Quiet quitting and security - why you should pay just enough attention - Image by Andrew Martin from Pixabay Quiet quitting is one of those trendy discussions in the workplace that seem to come up frequently. It describes how employees can put in enough effort to fulfil their roles, but they do not commit to overtime or extra responsibilities that are not officially part of their job description. If you run an IT security department, this approach might seem impossible to square against your needs. After all, IT security relies on constant vigilance and attention. How can you have someone that does not put in that effort on your team?

However, there are lessons we can learn from the discussions around quiet quitting that can improve your results over time.

The wrong term

Firstly, I’ll state for the record that I hate the term quiet quitting. It is biased against employees from the start. Rather than being about employees and more work-life balance, it’s pitched as a threat to businesses. Employees who deliver on their work requirements should not be described as ‘quitting’ when they establish the right boundaries for themselves and their roles.

This ‘always on’ mindset can be hugely detrimental to your team, especially when you are working around complex and potentially destructive attacks on your business. IT security analysts have enough pressure dealing with alerts, tracking vulnerabilities, and prioritising potential risks. Too many security professionals are locked into being the hero to their companies, where their actions are needed to constantly save the day.

This constant pressure to deliver can easily lead to burnout. The staff we have are under huge amounts of pressure – according to the CIISec State of the Profession report for 2021/2022, around 32% of IT security professionals are kept up at night with job stress. It’s also not easy to find recruits to join the team, let alone replacements if people leave – ISC2 found that there are 3.4 million open roles for security professionals, and 70% of IT security professionals said they are overworked. In short, we need to protect the people we already have, and develop new sources of talent to expand teams alongside them.

In these circumstances, you should not think negatively about those that only want to work for the duration of their shift. Instead, you should actively encourage your team to manage their time and commitment levels more effectively, including more time for themselves. Alongside this, you should apply the same approach to yourself.

Help your team and avoid burnout

Encouraging your staff to switch off outside work might seem counterproductive. After all, you need them to fulfil their requirements and track potential risks. But at the same time, relying too much on your team putting in extra hours will lead to those staff members leaving the company or even the profession. Instead, it is essential to get the balance right between commitment to their role and their own needs outside work.

To manage this, there are several areas where you can make changes. The first step is to look at how work is spread across your team and how you manage this spread over time.

An equal share of the effort

Making sure that all of your team feel that they are being treated equally is essential to their mental health and ability to manage their workloads. At the same time, if you are finding that members of the team are picking up more tasks or carrying out more work compared to others, then investigate whether this is due to better work practices or whether you might be tracking the wrong metrics.

Alongside looking at your team’s workloads, you should consolidate and automate your operations where you can. IT teams like to automate their tasks and be more efficient, so encourage your team to share their scripts and approaches and pass on their knowledge. This helps everyone benefit.

Work can and should vary

You might find that some staff want to specialise or concentrate on specific areas where they have more experience or skills. This can be a great way to make the most of the talent at your disposal. However, it is important to ensure that the whole team understands what is happening. At the same time, you may want to avoid certain tasks being seen as rewards or of higher value than others.

To get this right, look at how to get the best mix in place. For example, you may find some employees are better at certain tasks and enjoy them more. However, you should also look out for where employees might try to cherry-pick tasks that are easier for themselves, leaving others to pick up the slack. Your goal should be to ensure that everyone is able to contribute based on their skills, capacity and workload, and this should evolve over time.

Keep the focus on what matters

Based on your work audit, identify staff members handling more than their fair share. These signals can show up if any one person is suffering and needs help. Just as importantly, it can show the impact on the rest of the team. This should also help you spot team members suffering in silence.

Quiet quitting involves employees only putting in the effort that their contract requires. Encouraging your team to step away from their work outside their contracted hours will help them focus when needed. It also means that if you ever need to ask someone to work extra time, then they will be more willing to step in. For security professionals, paying attention to themselves and their interests will help them re-energise and prevent burnout.

Watch out for signals of burnout

Understanding personalities and people is an important part of any security lead role. For example:

  • Have you seen any trends in behaviour that are out of the ordinary, like someone who is normally gregarious falling silent?
  • If you work together in the same physical location, has their approach in the office changed?
  • If you are all working remotely, are they forthcoming on calls or less chatty than usual on messaging apps?

These changes can be signs of someone who is having more problems. However, they can be very difficult to pick up on from Zoom calls and online chats and provide help before problems become bigger and affect other team members.

Build your emotional intelligence

You should have one-to-one sessions with your peers and your team regularly. Find out their personal circumstances and check how things are going. You must develop your emotional intelligence skills to help spot any changes.

Looking ahead

Today, the economic situation has meant that quiet quitting is now less likely. The likes of Intel, Oracle, Snap, Twitter and others have all reduced their headcounts, while other Big Tech firms have made noises about carefully managing their spend. Employees are worried about their positions, and so they may go back to putting in extra hours. For security, this might be counterproductive.

The volume of attacks on IT is not going down. Looking at your approach is essential if your team is going to be effective and successful over time. You want your team to be committed, so you should commit back to them too. However much you dislike the name, the quiet quitting trend should provide a chance to have those discussions.

Qualys logo

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions with over 19,000 active customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance, and protection for IT systems and web applications across on premises, endpoints, cloud, containers, and mobile environments. Founded in 1999 as one of the first SaaS security companies, Qualys has established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform, and managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, HCL Technologies, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance. For more information, please visit www.qualys.com.


Please enter your comment!
Please enter your name here