metamorworks - stock.adobe.com
With the frequency and severity of security incidents continuing to escalate across all areas of business, the need for a great chief information security officer is universal among enterprises. But the enormous pressure of this role, combined with overwhelming demand for qualified candidates, creates a high probability a CISO will either burn out or leave for a more lucrative opportunity at another organization sooner rather than later. With this in mind, it is essential companies plan for their existing CISOs' inevitable departures.
The good news is proactive CISO succession planning has many possible benefits, including the following:
Failing to plan is planning to fail. That means all CISOs, in every type of organization and environment, should help strategically prepare employers for their eventual departures and replacements.
As a CISO, neglecting succession planning and treating oneself as indispensable may seem like a recipe for job security, but it's a recipe for professional stagnation, at best. Given the stress implicit in the position, the top cybersecurity role typically has a shelf life. From early in their tenures, smart CISOs, therefore, have ideas of the following:
CEOs, board members and other executive stakeholders should also ensure measures are in place to create a relatively smooth CISO succession, if and when one becomes necessary. Consider these seven best practices.
Ideally, CISOs should initiate succession planning within the first six months of acquiring a new role, beginning with a review of any succession plan the previous CISO established. Next, they should review any succession plans that exist for other executive roles to help identify organization-specific items the security program's plan should include.
Security, like technology, is constantly evolving. CISO succession planning requires anticipating what the security environment will look like in the future and preparing accordingly. While no one can predict exactly what will occur tomorrow, it is possible to make an informed assessment of what security issues are likely to arise or linger based on the following:
For example, since the COVID-19 pandemic started, enterprises have seen an increase in remote work, SaaS and cloud computing. CISOs should, therefore, ask themselves the following:
After forecasting future security requirements, develop a training program to ensure staff members have the skills necessary to rise to tomorrow's challenges.
Assess strengths and weaknesses of existing senior security talent, as well as their personalities, professional experiences and career goals, within the context of the anticipated security landscape and enterprise needs. Consider who would best handle an initial crisis, for example, and who might effectively provide long-term stability. Incorporate leadership and management training that will position these future leaders to confidently assume new responsibilities as necessary.
These up-and-coming security leaders likely have their own thoughts about emerging trends and threats, so actively include them in future-proofing discussions. Incorporate their ideas into training and planning to give them a sense of ownership in the process, which increases the likelihood of succession success.
Because the top cybersecurity job is of increasing strategic importance to most companies, boards should require the development and maintenance of CISO succession plans. They should also review and approve those plans to ensure they do the following:
Planned departures include retirements and lateral, internal moves, such as from CISO to chief risk officer. In certain cases, CISOs may also have understandings with their employers that they will leave to pursue external opportunities once they have met specific high-level goals. Some security leaders, for example, specialize in guiding organizations through data breach recovery and then move on once they have succeeded.
With significant notice -- at least three months -- companies may have the luxury of onboarding a new CISO before the outgoing one has left. This could mean promoting a current employee or bringing in an outside hire. With enough notice, an incoming CISO can shadow the outgoing CISO to learn about existing staff, policies and processes, resulting in minimal operational and cultural disruptions.
Unfortunately, CISO departures can also happen with little warning. Illness, death, sudden terminations and resignations, personal crises, imprisonment and major security events can all send an organization into upheaval at a moment's notice.
To prepare for such unforeseen events, ensure every security role has documentation describing its key responsibilities and tasks. HR should maintain these files, and the CISO should review them annually in case replacement personnel need to refer to them as training guides.
Security staff members will ideally also have cross-training in other roles, which is especially important for backing up single-person positions. If a senior security architect must suddenly become acting CISO, for example, other colleagues may need to shoulder some of the architect's typical workload.
Consider making a backup plan in case a sudden CISO departure requires in-house staff to pinch-hit, leaving them unavailable to handle their usual responsibilities. This might mean outsourcing some security tasks to third-party providers or identifying staffing companies with expertise in sourcing temporary or permanent talent with key skills.
CISOs, CEOs, boards and other relevant executive stakeholders should revisit succession plans at least annually. The following are among the major changes within an enterprise that should trigger a review:
One thing is certain: Change will happen. Organizations that take active measures to shape the future, rather than just reacting to it, will be in a better position to succeed. CISO succession planning can help companies make sure they are prepared for the inevitable, when it occurs.
With its rebranded Explore conference, VMware made it clear its focus is on supporting customers' multi-cloud and edge computing ...
Steps in DNS server troubleshooting include checking the DNS status, looking at zone configurations and evaluating logs. Follow ...
'Emerging Green Technologies' details how technology is a flexible tool organizations can use to make business operations more ...
Numerous organizations wrote to the Federal Trade Commission Friday, raising data privacy and competition concerns about Amazon's...
High-profile lawsuits and the potential for new FTC data privacy rules should be a warning to businesses to ensure that internal ...
The Inflation Reduction Act increases incentives for clean energy, but there is concern that it doesn't address existing ...
A factory reset may be necessary when a device has performance issues or is set to go to a new user. IT can execute this process ...
Businesses have delayed and reduced their desktop and laptop orders from HP and Dell, executives reported. The PC market has ...
The shift to Chromium has improved several aspects of Microsoft's Edge browser -- from privacy settings to reliability.
AWS Glue and Azure Data Factory have key differences despite being similar services. Learn which best suits your organization's ...
Multi-cloud and cloud-native strategies emerged as major themes at VMware Explore 2022. Explore key announcements from the ...
AWS WAF focuses on Layer 7 protection, while Shield protects against DDoS attacks. Firewall Manager manages the protection. Learn...
East Sussex-based altnet spreads its wings across coastal regions of southern England with fibre offer into two neighbouring ...
Study from customer experience technology provider shows lack of transparency is cited as the most consistent quality failure of ...
After heading home and discovering that his country had been invaded, Konstantin Klyagin was forced to make life-changing family ...
All Rights Reserved, Copyright 2000 - 2022, TechTarget Privacy Policy Cookie Preferences Do Not Sell My Personal Info