In the realm of cybersecurity, workplaces can be surprisingly unsafe, with a high turnover of CISOs and alarming rates of misconduct. This talk explores the mechanisms behind this paradox, examining organizational dynamics, the pressures on CISOs, and the emergence of toxic behaviors. By analyzing real-world examples, some of them very personal, we will uncover the root causes of these issues and provide practical solutions to foster a safer, more resilient cybersecurity culture.
Cybersecurity is a field where pressure is constant, and mistakes can have severe consequences. Yet, for many cybersecurity professionals, the greatest threats do not come from external attackers but from within their own organizations. In one striking example, a security researcher discovered severe vulnerabilities in a widely used product, only to be dismissed as "overreacting" by management—a classic case of gaslighting. At Equifax, a CISO faced public blame for a devastating breach, despite years of underfunding and ignored warnings about outdated software. In another case, security engineers at SolarWinds raised concerns about critical vulnerabilities that were ignored—vulnerabilities that were later exploited in a massive supply chain attack affecting thousands of organizations.
These toxic dynamics are not just isolated incidents; they are symptoms of a broader problem in the way organizations perceive and manage cybersecurity. Security is often seen as a cost center—a department that creates problems rather than solving them. This mindset fuels blame-shifting, where CISOs become scapegoats after breaches they lacked the power to prevent. Even worse, security professionals who try to escalate serious risks are sometimes ignored, marginalized, or even retaliated against. A report by (ISC)² found that 60% of cybersecurity professionals have experienced burnout, and nearly one-third have left jobs due to toxic work environments. Such conditions not only harm individuals but also weaken an organization’s overall security posture.
But it doesn’t have to be this way. This talk explores how more mature industries have learned to overcome similar toxic dynamics. What can we learn from their experiences? Drawing on these examples, this talk will identify practical steps to transform cybersecurity into a healthier, more resilient field, where burning people out is no longer the net result of dealing with security.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/