How do we fix security's toxic culture?

An illustration of three workers arguing under dark clouds
(Image credit: An illustration of three workers arguing under dark clouds)

It’s time we talk about the issue of toxic cultures within the security teams. Many will have experienced this first hand; feeling undervalued by – and separate from – the rest of the business, in-fighting within the department, and even bullying.

Not enough research has been done on the topic, but it’s definitely time to give this issue a voice, says Jinan Budge, principal analyst for security and risk at Forrester Asia Pacific. While researching retention of cybersecurity staff, Budge asked a question on LinkedIn regarding toxic cultures, and was surprised by the level of response she received.

“Within just a few hours I ended up getting 200 contributions from 75 people,” she says. “They were quite harrowing, describing their own experiences and things they’d witnessed. That’s when I knew we needed to start talking about this.”

The impact of a toxic culture

To ensure an organisation is protected from potential breaches and attacks, security teams must be at the top of their game. The work of a security professional is highly pressurised and stressful – two factors that can engender a toxic culture. This is leading to businesses losing skilled professionals; according to CIISec’s The Security Profession 2019/2020 report, more than half (54%) of IT security professionals have either left a job due to overwork or burnout, or worked with someone who did.

Any unhappy work environment should not be ignored, but there’s even more at stake when you’re talking about a business’ security department.

Amanda Finch, CIISec’s CEO, says that budget pressures, rising threats and internal constraints can all lead to the growth of a toxic working environment. “As attackers constantly find innovative ways to undo the security team’s hard work, there’s constant pressure to keep pace, let alone get ahead. This can be a big strain on individuals, leading to a stressful culture,” she explains.

“At the same time, according to our survey, 82% of security professionals say security budgets are not keeping pace with the rising threat level. With budgets tightened, 64% percent of respondents said their businesses simply hope to cope with fewer resources when necessary, whilst 51% would let routine or non-critical tasks slip. There’s a clear risk here – the more overworked security teams are, the harder it will be for them to spot and respond to real threats,” she adds.


Remote worker cybersecurity best practices

Strategies and tips to follow, helping to secure your workforce


Budge agrees with Finch’s analysis, saying: “The ultimate problem with a toxic culture is that it means you’re not looking after the organisation’s cybersecurity, which is effectively the team’s sole reason for being. I’ve seen this happen – teams are so busy dealing with in-fighting that they’re unproductive. Sometimes the biggest enemy is not actually the adversary, but the team itself.”

Disengaged employees cost businesses money and cause disruption. A 142-country Gallup study of the state of the global workforce found that only 13% of employees are psychologically committed to their jobs, with an estimated cost in the US alone of $450-$550 billion (£344-£421 billion) annually through absenteeism, accidents and lower productivity. “Over time this can even cause share prices to lower,” Budge notes.

What causes a toxic team culture?

In the Forrester report entitled Fix Toxic Security Culture Before It Kills Your Innovation, Budge called out 10 leading causes of toxicity, many of which are tied to poor management.

Lack of organisational support took the top spot, but low leadership maturity, poor communication skills, a yes culture and lack of team buy-in were also cited as clear causes.

“Bad management is creating intrinsic problems within companies’ cultures,” says Finch. “Many people in senior roles have been promoted from technical backgrounds. They entered the industry with an expectation to be heavily involved in the technical aspect, and haven’t necessarily learned the skills to manage people,” she notes.

Budge highlights that egos and individuals with a “hero complex” also added to a negative team environment. “We all know these people, they’re the ‘rock stars’, the know-it-alls who think they’re the only ones that can solve a problem. They’re not team players and they have this unchecked presence. Sadly, this is a lot more prevalent that we’d like to admit.”

The ‘dirty secret’ of toxicity however, is lack of diversity. For example, only 10% of CIISec report respondents were women. “This has doubled since 2015,” says Finch, “but still suggests there’s a long way to go. “

People were very reluctant to make a public comment about the lack of diversity in response to Budge’s LinkedIn question, but she was privately emailed by several people regarding this issue. “[They said the lack of diversity] isn’t only a cause of toxicity but also an outcome. Many women and minorities noted that they were unable, or didn’t want to stay in a team, because of a toxic culture.”

Creating a positive team culture

There’s no silver bullet for toxic cultures, but steps can – and should – be taken to identify and correct them before they destroy the department from the inside out.

The responsibility for this lies with the CISO and as Joan Pepin, CISO of Auth0, notes, “culture needs to be a priority. The CISO needs to flow that priority down to their leadership in constructive and actionable ways. They’re accountable: It’s their department, their credibility on the line and ultimately, a toxic security culture leads to a less secure company – so it’s basically their job.

“Professionalism and empathy must be expected and modelled. If a security team is empathetic, if they understand what the user, the department, the business unit [wants], and what their goals and challenges are, they will provide better security solutions, in addition to experiencing a more pleasant environment and better stakeholder engagement.”

Alongside coaching empathy, cisos need to be willing to make the tough calls when needed, ensure they recruit the right people and communicate clearly – both in terms of ensuring team members understand their roles and responsibilities, and also around building relationships with the wider business.

“A misalignment between the executive leadership’s viewpoint and what the security team thinks their remit is can cause problems over time, says Ben Carr, Qualys’ CISO. “Ideally, you should set the ground rules early on with regard to what is expected, what collaboration is needed, and how your security team will engage the business.”

CISOs have much to take on board, but everyone in the industry has a role, as an individual and team player, to acknowledge and call out toxicity when we see it, and also look at their own behaviour.

There is light at the end of the tunnel, but this will get brighter if we continue to have these conversations and bring the issue of toxic workplace cultures to the forefront

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.