Our research in 2020 dissected the causes of toxicity in cybersecurity and outlined that, in a practical sense, a toxic culture in cybersecurity looks like a team rife with infighting, unhappiness, and aggression between team members. Not only will this cultivate an unpleasant environment, but it also has the potential to ruin your security team’s reputation, undermine your team’s integrity, and put your organization at risk.

As it turns out, toxicity is a significant issue impacting talent attraction and retention, both of which are significant issues in cybersecurity. In 2022, research by MIT Sloan Management Review examined aspects of culture and other topics that employees frequently discussed in Glassdoor reviews. The research found that the single best predictor for employee turnover was a toxic culture. In fact, according to the research, “A toxic corporate culture was 10 times more predictive of attrition than compensation during the first six months of the Great Resignation.” Researchers defined the five attributes of a culture that make it toxic: The Toxic 5 — environments that are exclusionary, disrespectful, unethical, cutthroat, and abusive.

But what makes a good culture? How do we obtain it? And how does it benefit us? We talk about team culture in security a lot. We know that it matters. But so few of us know how to measure culture, let alone how to change culture. We speak of team culture in vague and, frankly, incorrect terms — it’s a “good, or bad, culture.” We want to hire people who “fit in” to our culture. And we find it very difficult to understand the impact of culture, believing instead that it’s this fluffy, feel-good, and optional concept. I’m not judging — far from it: I’ve been there!

Cue my colleagues Angelina Gennis and James McQuivey’s research, Introducing Forrester’s Culture Energy Model, which represents four dimensions of organizational culture: adaptability, purposefulness, commitment, and motivation. The idea is that the higher an organization scores on these dimensions, the more culture modes it can embrace, enabling more satisfying employee and organization outcomes. I am thrilled to announce that we were able to use this excellent research to showcase The State Of Security And Risk Culture Energy (Forrester client access only). Here is what we learned:

  • Security and risk teams are more motivated and purpose-driven than others. As a 25-year cybersecurity veteran, this totally checks out for me. Almost everyone I know in our industry is mission- and purpose-driven. They took on this job to protect others!
  • Security and risk teams are closer to their leaders in culture energy than other professions. In most professions, leaders generally experience a better culture energy. They get paid more, delegate, and enjoy more visibility — what’s not to love? It’s a bit different for security and risk (S&R). S&R teams are relatively small, meaning that the leaders are close to the real work. Teams benefit from the hands-on approach, which explains the smaller gap in culture energy.
  • Being in the office, versus working from home, affects culture energy levels. Only nine of 18 homeworkers are adaptable, a dimension that increases with greater alignment and collaboration with the business and that may benefit from being in an office. Working from home doesn’t impact commitment, motivation, or purpose: 14 of 18 security homeworkers are committed and motivated, and 15 of 18 are purpose-driven.
  • Future fit organizations with high IT maturity have more energized, innovative S&R teams. Customer-obsessed organizations have a future fit technology strategy that enables adaptivity, creativity, and resilience. S&R teams in those organizations feel emotionally connected to their work — they are energized and unlikely to leave, and they trust their teammates more.

Now that we know this, my task over the next 12 months is to work out how we get past toxic and other negative cultural settings — the set of behaviors, norms, rituals, and artifacts that have emerged over the prior years — and evolve into a culture high in culture energy. Stay tuned for this work!

We’re excited to announce that we’re accepting entries for The Security & Risk Enterprise Leadership Award! This is an excellent opportunity to showcase how your organization builds trust and gain recognition for your efforts. We can’t wait to see how you have transformed security, privacy, and risk management to drive trusted relationships with customers, employees, and partners to fuel your organization’s long-term success.

The deadline for submissions is Friday, August 11. To view complete award nomination criteria and submit an entry, visit here.