What to Expect When You are Expecting… Your CISO to Leave

Coalfire Cybersecurity Team

May 4, 2020
The situation

“The CISO is leaving the company. What are the next steps?”

No executive likes to hear that a key member of the business is leaving the organization. Turnover among key business leaders isn’t unusual, but as a factual matter, CISO average tenure is relatively short – approximately 24 to 48 months.

Several reasons exist for this turnover rate. There is a shortage of cybersecurity talent to fill necessary cybersecurity roles around the globe, which in turn drives higher compensation and opportunities for cybersecurity professionals. Many executive leaders are coming to understand that CISOs face an inordinate amount of stress in their role, leading to frequent burnout and increased turnover. Perhaps there are also organizational reasons for the CISO’s departure, such as lack of support for cybersecurity initiatives, or the feeling that the CISO is unable to affect positive change and reduce risk at the organization.

The nature of change in technology and in the cybersecurity landscape makes it critical to avoid “potholes” during transition periods, and to select the right individual to run a cybersecurity team with the goal of reducing risk while aligning with the business needs of the organization.

Engaged planning before the turnover

The time to manage risk related to CISO turnover is well before a departure occurs.

To use a sports analogy, every general manager or athletic director maintains a “short list” of potential candidates for key roles, such as “head coach,” “scouting leader,” or “director of recruiting.” These confidential lists are regularly maintained and updated for the purpose of pre-identifying individuals who would be a good fit for the role and the culture of the organization. One general manager continually kept himself apprised of his options by keeping a list of 10 to 15 names for each key leadership role, divided into categories like “aspirational target,” “realistic target,” and “non-aspirational/caretaker.”

Leaders should consider managing and maintaining a similar kind of list that identifies potential individuals for the CISO role. The list should be actively managed as part of the professional networking process. When meeting with contemporaries and others, discreetly gather names, develop relationships, and research their leadership skills, CISO experience, and whether they might be good fits within the organization.

Managing the turnover challenge

The three-part key to a successful CISO transition is to:

  1. Engage in a thoughtful and measured response that assesses the organization’s cybersecurity business needs.
  2. Develop a clear understanding of the current and future risk and threat profile.
  3. Perform a forthright evaluation of the reasons for the CISO turnover.

Cybersecurity threats impacting an organization don’t care that its CISO is departing. The threats won’t magically remediate themselves or disappear, nor will they stop impacting and creating risk. There will always be risks to manage, and a team that needs leadership and guidance in order to maintain focus during a transition period.

For several reasons, the cybersecurity team should be notified as soon as possible and engaged frequently during any transition period. First, like any other key organization role, CISOs often develop a “luminary” type of aura, with the result being a core group of dedicated followers who could depart with the CISO. If the CISO came with a team when they joined the organization, there may be some proactive steps needed to identify, respond to, and mitigate the potential for additional department turnover.

Second, the process of obtaining an understanding of a cybersecurity department, its work objectives, key projects, and the core activities will provide an effective channel to engage with team leaders. It will also provide useful information to guide the search for the right CISO.

Avoiding the “next man up” trap

Many executive leaders who evaluate personnel on their cybersecurity team are biased in their belief that the right person for the CISO role is someone already on the team.

Unless an individual was previously identified and groomed for the role as part of a planned CISO succession process, the leader must exercise caution against automatically sliding someone directly into the CISO role. There are specific reasons why the previous CISO left, and chances are that the CISO filled the other positions with personnel of similar cultural and technical skill sets and capabilities.

If there is an individual on the team who might fill the CISO role, the position should still be made competitive. By identifying and defining the needs of the CISO role now and in the future, and by spending time with the team and other cybersecurity experts, the potential for a failed CISO hire might be avoided. A careful selection process will ensure that the right person will fill the role – whether that person is internal or external to the organization.

Capitalizing on the opportunity

At Coalfire, our experience shows that the best-managed cybersecurity organizations have a core focus on aligning with the organization to reduce risk, increase revenue, and decrease costs.

Meeting with the executive leadership team and other key individuals in the business to understand their needs is crucial to the success of any future CISO. Step down a level within the organization and reach out to key leaders in procurement, compliance, privacy, finance, legal, product development, systems development, back office, and sales to identify potential operational or cultural gaps that exist as the search intensifies for a leader who can best align cybersecurity to the needs of the business.

Another option is to engage a virtual CISO (vCISO) on an interim or contract basis to help oversee day-to-day cybersecurity operations and help gather information, define needs, and clarify the CISO role for the future. Utilizing interim leadership is not uncommon in other roles, such as interim CFOs, CEOs, etc., and an organization should consider doing so for the CISO role. A concerted and thoughtful effort to obtain this information, together with a trusted individual on your team who can effectively translate what the organization needs, will pay dividends in the future.