Are you a toxic cybersecurity boss? How to be a better CISO

It wasn’t just one thing that made Keith, a 40-something cybersecurity pro in New York City, quit his job — there was no single straw that broke the proverbial camel’s back.

“It was really the micromanaging, to some degree. And the cursing, the profanity being used in a corporate office environment,” recalls Keith (a pseudonym to protect his identity), who’s been working in the industry for more than 10 years.

He’s describing his former CISO, who nitpicked everything so relentlessly that Keith quadruple-checked every email before hitting send. As for the profanity?

“Verbally degrading people, talking down [to them] like: ‘What the f— are you doing?’ It was just uncalled for,” says Keith. This wasn’t the odd curse word muttered out of general frustration; this was swearing directed at individual team members, “like saying you’re the cause, you’re the reason,” Keith says.

Keith, a deputy director, tried harder. When he expressed a desire to learn something new, his CISO snapped, “Why are you wasting your time?” This boss was also divisive, assigning secret projects to some teammates while keeping others in the dark. “It’s like we’re part of the same team [but] then you feel siloed. Everyone felt siloed,” Keith remembers.

Why is cybersecurity particularly prone to having toxic bosses?

Though horrible bosses exist in every industry (hence the $209-million global box office haul for the movie “Horrible Bosses”), cybersecurity has a particular problem with toxic work culture, according to Jinan Budge, a principal analyst at Forrester Research based in Sydney, Australia. Besides witnessing profanity, tears, and “chairs being thrown around the room” during her own 25-year cyber career, Budge has covered the topic of toxic cyberculture extensively for Forrester. Based on her research (including analysis of more than 200 responses from 75 cyber professionals), she attributes this pervasiveness to several causes.

Cybersecurity is still a relatively new profession that has battled to be heard and respected, she says, driving some cyber pros to feel insecure and overcompensate with arrogant, “messiah complex” antics. She says security is often viewed within the business as “a tax”, which chips away at the morale of cyber teams and their leaders.

In addition, she says cybersecurity teams are much smaller than those in other fields, and therefore work more closely with their leaders, so they bear the brunt of their CISO’s frustrations more directly and immediately. “And in cybersecurity,” Budge adds, “emotional literacy is not something that we prioritize. Leadership skills are not something we prioritize. Technical skills, sure. But people [skills]? What’s that?”

Toxic leadership alienates and discourages talent

The ultimate price of inappropriate behavior in a leader is discouraged talent and reduced efficiency, experts say.

Various studies have documented the negative impact of workplace incivility on productivity, recruitment, and retention. In a 2022 survey of 1,027 cybersecurity pros in the US and Europe, just over 60% said their stress levels had risen over the previous year and that their poor mental health affected their ability to get work done.

Another 2022 study by MIT Sloan (on several industries, not cyber specifically) concluded that “a toxic culture is the strongest predictor of a negative Glassdoor review [and] … the best predictor of a company experiencing higher employee attrition than its industry overall.”

Keith eventually became a casualty. The behavior of his boss, which he found at times “deceitful” and “scary,” ground him down: “It was belittling. As much effort and time as you put into all the work, it was never enough.” 

Keith was consumed with work stress, even at home with his wife and young kids. “I had the worst health. I was kind of depressed. I was experiencing things that I’ve never experienced before,” he says. When a family member had a serious unrelated health issue, Keith took a paid medical leave from work as an excuse “just to not be there,” he admits.

At his breaking point, Keith left the company in 2023. He made sure to land another cybersecurity job first, which he currently loves. The most valuable thing he took away from the experience was the realization he’d rather take a 20% or 30% pay cut than work for that type of executive again.

Do some bosses support bad behavior?

Though most CISOs treat their employees fairly, CISOs are human beings — with all the frailties, quirks, and imperfections of the human condition. But CISOs behaving badly expose their own organizations to huge risks.

Geoff Hancock was so disturbed by what he heard from some fellow CISOs in September 2023 that he felt compelled to address it on LinkedIn. A cybersecurity veteran of nearly 30 years, Hancock had just attended several meetings with other cybersecurity and business executives in his role as deputy CEO and global CISO at Pennsylvania-based Access Point Consulting.

“One issue we spent time on was good versus bad leadership,” Hancock wrote days later on LinkedIn. “I was surprised that several experienced executives supported using bad behavior to get things done. As a leader, I can’t support bad behavior for any reason (toxic leadership). Maybe I’m just old-fashioned. Or as I was told, ‘maybe you’re not accepting the realities of today,’ whatever that means.”

Hancock tells CSO that some of the behaviors sanctioned by those CISOs included stealing employees’ ideas and presenting them as their own, manipulating situations to make certain people look better than others, lying about others’ reputations or behaviors, and “being the gatekeeper of all decisions.”

Toxic CISOs are a security risk

Given the perilous environment of security today — the ruthless hackers, AI-based threats, legislative compliance changes, and mounting liability concerns — it’s easy to see why some CISOs might occasionally lose their cool on the job, as Hancock can attest. “In cyber, [there’s] regulatory, I’m dealing with legal folks and FBI, maybe I’m dealing with a breach. There are so many different things that a CISO can go through in a week,” he says.

Those who constantly denigrate their staff are actually exposing their organizations to tremendous risk, Budge argues. “When people are so busy fighting and crying and bitching about each other, the work is not getting done. And that work is cybersecurity for the organization … so, for me this toxicity is quite a significant cyber risk. It also affects our ability to attract and retain talent, which is so desperately needed in cybersecurity,” she says.

How not to be a toxic CISO

One of the thorniest challenges of a toxic CISO is that the person causing the problem is also the one in charge, making them susceptible to blind spots about their own behavior. Nicole L. Turner, a specialist in workplace culture and leadership coaching, got a close-up look at this type of myopia when a top exec (in a non-security role) recently hired her to deliver leadership training to the department heads at his company.

“He felt like they needed training because he could tell some things were going on with them, that they were burned out and overwhelmed. But as I’m training them, I notice these sidebar conversations [among his staff] that he was the problem, more so than the work itself. It was just such an ironic thing and he didn’t know,” recounts Turner, owner and chief culture officer at Nicole L. Turner Consulting in Washington, D.C.

There’s also some truth to the adage that it’s lonely at the top, especially in a hypercompetitive corporate environment. “[CISOs] have nowhere to go for their emotional outlet,” Turner says. “Because they’re executives, they don’t feel comfortable going to their peers when they’re struggling or when they’re having pain points because they often don’t know who they can trust. And they can’t come to the [CEO] because they think ‘that’s going to be a ding on my performance.’”

Turner sees toxic CISOs as symptomatic of a wider problem across all industries: organizations promoting people with expertise in one specific domain to executive positions, without ensuring they possess broader leadership skills like communication and emotional intelligence.

“It’s more about empowering, inspiring and motivating your employees. But organizations don’t look at leadership that way and they don’t develop their leaders that way,” Turner notes.

Enterprises should provide CISOs with human skills

Turner says organizations can provide CISOs with tools to acquire or sharpen those skills, such as leadership training, executive coaching, mentorship opportunities, and 360-degree review processes conducted either internally or by a third party. In the latter exercise, CISOs receive anonymous (and thus, presumably more honest) feedback on their management style from a multilevel spectrum of their employees, peers, and superiors.

To avoid becoming toxic amid the ever-changing demands of their jobs, Turner says CISOs should focus on self-awareness to recognize whether they’re falling into negative patterns. That means developing self-regulation (i.e., being mindful of their words and actions) and practicing empathy by “being aware of what’s going on with [their] team” instead of just their own interests and concerns.

Mentors from similar executive roles can often hold up a mirror to CISOs by giving them honest feedback and perspectives they might not get elsewhere, while also providing the ‘I’ve been there, too’ empathy they need, Turner adds.

To nip future toxic CISOs in the bud, she advises companies to consider succession planning that offers the same leadership development tools to their most promising internal management candidates.

That brings us full circle to Keith, who ultimately left his job and his company due to a toxic CISO. Looking back on what he endured, he says that harrowing experience paradoxically helped him understand how to be a better boss at his new job.

“Right now, I have teams with individuals who are young and this is their first job. And they’ve reached out to me and said that I understand them, and I talk to them. So, I learned what not to be from all of this.”
