Building Sustainable CISO Succession Paths

The CISO role is rapidly evolving as organizations put more responsibility on the plates of their security and risk executives, particularly within large enterprises. In spite of that, a new survey report from security consulting firm Kudelski Security indicates that there is still "no well defined path to becoming a CISO or other senior security leader." The study shows that many organizations are still shooting from the hip when it comes to security succession planning, recruiting security specialists, and grooming senior security leaders with the skills and traits increasingly required by the business to run enterprise-class cybersecurity programs.

This is a serious strain on security continuity due to the short-lived tenure of the modern CISO, which tends to be only about two to four years long. According to the report, this compressed schedule essentially means that recruitment or succession planning should start pretty much as soon as the incumbent CISO warms up their seat and defines the organization's security strategy. However, that's not what's happening at most organizations. The report shows that only about half of US organizations have selected a CISO successor, and in EMEA just a little over a third of organizations can say the same.

Finding solid future CISO candidates, training them, and exposing them to upper-level management all takes coordinated effort and intention on the part of the existing CISO. Though mentoring is certainly a crucial component of this, CISO succession planning is more than that.

"While our research showed that the majority of security leaders are offered leadership training, coaching, and mentoring by their CISO, this needs to align to objectives around succession planning," the report explains.

The report lays out a number of excellent tips for planning for executive continuity in the CISO office, including the following five highlights.

Grooming CISO Lieutenants

A solid security team needs empowered lieutenants operating under the CISO to operate efficiently, anyway. These junior executives are also obvious candidates for grooming for the top posts. In order to elevate the junior positions simply from being a lackey to actual corner-office material, the CISO must be prepared to give them autonomy and guided exposure to the board and lines of business to start building the relationships within the business that are so important to a CISO role.

"Modern CISOs are working in an increasingly political environment and must have the skills to navigate this domain," the report explains. "It takes time to develop these skills, so the importance of experience should not be underestimated."

Emphasize Skills That Matter Most

According to the report's survey, the modern CISO role's most important responsibilities are as business leader and evangelist before all else. This means the skills that matter most for CISO candidates have less to do with technical acumen—thought tech knowledge is still definitely on the top ten list—and more to do with communication and knowledge of the business.

The survey found the following the top six skills to be the most highly regarded among CISOs (with survey percentages in parenthesis), which should be thoughtfully instilled among succession candidates:

• Communication skills (82%)
• Business acumen (62%)
• Cyber risk management (56%)
• Relationship management (55%)
• Calmness and clarity of thought under pressure (55%)
• Hands-on security technologies (52%)

Clearly, the emphasis should far and away be on helping drive improvement in communication with both internal and external stakeholders.

Encourage Role Rotation

Typically, CISO lieutenants tend to oversee one or more of the key security pillars within a security department, which usually encompass four areas: security architecture and engineering, security operations, cyber resilience, and regulatory and compliance. Grooming strong succession candidates should involve some level of role rotation, so that the future head honcho can have a solid footing in all of the security domains over which they'll be called to lead.

"Provide employees with opportunities in functional areas outside of their regular responsibilities," recommends the report. "If their exposure is limited to one area, it is hard to develop a rounded skillset and perspective."

For example, they mention one financial services industry CISO who rotates security leaders between roles every two to three years to prepare them for the top spot.

Focus on Retention

The focus for the CISO should be on retaining lieutenants and junior people for as long as possible—this is crucial for not only filling the CISO role but also sustaining the program. There's no one hard-and-fast rule for doing this, which is why retention is such a hard thing to accomplish. But some of the important tips offered by the report are ensuring there are clear career paths set out for security team members, giving them opportunities for developing both hard and soft skills, giving them the freedom to do interesting work, and instilling work-life balance benefits to the job like flexible work hours and ample vacation policies.

Training and Mentorship

"Once in-post, a CISO needs to train and mentor the next generation of security leaders," the report explains.

Training and mentoring should be done in a mix of formal and informal methods. For example, formal training for technical matters can help succession candidates keep up on the latest tools, but a lot of one-on-one mentoring from CISO to lieutenant happens day-in and day-out through ad hoc sessions as their relationships progress. CISOs should also encourage their juniors to find mentors elsewhere, with the report explaining that sometimes mentorship works better when coaching is provided by someone outside the organization. This is where industry events and relationship building with security peers can make a difference.

Obviously, not every CISO hire will come from within the organization, but establishing a succession path will only strengthen the organization. As the report explains, some organizations may take a 50/50 approach to recruiting CISOs, perhaps going external if current candidates are not yet ready for the role but keeping them on a formalized career path.

"Every CISO comes into the role with different abilities and strengths," explains the report. "The important thing is to identify how these strengths can be built on and how the impact of their weaknesses can be mitigated."