Drama.
It’s something we often associate with TV shows and movies, but it has a sneaky way of infiltrating even the most professional environments, including cybersecurity. With recent events like the CrowdStrike IT outage causing global disruption and significant financial losses, and the controversial Palo Alto Networks-sponsored event at Black Hat USA, where models were presented as mannequins adorned in evening wear with lampshades obscuring their faces, it’s evident that the cybersecurity field is not immune to drama.
But why does this happen? And more importantly, how can we move beyond the blame and shame that often accompany these dramatic episodes?
Why Drama is Detrimental
Drama in cybersecurity often creates a cycle reminiscent of the Drama Triangle, conceived by psychiatrist Stephen Karpman, where individuals assume the roles of Victim, Persecutor, and Rescuer, perpetuating conflict rather than fostering collaborative solutions.
When individuals adopt the Victim role, they often feel powerless and may resist taking accountability for their actions, which can lead to a culture of blame and inaction.
Conversely, those in the Persecutor role tend to cast judgment on others, creating an environment filled with hostility and fear, while Rescuers/Heroes, though seemingly supportive, may undermine others’ agency by stepping in too often.
Individuals caught in the Drama Triangle often oscillate between the roles of Victim, Persecutor, and Rescuer/Hero, leading to a cycle of unproductive interactions.
For instance, a person may initially position themselves as the Victim, feeling overwhelmed by challenges, but then switch to the Persecutor role when they blame others for their situation. This shifting creates a chaotic environment that hinders accountability and collaboration, perpetuating a cycle of dysfunction instead of fostering constructive dialogue and resolutions.
In cybersecurity, where collaboration and shared responsibility are crucial, the Drama Triangle stifles innovation and unity. This toxic dynamic creates barriers to effective communication, leading to misunderstandings and resentment among team members.
Be Wary of Rescuers and Heroes
In the aftermath of a dramatic event, there’s often a desire to find someone to blame and someone to save the day and alleviate anger. This leads to the emergence of Rescuers and Heroes in cyber – individuals who try to come in and “fix” things, whether they’re truly capable or not.
As leaders, it’s essential for us to be aware of this phenomenon and avoid falling into the trap of relying on these rescuers and “heroes.” Instead, we must acknowledge their limitations and encourage open dialogue, empowering our teams to take ownership of their mistakes and work collaboratively towards finding solutions.
Considering Blame and Shame
As humans, it’s inevitable that we’ll screw up at points in our careers, but by focusing solely on assigning blame and shaming, we stifle growth and learning.
As leaders in cyber we must lead by example, and move away from this unhelpful approach. This requires us to put processes in place that minimise failures, and ensure that we’re building cultures that empower people to say,
“I screwed up, how can I and others around me learn from this, and make things right?”
We must foster environments where mistakes are seen as opportunities for improvement and learning, encouraging open dialogue and empowerment. We must build workplace cultures that are safe and empowering, and will support and challenge in equal doses.
The Just Culture is a good place to start to understand the principles of safety and empowerment, and how they can apply to us in cybersecurity.
Just Culture
According to David Marx, a leading expert on safety culture, “A just culture is one in which an organisation’s values are operationalised to support people who engage in adaptive behaviour making choices that are both judicious and accountable.”
In other words, it’s about creating a culture where employees feel comfortable admitting mistakes and taking ownership of them, without fear of punishment or retribution. This empowers them to learn from their errors and make necessary changes to prevent future occurrences.
Our Role as Leaders
As leaders, we play a crucial role in establishing a “just culture” within our organisations. To do so, we must communicate and model the values of accountability, transparency, and learning from mistakes. We must create environments of psychological safety, where employees feel comfortable speaking up and sharing their thoughts and concerns without fear of judgement or negative consequences.
Additionally, we must foster diversity of thought within teams so they can contribute to a more inclusive and just culture, as different perspectives help identify potential issues or areas for improvement that may have been overlooked by a homogenous group.
Make a Change
Both the recent failures at CrowdStrike and Black Hat USA serve as wake-up calls for us as cybersecurity leaders and a community to reassess our approach to not only handling mistakes and failures but judging them too.
Instead of dwelling on blame and shame, we must focus on creating a “just culture” that promotes learning, growth, and inclusivity.
By adopting these principles and values, we can build more cyber resilient and secure organisations for the future. If we don’t, then we won’t get the high performance from our cyber teams, the reporting on potential cyberattacks from our greatest cyber shield – our employees – and risks will increase.
To End
Drama and blame in cybersecurity are not just unproductive; they are harmful. They create an environment where people are afraid to take risks, admit mistakes, and learn from them. By shifting our focus from blame and shame to a “just culture,” we can foster environments where innovation and collaboration thrive.
It’s time to break the cycle. Let’s create cultures that empower our teams, value diversity of thought, and prioritise learning and growth. In doing so, we will not only enhance our cybersecurity efforts but also build stronger, more resilient organisations.
Let’s make this change together.
For a deeper understanding of how you can implement these principles in your organisation, consider reaching out to experts or joining forums where these topics are discussed. Your first step could be as simple as starting a conversation with your team about the importance of moving beyond blame and shame in cybersecurity.
To learn more about how to implement a culture that’s safe and empowers, read Just Culture, Balancing Safety and Accountability.
To learn more about women in cybersecurity and why a failure to attract and retain women is causing us to be less safe, read IN Security, and join the movement.
Now I want to hear from you…
Tell me about a time when you’ve seen the Drama Triangle or blame and shame dynamics play out in your organisation.
How did it impact the team and their ability to work together? What steps could have been taken to shift towards a “just culture”?
Share your thoughts and experiences in the comment box on LinkedIn with me – where the conversation is happening. Let’s be the change we want to see and continue the conversation so we can work towards building stronger, more resilient teams and organisations in cybersecurity.