“Toxic workplaces” have been a prevailing theme in the zeitgeist for decades — the phrase was first used in a 1989 nursing leadership guide. Discussion of workplace dissatisfaction reached a fever pitch with the advent of social media. Disgruntled workers took to the web, sharing their experiences of abusive managers, unrealistic expectations, grueling hours — and a plethora of more minor complaints as well.
Thus, it might be argued, the meaning of the term has been diluted. Surely, there are differences between being regularly berated by a supervisor for insignificant infractions or refusals to acknowledge an employee’s personal commitments and the occasional request for overtime or expectations of inconvenient social conventions.
Even if the intended meaning has drifted, the discourse on workplace toxicity has identified a range of prevailing tendencies that have severe consequences both for employees and the organizations they work for. Cybersecurity is no exception — and toxicity appears to be particularly pernicious in this profession for a variety of reasons.
It is likely exacerbated by the cybersecurity shortage — small teams are expected to carry heavy workloads, and their managers bear the brunt of the consequences for any failures that occur. This zero-failure mentality results from a siloed structure in which cybersecurity professionals are isolated from other parts of an organization and expected to carry the entire burden of protection from attacks without any assistance. Individuals are blamed for events that in reality result from institutional failures — and those failures are never addressed.
This is exacerbated by a general lack of people skills among managers and poorly executed communication. These factors lead to a bullying managerial culture, demoralized staff, burnout, high turnover rates — and ultimately, a greater likelihood of breaches.
Here, InformationWeek looks at the factors contributing to toxic cybersecurity environments and the steps that CISOs and other IT leaders should take to correct them, with insights from Rob Lee, chief of research at cybersecurity training company SANS Institute; and Chloé Messdaghi, founder of responsible AI and cybersecurity consultancy SustainCyber.
Tech Over People
One of the first organizational mistakes that can lead to toxicity in the cybersecurity workforce is an emphasis on packaged solutions. Slick marketing and fast-talking salespeople can easily lead anxious executives to purchase supposedly comprehensive cybersecurity packages that offer assurances of protection from outside attackers with very little work or additional investment. But even the most well-designed package requires maintenance by cybersecurity professionals.
“Ninety percent of the cybersecurity market is product based,” Lee says. “You can have an amazing Boeing strike fighter, but you still need a pilot to run it.”
The failure to understand the demands of this work can lead to underfunded and understaffed departments expected to keep up with unrealistic expectations. CISOs are thus compelled to pressure their employees to perform beyond their capabilities, and toxicity soon results.
Siloed Security
Even in cases where cybersecurity teams are reasonably funded and given a degree of agency in an organization’s approach to protecting its assets, their efficacy is limited when the entire burden falls to them. If an organization does not implement top-down practices such as multi-factor authentication and education on phishing scams, it regularly falls to the cyber team to clean up preventable messes. This can shift focus from other proactive measures.
“There are conflicts when the organization is trying to enable innovation and freedom,” Lee says. “Security still has to do monitoring and restrict access.”
Siloes develop within cyber teams themselves, too. Teams focused on compliance, risk assessment, and operations may have very different priorities. If they are not in regular communication, those priorities cannot be reconciled. This leads to further conflict and inefficiency.
Resources Versus Reality
The availability of both staff and funding can negatively affect a cybersecurity work environment. Tiny teams faced with massive defense tasks are likely to feel overburdened and underappreciated, even under the best management. Understaffed cyber teams are frequently the result of underfunding.
Chloé Messdaghi, SustainCyber
“When you go to like the board or the executive team, they’ll say ‘No, it’s not needed. We don’t need more funds,’” Messdaghi relates. “They don’t understand why security is important. They see it as setting money on fire.”
One study found that cybersecurity budgets were only expected to increase by 11% from 2023 to 2025 despite the exponential rise in threats, putting the onus on already strained cybersecurity teams to make up the difference. These unrealistic expectations are likely to lead to employees being burned out.
But that is not the whole picture: Burnout also comes from bad leadership. “Burnout is not caused by the amount of work you have. It’s about leadership and a lack of communication,” Messdaghi argues.
Toxic Personalities in Management
Toxicity trickles down — from management to the most junior of employees, no matter the industry. This appears to be particularly true in cybersecurity. One of the worst traits in upper management appears to be apathy — simply not caring much about cybersecurity at all.
This can lead directly to underfunding or band-aid solutions that leave teams scrambling to compensate. These types of executives dismiss admonitions to implement password security procedures and phishing tests across the organization, considering them to be meaningless exercises.
When cyber teams do raise relevant issues with management, they may be dismissed or treated as irritations rather than people who are attempting to do their jobs. Further, when errors do occur, they are pinned squarely on these underfunded and understaffed teams.
Cybersecurity team leaders themselves can contribute to toxic environments, even if upper management is supporting solid practices. Micromanaging employees, publicly or privately abusing them with demeaning or profane language, and refusing to listen to their concerns can lead to disengagement, adversarial relationships, and decreased performance.
Research has identified such managers as “petty tyrants,” so involved with their own sense of importance in the organizational scheme that they feel entitled to these behaviors. Their behaviors may more directly affect their subordinates due to the small size of many cyber teams — their toxicity is not diffused across many employees and their handful of subordinates bear the brunt.
These behaviors may be further exacerbated by the shortage of skilled cybersecurity employees — someone who is able to manage a team on a technical level remains valuable even if they lack people skills and do so in an abusive fashion.
And some leadership toxicity may simply be the result of managers not being enabled to do their jobs. “CISO burnout is extremely real,” Lee says. “There are a lot of people saying, ‘I’m never doing this job again.’”
When good managers leave due to toxicity from their superiors, the effects can be devastating for the entire organization. “They’ll take half the team with them,” Lee says.
Toxic Tendencies in Cyber Teams
As poisonous as the behaviors of executives and managers can be, some of the toxicity in cybersecurity workforces can come from within the teams themselves.
A prevailing toxic tendency is the so-called “hero complex” — highly skilled employees shoulder enormous workloads. This can lead to resentments on both sides of the equation. The “hero” may resent what they perceive to be an unfair burden, carrying the weight of less-invested employees. And other employees may resent the comparison to “heroes,” whose work ethic they feel unequipped to match. Some heroes may become bullies, feeling entitled to push others out of their way in an effort to get their work done, and others may feel bullied themselves, forced to shoulder the consequences of the incompetence of their colleagues.
This personality type may be prevalent in cybersecurity teams due to the history of competition in the industry, beginning with early hackers. Hierarchies based on achievements — such as medals — have been reinforced by the entry of ex-military members into the workforce.
The prevalence of these personality types has, likely unintentionally, led organizations to feel comfortable with understaffed cybersecurity departments because the work does ultimately get done, even if it is only by a few people working under unsustainable pressures. But it also creates single points of failure: When one hero finally slips up, the whole enterprise comes crashing down.
Blaming and Shaming
Blaming individuals for security events is a hallmark of toxic cybersecurity culture. While events can often be traced to a single action by an employee, those actions are typically the result of a defective system that cannot be attributed to one person.
The zero-intrusion mindset that prevails among executives who do not understand the cybersecurity landscape can exacerbate the blame game. Intrusions are a near inevitability, even in scrupulously maintained environments. Coming down on the people who are responsible for containing these events rather than congratulating their effective work at containing them is going to result in resentment and anger.
Rob Lee, SANS Institute
“There’s this assumption that someone did something wrong,” Lee says. “There are no medals awarded for stopping the intrusion before it does something devastating.”
This type of behavior can have even further consequences. Employees who know they will be excoriated if they make a mistake, or who have been faulted for the mistakes of others, are likely to conceal an error rather than bring it to the attention of their superiors, which is likely to make a potential breach even worse.
“There are always going to be people who are curious and want to work on improving themselves,” Messdaghi observes. “And then you’re going to have people who are going to blame others for their wrongdoings.”
Effects on Employees
Toxic cybersecurity environments can have substantial effects on the physical and mental health of employees. Stress and anxiety are common, in some cases leading to more severe consequences such as suicidality. One study of the industry found that over half of respondents had been prescribed medication for their mental health. Conflicts, infighting, and bullying can increase in a vicious feedback loop, according to research by Forrester.
These factors can result in apathy toward the job, leaving the team, and eventual exit from the industry entirely. Nearly half of cyber leaders are expected to change jobs this year, according to a 2023 Gartner report. Simultaneously, unrealistic performance expectations lead to further staffing problems. There may be little interest in entry-level employees due to their perceived lack of skills, even as more experienced staff head for the door.
And stress is only growing — 66% of cybersecurity professionals said their job was more stressful than it was five years ago, according to a 2024 survey.
Risks Created by Toxicity
According to a study by Bridewell, 64% of respondents to a survey of cybersecurity professionals working in national security infrastructure saw declines in productivity due to stress.
The apathy, annoyance, stress, and eventual burnout that result from toxic cybersecurity workplaces create prime conditions for breaches. Errors increase. Team members become less invested in protecting organizations that do not care about their well-being. Rapid turnover ensues, decreasing team stability and the institutional knowledge that comes with it.
A 2024 Forrester report found that teams who were emotionally disengaged from their work experienced almost three times as many internal incidents. And those that lived in fear of retribution for errors experienced nearly four times as many internal incidents. These conditions exacerbated the risk of external attacks as well.
Fixing the Problem
Addressing toxicity in cybersecurity is a tricky proposition — not least due to the vagueness of the term. Distinguishing toxicity from acceptable workplace pressures is highly subjective.
CISOs and IT leaders can institute a number of practices to ensure that cyber teams are getting the resources and support they need. Regular meetings with superiors, anonymous surveys and open conversations can elicit useful feedback — and if that feedback is actually implemented, it can create more positive and productive conditions.
Even the best cyber managers can only do so much to address unrealistic pressures and failures across the organization that result in risk. If resources and time are not allocated appropriately, toxicity is likely to fester despite the best efforts of everyone involved.
“People who are open and good communicators — these are the best qualities I see,” Messdaghi says. “They don’t need to be super technical. They just need to just be there to support the employees and get them what they need.”