5 signs your security culture is toxic (and 5 ways to fix it)

If a company’s culture is the heart and soul of an organization, then its security culture is its omnipresent guardian.

More than just policies and procedures put in place, a company’s security culture is that “social” operating system that influences and guides employees to integrate security awareness and behaviors into their daily lives. When the security culture starts to break down, whether inside the security team itself or between the security team and the rest of the organization, it can lead to a toxic environment of lax cyber practices, cynicism and finger-pointing.

Industry leaders offer five tell-tale signs that your security culture is toxic, and how to get the security culture you want.

5 signs of a toxic security culture

They’re playing the blame game

When a significant incident happens, the focus in a toxic environment immediately goes to who’s to blame, says Rob Clyde, ISACA board director and past chair who has been involved with ISACA’s annual Cybersecurity Culture Report, due out this fall. The organization looks for a scapegoat – someone to fire. “Look at the average tenure of the leadership. If it’s less than three years, that’s a likely warning sign,” he says.

The average tenure of a CISO is less than three years, according to a 2019 survey of 408 CISOs by Nominet. Nearly a third of respondents (30%) say it’s less than two years. “You end up with an organization in a constant state of flux,” Clyde says.

Cynicism grows

Cynicism is the easiest toxic behavior to spot, says Karen Worstell, CEO of W Risk Group and founder of MOJO Maker for Women in Tech. “When you hear people talk about management or life in a cynical way – that’s red flags all over the field. It shows there’s stress and distress, and that there’s a sense that people feel like they don’t have any kind of agency over affecting the outcome for what they’re made accountable for. When people don’t have a way to manage that and contain it, then it starts to overcome people’s perspective.”

Presenteeism, or doing just enough to get by, also indicates that a security environment is toxic, and follow-through and attention to detail start to fail, she says.

Internal vulnerabilities increase

When the security culture starts to go awry, metrics will show tell-tale signs, such as an increase in internal vulnerabilities, says Wesley Simpson, chief operating officer of (ISC)². “We know that 20% of breaches happen within the organization and come from the employees. Are you seeing, month over month, more employee-centered vulnerabilities coming from within the organization than normal?” That could be a sign that employees are either uninformed or simply don’t care about proper security hygiene, Simpson says. Higher attrition rates and turnover also point to dissatisfaction on the job.

The answer is usually “no”

If the first answer out of the CISO’s team’s mouth is “no,” it’s a toxic environment, says Kevin Richards, global head of cyber risk consulting at Marsh LLC. When rebuked, people find ways to circumvent the security department, which creates myriad unknown security risks.

He points to the case of an ad agency CISO who acquiesced to clients who wanted to run 15 to 20 cloud environments for each client project because the client didn’t want to deal with its own internal security team. “It’s easier for them to just give [the ad agency] the base data and do it themselves,” he says.

For most employees, “they’ve been told no so many times that they find a different way to do it,” Richards says. “How many people have spun up their own collaboration capabilities because it was too hard to do it ‘the right way’ within their own company?  They’re not trying to be malicious or to add risk to the company, they’re just trying to do their job.”

The security organization is siloed

When the security organization is too insular and focused on security in a silo, it isn’t encouraged to drive relationships and network more broadly across the organization, says Emily Mossburg, principal in Deloitte & Touche LLP, where she is the advisory and implementation services leader for Deloitte Cyber.

“It creates boundaries between security and the rest of the organization and stifles thinking,” Mossburg says. “Sometimes there’s fear about a loss of power and the fate of the security organization as pressures come from across the organization, so the tendency is to be insular and to control the information. But being insular creates a toxic environment. It’s almost like the cyber team against the rest of the organization.”

How to get the security culture you want

Real culture change can take years to accomplish, but there are several steps that can be taken now to begin putting a derailed cybersecurity culture back on track.

Help the security team take perspective

Inside the security team, leaders should learn how to take a situation that looks impossible or never-ending and “look at it from other angles to see what creative things we can do about it,” Worstell says. “Focus on what’s within our sphere of control. How can we reframe this into another perspective that doesn’t put the burden all on the individual?” 

Find ways to say “yes”

Security leaders should actively help the organization find ways to do their jobs better within the construct of security guidelines. More often than not, employees will follow those suggestions if they understand why it makes the company more secure, Richards says.

Take conferencing services, for example. There are 12 to 15 conference bridge services out there, so why must they go with the company’s chosen service? “It might seem benign to the average user, but when we’re sharing project data or confidential information, if that gets out inappropriately or if something goes wrong at a highly regulated company, we’re screwed,” Richards says. “It’s not uncommon for users not to understand all the ramifications of using one or the other, but that’s the job of the CISO to think through all those things” and provide education and options, he says.

Have a cybersecurity culture management plan

In 2018, 42% of organizations did not have an outlined cybersecurity culture management plan or policy that describes security objectives, education and employees’ personal responsibility, according to a survey of 4,800 business and technology professionals by ISACA. It’s the first step toward a cybersecurity culture, Clyde says.

Dedicate funds for cybersecurity training and tools

Organizations that report a significant gap between their current and desired cybersecurity culture spend just 19% of their annual cybersecurity budget on training and tools, while organizations that believe their cybersecurity culture is where it is supposed to be are spending more than twice as much (43%).

“The best thing you can do to improve your culture is invest in your people,” Clyde says. “We need to resist the temptation to add more staff (to address cybersecurity problems) instead of investing in the people we have.” 

Renew relationships with the business

Security leaders need to be more open, more networked, and more transparent with the rest of the organization to create a proactive rather than reactive security culture, Mossburg says. When they do, “they’re going to meet their mission more easily.”