Are you prepared for your CISO’s resignation?

   Normal  0      false  false  false   EN-US  ZH-CN  AR-SA                                                                                                                                                                                                                                                                                                                                                                                                                                              /* Style Definitions */table.MsoNormalTable{mso-style-name:"Table Normal";mso-tstyle-rowband-size:0;mso-tstyle-colband-size:0;mso-style-noshow:yes;mso-style-priority:99;mso-style-parent:"";mso-padding-alt:0cm 5.4pt 0cm 5.4pt;mso-para-margin:0cm;mso-para-margin-bottom:.0001pt;mso-pagination:widow-orphan;font-size:12.0pt;font-family:Calibri;mso-ascii-font-family:Calibri;mso-ascii-theme-font:minor-latin;mso-hansi-font-family:Calibri;mso-hansi-theme-font:minor-latin;}

When you receive a staff member’s resignation, even if you’re happy to see that person grow, 99% of the time it’s not ideal news.  When it comes to cyber security leaders resigning, it can be a little more devastating than usual.   Experienced cyber security professionals and leaders are in high demand resulting in organisations battling it out to engage with and secure talent.  As many as 61 percent of CSOs/CISOs/VP-level/heads-of candidates (“CISO’s”) are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week*.

The key to surviving a leader’s resignation is to plan for it – in a positive way. The reality is that not only will leaders be enticed to leave, the industry needs them to. With many organisations coming to the realisation that they need a senior security leader, we need CISO’s to share the love (and their skills and experience) by taking on newly created roles. 

In many businesses, the CISO is the only dedicated security employee you have.  Yes, there are those in IT securing the network or others addressing enterprise risk but often the CISO is the only one tasked with executing the information and cyber security strategy.  They are also beating the awareness drum across the whole organisation from induction sessions to briefing the board.  They are across the latest industry concerns, bugs, viruses and breaches – as well as understanding how others are combatting this. And they are leading the organisation in addressing regulatory requirements.  Without a CISO, an organisations security progress may not only stop but regress. Without someone focussed on cyber, the risk to the organisation increases.

Resolving the immediate risk could be achieved via a succession plan, which can take many forms.  Firstly, you can budget for and support the recruitment of a security team and nurture skills to step in and lead if required.  This would set you in good stead to not miss a beat after a resignation and provides promotion-ready direct reports with a pathway. Alternatively, if you don’t have the budget for a team, you can still plan for a successor. This may be someone from within your organisation who can hold the fort and continue the security strategy while you hire.  Finally, you could seek the support of a trusted third party consultant to act in the role (CISOaaS/interim CISO) who can be immediately effective in addressing the needs of the business.

These are just three options to consider when addressing the exit of your CISO to ensure you’re prepared. Make sure you know which one of these (or any other option you consider workable) you would employ as you never know when you might need to activate your succession plan. Does your organisation have a strategy to minimize risk and disruption to your business when a replacement CISO must be found?

*http://www.esg-global.com/esg-issa-research-report-2017