Five Ways to Steer Your Security Organization in a Toxic Environment Willie Sutton, the notorious bank robber, was once asked by reporter Mitch Ohnsta
Five Ways to Steer Your Security Organization in a Toxic Environment
Willie Sutton, the notorious bank robber, was once asked by reporter Mitch Ohnstad why he robbed banks. According to Ohnstad, he replied, “Because that’s where the money is.” Though that answer is very stark, it does provide us with an opportunity to learn an important lesson in security.
The well-known quote “write what you know” is a salient one. In the past, I have, unfortunately, been in multiple toxic environments and have learned how to navigate through them. Even in those types of environments, the security team must work to minimize risk and defend the organization from information security threats. Before we can discuss how to navigate a toxic environment, we must understand what creates one.
Causes of a toxic environment include, but are not limited to:
● Narcissistic leadership
● Withholding of information
You might ask the question: Why do people withhold information, gossip, lie, and manipulate? To channel Willie Sutton: Because it works. The unfortunate reality is that some people invest more time into those activities than they do into actually working. As a result, they can become quite masterful at painting a picture that simply isn’t true. They can then use this narrative to distract from their own poor performance and bad behavior.
It goes without saying that it can be very difficult for a well-intentioned and competent person to operate in such an environment. Most of the security professionals I know are hard-working, honest team players who choose productive, constructive work over toxic game-playing. Nonetheless, even in a toxic environment, team players must do their best to protect their respective organizations.
It is in this spirit that I present five ways to steer your security organization in a toxic environment:
1. See the signs: The first step in navigating a toxic environment is to realize that you are in one. Look carefully around the organization for the signs enumerated above. Does leadership take credit when things go right and blame others when things go wrong? Does trying to get answers to simple questions feel like an interrogation? Do people build inaccurate and untrue narratives based on little to no evidence? Do people covertly or overtly manipulate situations to advance their own personal goals? If the answer to any or all of these questions is yes, it’s time to accept the sobering news that you are in a toxic environment.
2. Document everything: I once worked for a manager who used to say, “if it isn’t written down, it didn’t happen.” When gossip, lies, and manipulation are present, everything needs to be in writing. Keep notes and minutes from meetings and conference calls and store them where they can be viewed and reviewed by everyone. If people agree to action items, send a follow-up email with the list of action items. If someone tells you something in passing, ensure it is recorded. If you see illicit behavior, document it. These are some of the ways in which you can prepare yourself to refute lies and continue to improve the security posture of the organization.
3. Stay on point: When dealing with liars and manipulators, it’s important to stay on point. When writing, on conference calls, and in meetings, stick to the facts that are relevant to the point you’re making. Any extraneous or unnecessary information only gives bad actors additional material to latch on to and further enables their lies and manipulation. This is easier said than done of course. As tempting as it is, stick to the facts and resist the temptation to sink to the adversary’s low level.
4. Don’t take the bait: When asked clear, simple, straightforward questions that they don’t want to answer, liars and manipulators will often go on the attack in response. Rather than answer your question, they’re banking on you taking the bait, getting distracted, and engaging with them on irrelevant points. Don’t give them that satisfaction or play into their games. Learn to identify what is bait, how to avoid it, and how to stay on topic. It’s the only way to make the progress you need to make in a toxic environment.
5. Have clear metrics: Although it is hard to argue with numbers and facts, some people will still try. Nonetheless, having clear, high quality metrics is an absolute requirement in a toxic environment. The best way to refute false narratives is with hard numbers. Invest the time required to identify, define, develop, calculate, and report metrics that will show both your performance and your contribution to risk reduction. Great metrics are, perhaps, the single best defense you can build for yourself to allow you to navigate and steer your security organization through a toxic environment.