Key Indicators of a Great Cybersecurity “Culture”

Hey, “Unnamed IT Guy” at Equifax. I feel your pain. I’ve experienced the “throat to choke” culture. So have a lot of other groups, I imagine, who have been in the news due to security breaches. The scenario goes something like this: The IT team has raised alarms for some time about lack of resources, and their concerns go unanswered year after year. A breach happens. And the IT team gets thrown under the bus. It seems to go with the territory, but that doesn’t make it any better. There are three important points to remember:

  1. It is not about you.
  2. Many companies are not like that.
  3. You do not have to put up with this.

Reports vary, but cybersecurity positions are going unfilled. Some say 50% of cybersecurity jobs in the US are open. I see dozens of job openings daily. There are multiple factors involved in this: some firms have such a poor cybersecurity culture that they can’t attract good cyber talent, and some firms ask for talent that frankly doesn’t exist, so openings go unfilled for months. The other factor is that a lot of people are dropping out of the cybersecurity field. After testimony like Richard Smith’s, it is not hard to see why. Passion for what you do only goes so far – and it is not an antidote to burnout in an unsupportive work environment. When management throws you under the bus, it is time to look elsewhere.

So, polish up that resume, Unnamed IT Pro. There are people who want you and NEED you. With the right skills, you can afford to be selective, and you should be. Because great IT professionals who understand cybersecurity are needed now more than ever to secure our infrastructure, our corporations, and our public sector.

According to, top demand is for Cyber Security Engineer, Cyber Security Analyst, Network Engineer/Architect, Cyber Security Manager/Administrator, Software Developer/Engineer, Systems Engineer, Systems Administrator, IT Auditor, and Vulnerability Analyst/Penetration Tester.

Here are a few suggestions to help you land in a company with a boss for whom you’ll love working:

  • Recognize that company culture is a complex web of sub-cultures that can work both “for” and “against” the company. You’ll be hiring into a subculture. You want a boss who can describe how the web of sub-cultures works and is navigated successfully, particularly if you are in a cybersecurity role.
  • Watch for organizational silos because they impair cybersecurity problem-solving that inherently crosses boundaries. A great benchmark for understanding how well a company navigates boundaries and subcultures to solve problems is identity and access management. It should work seamlessly across business units, HR, and IT.
  • Is there a stratified power structure that influences how people speak to one another? I still remember my favorite job – when the Director of Research and Technology would pop his head in my office to make sure his understanding of a particular security protocol was accurate. His presence and his genuine interest spoke more about organizational culture than a set of value statements on the wall. Can you openly speak with others in the company without concern of “going around” your boss?
  • Do people care about themselves AND the organization? Once I had a very promising individual inform me as the CISO that he had decided that the most important thing he could do for his career was to “look out for Number 1 and be incredibly selfish about it.” That’s a symptom of an enterprise power structure that holds people back.
  • Your boss should create a sense of purpose and constant growth in your role that make you eager for Monday morning.
  • Finally, ask to discuss, if not read, the incident response plan if it is pertinent to your prospective position. It should have well-defined timelines, process flows, and roles. If they tell you that they are hiring you to create this for them, be sure you feel strongly that the web of subcultures supports not only the design but also the implementation of a process that crosses boundaries throughout the organization.

Good luck. Keep your eyes looking forward. Don’t let that Skeptic in your head make you believe this is about you. Pick wisely and your next IT job is going to be awesome.