An organisation’s attitudes to cybersecurity are almost as important as the steps taken to prevent such attacks. Regardless, when something does go wrong, blame culture tends to run rife. With rising fear of litigation, a human tendency to want to know who’s responsible and increased attacks across the board, business and security leaders must decide to foster a culture of free of blame – or not.
Mistakes happen, but when mixed with fear, shame and guilt, employees are faced with an important choice: to report or not to report. This decision, either way, is rooted in a company’s established values and ideology. As a 2022 Gigamon survey highlighted, 94% of IT and security leaders worldwide believe that blame culture could also be a deterrent to the speed of reporting an incident. But what is blame culture? And what toll does it have on our wellbeing?
Simply put, blame culture, according to researchers at the Oxford Review, is defined as an environment where people, or groups/teams of people, are frequently singled out and blamed, criticised and fault is apportioned for mistakes and errors. This tends to result in a situation where people are reluctant to accept responsibility for their actions and mistakes, because they are afraid of criticism and reprimands from their managers and leaders.
In cybersecurity, for example, if someone was to click on a phishing email and compromise a company’s data they may suffer harsh consequences like sacking or, for some professionals, a hefty fine. If a company has a policy that’s harsh on professionals when mistakes happen, employees may be less likely to own up when they do make mistakes, ultimately increasing risk for all. Equally, cybersecurity professionals themselves may feel obliged to work longer hours to make sure systems are secure to circumvent these risks leading to burnout, which, again, creates an unhealthy and unbalanced workplace culture. As a 2020 Nominet survey found, 95% of CISOs worked more than their contracted hours.
Renske Galema, Area Vice President Northern Europe at CyberArk, explains further: “When an employee makes a mistake resulting in a damaging data breach, organisations sometimes feel the need to blame them. While this blame culture may help businesses feel better in the short-term, it has a negative long-term impact on their cybersecurity posture – discouraging employees from reporting cyber mistakes and delaying the company’s ability to mitigate damage.”
Galema continues: “The blame culture misses the point. Rather than looking for someone to blame when a problem occurs, organisations must instead focus their efforts to keep their security programmes, especially their identity security, tight.”
Blame culture also carries significant risk to wellbeing, as Dr. Paras Patel, Chief Scientific Officer at The Zensory, told The IT Security Guru:
“Such environments [of blame] often lead to processes which do not offer constructive support or solutions and lead to individuals working in a self-preservative manner to avoid any shame or blame i.e., instead of learning from mistakes, employees may try to hide them, so they do not get punished. Nobody will take accountability for problems if they think they will be punished for doing so.”
“Such toxic environment and culture can have significant impact on wellbeing, including:
Psychological Distress: Constantly feeling blamed or shamed can lead to high levels of stress, anxiety, and depression. Individuals may develop feelings of worthlessness and inadequacy, damaging their self-esteem, having long term mental health and wellbeing implications
Fear of Failure: In an organisation that places blame and shame on mistakes, individuals could be hesitant to take chances or make choices out of concern that they’ll be singled out if anything goes wrong. This failure-related dread might hinder their ability to advance personally and professionally.
Breakdown in relationships: Blame and shame undermine teamwork and mutual respect among individuals and groups. People become reluctant to engage in open communication, information sharing, or productive teamwork when they experience continual criticism. This could lead to them feeling isolated at work with evidence showing that isolation can lead to negative impact on mental health and wellbeing.
Burnout: Being around guilt and shame for prolonged periods of time can cause chronic stress. The constant need to work in an environment where no mistakes can be made or where you must justify actions to place the blame elsewhere has a negative impact on individuals physical and mental health.”
Of course, a culture free of blame does not mean a culture free of responsibility.
Paul Baird, Chief Technical Security Officer EMEA at Qualys shares this sentiment: “Drawing a clear distinction between responsibility and blame is crucial for creating a healthy and productive organisational culture. Responsibility entails being accountable for one’s actions and decisions, acknowledging the consequences, and taking steps to rectify or improve situations. It’s a fundamental aspect of personal and professional growth, allowing individuals to learn from experiences and contribute positively to the organisation’s progress.”
Baird continues: “In some cases, organisations and leaders might misuse responsibility as a tool for blame. They might assign responsibilities with the intention of later using them to assign blame for failures, creating an environment of distrust and anxiety. This turns responsibility into a weapon rather than a constructive mechanism for fostering growth and accountability. A more constructive approach is to view responsibility as a character builder. When individuals are entrusted with responsibilities and provided with the opportunity to learn from both successes and failures, they develop resilience, problem-solving skills, and a sense of ownership.”
Dr. Paras Patel concludes: “Creating a positive culture where individuals feel comfortable owning up to mistakes has not only positive wellbeing effects for the individual, it can also have a positive impact on the organisations.”