Articles

Succession Planning: The Importance of a CISO Deputy

By July 7, 2017 No Comments

By George Moraetes

Given today's unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional's role is extremely stressful and demands standards of security that are almost impossible to deliver with 100 percent assurance.

The average security leader's tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as a neglected vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.

Grooming the Deputy CISO

There is no question that high turnover rates constitute serious threats to organizations. Without a security leader, companies cannot withstand the continuing onslaught of cyberattacks. In many organizations, the CISO's main role is to keep the company out of hot water - and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the CISO deputy position should be evaluated based on their ability to navigate this complexity and juggle the CISO's many responsibilities.

The CISO deputy must be able to:

  • Develop and cross-train future leaders in the department.
  • Ascertain the costs of developing future leaders.
  • Perform the security strategy consistently among all associates in the department.
  • Identify associates' skills, capitalize on their strengths and improve upon weaknesses.
  • Planning a CISO Succession Strategy

An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.

1. Stakeholder Engagement

The succession plan should be presented to executives and board members on an annual basis. It's critical to engage senior leadership in this process, and to empower the deputy CISO to develop the necessary skills and experience he or she needs to be successful. This succession plan must be a living document and part of the overall security program.

2. Evaluation of Internal Staff

Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company's talent pool.

3. Simulations and Stress Tests

Like any disaster recovery strategy, business continuity testing is an integral part of CISO succession plan. A security leader's planned vacation, for example, can be a great opportunity to test the deputy CISO's capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO's ability to work under pressure.

4. Elevate the Deputy CISO

It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors and coaches available to help the security team adjust. A rich feedback environment is crucial for developing the executive presence that is lacking in many candidates.

Passing the Baton

A CISO deputy must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.

Leave a Reply