
Company leadership vacancy in cybersecurity: lack of preparedness and strategies for improvement

Cybersecurity succession should no longer be delayed until a leader departs; organizations should proactively identify promising candidates from their cyber team, nurture their development, and invest resources accordingly.

Security leadership transition dilemma: why businesses lack succession strategies and steps to rectify the situation


In many organizations, the absence of a clear succession plan for the Chief Information Security Officer (CISO) leaves the business exposed when leadership changes. According to Maggie Myers, a managing executive search consultant at Korn Ferry, this is the norm rather than the exception: most companies have no formal CISO succession plan.

The CISO role is often placed under different executives from one organization to the next, which limits its strategic visibility and influence. This structural barrier keeps mid-level security leaders from gaining the experience needed to move into a CISO role: their scope of responsibility is narrow and they rarely engage with the board.

The challenge for mid-level security professionals becoming CISOs is not only about shifting from hands-on security work but also about acting as strategic business partners. The CISO role requires a broader perspective that includes understanding how cybersecurity fits with information technology, compliance, customer relationships, vendor management, and other stakeholders throughout the company.

Marty Barrack, CISO and chief legal and compliance officer at XiFin, transitioned into the CISO role organically after starting as general counsel in 2018, with no prior succession planning at his company. Similarly, Chris Holden, senior vice president and CISO at Crum & Forster, stepped into his role after the previous CISO departed, with no formal succession plan in place.

However, building and training future CISOs is crucial for organizations. It saves money, reduces risk, and ensures stability and continuity in security leadership. A supportive learning environment is important for fostering growth and taking risks with potential successors.

Rotational programs are effective in developing successors by allowing them to gain experience in different parts of the business. These programs provide a comprehensive understanding of the organization's operations, which is essential for a CISO.

Effective succession planning begins the moment a new CISO takes the role, with the creation of a deputy CISO position that has cross-functional oversight and access to the leadership team and, when necessary, the board. This deputy CISO can then be prepared to take over the role when the current CISO leaves.

The IANS Research and Artico Search report shows that CISO turnover has dropped from 21% in 2022 to an annualized 11% in the first half of 2024. This decrease may indicate that more organizations are recognizing the importance of succession planning and are taking steps to address this issue.

Barrack discovered that a lawyer's view of risk was not the right perspective for the CISO role. To address this gap, he pursued the Certified in Risk and Information Systems Control certification from ISACA. This certification provided Barrack with the necessary skills to manage risks from a cybersecurity perspective.

In conclusion, the CISO role is primarily about risk management: prioritizing threats and communicating risk effectively across the organization. Companies can't wait until their CISO leaves to think about succession planning, because cyber threats are constantly evolving and security leadership is becoming more important. A proactive approach to succession planning is essential for the long-term security and success of any organization.
