CISO Succession Planning Takes Preparation

April 24, 2017
| |
2 min read

The chief information security officer (CISO) position is among the most difficult roles to fill because the pool of qualified applicants is small and the job market is highly competitive. That’s why career succession planning is important for the enterprise and its staff.

Six Keys to Successful Succession Planning

Incumbent CISOs need to devote attention to their employees and the workforce marketplace if they intend to move on or even retire. Leaving your enterprise in untested and inexperienced hands should not be your legacy.

Here are six issues to consider while you plan for an orderly succession in the CISO seat.

1. Compensation Gaps

If there is a big difference between your compensation and that of your potential replacements, it may be a sign that your staff does not include a viable candidate. Look at your staff and their responsibilities, and consider how they have progressed in their careers. Are any of them positioning themselves to move up to the next level, but have not been recognized or given opportunities?

If the compensation gap is more than 15 percent, a potential in-house replacement is unlikely to move into your position with a comparable salary, essentially downgrading the job and invalidating your succession planning.

2. Range of Roles

Have your reports had experience across a range of functions within and beyond their security-related activities? As CISO, you understand that it’s important to have a broad view of the enterprise, the industry and the various functions that make the business successful. Your replacement needs to step into your role with a complete understanding as well. You can start prepping possible successors by assigning security staff temporarily to other business units.

3. Documentation

What areas within your control are not adequately documented? HR may have some documentation on various job functions, but you are responsible for updating them with specifics about skills and competencies. In addition, make sure the processes and controls you’ve implemented — and the considerations that lead to those decisions — are well documented so your replacement can understand the progressions and not have to start over from scratch.

4. Cross-Functional Cooperation

Does your team regularly work with other business units? In addition to formally loaning some of your staff to other units, you should encourage less formal interactions that lead to some level of personal contact with management-level staff. Your replacement should come into the job with existing relationships with their new peers.

5. Narrow Set of Choices

Is there more than one individual qualified to take your place? The cybersecurity job market is highly competitive. If you are grooming only one person to step into your role, it’s likely they will be qualified to fill someone else’s shoes as well. Prepare more than one candidate so that you have a plan B if you lose your most valuable player to another opportunity.

6. Visibility

Do your staff members get public credit for successful projects? If your name is the only one mentioned in relation to project launches, your staff will be nameless and your replacement will be seen in the same light as an outside hire. Make sure your staff members who are involved with high-profile projects are recognized for their contributions.

Bolster Your Legacy

Leaving your organization in cybersecurity shambles makes for a lousy legacy. Don’t leave your position in the hands of an unprepared apprentice. Instead, make the most of your management and mentoring skills while you’re able.

Scott Koegler
Freelance Writer and Former CIO

Scott Koegler practiced IT as a CIO for 15 years. He also has more than 20 years experience as a technology journalist covering topics ranging from software ...
read more