7 steps to ensure a successful CISO transition

Leaving your job on good terms involves many tasks, but nothing is more important than priming your replacement for success. Despite your reasons for moving on, helping the new CISO acquire the knowledge and skills needed to excel is crucial for ensuring a smooth transition, as well as burnishing your reputation for being a responsible executive and team player.

Incoming CISOs face a daunting assignment, notes Brandon Hoffman, CISO at IT and cybersecurity intelligence platform provider NetEnrich. “This task goes beyond technical issues, but expands to people and the business itself,” he says. “Any information that can help quickly onboard the new CISO betters their chance of being successful.”

Here are seven ways departing CISOs can successfully help onboard their replacements:

1. Be open, candid, and positive

Mike Gruen, CISO at cybersecurity training firm Cybrary, urges outgoing CISOs to fully support their successor and to resist any urge to undermine the newcomer’s authority. “Throughout the transition period, the two of you should have regular one-on-one conversations behind closed doors where each feels comfortable being open and candid,” he says. “This is where each of you can disagree and come together with the goal of presenting a unified team, even when your approaches don’t necessarily 100% align.”

Try to keep a positive attitude about the transition, suggests Sam Rehman, CISO at EPAM Systems, a product development digital platform. “Be open and share your thoughts,” he says. “Share the good, the bad and the ugly, but leave your perception of people and politics out of it.”

2. Create a transition plan

As the transition gets underway, work with your successor to create a step-by-step plan and timeline. “Evaluate your role and responsibilities and start to carve out self-contained portions that can be easily handed off so that it’s a gradual, piece-by-piece transition, starting with the easier projects first,” Gruen advises. “Nobody wants to get thrown into the deep end on day one—or day ten.”

Help the new CISO build a solid management foundation, particularly in the area of employee soft skills. “Things like team expectations, management style, and understanding what motivates or doesn’t motivate team members are extremely relevant during this time,” Gruen says. Be careful, however, that the discussion doesn’t drift into interpersonal issues. “Let the successor form their own opinions about the staff,” he says. “It can be a fine line between providing facts about high and low performers and team members’ skills while not providing bias toward or away from anyone in particular,” Gruen notes. “This can be a delicate operation.”

If the new CISO is arriving from outside the enterprise as part of a planned transition, consider creating a phase-in period of one to two weeks during which you both work as partners, handling everyday security and management tasks. “The transition period should be time-boxed to ensure a clean handover and getting the new CISO fully empowered as soon as possible,” says Charles Blauner, CISO of venture capital firm Team8 and former global head of infosec at Citigroup.

Finally, be honest and share with your successor the security issues and concerns that keep you awake at night. “It might be obvious to you, but for the newcomer it might take months, if not longer, before he or she would have the same insight,” Rehman says.

3. Brief the new CISO on business and security activities

As the transition process moves forward, it’s time to bring the successor up to speed on established business activities, as well as the directions and goals enterprise leaders have set. “Unless the new CISO is a current employee that has institutional knowledge, and has been promoted within the company, he or she often lacks this knowledge,” observes Israel Barak, CISO at cybersecurity technology firm Cybereason.

The incoming CISO also needs to fully understand the status of all security-related activities. Key bases that should be covered during this discussion include governance issues, compliance requirements, and the state of current and planned security initiatives. “Lastly, [share] any major incidents and the post-mortem details of the issue,” Hoffman says.

4. Provide documentation of security tools and practices

The best reward a departing CISO can leave behind for his or her successor is complete and accurate documentation of all security tools and practices. “This includes documentation of the required governance and compliance [mandates], and also any network and application architecture information,” Hoffman says. “Incoming CISOs have a huge challenge upfront determining what exactly needs to be secured from a priority point of view.” He also suggested leaving behind specific details on the organization’s security program, including its current state, what’s working, what’s not working, current and planned major initiatives and the reasons for supporting those projects.

Andrew Morrison, a principal specializing in cyber risk strategy, defense, and response at business advisory firm Deloitte, says that one of the more impactful transition approaches he’s seen is when an outgoing executive offers the incoming leader with the same briefing materials that are submitted to the board of directors and other executive leadership on a quarterly or semi-annual basis. “Succinct analyses of current priorities and risks that were worthy of top leadership discussion can be used to set a foundation for future transition activities around systems, resources and talent,” he explains.

5. Be honest but factual about organizational and staffing issues

Full transparency is required to give the incoming CISO his or her best chance for success. “This is true with respect to technical, operational, and control issues, yet it’s also true with organizational issues and people issues,” Blauner says. “With people issues, it’s critical to keep discussions factual and professional.”

One of the first tasks a new CISO needs to tackle is assessing the organization’s security talent, including strengths and weaknesses, and identifying the most skilled contributors. The new security leader also needs to quickly understand the expectations that have been placed upon the existing team and how well they’re being met. “It’s also is critical to understand where the gaps in current talent lie,” Barak notes.

6. Involve stakeholders in the onboarding process

To ensure long-term success, the new CISO should receive advice and guidance from key business stakeholders, since these are the people best positioned to place the enterprise’s security program into full context. “Any good CISO’s program is built to support the business, so knowing the business and getting connected to its leadership as soon as possible will help enable a successful transition,” Blauner explains. Business stakeholders are also the security organization’s most important internal clients, so as the group’s leader it’s important for the incoming CISO to gain a rapid and complete understanding of what the top stakeholders think is working and not working.

Besides receiving insights and suggestions, an incoming CISO needs enterprise leaders’ enthusiastic support. “During the interview process and transition, it’s crucial that the executive leadership team remains engaged with and sponsors the new leader,” Morrison says. Doing so will “provide the confidence necessary to develop and execute a bold technology agenda and, if necessary, make difficult or unpopular decisions.” 

7. Step away, but follow up 

After all the transition details have been finalized, consider taking a break. Scheduling a week or two away from the office will allow the new CISO to manage operations without close observation or interference. “By not being physically or digitally connected for an extended period of time, it’s an easy way to see if you missed anything important during the transition period,” Gruen explains.

Finally, don’t look back. Once all of the transition work has been completed, it’s time to focus on your career’s next stage. “You did your job; did it well,” Rehman says. Let the new CISO be successful. “If possible, check in in a few months just to say ‘hi,’ and see if they have any questions.”