Given the volume and complexity of security incidents, the need for a highly effective CISO is obvious and nearly universal among organizations. However, the crushing pressure of the role, combined with tempting external job offers, adds up to a system in which a CISO will either burn out after a certain length of time or pivot to a more lucrative opportunity. Faced with this reality, companies need to plan for their current CISO's inevitable departure.
Benefits of planning
Proactive CISO succession planning benefits organizations in several ways. From a financial perspective, developing talent and identifying succession candidates in advance can save on recruiting expenses, which typically run at about 25% of the position's annual salary. Further, a solid CISO succession plan significantly increases company stability, since the security program does not stall while a replacement is found.
7 best practices for CISO succession planning
While rigid plans can impede company progress, having no plan at all places an organization in a precarious position. Here is how to start CISO succession planning without creating rigid structures or unnecessary strain.
1. Start early. Experts encourage CISOs to begin succession planning within the first six months of starting a new role. After reviewing any succession plans that the previous CISO created, they should review the succession plans for other executive roles to determine which specific items the CISO plan should include.
CISOs may see themselves as indispensable, and assisting with succession planning may make them feel as though their own shelf life is shortening. However, when starting a new role, many CISOs already know how long they intend to stay and have goals for the next stages of their careers.
2. Anticipate future requirements. Security succession planning requires anticipating what the company's security will look like in the future. A succession plan should include information about existing infrastructure, planned infrastructure upgrades, and the implications of technological changes. After forecasting the future of its security programs, the organization should create structures to upskill the existing workforce, ensuring that talent can rise to future challenges.
3. Train tomorrow's leaders. Look at the strengths and weaknesses of existing senior security talent, along with personalities, professional experiences and career goals as they relate to the emerging security landscape and enterprise requirements. Determine who would be the best person to handle a crisis. Assess who might best provide long-term stability. Offer leadership and management training that will set future leaders up for success as they assume higher-level responsibilities.
4. Bring in the board. Because cyber security is of growing strategic importance, boards should insist on the development and maintenance of CISO succession plans. They should review those plans to ensure that they align with overall business requirements and account for different CISO departure scenarios.
5. Prepare for planned departures. A CISO might retire, take on a new role internally, or move to a different company, giving your organization several weeks' or months' notice. In some cases, a CISO and employer may also have an understanding that the CISO will depart once specific high-level goals are met. For example, some CISOs are hired to lead an organization through recovery from a data breach, and once those objectives are met, they move on.
When departures are planned, the organization can onboard a new CISO before the outgoing CISO has left. Adequate notice enables the incoming CISO to shadow the outgoing CISO and gain a sense of the staff, the technology, the processes and the policies, which reduces overall operational disruption.
6. Prepare for unplanned departures. CISO departures can also occur with mere hours' warning. From sudden terminations to personal crises, a CISO might depart for any of many unplanned reasons. To prepare for these events, ensure that security staff document key responsibilities and tasks. HR must maintain these files, and the CISO should review them annually.
Organizations should also cross-train cyber security staff in other roles so that each position has backup coverage. For example, if the senior security architect suddenly becomes acting CISO, other colleagues may need to help shoulder the burden and must know how to perform some tasks within the architect's typical workload.
Create a backup plan for scenarios in which a CISO's sudden departure requires a rapid rearrangement of in-house staff responsibilities. Could some security tasks be temporarily outsourced to a third-party provider?
7. Review the succession plan regularly. CISOs, CEOs, and other relevant stakeholders should review succession plans at least once per year. Organizations may need to account for a changing technological landscape, mergers and acquisitions, shifting economic conditions, and security staff performance concerns.
Passing the baton
CISO turnover is bound to occur, no matter how strong your company culture or how much budget you allot for security infrastructure development. Research shows that only about half of US organizations have selected a CISO successor. In the EMEA region, only about a third of organizations have completed CISO succession planning.