Management & Strategy

Five Ways to Steer Your Security Organization in a Toxic Environment

Willie Sutton, the notorious bank robber, was once asked by reporter Mitch Ohnstad why he robbed banks. According to Ohnstad, he replied, “Because that’s where the money is.” Though that answer is very stark, it does provide us with an opportunity to learn an important lesson in security.

The well-known quote “write what you know” is a salient one. In the past, I have, unfortunately, been in multiple toxic environments and have learned how to navigate through them. Even in those types of environments, the security team must work to minimize risk and defend the organization from information security threats. Before we can discuss how to navigate a toxic environment, we must understand what creates one.

Causes of a toxic environment include, but are not limited to:

● Narcissistic leadership

● Withholding of information

● Gossip

● Lies

● Manipulation

You might ask the question: Why do people withhold information, gossip, lie, and manipulate? To channel Willie Sutton: Because it works. The unfortunate reality is that some people invest more time into those activities than they do into actually working. As a result, they can become quite masterful at painting a picture that simply isn’t true. They can then use this narrative to distract from their own poor performance and bad behavior.

It goes without saying that it can be very difficult for a well-intentioned and competent person to operate in such an environment. Most of the security professionals I know are hard-working, honest team players who choose productive, constructive work over toxic game-playing. Nonetheless, even in a toxic environment, team players must do their best to protect their respective organizations.

It is in this spirit that I present five ways to steer your security organization in a toxic environment:

1. See the signs: The first step in navigating a toxic environment is to realize that you are in one. Look carefully around the organization for the signs enumerated above. Does leadership take credit when things go right and blame others when things go wrong? Does trying to get answers to simple questions feel like an interrogation? Do people build inaccurate and untrue narratives based on little to no evidence? Do people covertly or overtly manipulate situations to advance their own personal goals? If the answer to any or all of these questions is yes, it’s time to accept the sobering news that you are in a toxic environment.

2. Document everything: I once worked for a manager who used to say, “If it isn’t written down, it didn’t happen.” When gossip, lies, and manipulation are present, everything needs to be in writing. Keep notes and minutes from meetings and conference calls and store them where they can be viewed and reviewed by everyone. If people agree to action items, send a follow-up email with the list of action items. If someone tells you something in passing, ensure it is recorded. If you see illicit behavior, document it. These are some of the ways in which you can prepare yourself to refute lies and continue to improve the security posture of the organization.

3. Stay on point: When dealing with liars and manipulators, it’s important to stay on point. When writing, on conference calls, and in meetings, stick to the facts that are relevant to the point you’re making. Any extraneous or unnecessary information only gives bad actors additional material to latch on to and further enables their lies and manipulation. This is easier said than done, of course. As tempting as it is, stick to the facts and resist the temptation to sink to the adversary’s low level.

4. Don’t take the bait: When asked clear, simple, straightforward questions that they don’t want to answer, liars and manipulators will often go on the attack in response. Rather than answer your question, they’re banking on you taking the bait, getting distracted, and engaging with them on irrelevant points. Don’t give them that satisfaction or play into their games. Learn to identify what is bait, how to avoid it, and how to stay on topic. It’s the only way to make the progress you need to make in a toxic environment.

5. Have clear metrics: Although it is hard to argue with numbers and facts, some people will still try. Nonetheless, having clear, high quality metrics is an absolute requirement in a toxic environment. The best way to refute false narratives is with hard numbers. Invest the time required to identify, define, develop, calculate, and report metrics that will show both your performance and your contribution to risk reduction. Great metrics are, perhaps, the single best defense you can build for yourself to allow you to navigate and steer your security organization through a toxic environment.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
