July 6, 2017 By George Moraetes 3 min read

Given today’s unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional’s role is extremely stressful and demands standards of security that are nearly impossible to deliver with 100 percent assurance.

The average security leader’s tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as an overlooked vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.

Grooming the Deputy CISO

There is no question that high turnover rates constitute grave threats to organizations. Without a security leader, companies cannot withstand the continuous onslaught of cyberattacks. In many organizations, the CISO’s main role is to keep the company out of hot water — and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the deputy CISO position should be evaluated based on their ability to navigate this complexity and juggle the CISO’s many responsibilities.

A deputy CISO must be able to:

  • Develop and cross-train future leaders in the department.
  • Ascertain the costs of developing future leaders.
  • Execute the security strategy consistently among all associates in the department.
  • Identify associates’ skills, capitalize on their strengths and improve upon weaknesses.

Planning a CISO Succession Strategy

An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.

1. Stakeholder Engagement

The succession plan should be presented to executives and board members on an annual basis. It’s critical to engage senior leadership in this process, and to empower the deputy CISO to develop the necessary skills and experience he or she need to be successful. This succession plan must be a living document and part of the overall security program.

2. Evaluation of Internal Staff

Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company’s talent pool.

3. Simulations and Stress Tests

Like any disaster recovery strategy, business continuity testing is an integral part a CISO succession plan. A security leader’s planned vacation, for example, can be a great opportunity to test the deputy CISO’s capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO’s ability to work under pressure.

4. Elevate the Deputy CISO

It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors and coaches available to help the security team adjust. A rich feedback environment is crucial to develop the executive presence that is lacking in many candidates.

Passing the Baton

A deputy CISO must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today