By George Moraetes
Given today’s unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional’s role is extremely stressful and demands standards of security that are nearly impossible to deliver with 100 percent assurance.
The average security leader’s tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as an overlooked vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.
Grooming the Deputy CISO
There is no question that high turnover rates constitute grave threats to organizations. Without a security leader, companies cannot withstand the continuous onslaught of cyberattacks. In many organizations, the CISO’s main role is to keep the company out of hot water — and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the deputy CISO position should be evaluated based on their ability to navigate this complexity and juggle the CISO’s many responsibilities.
A deputy CISO must be able to:
- Develop and cross-train future leaders in the department.
- Ascertain the costs of developing future leaders.
- Execute the security strategy consistently among all associates in the department.
- Identify associates’ skills, capitalize on their strengths and improve upon weaknesses.
- Planning a CISO Succession Strategy
An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.
1. Stakeholder Engagement
The succession plan should be presented to executives and board members on an annual basis. It’s critical to engage senior leadership in this process, and to empower the deputy CISO to develop the necessary skills and experience he or she need to be successful. This succession plan must be a living document and part of the overall security program.
2. Evaluation of Internal Staff
Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company’s talent pool.
3. Simulations and Stress Tests
Like any disaster recovery strategy, business continuity testing is an integral part a CISO succession plan. A security leader’s planned vacation, for example, can be a great opportunity to test the deputy CISO’s capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO’s ability to work under pressure.
4. Elevate the Deputy CISO
It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors and coaches available to help the security team adjust. A rich feedback environment is crucial to develop the executive presence that is lacking in many candidates.
Passing the Baton
A deputy CISO must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.