Featuring:

Jinan Budge, Principal Analyst

Show Notes:

Managers storming out of meetings. Chairs thrown across the room. Infighting and bullying so bad it leaves employees in tears. What makes the culture in a security organization more toxic than in other corporate organizations? That’s the question we explore with Principal Analyst Jinan Budge in this episode of What It Means.

Workplace toxicity isn’t new, but when Budge started trying to document it in the security organization through surveys and interviews, the response was overwhelming in terms of both volume and detail. “For example, one of the [causes of toxicity] that surprised me most is the lack of organizational support for security,” she says. “Of course, people are unhappy working in a culture where security is seen as a tax or a nuisance. That then creates all sorts of downstream impacts.”

The episode goes on to call out and discuss other top causes of toxicity in the security field, including:

  • The hero or messiah complex.
  • Lack of diversity in the security function.
  • Low leadership maturity in security.

What’s the impact of a toxic culture? For starters, it makes it difficult to keep talent. But even if you can keep staff on, Budge points out that “a toxic team is going to be so busy [dealing with infighting issues] they are not going to be out there innovating … They will be walking around in a cloud of misery and not able to engage properly.” And that could put their firms at risk.

So, what can be done to resolve the issue? Budge provides some blunt advice for CISOs and security leaders who may have a toxic culture in their organization: Start by simply recognizing the issue and naming it publicly instead of ignoring it. In an informal poll Budge conducted, 65% of security professionals said they wouldn’t or didn’t know how to speak out about toxicity in their organization. Having a whistleblower hotline to report issues can help bring toxic environments to the forefront.

In some organizations, the issues could be resolved by removing one or two key people, but Budge says the real “superpower” that can resolve toxicity for the long term is empathy. “Empathy is about listening more than speaking,” she says, adding that CISOs and security leaders going on listening tours where employees are encouraged to speak honestly can help bring real issues to light. “And I do think there is space for each of use to hold up a mirror … embracing the ideas of our coworkers especially if they’re different than yours.”

The episode wraps up with descriptions of the recent CyberShift event in Australia and a global initiative called Respect In Security.

To learn more about this topic, be sure to check out the session “The Mechanics of Cultural Change” at the upcoming Security & Risk event November 9-10 in Washington, DC or online.