Let’s talk about presenteeism.
Simply put, presenteeism is when an employee is constantly showing up at work, despite being unwell. In today’s hybrid world, this could mean either physically showing up at the office or logging on at home. As well as accounting for showing up when you’re physically or mentally unwell, symptoms also include not taking holidays, being ‘contactable’ outside of work hours, and so much more. In the long run, presenteeism isn’t good for organisations – or their security postures.
Presenteeism and Cybersecurity: How to Recognise Symptoms When They’ve Become Part of the Job
Many cybersecurity professionals wouldn’t think twice about showing up to work when they were feeling under the weather. Many of the symptoms of presenteeism (showing up regardless, answering phone calls outside of work, being contactable 24/7/365 etc.) have become in and of themselves part and parcel of the role of a cybersecurity professional. Adversaries don’t stop and neither do the people who protect them.
Andy Robertson, Head of Enterprise and Cybersecurity Business, Fujitsu UK&I, further explains the toll that responsibility takes on cybersecurity professionals: “There can be a feeling that there is always another storm brewing that will need to be addressed, and that can be really taxing on the mental health of workers.”
“The confidentiality of the role adds challenges, too: people can’t always go home and debrief with their loved ones about their day without worrying that they will let something slip. So even if they have a support network around them, they can’t always use it.”
We all know the statistics. Cybersecurity professionals are burnout, overwhelmed, and vastly under resourced/funded/staffed. We are also aware of the ever increasing skills gap and talent acquisition and retention crisis. All of these systemic problems put a strain on the industry, forcing many to feel responsible for showing up.
The impact of presenteeism isn’t good for anyone. For the individual, long-term illnesses can develop and burnout can hit pretty quickly. For organisation’s there’s often a significant productivity loss. But where does presenteeism leave an organisation’s security posture?
How Presenteeism Impacts Security Postures
Robertson continues: “A good security posture needs three elements – people, processes, and technology – and when the people factor takes a hit, so does overall security.”
Paul Baird, Chief Technical Security Officer, Qualys, adds: “From a security perspective, [presenteeism] is a significant risk because it can lead to less care being taken or more mistakes creeping into work when, at the same time, someone feels they have to work harder and harder in order to keep up. It becomes a self-fulfilling prophecy, and that increases the risk of a mistake over time.”
Evidently, when an employee is under significant stress they cannot perform at their best, which can lead to mistakes. In the realm of cybersecurity, mistakes can be costly in a number of ways, from financially to reputationally. If employees are showing up when they shouldn’t, it’s possible that they become accidental threats themselves.
But it can be hard to know when to not show up, especially with evolving threats, the cost-of-living crisis making stable jobs critical and many organisations being already short staffed. So how can organisation’s support employees who feel the need to show up when they really shouldn’t?
How can organisations stop presenteeism in the first place?
Baird suggests that embracing new technologies may be one way to ease the burden of ever-evolving threats on cybersecurity professionals: “With so many technical eyes watching and so many security alerts being generated, allowing AI and automation to take that noise away from security teams will relieve the pressure.”
According to Ciaran Luttrell, Senior Director, EMEA SOC Operations, eSentire, another way to reduce burnout and presenteeism in employees is to, as organisations, have processes in place to make employees feel like they can take time off: “To manage this kind of pressure, it is essential to let your team know that they can take time away rather than feeling they need to be there for every event – you should have backup people and processes in place to cover, and full handover processes that can ensure everyone is up to speed. Likewise, you should also have battle hardened operating procedures for managing personnel and ensuring their needs are always a priority.”
Succinctly, Luttrell says: “Avoiding presenteeism is about making it clear that security is a marathon, not a sprint.”
As with most things in the sphere of wellbeing and cybersecurity, this change must come from the top down. In a similar way to the approach to blame culture, business leaders must take a proactive stance on battling issues like presenteeism in the workplace. Cliché as it may be, prevention is, as always, better than cure.