
Psychological safety is key to managing security teams

VentureBeat/Ideogram



The concept of a safe and productive work environment is rooted in psychological safety, which McKinsey defines as: “Feeling safe to take interpersonal risks, to speak up, to disagree openly, to surface concerns without fear of negative repercussions or pressure to sugarcoat bad news.”

The reality of life as a security expert is that you’re regularly trauma-bonding with your team. You and your peers are constantly resolving high-stakes, heavy-collaboration, little-room-for-error incidents together, and this intense type of work is a core function of your day-to-day lives. If you don’t feel able to communicate comfortably with your team, you’re in trouble. 

What that means for security leaders is that the working environment your security people are in is crucial: If your team is lacking in psychological safety, it can have serious repercussions on their ability to do their work.

Security is stressed and understaffed

One of the biggest challenges facing security teams is understaffing and under-resourcing. With the ever-evolving threat landscape and the constant barrage of cyberattacks, security professionals are often stretched thin, forced to juggle multiple responsibilities with limited resources. This chronic understaffing increases the workload and stress levels of team members, and it’s also a breeding ground for burnout.




The nature of incident resolution in cybersecurity also exacerbates the stress levels within security teams. From false positive reports to full-blown system takedowns, the scope and complexity of incidents vary widely, placing immense pressure on security professionals to respond swiftly and effectively.

Organizations depend on their security teams to protect their assets and maintain the trust of their customers, adding an extra layer of pressure to an already stressful job. Even worse, security teams spend a lot of time telling coworkers things they don’t want to hear: For example, that they’re being attacked, they’ve been breached, their system has a fundamental flaw. We have to be carefully diplomatic to maintain good working relationships and it’s easy to push our peers away as we do our work.

Psychological safety can ensure that your people feel like they can trust each other when it comes to checking work, flagging errors and more. It can also help them stay calm and avoid burnout despite high-stakes situations. 

Creating an environment of psychological safety for your security team

There are steps security leaders can take to promote psychological safety within their teams. Let’s cover a few.

Practice psychological safety even when there isn’t an incident

Creating a safe space outside of actual incident resolution is crucial for security teams to cultivate psychological safety. Doing this allows team members to make errors, practice failing and confront vulnerabilities openly, which prepares them to tackle significant challenges collaboratively — all without the added burden of a crisis in action. Practicing psychological safety at all times fosters interpersonal confidence and builds strong relationships among team members outside of incident response.

Communicate effectively

In high-pressure situations, brusqueness, passive-aggressiveness and many of the other patterns of communication we’ve all picked up over the years as we navigate corporate settings can be confusing and ultimately detrimental to the speed and quality of your incident resolution. If someone on your team (or other teams you are working with) is distracted by what they perceive to be hostile communication, then that can quickly become a performance issue. 

As a security leader, you are responsible for overseeing incident response and managing security operations — and that means having to create a safe space for team members to express vulnerabilities, voice concerns and collaborate effectively. Clear, transparent communication ensures that team members understand their roles and responsibilities, reducing the likelihood of misunderstanding and miscommunication — in fact, I’ve seen a lot of potential conflict avoided through good communication practices over the course of my career. 

Security leaders also need to take an active role in cultivating an environment where feedback is welcomed and constructive criticism is encouraged so that team members are empowered to learn from their mistakes. Without this type of environment, your team won’t be able to avoid repeat errors.

Broader teams are better teams

Your customers and users are not all the same, meaning they face different threats and require different approaches for solutions. If you’re in a broadly diverse environment — including demographics, educational background, and more — and know how to optimize that environment, your security team will know more, make fewer assumptions (and therefore mistakes), and think in the creative ways needed to keep businesses secure. You need diversity to take on the breadth of work required to run an effective security team, which also means having an effective DEI strategy in place.

This also goes hand in hand with effective communication: Just like with any other way that people can be jerks to each other, if one of your team members is constantly misgendering another, asking them to inappropriately take notes, or generally making them feel unsafe in other identity-based ways, it can be a negative and detrimental distraction for your team — not just for the victim, but also for the other team members seeing it happen.

DEI best practices are crucial for effective operations on all teams — and especially helpful when it comes to easing the load and ensuring smooth operations within teams that regularly handle crisis scenarios.

Alleviate load where you can

Money can’t buy happiness, but it can buy you tools to manage your alert budget, and a better alert budget means less burnout for your security team. Invest in cybersecurity technology that creates a safety net for your team — whether that’s purchasing a product that improves your signal-to-noise ratio for high-priority alerts, or one that can help your team assess risk, or both — make sure you’re using good technology that’s going to support your team’s goals.

You can also implement a “tapping out” system, so that employees who are burnt out don’t have to push through distress and can take breaks before they start to make mistakes. Tapping out ensures that team members can step out when needed and be seamlessly replaced — but it does require you to structure teams so that context is shared to maintain continuity in operations. For example, making sure that multiple people have context about certain systems means that one person can quickly hand off to another to take a break and avoid burnout.

Another form of load that security teams often (but shouldn’t) bear is inappropriate backlash from other teams. Security can be stressful work — non-security teams are often surprised when an incident occurs, and in their panic they can get upset and take it out on the security folks who are trying to resolve the issue.

It’s the job of senior leaders on the team to make sure that this doesn’t happen (before incident: building good relationships, coaching security folks on effective communication) and that, if it does occur, it doesn’t happen again (telling the offender that their behavior isn’t acceptable, following up to ensure consequences if it happens egregiously or again).

Stay compassionate

High-stakes work can often trigger fight-or-flight responses, panic and other stress-related reactions that can make people behave in abnormal ways. Make sure to remember that — even if you’re a seasoned security expert. Psychological safety in a security team to a certain extent depends on a leader’s ability to respond to and support their direct reports, and compassion is one of the best things you can offer your security team.

The security industry is about making the world a safer place — which means that, by nature, the job comes with a lack of safety. It’s your job as a security team leader to ensure that that lack of safety is limited to incidents and bad actors, not interpersonal dynamics. 

Finally, if you’re looking for more ideas on how to build psychological safety in your security team across digital platforms, check out the resources available at Tall Poppy.

Lea Kissner is CISO of Lacework.