Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

How to Steer Your Security Organization in a Toxic Environment

Five Ways to Steer Your Security Organization in a Toxic Environment

Five Ways to Steer Your Security Organization in a Toxic Environment

Willie Sutton, the notorious bank robber, was once asked by reporter Mitch Ohnstad why he robbed banks. According to Ohnstad, he replied, “Because that’s where the money is.” Though that answer is very stark, it does provide us with an opportunity to learn an important lesson in security.

The well-known quote “write what you know” is a salient one. In the past, I have, unfortunately, been in multiple toxic environments and have learned how to navigate through them. Even in those types of environments, the security team must work to minimize risk and defend the organization from information security threats. Before we can discuss how to navigate a toxic environment, we must understand what creates one.

Causes of a toxic environment include, but are not limited to:

● Narcissistic leadership

● Withholding of information

● Gossip

● Lies

Advertisement. Scroll to continue reading.

● Manipulation

You might ask the question: Why do people withhold information, gossip, lie, and manipulate? To channel Willie Sutton: Because it works. The unfortunate reality is that some people invest more time into those activities than they do into actually working. As a result, they can become quite masterful at painting a picture that simply isn’t true. They can then use this narrative to distract from their own poor performance and bad behavior.

It goes without saying that it can be very difficult for a well-intentioned and competent person to operate in such an environment. Most of the security professionals I know are hard-working, honest team players who choose productive, constructive work over toxic game-playing. Nonetheless, even in a toxic environment, team players must do their best to protect their respective organizations.

It is in this spirit that I present five ways to steer your security organization in a toxic environment:

1. See the signs: The first step in navigating a toxic environment is to realize that you are in one. Look carefully around the organization for the signs enumerated above. Does leadership take credit when things go right and blame others when things go wrong? Does trying to get answers to simple questions feel like an interrogation? Do people build inaccurate and untrue narratives based on little to no evidence? Do people covertly or overtly manipulate situations to advance their own personal goals?  If the answer to any or all of these questions is yes, it’s time to accept the sobering news that you are in a toxic environment.

2. Document everything: I once worked for a manager who used to say, “if it isn’t written down, it didn’t happen.” When gossip, lies, and manipulation are present, everything needs to be in writing. Keep notes and minutes from meetings and conference calls and store them where they can be viewed and reviewed by everyone.  If people agree to action items, send a follow-up email with the list of action items.  If someone tells you something in passing, ensure it is recorded.  If you see illicit behavior, document it. These are some of the ways in which you can prepare yourself to refute lies and continue to improve the security posture of the organization.

3. Stay on point: When dealing with liars and manipulators, it’s important to stay on point.  When writing, on conference calls, and in meetings, stick to the facts that are relevant to the point you’re making. Any extraneous or unnecessary information only gives bad actors additional material to latch on to and further enables their lies and manipulation. This is easier said than done of course.  As tempting as it is, stick to the facts and resist the temptation to sink to the adversary’s low level.

4. Don’t take the bait: When asked clear, simple, straightforward questions that they don’t want to answer, liars and manipulators will often go on the attack in response. Rather than answer your question, they’re banking on you taking the bait, getting distracted, and engaging with them on irrelevant points.  Don’t give them that satisfaction or play into their games.  Learn to identify what is bait, how to avoid it, and how to stay on topic.  It’s the only way to make the progress you need to make in a toxic environment.

5. Have clear metrics: Although it is hard to argue with numbers and facts, some people will still try. Nonetheless, having clear, high quality metrics is an absolute requirement in a toxic environment. The best way to refute false narratives is with hard numbers. Invest the time required to identify, define, develop, calculate, and report metrics that will show both your performance and your contribution to risk reduction. Great metrics are, perhaps, the single best defense you can build for yourself to allow you to navigate and steer your security organization through a toxic environment.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem