Passing the Security Baton: CISO Succession Planning

Information security is now recognized as a vital business function and risk that must be managed proactively. The CISO role has risen in prominence to take on that responsibility at the C-suite level. But finding the right leader for that role just once isn’t the finish line.

The average tenure of a CISO is relatively short compared to other executive leaders. CISOs remain in their roles for an average of 18 months, according to The Enterprisers Project. Gartner predicts that nearly half of cybersecurity leaders will be moving onto to new positions by 2025.

Why are CISOs moving on so quickly? The answer, of course, varies depending on the individual and the organization, but challenges like limited budgets, constant threats, successful cyberattacks and evolving regulations create a lot of pressure.

“CISO burnout rate is high, and they're leaving at a frequent pace. And new regulations are going to accelerate that as more come down, more demands and more exposure comes down to the CISO,” Jay Pasteris, CIO and CISO of Blue Mantis, a digital technology services provider, tells InformationWeek.

If a CISO feels burnt out or unsupported in a role, he or she has the ability to look elsewhere. “CISO talent is in such high demand, and there's just so many opportunities in the marketplace. I think…that creates a different type of market where we see a lot of movement,” says Alyse Egol, principal, technology officers practice at management consulting company Korn Ferry.

Related:CISO Role Undergoes Evolution as Jobs Grow More Complex

What can organizations do to prepare their organizations for the potential departure of their CISOs? While hopefully less cutthroat and Machiavellian than HBO’s take in the show by the same name, the answer is planning for succession.  

When to Start Succession Planning

Succession planning is important for all C-suite roles, but for many organizations, it may be a new task. “It's still not done all that frequently, even at the very largest organizations,” says Anthony Nyberg, director of the Center for Executive Succession at the Darla Moore School of Business at the University of South Carolina.

While it is typical for C-suite officers to give longer notice before leaving, that isn’t always the case. “A couple of months ago, I worked [with] one of our clients. Their CISO was transitioning … and that individual was leaving in a couple of days,” says Lee Buttke, managing director and CISO of cybersecurity platform AgileBlue.

Starting on a succession plan as early as possible gives organizations more runway to prepared for the eventual departure of the CISO and identify potential successors. “I … believe that new CISOs that come into the role shouldn't wait a year to do this,” says Glenn de Gruy, senior partner with executive search firm Kingsley Gate. “They've got to start the succession planning ... I think within three to six months of taking on their new role.”

Related:6 Pain Points for CISOs and CIOs and What to Do About Them

With a plan in place, organizations can minimize the disruption that inevitably accompanies the departure of an executive leader. “If a CISO decides to leave or something happens to the CISO and you find yourself with the void, you have a strong transition plan in place that you can execute on,” explains Pasteris.

Who Is Involved in Succession Planning

The current CISO does have an important role to play in finding their successor, but they are not the only stakeholder. Who those stakeholders are can vary depending on the structure of an organization. For example, the CIO may have a say in enterprises in which the CISO reports up to that role. The CEO and the board are going to shape the goals of the organization and have a say in how any executive leader, including the CISO, can support those goals. Human resources leaders, such as a chief people officer, are also commonly involved in talent discussions.

Related:SolarWinds, CISO Targeted in SEC Lawsuit

De Gruy recommends that leadership raise the topic of succession planning during the interview process with potential CISOs. “Bring this topic up within the interview process and you get a better understanding from the candidate,” he says. “How open-minded are they to embrace this from very early in the process?”

As time goes on, continuing to foster a strong relationship between the CISO, other C-suite leaders and the board can make succession planning easier.

“Building those types of trust- and confidence-based relations, mature relationships with the other ELT [executive leadership team] members as well as having access to the board of directors … will help the process be more efficient and be more productive along the way,” says de Gruy.

How to Find a Successor

CISOs ideally have a blend of technical and business skills. Cybersecurity is a technical field, and CISOs are responsible for translating that technical information for the rest of the C-suite and the board. “They really need to understand how the business works, and they really need to understand what the exposure means from a business and financial perspective,” says Pasteris.

Organizations have two choices when they seek to find someone who can fill the CISO’s shoes. They can identify and develop internal talent, or they can look for external candidates.

Nyberg points out that there is rarely the perfect person just waiting in the wings to take over the role. But the succession planning team can identify promising candidates and focus on preparing them. “Start giving them training opportunities. Do they need greater experience managing people? Do they need some kind of international experience?” he says.

Egol points out that some organizations forget to invest in the leadership levels one or two steps below the CISO role, like deputy CISOs or directors. Organizations can develop clear career paths for people in more junior roles as a part of CISO succession planning. “You're also creating a higher level of loyalty by developing your own homegrown talent within a security program,” says Egol.

If an organization cannot identify anyone internally, it is time to consider how an external search will be executed. “We probably also want to be looking in the external market … who would be potential candidates that we could bring into the organization,” Nyberg adds. “The earlier we bring them in the more likely they are to fit with our … organizational culture.”

What Does the Transition Look Like

Two- to three-month notice can help organizations make a smoother transition between CISOs, but not all enterprises get that much time. But working with even a smaller amount of overlap can still be valuable.

“If you can, [have] either a virtual CISO in place to work with the existing CISO as part of the transition or, if you're going to hire another CISO, ideally, there can be a little overlap,” says Buttke.

During that time period, the departing CISOs can work closely with their successors to prepare them for the responsibilities of the role. For security leaders new to the C-suite, dealing with the board and finding themselves in a position where they shoulder the primary responsibility for making security decisions can be jarring.

“There's a certain loneliness there, but what the organization can do … is [give] that potential successor a lot more access to things like the board and helping them really see what's going on before they're actually in that role,” Nyberg explains.

Challenges Standing in the Way of Succession Planning

Even the best laid succession plans are not guaranteed to go off without a hitch. The demand for CISO talent and pressures inherent to the role can lead to the departure of not only CISOs but also the internal talent selected to replace them.

“Just [be] mindful of the timeline [for] the current CISO, as well as who's in line for succession and how that works in the realities of the market,” Egol cautions.

The relatively short tenure of CISOs and the rapidly evolving security landscape means that succession planning cannot be static. Leadership teams need to regularly evaluate their talent pool and their plan to keeping the CISO position filled. What kind of compensation package is going to be attractive in a market that is hungry for CISO talent? Does the enterprise have the kind of culture that prioritizes and supports cybersecurity?

Transparency is an important part of that culture, and it can give can give enterprise leadership a leg up when it comes to succession planning.

Pasteris reports to the CEO at Blue Mantis, and he has a good relationship with the company’s board. “It allows you to have this open dialogue where if I'm thinking of leaving and moving on to another opportunity or they're thinking of going in a different direction, we can have that conversation in an honest way,” he explains. “That is allows both parties to be successful. That way you can build a longer ramp to bringing somebody into the organization and getting them up to speed.”