The CISO Is Leaving – Now What? These 5 Succession Plan Tips Will Keep Orgs Safer
Increasing compliance demands, regulatory mandates, and other stressors can mean a pretty short tenure for the average CISO. Don’t get caught scrambling to fill the role: Follow these best practices to keep the transition smooth and your organization safe.
In March, Troy Stairwalt resigned as CISO for the state of Wisconsin when the state’s cybersecurity biennial budget request failed to receive necessary support for legislative review, and federal funding was cut for several cybersecurity programs.
As of late May, no one had been hired to replace the chief information security officer, although the state’s Department of Administration hopes to fill the position soon, according to a spokesperson.
This kind of void in cybersecurity leadership, even for a short period of time, is probably more common than you’d think — especially since the average tenure for a CISO is estimated at only 18–26 months, according to a 2023 report, far less than the average 4.9 years for other C-suite roles.
How that job tenure has been affected by new regulatory mandates and compliance burdens, which have grown sharply in the last two years, remains unclear. One thing, however, is certain: A CISO departure can happen at any time, leaving the company rudderless on security and more exposed to a range of threats. That makes a CISO succession plan essential for any organization.
Executive search firm Heidrick & Struggles, in its 2024 Global Chief Information Security Officer Organization and Compensation Survey, found that of the 416 CISOs it surveyed worldwide in summer 2024, slightly less than half (47%) did not have an adequate internal successor in place in the event the CISO left unexpectedly – which could be quite costly considering the competitive market for top cybersecurity talent.
“Do not get caught off guard,” says Paul Perry, risk advisory practice leader at Warren Averett, a provider of technology, accounting, and other business services. “What if they win the lottery and do not show up to work the next day?”
Your CISO succession plan: the answer to rising compliance and new regs
Aside from a lottery win, several factors can contribute to a CISO departure – like the broadening scope of the job and the related multitude of stressors.
Many cybersecurity chiefs are now taking on new responsibilities such as artificial intelligence risk management, data governance, and strategic planning for security teams, while also having to stay on top of a growing number of data privacy regulations and compliance requirements. Take, for instance, the SEC’s standardized cyber disclosure rules.
Adopted in 2023 and phased in from late 2023 into 2024, these rules require disclosure of material cybersecurity incidents within four business days of determining that an incident is material, plus annual disclosure of cybersecurity risk management, strategy, and governance. This means CISOs must ensure that the proper filings are made on time and the necessary assessments are done to keep their orgs in compliance. It’s an added burden at a time when they’re trying to incorporate new forms of AI and automation into their overall security mechanisms.
At the same time, CISOs are increasingly expected to report to and engage with their corporate boards. While this can deliver benefits such as increased awareness of threats and funding for security programs, it can also present communication challenges if the board lacks technical knowledge.
Pressure points: Why a CISO succession plan can ease stress (for boards, at least)
The increased workload for CISOs combined with growing pressure to ensure that enterprises are secure can lead to burnout – and resignations.
“The constant pressure to defend against evolving cyberthreats contributes to significant stress and burnout among CISOs,” says Anthony Nyberg, director of the Center for Executive Succession at the Darla Moore School of Business at the University of South Carolina.
“All C-suite roles are extremely stressful, but there may be more direct challenges to CISOs with substantially more real-time pain when something goes wrong,” Nyberg says. “The number of midnight emergency phone calls may be greater for CISOs than for most other roles.”
CISOs are in the tough position of having to proactively defend against threats, get blamed when things go wrong, and receive little or no praise when things go right, Nyberg says. “It is difficult to show people what you did well when your role is to keep bad things from happening,” he says.
With all this, it’s easy to see why a CISO might leave for one of the many openings in a hot market for cyber talent, so enterprises need to be prepared for it. To ensure a smooth transition when a CISO leaves, organizations should consider the following best practices:
1. Develop a formal succession plan
It is vital to have a formal succession plan in place that identifies potential replacements for the current CISO and lays out how the transition should be handled. A well-structured plan helps with continuity in leadership and minimizes disruptions to security operations, Nyberg says.
“Many companies do not have formal succession plans for many of their C-suite roles, particularly soon after a person starts the role,” Nyberg says. “If CISOs are in the role for less time than other positions, the likelihood of having a strong succession plan in place in time is lower.”
2. Identify and train internal candidates
It can be difficult to find qualified CISO successors promptly, Nyberg says. “We see this with many C-suite roles; there is simply a lack of necessary talent, and this is likely to be even more true in an area – cybersecurity – that is changing so dramatically so quickly,” he says.
Investing in the development of internal talent creates a pipeline of potential successors familiar with the organization’s culture and systems, Nyberg says. “This is a key element in the succession planning and helps reduce some of the risk of the CISO departing,” he says. “If the succession plan is perpetually in place, then leaders can identify what additional training potential CISOs will require to eventually be effective.”
Existing employees should be in on the plan too: Management can inform them so they understand the skills required to become a CISO and are encouraged to build those skills to become a future CISO candidate.
3. Appoint a deputy CISO
“Try to find a senior cybersecurity leader who actually wants to move up and, after discussion with the CISO, make them the deputy CISO and include them in executive meetings [so] they can gain experience,” says Doug Saylors, cybersecurity practice lead at global technology research and advisory firm ISG.
“This allows the employee and the leadership team to get to know each other and lets the employee determine whether they really want to move into a CISO role,” Saylors says. “Most importantly, if you don’t have a role available when the deputy is ready to actually be a CISO, help them find one outside the company. That builds loyalty, so they may come back when needed.”
In the event there are no qualified internal candidates for the CISO role, companies can try to hire a CISO from outside, perhaps on a part-time consultant-type basis. They can also bring on a virtual CISO, a cybersecurity expert who provides CISO-level leadership on a flexible, remote, and oftentimes contract basis.
4. Engage the board and executive leadership
Involving top leadership in succession planning underscores the strategic importance of cybersecurity, and ensures alignment with organizational goals, Nyberg says.
“We know that it is critical for C-suite roles to be engaged strategically, and this also means that as CEOs choose a CISO they need to be thinking strategically about what the future challenges may be,” Nyberg says.
5. Have a grasp of the current security posture
Organizations need to ensure senior executives and the board of directors understand the company’s current cybersecurity posture and any gaps that exist, Saylors says.
“Too often, gaps are ignored because the CISO can keep things ‘secure’ by constantly taking extraordinary measures that are generally not well documented or understood,” Saylors says. “In this case, a CISO departure leaves the organization unnecessarily exposed. Monthly meetings with the CISO to discuss these topics in an understanding manner ensure the remaining team members and executives know what to do if the CISO unexpectedly departs.”
Bottom line: The average CISO is only going to stay in the job for about two years, maybe less, according to recent stats. But enterprises shouldn’t be left scrambling: By following these best practices, an organization can have a new CISO in the pipeline for a smooth transition whenever the old cyber-boss departs.