Planning for expected and unexpected security leadership transitions is essential to maintaining a comprehensive infosec program. This piece explains the importance of good succession planning and documentation to help ensure the program remains effective, even in the face of unexpected leadership turnover.
How to Address InfoSec Turnover
With the current global shortfall of cybersecurity workers hitting 3.4 million, according to ISC2, all organizations today struggle to hire and retain cybersecurity talent. With so many open positions, it’s no wonder many cybersecurity professionals decide to leave their current position in search of new challenges and/or better working environments. Primary issues that factor into a decision to stay or leave include compensation, working hours and job satisfaction.
From the employer’s perspective, it is absolutely vital to ensure employees feel like they belong and are supported so necessary work can get done and extra effort is acknowledged and rewarded. After all, cybersecurity is a significant business enabler and good people are a critical ingredient for success.
However, even the best organizations have turnover. The key is to plan for inevitable turnover in advance and address it effectively as it happens.
Tips to Reassess the Security Organization
Departures of key employees should be seen as opportunities to reassess the health of the organization (are most team members happy and motivated?) and how effective its talent strategies are. If you haven’t done so yet, consider taking some time to evaluate why the security leader left so you understand their reasoning: was the security leader facing roadblocks within the organization, or was the departure motivated by less organization-specific reasons, such as better salary or location?
- Security leaders tend to stay if they feel they are adequately supported and valued, and the organization itself is fair and transparent. They also need to have a clear understanding of their roles and responsibilities and have the ability to escalate matters when issues crop up.
- While significant security incidents are unavoidable, it is essential for security leaders to have adequate resources, both internally and externally. All too often, too much pressure is placed on security leaders to work around the clock in the aftermath of a cybersecurity incident. But this can lead to burnout and cause the leader to consider leaving for better opportunities.
- Adequate security team staffing, market rate compensation, clout and reasonable workloads all combine to ensure a cybersecurity leader remains effective and satisfied—while organizations with the opposite factors in place often experience abrupt departures. It’s important to honestly evaluate these issues so you can address them before a new leader is hired.
Build a Security Team Succession Plan
The most important way to ensure a smooth transition is to have a strong succession plan in place within the security team. This is something the team can work on while the search for a new security leader continues. You must not only work to hire the right talent to fill the vacant security leader position, but also ensure you can place someone in a deputy role who can step in at times of need.
You’ve already seen what happens when a security leader leaves unexpectedly, but having a good succession plan is also critical to ensuring the team keeps running smoothly should the security leader become unavailable for any other reason (e.g., ill health).
It’s usually best to choose an internal candidate for the deputy role because such individuals are familiar with how the organization works, likely have developed key partnerships with other departments and can ensure the program continues to run smoothly while the search for a new leader is conducted. The deputy should not be considered as a full-on replacement for the security leader but should be able to act as an emergency backup in times of need.
Document Security Leadership Strategy
Finally, the best security leaders—and those most likely to remain and thrive in the position—are closely aligned with the strategic and tactical priorities of the organization, as well as its mission and vision. You already have a strategic plan in place for the year ahead, and the deputy can help ensure the team continues to execute on that plan during the search for a new leader. But once hired, you should also ensure the new security leader produces a written plan, informed by the strategic and tactical goals of the organization. This plan will likely align with the current plan because it should set forth the primary goals and objectives in light of how the team will further the organization’s strategic and tactical priorities. In other words, the security leader’s plan should enable the team to fulfill the priorities of the organization.
If the security team has any questions or concerns during this transition, the security leader’s supervisor, executive leadership and/or the board of directors should feel free to engage in a dialogue to make sure there is optimal alignment between what the security leader’s plans are and what needs to be achieved strategically and tactically.
Tips to Ensure a Smooth Security Transition
The key to ensuring a successful transition to a new security leader is good planning. To ensure your transition to a new security leader is as smooth as possible:
- Assess what happened: Determine what sparked the previous security leader’s departure and ensure any issues are addressed before bringing in a new hire.
- Build a strong succession plan: Very few organizations are prepared to address sudden departures. While departures from the organization are never desirable, organizations must be prepared for this contingency. Ensure someone is designated and ready to take on the deputy role.
- Document the team strategy: Ensure that even as security leaders come and go, the strategy and objectives of the team overall remain clear and actionable. Having each leader not only document the team’s goals and objectives, but also base those goals and objectives on the strategy of the business as a whole ensures the team will keep executing and supporting the business.
- Beware of burnout: If anything seems amiss, listen to the security leader and work to fix what is broken. Retention is easier than replacement.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.