When Forrester published research on toxic security team culture in 2020, we revealed that an unhappy security team can result in infighting, unhappiness, and aggression. Not only will this toxicity cultivate an unpleasant environment, it also has the potential to put your organization at risk.
Our 2023 research into burnout in cybersecurity called out that burnout is not only a human issue — it’s a cyber risk. What we didn’t know at the time was the extent to which toxic and burned-out teams result in more breaches.
Our latest research into security team toxicity, Security Team Toxicity Leads To More Breaches, shows that engaged, healthy, psychologically safe, and collaborative security teams experience fewer breaches. We now have tangible data to stop us from brushing human-centered issues, such as burnout and toxicity, under the “soft” skills carpet, choosing instead to focus on the known and familiar — technology. Security leaders should know that:
- Security teams whose members aren’t emotionally engaged with or attached to their work report nearly three times the internal incidents and slightly more external attacks than those who feel attached to their work.
- Security teams that suffer unacceptable levels of absenteeism — possibly due to burnout, heavier workloads, condensed resources, shorter timelines, and increasingly complex attacks — report more internal and external breaches at their organizations.
- Security teams that fear retribution if they raise issues that affect the organization’s risk posture may leave damaging issues unaddressed. Teams that lack this psychological safety report more breaches, including 3.5 times more internal incidents than the global average.
The health and culture of a team and its members are more than just a nebulous or benevolent idea to strive for — they have a direct impact on how effectively you can function and defend your organization. It’s time to redress the balance away from tech to ensure that you foster a positive team culture and workplace environment. This isn’t just a human issue — it’s a cyber risk imperative.
Forrester clients can schedule a guidance session or inquiry with me to discuss the risks associated with security team toxicity and how you can build a security team culture to be proud of.
This blog was written with the assistance of Research Associate, Chiara Bragato.