integrations and unpatched systems.
He also urged leaders to cultivate their teams by giving others the chance to step up. If a leader doesn’t allow their staff to take ownership, the staff never grows, and the leader never gets to unplug. This ROI on “cultivating the team” is real for the business because it creates a more resilient, effective defense. “You cannot and should not do this alone,” Koinm insisted. “Don’t do this alone. You need to do this in a team. This is a team sport as we’re doing this.”
The Power of Community
Koinm’s final takeaway for the credit union industry is the power of shared experience. Cybersecurity is often seen as the “department of no,” but by reframing the role as risk management and enabling the business, the mission becomes more positive. Most importantly, security professionals must step out of their silos. “Be part of a community like this,” Koinm said, referring to the conference attendees. “These are other folks who are going through dealing with a lot of these same things and trying to figure it all out.”
He added that by acknowledging the psychological weight of the role, credit union leaders can ensure their teams don’t let temporary stress turn into a permanent “stress fracture.”
