April 24, 2017 By Scott Koegler

The chief information security officer (CISO) position is among the most difficult roles to fill because the pool of qualified applicants is small and the job market is highly competitive. That’s why career succession planning is important for the enterprise and its staff.

Six Keys to Successful Succession Planning

Incumbent CISOs need to devote attention to their employees and the workforce marketplace if they intend to move on or even retire. Leaving your enterprise in untested and inexperienced hands should not be your legacy.

Here are six issues to consider while you plan for an orderly succession in the CISO seat.

1. Compensation Gaps

If there is a big difference between your compensation and that of your potential replacements, it may be a sign that your staff does not include a viable candidate. Look at your staff and their responsibilities, and consider how they have progressed in their careers. Are any of them positioning themselves to move up to the next level, but have not been recognized or given opportunities?

If the compensation gap is more than 15 percent, a potential in-house replacement is unlikely to move into your position with a comparable salary, essentially downgrading the job and invalidating your succession planning.

2. Range of Roles

Have your reports had experience across a range of functions within and beyond their security-related activities? As CISO, you understand that it’s important to have a broad view of the enterprise, the industry and the various functions that make the business successful. Your replacement needs to step into your role with a complete understanding as well. You can start prepping possible successors by assigning security staff temporarily to other business units.

3. Documentation

What areas within your control are not adequately documented? HR may have some documentation on various job functions, but you are responsible for updating it with specifics about skills and competencies. In addition, make sure the processes and controls you’ve implemented — and the considerations that led to those decisions — are well documented so your replacement can understand how they evolved and does not have to start over from scratch.

4. Cross-Functional Cooperation

Does your team regularly work with other business units? In addition to formally loaning some of your staff to other units, you should encourage less formal interactions that lead to some level of personal contact with management-level staff. Your replacement should come into the job with existing relationships with their new peers.

5. Narrow Set of Choices

Is there more than one individual qualified to take your place? The cybersecurity job market is highly competitive. If you are grooming only one person to step into your role, it’s likely they will be qualified to fill someone else’s shoes as well. Prepare more than one candidate so that you have a plan B if you lose your most valuable player to another opportunity.

6. Visibility

Do your staff members get public credit for successful projects? If your name is the only one mentioned in relation to project launches, your staff will be nameless and your replacement will be seen in the same light as an outside hire. Make sure your staff members who are involved with high-profile projects are recognized for their contributions.

Bolster Your Legacy

Leaving your organization in cybersecurity shambles makes for a lousy legacy. Don’t leave your position in the hands of an unprepared apprentice. Instead, make the most of your management and mentoring skills while you’re able.
