Co-Author: Jinan Budge is principal analyst serving Security & Risk professionals at Forrester
As soon as I caught wind that my brilliant colleague Heidi Shey was writing a report on retaining cybersecurity talent, I knew I wanted to collaborate. Specifically, I wanted to bring to the table the importance of a healthy culture that compels your top talent to stay. While remuneration is important in attracting talent, its impact on retaining that talent becomes limited over time. This means you need to create an environment that compels your staff to stay by moving beyond financial rewards, making work-life flexibility a priority, and cultivating a strong team culture. You’ll find advice on how to develop and retain cybersecurity talent in our latest research.
As Heidi and I dug deeper into ways to cultivate a strong team culture, we realized that we also needed to address the topic of toxicity within security teams. A toxic team culture causes the team to lose steam on critical cybersecurity projects. What does a toxic culture look like in practice? A team rife with infighting, unhappiness, and aggression between team members.
Identifying the Causes of Toxicity
I posted a LinkedIn post asking about the causes of toxicity. The discussion in this post sadly revealed that many of us are experts on the subject. We received and analyzed 200 contributions from 76 different people. I wanted to give a voice to this issue, and this can be found in our latest research, “Fix Toxic Security Culture Before It Kills Your Innovation” (available to Forrester clients). We analyzed the top 10 causes of toxicity for security teams. Below is a work cloud of the most common causes of toxicity found within the responses.
Address Toxic Culture Head On
What does this mean? As a CISO or security leader, you must address toxic culture head on and eliminate the source to not only retain security talent but also to create an attractive environment for team members, maintain your team’s reputation, alleviate risks to your organization, and encourage innovation. To address toxicity, our research showed that you need to:
Acknowledge that toxicity exists and deal with it directly. Tempting as it is to bury your head in the sand and hope that the problem will go away, don’t do it. Instead, create an environment where you have an honest relationship with your team and listen to them. Use these relationships to identify the causes of toxicity — they could be occurring because an employee is having a horrible family situation, in which case you’ll need to offer counseling. Or your employee may be suffering from the “hero complex,” which requires an entirely different strategy on your part.
Fix the hero complex as soon as you spot it. Unfortunately, this is a common problem in security teams. Our interviewees described teams rife with individuals who talk and act as if they are invincible, know everything, or are misunderstood geniuses. These individuals can be identified as early as the interview process, but if you miss it, call it out immediately, offer ways for them to correct it, and be prepared to act if they don’t.
Take personal responsibility for toxicity, as empathy and people leadership are your No. 1 priorities. When we asked people what the top causes for toxicity in security were, many of the top 10 causes were related to frustration with leaders. Respondents noted: 1) the lack of organizational support for security; 2) low leadership maturity of their CISO; 3) lack of role clarity; 4) poor communication skills; 5) lack of security strategy; and 6) the inability of leaders to create team buy-in.
Make the case for investing in yourself and people management. You have a central role in motivating and cultivating meaningful work for your team, which in turn drives retention. Seek executive coaching for yourself and your team on how to build mental toughness by first understanding your own performance as well as your workplace behaviors, motivation, and environment.
Above all, make empathy one of your leadership superpowers! As a leader in security, as in any leadership position, people don’t care how much you know until they know how much you care. You will need to consistently demonstrate empathy and leadership and compassion for your people to create an environment where they thrive.