The phrase “toxic offices” was first used in a 1989 nursing leadership guide and has been a prevailing theme in the public mood for years. Discussion of office frustration reached a fever pitch with the advent of social media. Disgruntled employees took to the internet to share their experiences with aggressive managers, unrealistic expectations, exhausting workdays, and a plethora of other, less important complaints.
Therefore, it might be argued, the meaning of the term has been diluted. Certainly, there are differences between being constantly berated by a supervisor for insignificant infractions, or refusals to accommodate an employee’s personal commitments, and the occasional request for overtime or the expectation of following uncomfortable social conventions.
Even if the intended meaning has drifted, the conversation on office toxicity has identified a range of prevailing tendencies that have significant repercussions both for people and for the companies they work for. For a variety of reasons, toxicity appears to be particularly harmful in this profession, and security is no exception.
The security shortage is likely to make things worse because small teams are expected to carry heavy loads, and their managers are expected to bear the weight of the consequences of any errors that might arise. This zero-failure culture results from a fragmented structure in which security professionals are isolated from other parts of an organization and expected to carry the entire burden of security against attacks without any assistance. Individuals are held accountable for events that are in fact the result of institutional failures, which are never addressed.
This is exacerbated by a general lack of people skills among managers and poorly executed communication. These traits contribute to a bullying managerial culture, a demoralized workforce, burnout, high turnover rates, and ultimately, a higher risk of breaches.
InformationWeek brings together Rob Lee, director of research at the cybersecurity training company SANS Institute, and Chloé Messdaghi, founder of responsible AI and cybersecurity consultancy SustainCyber, to discuss the factors that contribute to toxic cybersecurity environments and the actions that CISOs and other IT leaders should take to correct them.
Tech Over People
One of the first organizational mistakes that can lead to toxicity in the cybersecurity workforce is an emphasis on packaged solutions. With little effort or investment, slick marketing and quick-talking salespeople can easily persuade anxious executives to purchase supposedly comprehensive cybersecurity packages that offer protection from outsiders. But even the most well-designed package requires maintenance by cybersecurity professionals.
According to Lee, “90% of the cybersecurity market is product-based.” “You can have an amazing Boeing strike fighter, but you still need a pilot to run it.”
Because the demands of this work are not understood, understaffed and underfunded departments can be expected to keep up with unrealistic expectations. CISOs are thus compelled to pressure their employees to perform beyond their capabilities, and toxicity soon results.
Siloed Security
Even when a cybersecurity team is given a fair amount of money and some degree of agency in an organization’s strategy for protecting its assets, their effectiveness is limited when security is left entirely under their control. If an organization does not implement top-down practices such as multi-factor authentication and education on phishing scams, it regularly falls to the cyber team to clean up preventable messes. This may cause the focus to shift away from other proactive measures.
When the organization is attempting to foster innovation and freedom, there are conflicts, Lee says. “Security still has to do monitoring and restrict access.”
Silos develop within cyber teams themselves, too. Different teams might have very different objectives when they are focusing on compliance, risk assessment, and operations. If they are not in regular communication, those priorities cannot be reconciled. This creates even more conflict and inefficiency.
Resources Versus Reality
The availability of both staff and funding can negatively affect a cybersecurity work environment. Even under the best management, tiny teams that are faced with significant defense tasks are likely to feel overwhelmed and underappreciated. Understaffed cyber teams are frequently the result of underfunding.

Chloé Messdaghi, SustainCyber
“When you approach the board or the executive team, they’ll say, ‘No, it’s not needed. We don’t need more funds,’” Messdaghi relates. “They don’t comprehend the significance of security. They see it as setting money on fire.”
Despite the exponential rise in threats, one study found that cybersecurity budgets were only projected to increase by 11% between 2023 and 2025, putting the burden on already stretched cybersecurity teams to make up the difference. These unrealistic expectations are likely to lead to employees being burned out.
But that is not the whole picture: Burnout also comes from bad leadership. “Burnout is not caused by your workload. It’s about leadership and a lack of communication,” Messdaghi argues.
Toxic Personalities in Management
No matter the industry, toxicity descends from top management to the youngest of the staff. This appears to be particularly true in cybersecurity. One of the worst traits of senior leadership seems to be apathy, meaning that they are completely uninterested in cybersecurity.
This could lead to underfunding or band-aid arrangements that make teams scramble to make up for lost revenue. These types of executives dismiss admonitions to implement password security procedures and phishing tests across the organization, considering them to be meaningless exercises.
When cyber teams do raise relevant issues with management, they may be dismissed or treated as irritations rather than people who are attempting to do their jobs. Additionally, when errors do occur, they are directly attributed to these understaffed and underfunded teams.
Even if upper management is encouraging sound practices, cybersecurity team leaders themselves can contribute to toxic environments. Micromanaging employees, publicly or privately abusing them with demeaning or profane language, and refusing to listen to their concerns can lead to disengagement, adversarial relationships and decreased performance.
Research has identified such managers as ““, so involved with their own sense of importance in the organizational scheme that they feel entitled to these behaviors. Due to the small size of many cyber teams, their toxicity is not spread across many employees, and their few subordinates bear the brunt of their actions. This may affect their subordinates more directly.
These behaviors may be made worse by the lack of skilled cybersecurity employees because they are still valuable even if they lack interpersonal skills and behave in an abusive manner.
And some instances of leadership toxicity may be the result of managers not having the necessary training to perform their duties. “CISO burnout is extremely real,” Lee says. Many people are saying, “I’m never doing this job again,” according to the spokesperson.
The consequences of a good manager’s departure from their position due to toxic behavior by their superiors can be devastating for the entire organization. “They’ll take half the team with them,” Lee says.
Toxic Tendencies in Cyber Teams
Even though executives’ and managers’ behaviors can be poisonous, some of the toxic behavior in cybersecurity workforces can be caused by the teams themselves.
The so-called “,” where highly skilled employees take on incredibly high workloads, is a common toxic inclination. This can lead to resentments on both sides of the equation. The “hero” may dislike what they believe is an unfair burden, carrying the weight of salaried employees with little work. And other employees may resent the comparison to “heroes”, whose work ethic they feel unequipped to match. Some heroes may act as bullies, feeling entitled to push other people out of their way to finish their work, and others may feel bullied themselves, forced to bear the consequences of their coworkers’ incompetence.
Due to the history of competition in the sector, which started with early hackers, this personality type may be more prevalent in cybersecurity teams. Hierarchies based on achievements, such as medals, have been reinforced by the entry of ex-military members into the workforce.
The prevalence of these personality types has, likely unintentionally, led organizations to feel comfortable with understaffed cybersecurity departments because the work does ultimately get done, even if it is only by a few people working under unsustainable pressures. However, it also leads to a single point of failure: When a hero finally blunders, the entire endeavor crashes.
Blaming and Shaming
Blaming individuals for security events is a hallmark of toxic cybersecurity culture. Events can frequently be attributed to a single action by an employee, but they are typically the result of a malfunctioning system, something that cannot be caused by just one person.
Executives who don’t understand the cybersecurity landscape may find it more difficult to blame others for the zero-intrusion mindset that they have. Intrusions are a near inevitability, even in scrupulously maintained environments. Instead of praise for those who are in charge of containing these events for their effective work, the result is resentment and anger.

SANS Institute, Rob Lee
“There’s this assumption that someone did something wrong,” Lee says. There are no medals awarded for preventing the intrusion before it causes a devastating impact.
This type of behavior can have even further consequences. Employees who are aware of their mistakes or have been held accountable for their own mistakes are more likely to conceal errors than to bring them to the attention of their superiors, which is likely to make a potential breach worse.
According to Messdaghi, “there are always going to be people who are curious and want to work on improving themselves.” “And then you’re going to have people who are going to blame others for their wrongdoings.”
Effects on Employees
Toxic cybersecurity environments can have substantial effects on the physical and mental health of employees. Stress and anxiety are prevalent, with some cases resulting in suicidality or other more severe effects. of the industry found that over half of respondents had been prescribed medication for their mental health. According to Forrester’s research, conflicts, infighting, and bullying can become more frequent in a vicious feedback loop.
These things can lead to apathy toward the job, leaving the team, and eventual industry resurgence. Nearly half of cyber leaders are expected to change jobs this year according to a . Additionally, expectations of flawless performance increase staffing issues. There may be little interest in entry-level employees due to their perceived lack of skills even as more experienced staff head for the door.
And stress is only growing: 66% of cybersecurity professionals said their job was more stressful than it was five years ago according to a .
Risks Created by Toxicity
According to a study by Bridewell, 64% of respondents to a of cybersecurity professionals working in the national security infrastructure experienced declines in productivity as a result of stress.
The apathy, annoyance, stress, and eventual burnout of toxic cybersecurity workplaces create prime conditions for breaches. Errors increase. Team members lose more and more time fighting for organizations that don’t give a damn about their well-being. Rapid turnover ensues, decreasing team stability and the institutional knowledge that comes with it.
A 2024 found that teams who were emotionally disengaged from their work experienced almost three times as many internal incidents. And nearly four times as many internal incidents were experienced by those who feared retribution for errors. These conditions exacerbated the risk of external attacks as well.
Fixing the Problem
It’s difficult to address toxicity in cybersecurity, not least because the term is vague. Distinguishing toxicity from acceptable workplace pressures is highly subjective.
CISOs and IT leaders can institute a number of practices to ensure that cyber teams are getting the resources and support they need. Regular meetings with superiors, anonymous surveys, and open discussions can produce useful feedback, and if it is put into practice, it can lead to more favorable and productive conditions.
Even the best cyber managers can only take on so much of the unrealistic pressures and organizational failures, which can put a lot of pressure on them. If resources and time are not allocated appropriately, toxicity is likely to fester despite the best efforts of everyone involved.
“People who are open and good communicators, these are the best qualities I see,” Messdaghi says. “They don’t need to be particularly technical, they don’t. They just need to be there to support the employees and get them what they need.”