The hidden dangers of a toxic cybersecurity workplace

In this Help Net Security interview, Rob Lee, Chief of Research and Head of Faculty at SANS Institute, discusses what a toxic environment looks like and how professionals can recognize red flags such as high turnover, burnout, and a pervasive fear of mistakes. Addressing these issues early is key to maintaining a healthy and effective team.

Can you describe what a “toxic cybersecurity environment” looks like? What are some of the red flags professionals should watch for?

A toxic cybersecurity environment is one where individuals feel undervalued, unsupported, or even actively undermined in their roles. This often manifests as poor communication, lack of trust among team members, micromanagement, and an excessive blame culture. In these settings, collaboration suffers, leading to siloed teams and increased inefficiency.

Red flags to watch for include high turnover rates, burnout among team members, unrealistic expectations without adequate resources, and a pervasive sense of fear or frustration. If professionals notice an environment where mistakes are harshly penalized rather than treated as learning opportunities, or where leaders fail to listen to concerns, these are clear indicators of toxicity.

A particularly toxic hallmark in cybersecurity is the “blame game” for incidents, even when they are successfully detected and eradicated. Professionals who detect and interdict bad actors should be celebrated for doing their jobs well, but in some environments, they are unfairly criticized due to a zero-intrusion mindset. This mindset can lead to blaming the very heroes who stop the bad guys instead of recognizing their efforts with appropriate acknowledgment or rewards.

A healthy environment fosters appreciation and medals for those who excel at defending their organizations from threats, rather than focusing on unrealistic ideals of perfection.

What are the most common consequences of a toxic culture on cybersecurity professionals’ mental health and performance?

The consequences of a toxic culture can be severe for both individuals and organizations. For professionals, chronic stress, anxiety, and burnout are common outcomes. These issues not only impact mental health but also physical health, leading to conditions like insomnia and hypertension.

Performance suffers as well, as individuals become disengaged and less creative in solving complex problems. From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates. It’s important to remember that cybersecurity is a high-pressure field to begin with—a toxic environment exacerbates the inherent challenges, making it difficult for teams to function effectively.

Do you see specific roles (e.g., SOC analysts, CISOs) more vulnerable to toxic environments than others? Why?

Certain roles in cybersecurity are more vulnerable to toxic environments due to the nature of their responsibilities and visibility within the organization. SOC analysts, for instance, are often on the frontlines, dealing with high-pressure situations like incident response and threat mitigation. The expectation to always be “on” can lead to burnout, especially in a culture that prioritizes output over well-being.

Similarly, CISOs face unique challenges as they balance technical, strategic, and political pressures. They’re often caught between managing expectations from the C-suite and addressing operational realities. CISO burnout is very real, driven in part by the immense liability and scrutiny associated with the role. The constant pressure, combined with the growing complexity of threats, leads many CISOs to leave their positions, with some even vowing, “never again will I do this job.” This trend is tragic, as organizations lose experienced leaders who play a critical role in shaping cybersecurity strategies.

Both SOC analysts and CISOs are particularly vulnerable in environments that lack clear communication, adequate resources, and support systems.

What actionable steps can leaders take to identify and eliminate toxic elements in their organizations?

Leaders play a crucial role in fostering a positive culture and must take proactive steps to address toxicity. They should prioritize open communication and actively solicit feedback from their teams on a regular basis. Anonymous surveys, one-on-one meetings, and team discussions can help identify pain points. They should also invest in training for both leadership and team members to foster emotional intelligence, conflict resolution, and collaboration skills.

Recognizing and rewarding contributions—not just outcomes—also goes a long way in building trust. Leaders must model healthy behavior by promoting work-life balance and demonstrating accountability. It’s important to create a culture where individuals feel safe to voice concerns without fear of retaliation.

What advice would you give a cybersecurity professional considering leaving the industry due to toxicity or burnout? Is there hope for improvement?

To cybersecurity professionals facing toxicity or burnout, my first piece of advice is to prioritize your well-being. Recognize that seeking a healthier environment—or even taking a temporary step back—is not a failure but a necessary act of self-care. I also encourage professionals to connect with mentors or peers who can provide guidance and support during difficult times.

It’s worth noting that the industry as a whole is increasingly recognizing the importance of mental health and positive work cultures. Many organizations are making concerted efforts to improve their environments through initiatives like wellness programs, mentorship opportunities, and better leadership training. Staying connected to a network of like-minded professionals and seeking organizations that align with your values can make all the difference in rediscovering your passion for the field.