Watch out for those quiet quitters

Let’s start with some numbers. A LinkedIn survey of Middle East employees, conducted in the first half of 2022, showed 70 per cent were willing to quit because of a lack of flexibility. This general air of restiveness has been around for a while. In 2021 in the UAE, an insurance industry poll of workers across sectors revealed 68 per cent of them to be stressed from work, which was significantly up on the previous year’s figure of 58 per cent.

The previous year’s study was based on data from just before the pandemic, so it is fair to say that Covid did not cause the stress, but it seems to have intensified it and got people talking about it. Some of those people will quit outright. Others may stay and engage in what has become known as quiet quitting. Regional firms must be agile and innovative to find their place in the digital economy. If even a portion of the workforce is unmotivated, transformation programmes simply will not work.

Nowhere is the stress of the modern daily grind more prevalent than in cybersecurity teams. And for them, just showing up is not enough. They must do battle with a rapidly evolving threat landscape populated with highly motivated attackers. Meanwhile, the corporate world coins a term that conveys laziness, ingratitude, or some measure of inconvenience to the business, without ever considering what is behind it.

Employees have goals too

Employees have always wanted more work-life balance. What has changed is that Covid lockdowns forced employers to experiment with remote work. And the sky did not fall. Now, an expectation hangs in the air that all organisations must offer hybrid workplaces. Employees are starting to say to businesses, in ways subtle and explicit, “You are not the only ones with goals”.

Security professionals respond to alerts, they track vulnerabilities, they triage risk. Missteps are the subject of full-blown inquiries while successes go all but unsung. Burnout is an obvious subsequent link in this chain, as is either resignation or quiet quitting. Studies point to a global cybersecurity skills gap of considerably more than three million, amid an ocean of polls in which the rare talent that we have complains of being overworked.

So, the choices ahead of us are plain. First, become a painful headline as we are hit with ransomware (or some other incident), or build a robust security posture. Assuming, we choose the latter, we must find a way to keep existing talent and develop new talent. Instead of dismissing the desire to work only the contracted hours with sentiments such as “not a team player”, we must work with our people to help them manage their time more effectively.

Switching off

We need to remember that we are locked into a choice. If we do not allow security professionals to switch off for sufficient periods, they may leave the company or even the field. Employees are much, much more than just their role. That is how they see themselves. Organisations that want to attract and retain the right talent must show that they also see employees that way.

First, get the metrics right. Ensure work is distributed evenly, and if you see someone pulling more weight than others, get curious. Is this because of their work ethics, or was it made necessary by an ill-designed workflow? Second, automate. Take the burden off the security team’s shoulders and free up time to concentrate on more challenging tasks.

Ensure the right leader with the right soft skills is in place to ensure that when highflyers are identified that others are not demoralised by their progression. And ensure that the leader is capable of distinguishing a colleague who is suffering outside their professional life from one who is lazy within it.

More than their roles

A welcoming, nurturing atmosphere creates a productive, committed team. But to have a leader that can exercise daily judgement that treats people as individuals who are more than just their roles takes commitment and practice from the leader. They must have regular team and one-on-one meetings where they encourage open communication. And if necessary, leaders should be trained in emotional intelligence so they can notice the cues that allow timely action.

Unfortunately, not all organisations will take the compassionate approach to quiet quitting that is described here. Some business units may have decided they can automate and show employees they are replaceable. This constitutes a passive-aggressive move to put the moving-forward ball in the workforce’s court. For cybersecurity, where there is an unavoidable need for human ingenuity coupled with a genuine shortage of talent, the “call their bluff” gambit will backfire. It is simply too big a risk. Meeting employees halfway is the only way.

Paul Baird is the chief technical security officer at Qualys

Read: How cybersecurity can be a powerful shield against threat actors