April 24, 2017 By Scott Koegler 2 min read

The chief information security officer (CISO) position is among the most difficult roles to fill because the pool of qualified applicants is small and the job market is highly competitive. That’s why career succession planning is important for the enterprise and its staff.

Six Keys to Successful Succession Planning

Incumbent CISOs need to devote attention to their employees and the workforce marketplace if they intend to move on or even retire. Leaving your enterprise in untested and inexperienced hands should not be your legacy.

Here are six issues to consider while you plan for an orderly succession in the CISO seat.

1. Compensation Gaps

If there is a big difference between your compensation and that of your potential replacements, it may be a sign that your staff does not include a viable candidate. Look at your staff and their responsibilities, and consider how they have progressed in their careers. Are any of them positioning themselves to move up to the next level without having been recognized or given opportunities?

If the compensation gap is more than 15 percent, a potential in-house replacement is unlikely to move into your position with a comparable salary, essentially downgrading the job and invalidating your succession planning.

2. Range of Roles

Have your reports had experience across a range of functions within and beyond their security-related activities? As CISO, you understand that it’s important to have a broad view of the enterprise, the industry and the various functions that make the business successful. Your replacement needs to step into your role with a complete understanding as well. You can start prepping possible successors by assigning security staff temporarily to other business units.

3. Documentation

What areas within your control are not adequately documented? HR may have some documentation on various job functions, but you are responsible for updating it with specifics about skills and competencies. In addition, make sure the processes and controls you’ve implemented, and the considerations that led to those decisions, are well documented so your replacement can understand the progressions and not have to start over from scratch.

4. Cross-Functional Cooperation

Does your team regularly work with other business units? In addition to formally loaning some of your staff to other units, you should encourage less formal interactions that lead to some level of personal contact with management-level staff. Your replacement should come into the job with existing relationships with their new peers.

5. Narrow Set of Choices

Is there more than one individual qualified to take your place? The cybersecurity job market is highly competitive. If you are grooming only one person to step into your role, it’s likely they will be qualified to fill someone else’s shoes as well. Prepare more than one candidate so that you have a plan B if you lose your most valuable player to another opportunity.

6. Visibility

Do your staff members get public credit for successful projects? If your name is the only one mentioned in relation to project launches, your staff will be nameless and your replacement will be seen in the same light as an outside hire. Make sure your staff members who are involved with high-profile projects are recognized for their contributions.

Bolster Your Legacy

Leaving your organization in cybersecurity shambles makes for a lousy legacy. Don’t leave your position in the hands of an unprepared apprentice. Instead, make the most of your management and mentoring skills while you’re able.
