Security Succession Planning for CSOs

February 1, 2015

You have been with your current organization for more than 10 years leading the corporate security function, having conceived and built the program, hired staff around the world and integrated the department to being a trusted advisor to senior management. Since this is your second career, you are now reaching a point that you would like to retire and pursue other passions and personal interests. After sitting down and discussing this with your boss, you realize that he or she and the management team are concerned about the lack of a succession plan for your replacement. Their position is: While your second level staff is very good operationally, they are not under serious consideration for your role, and HR will be looking outside the company for your replacement.

This scenario is something that we see quite often within the security community, at all levels, not just the senior security role. Some of the indicators that no one on your staff is a likely successor are:

There is a significant difference between your base compensation of your direct reports. We have seen gaps of more than $50,000, in which case it is unlikely that they will be viewed as being at the same management level. Also, be aware that most organizations will not increase a salary in conjunction with a promotion by more than 10-15 percent, except in the most extraordinary circumstances that require special leveling. Further, do you really want to be responsible for downgrading your role? This will send the wrong signal throughout the organization as to the importance of the position and may well result in downgrading the reporting structure.
While you have done an excellent job in identifying and hiring staff to perform a wide range of tactical activities in the security risk portfolio, you have not implemented a career development plan that allows for improvement of their soft skills, cross-functional development beyond security-related activities or providing opportunities to operate strategically with key leaders and managers.
You have not documented all aspects of your function and do not have well-developed job descriptions that can be used to identify those soft and professional skills needed to advance. Without these, how are you going to execute individual development plans? Keep in mind that these should be modeled along the same methodology used in the rest of the organization.
Allow and encourage your team to take on assignments (even if temporarily) outside the function and even outside the regions or countries they are assigned. A number of senior security executives hired by leading companies in the last 10 years have during their careers sought out and have taken on roles well outside their comfort zone so as to better understand their organization’s business drivers and build lasting relationships. This gave them a competitive advantage against those candidates who did not, and they were able to better connect with the executives on the interview teams.
Your team members have not developed relationships with your organization’s key and emerging management team beyond interacting with them on security problems.
You have not given your team members accountability for high-profile, high-impact projects to improve their credibility and visibility with the leadership team. Do you bring any of your direct reports to meetings with your boss and other senior leadership and encourage participation? If you are not comfortable with this, why would you think management would consider them as having potential as your successor?
Have you engaged in discussions with your boss and the HR manager responsible for organizational development concerning the irrational, political and emotional dynamics of succession planning and evaluation of future potential within your company?
There is only one person in your function who you feel is an appropriate successor, and you do not have not backup plan. What do you think will happen if that person advances their career outside and takes a CSO role for another company with a great compensation package?

These handful of indicators can be used as a starting point for your career development and succession planning initiatives. Being aware of the commonly observed pitfalls can help you maximize the effectiveness of your program and will be beneficial in ensuring you have a talent pipeline strategy aligned with your organization for not only your role, but also it can be used to view the needs of your entire function to assist with its future success within your company.

Are You Hiring the Best?

Do you Have a Great Resume?

Master Internal Marketing for Security Career Success

Networking for a Successful Security Career

Chart Your Security Career's Course in 2019

Jerry Brennan is CEO of the Security Management Resources Group of Companies (www.smrgroup.com), the leading global executive search practice focused exclusively on corporate and information security positions.

Lynn Mattice is Managing Director of Mattice & Associates, a top-tier management consulting firm focused primarily at assisting enterprises with ERM, cyber, intelligence, security and information asset protection programs. He can be reached at: matticeandassociates@gmail.com

You must login or register in order to post a comment.

Boeing is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems, and service provider of aftermarket support. The company supports airlines and U.S. and allied government customers in more than 150 countries and employs more than 150,000 people across the United States and in more than 65 countries.

With so many recent high-profile breaches accomplished through compromising passwords on privileged accounts, Privileged Access Management is now everyone’s priority (Gartner puts it at the top of their “Top Security Projects” list for 2 years in a row). But where do you start? And how do you know which PAM solution will work best to protect your organization without sacrificing productivity?