Drowning in toxic cybersecurity culture

From Bits to Bias: Unveiling the Hidden Dangers of Toxic Cyber Cultures

Robert Wood

On the Soft Side of Cyber, we've talked about what makes up a strong culture. This is also the final article in our short series on diversity, equity, and inclusion (DEI). We started this series with the different layers of diversity and the benefits of a diverse team. Next, how leaders can foster greater equity (not equality) within their teams. Then most recently, we talked about some practices to make the team more inclusive.

Peter Drucker once said, "Culture eats strategy for breakfast."

Culture is powerful, especially one that embraces DEI and helps it thrive. In this article, though, I'd like to focus on what makes a culture toxic. I'll also provide some ways to spot if you work inside one.

Signs of a Toxic Culture

When you're in an organization, look out for these things. They might be telling you that you're working in an unhealthy culture. This is by no means exhaustive. But it will give you a place to start looking.

  • Favoritism and cliques: The group of favorites or the "inner circles" indicates a lack of equity. This kind of relationship dynamic pushes people away and makes them feel excluded.
  • High turnover and low employee engagement: People want to avoid staying in a toxic culture. The same goes for their interaction with it. In some ways, this is a very obvious outcome-oriented manifestation.
  • Discrimination and biased engagement: Does your team have a "bro" culture? Are the only get-together times happy hours? Are the managers only hiring or promoting their friends? These all might be signs of discrimination impacting employee engagement.
  • Stagnant career growth: Do employees from diverse backgrounds keep getting stuck? Is there a glass ceiling for people not in the boss's inner circle?
  • Inadequate feedback and communication: Everyone should have access to effective feedback to improve. When you never get feedback, never step back to learn, or people are unwilling to speak up, that's a red flag.
  • Chronic emergencies: If everything is an emergency, nothing is an emergency. Emergencies are stressful, so if there's always a fire to put out, then stress will be everywhere. This points to a need for clearer priorities or mounds of technology or organizational debt.
  • Office gossip: Gossip, at its core, is about talking about someone behind their back. If this has become a favorite pastime in the office, that's problematic. This points to deeper issues around unhealthy communication styles.

Red Flags for Cyber Teams

The above areas are all more general to an unhealthy work culture. This section will focus on red flags more specific to a cybersecurity team. Why is that necessary? I've seen these things happen enough to know that it's a problem in our field.

  • Blaming and finger-pointing: Everyone has a job, and only some are security experts. Even experts make mistakes sometimes. Blaming another team member, like a developer who has a bug in their code, fuels "us versus them" thinking. The same dynamic plays out with victims of phishing emails all too often.
  • Overreaction to risk: Everything can't be a P0. Not all risk is bad, and it's inevitable. Leaders who overreact to the slightest bit of risk fuel stress. This also drives more reactive over proactive thinking.
  • Shame game: Calling out someone who made a mistake and making them feel small is toxic. If we ever going to be effective enablers, we need to come alongside others, shoulder to shoulder.
  • Shelfware: Does your team buy many tools but never use them to their full potential? What if they never get used at all? This is all too common in cybersecurity, and it steals focus and budget, both of which are valuable.
  • Self-importance: Cybersecurity isn't the most critical thing in your organization. It can't be. It's always going to play a supporting role in some mission. I've seen many in cybersecurity who believe their work is more important than any other function. Ego drives them, not sound operating principles.

What Harm Can a Toxic Culture Have?

A lot.

This brings us back to the Peter Drucker quote at the beginning of this article. Culture is vital to an organization's success. A study from SHRM cited several findings that jumped out to me:

  • Almost half (49 percent) of employees have considered leaving their current organization.
  • Turnover due to culture may have cost upward of $223 billion over the past five years.
  • 76% of Americans point to their manager as setting the culture. Only 36% of those people say those same managers don't know how to lead a team.

This study came out in 2019, and things have only gotten crazier. Another survey from HWI conducted during the great resignation looked at toxic culture. This cited that 34% of people voluntarily left their jobs during the pandemic. Of that, 28% cited toxic culture and mental health as their primary reason.

Surveys have bias, so we should take these citations with a grain of salt regarding specifics. Still, if we look at the themes of the findings, it's pretty alarming.

Major takeaway: A toxic culture hurts your organization and your people.

Concluding Thoughts

As a leader, you should pay attention to the culture you're helping create. You shouldn't put up with a toxic culture as a team member. We can do better, and I hope this article helped shed some light on what it means to be in a toxic culture. We'll continue to explore the aspects of a strong culture and how to make them even better in future posts.