Steering the cybersecurity ship in a toxic work culture

Has your cybersecurity guy been looking a little haggard and irritable lately?
It’s hardly surprising. Evolving threats, chronic understaffing and tight budgets mean cybersecurity teams are often fighting with one hand tied behind their back. Even a happy, well-oiled department may feel frazzled and burned out on a regular basis. But when you have to manage cybersecurity in a toxic work culture, the stress climbs up by several notches. Communication suffers, resentments build, frustrations boil over, and talented workers may even walk out the door. And your organisation’s cybersecurity suffers.

Some level of conflict is normal in any workplace. But how do you recognise a toxic work culture, and what's the antidote? Navigating a toxic environment is never easy, but our guide should help you understand how troubles begin, and what you can do to resolve them.

How to recognise a toxic workplace

Low morale, cynicism, a lack of trust in leadership, high absenteeism and high turnover are all hallmarks of a toxic work environment. Specific behaviours to watch out for include narcissistic leadership that dismisses employee concerns, hiding information, gossiping, lies, manipulation, favouritism and in some extreme cases, outright bullying.

This is certainly not a positive or productive environment to work in. In these situations, people often switch to survival mode, become defensive and focus their efforts on dodging blame or taking credit for things they haven’t done. Simple questions may result in a web of evasions and stonewalling. Individuals may be scapegoated, new practices discouraged or new ideas ignored.

Some individuals are drawn to the most destructive behaviour sets, and may seek to exploit the culture to gain undue influence or hide their own poor performance by shifting blame. Others may simply be cracking under pressure and lashing out. As a result, good workers may become less productive, and a talented cybersecurity team can feel like it’s spending more time fighting internal battles than repelling external threats.

Be honest, fair and focused

If you’re a cybersecurity lead, your first priority is to protect your team the best you can. Establish what is under your control and what isn’t. You can’t change the culture of the whole organisation, so start small, and start with yourself.

Ensure you’re setting an example for your team with fair, appropriate and scrupulous behaviour. When dealing with others, document everything. Ensure meeting notes and next steps are promptly recorded on email chains and in shared documents, making it harder for anyone to twist the truth. Conversations should be noted down and instances of questionable behaviour documented.

People who lie or manipulate will often seek to deflect questions or throw blame at others. Don’t take the bait: stay on track. You won’t make progress by playing their games. Instead, stick to relevant facts and work towards solving the problem at hand. Cyberattackers move fast: internal distractions and miscommunication at your organisation could give them the opportunity they need. Don’t give them that chance.

Security leaders can make a difference

Individual employees may not have the clout to engineer substantial change, and may need to move issues forward via HR and management. This is where security leaders can make a difference. They should be open and accountable, and work to practically influence areas that are within their control. Specifically, cyber leaders need to create a safe space for their team and enable them to do their best work. Areas to focus on include:

1. Ensuring their team feels comfortable reporting security issues or errors, and avoiding a culture of blame
2. Respecting different points of view rather than encouraging a “yes” culture
3. Introducing culture training and other development programs
4. Working with HR and line managers to deal with serious incidents or behaviours
5. Developing the management team’s “soft skills” via training – particularly important in cyber, since many senior staff have taken a technical route into management
6. Setting clear expectations of individual roles and relationships with other departments

Toxic cultures can both feed into and result from a high-pressure work environment. Arguably the biggest thing a CISO can do is making sure their team has the support they need to do their jobs. That means ensuring the board understands the pressures you face, and securing budgets to operate effectively.

Building an inclusive workplace

A lack of diversity is hurting cyber. Women only represent around 10% of the cybersecurity workforce in the Asia-Pacific region, with workers from ethnic minorities also under-represented. Working to counter discrimination and unconscious bias and building a welcoming work culture can help your organisation become more diverse and enrich your talent pool.

An inclusive cybersecurity department will also be open to other parts of the business. That means sharing information in a way that makes sense to other departments, and encouraging everyone at the company to feel they have a stake in cybersecurity. Making training enjoyable and tailored to individual teams, and regularly reminding non-technical staff that flagging issues or anomalies is not just okay, but actively encouraged, is a great way to build a positive work culture as a CISO.

A toxic work culture can be turned around

Toxic behaviour can cripple even the best equipped cybersecurity teams. Given the severity of a breach, in-fighting or other distractions that might reduce your operational effectiveness should be taken very seriously.

That doesn’t mean coming down hard is necessarily the best option. In the short term, staying focused on your business goals and recording interactions can keep your team on track. But to transform your cyber culture for the long term, change needs to come from the top. Toxic behaviours will struggle to gain a foothold in an open, accountable environment with clear goals. Change takes time, but if you celebrate your successes, learn from failures and build an inclusive and diverse team, your security posture will get stronger by day.