00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. Joined as always, by Steve Maresca and Michael Grande.
Michael Grande 00:15
Hello.
Jason Pufahl 00:16
So today we’re going to spend a little bit of time talking about succession planning more specifically, probably at the executive level, like your Chief Information Security Officers, maybe executive IT. But I think it’s relevant, the topics we’re going to cover generally are relevant for any sort of important employee within the company. But on that CISO side, they tend to be shorter duration positions, you know, very often we’ll see shorter duration positions there. And certainly, Steve, with the work that you do on a sort of a day to day basis is the sort of strategic adviser for a lot of clients on the security side, you have conversations around, you know, should you hire a CISO? Are you helping maybe to backfill the exit of a CISO? Or maybe you might be providing support for a CISO, but you regularly have these conversations around well, what happens if this individual isn’t here anymore, what do you do?
Steven Maresca 01:14
Right, I mean, we work with a lot of organizations that are, maybe they’ve been named CISO. But they’re also fulfilling other departments functions so, they’re strapped and stretched thin. So we help them in a lot of different ways. What we’re really talking about are CIOs, CISOs, Directors of Security, anyone that fits that general description, because they’re key employees.
Michael Grande 01:35
And does it sort of cover sort of intentional and unintentional? I would think, in similar ways, right, because burnout’s, probably a leading issue in some cases and plan succession, on the other side of the spectrum, right.
Steven Maresca 01:50
That’s the luxury. So some framing here, over the last two to four years, you know, 2022, 2020, through the present time, the tenure of a typical CISO depends on the industry, spans somewhere between 18 to 26 months. It’s wildly short.
Jason Pufahl 02:07
26, not 36?
Steven Maresca 02:09
Yes. Somewhere in the neighborhood of 85% of CISOs surveyed at very brave quarters indicate that they’re looking for another role or would move to one if an opportunity arose. Gartner, just to reinforce that same statement says in 2022, that somewhere in the neighborhood, about half of those employees will shift to other roles by 2025. Wow, it’s staggering. And we see that regularly. There are so many positions unfilled throughout pretty much every industry we work with. And burnout is very common in the really high regulated, highly regulated industries. You know, it doesn’t take long for something to occur that is adverse to the organization’s existence. And sometimes that means someone shifting.
Jason Pufahl 02:56
Well, and the seaso role is often a blame role. Well, so that so that does add to the stress for sure.
Steven Maresca 03:02
It can be and, you know, even if that’s not the case, attack frequency in some industries is very, very high, pure burnout on a psychological level, because you’re just going at it day to day and never really, truly getting ahead. That wears people out quickly.
Michael Grande 03:18
I have to think, in some industries, especially, as you mentioned, highly regulated additional burden of of regulatory compliance, reporting requirements, attestations, things that sort of, you know, may not have been in the purview of the job description to start, over time that changes.
Steven Maresca 03:39
It’s death by 1000 cuts from that perspective. And that kind of underscores why retaining talent is so critical, because once you develop competence in that area, as soon as they leave, you’ve intrinsically lost something central to the business or the organization. So the backdrop is that departures of key staff can happen unexpectedly, whether it’s a personal crisis, a health issue, termination, that there’s lots of reasons. So plan around the unplanned. That’s what we’re really thinking from, from a preparatory perspective. Everything else is more organizational sustainment, and making sure that people can be brought in to fill positions that are scheduled to terminate or retirements that are known multiple years in advance that’s more of a calm measured angle to this.
Michael Grande 04:34
So and this may be sort of jumping around a little bit, but when we say sort of plan for the unexpected and ensure there’s cross training and cross development, who’s ultimately responsible for a lot of that work, or ultimately to be sort of guiding that decision making? It’s it really is the rest of the C-Suite and sort of executive leadership of the company or organization?
Steven Maresca 04:57
It should be. Yeah, this is something that is is not well recognized through management boards, in my opinion. Usually, the responsibility for finding replacement talent is pushed down several levels. And that’s fine. But it does mean that there are difficulties at times and trying to self determine what that might mean. So let’s shift into what things can be done to help plan? Bottom line is start early, presume that someone will depart.
Jason Pufahl 05:20
So let’s, can we pull it back even a little bit further? There’s one, one way is easy. You’re fortunate enough to have an employee say I’m going to retire in a year, right? Or something like that. So now you have this collaborative opportunity to maybe hire a replacement. The other the other way we’re thinking about this is, how does the organization protect itself against the potential departure, knowing the data, right, it’s just 18 to 26 months, you’re likely not having a conversation with the CISO saying, hey, you know, someday you’re going to leave, I want to start planning for it. How do you see orgs go after that? Is it training a maybe a more junior person to potentially take that position? What do you see that works?
Steven Maresca 06:12
Yeah, I mean, the most important way of planning is mentoring other employees, looking inward for this type of role is frankly, a second thought for most organizations, they tend to look outward.
Jason Pufahl 06:29
However, somebody who already has that experience, right?
Steven Maresca 06:32
Right, but the cultural learning the, the essential skills for someone like a CISO or CIO tend to be inquired with internal relationships. They’re evangelists, they’re diplomats, they are translators, across departments, you can be all of that as an external entity and coming in being effective from outside. But you then need to build all of the relationships, right? You shorten the overall onboarding and integration by months and months, maybe years, you have those relationships, you have those relationships already established. So training junior people who have expertise in a variety of key areas, organizational capabilities. It basically they understand the technology, they understand the people, they understand the business mission, as well, as, you know, more multan tackling around project management and registration management.
Michael Grande 07:25
And I would think, from an organization’s point of view, the better cross training, the better understanding that set forth initially that, hey, we’ve got, you know, we’ve got a lot of capable folks participating and knowledgeable in this area, it probably makes the culture a little bit better, it probably makes it a better environment for someone to potentially stay longer. I mean, it’s all sorts of opportunity, because there’s opportunity, right, and so you know, that that’s a, that feels like it would be an important factor.
Steven Maresca 07:53
It does, but also trying to separate the person from the role, which is a very challenging issue at a lot of places. You can encourage people to stay longer, but they need to know the role that they’re walking into requires and what it will mean when they inhabit it. A lot of the time titles are people. Right? So it, we have to stay away from the notion of the CISO was John, right, because that’s not the job, the CISO is the role. And if you don’t define it, then you can’t know what to look for. You don’t know what characteristics to support.
Jason Pufahl 08:15
So that and that’s one of the benefits of, it may be slightly different than succession planning. It’s looking at the landscape, understanding or maybe trying to recognize what’s coming in the future, nd either training internally to meet those demands, or you’re potentially hiring for that. But if there is an opportunity to say, we know there’s a new regulatory requirement that’s coming up, let’s make sure that whomever we hire has that right sort of familiarity or capability,
Michael Grande 08:55
You know, this this conversation, while focused on technology, for sure, it’s security really feels as though it’s applicable across all levels of an organization. Certainly, it’s, you know, smart planning, right. You know, understanding roles, understanding responsibilities, implementing good controls, planning for the unexpected. Really, it sounds like good lessons, though,
Jason Pufahl 09:20
it seems easy when you say it, you know, while we’re recording a podcast, but then as soon as you leave, you and I were just chatting, you know, you want to you need to run back because you’re busy today, and you’ve got a whole variety of sort of pending problems to deal with. Those are the things that make it hard to plan. And unfortunately for most people, that’s kind of every day, it’s hard to step back and plan.
Steven Maresca 09:41
And that’s true everywhere, right? Everywhere. The focus here is that we’re talking about really high flux positions that rotate within a single reporting cycle from an audit perspective or something. That’s catastrophic, right? So understanding where your high rotation turnover is, understanding the rules that have market dynamics that cause such things, that that’s where people should focus. Other things that you should do, you have to anticipate future requirements. As you said, that means technology that means business, that means regulatory, train multiple people as groups so that nothing is reliant on the one person running the interaction. All right, you don’t want your CISO being the sole person interacting with financial audit. You know, that happens some places, which sounds crazy, for a financial audit. But sometimes it’s the CISO, not the CFO. Got to bring in the board, you talked about that before. They have influence, they have connections, they have important say, as it pertains to succession planning, they need to make sure that they, the plans that are established, actually meet business requirements on a multi-year seven year cycle, and sometimes the only folks with that actual perspective are operating at that level. So they need to be part of the conversation. And you know, more broadly than that, I think it’s extraordinarily important that, as we emphasize elsewhere, security is everyone’s responsibility. And in this particular discussion, that is kind of the case for the CISO, the CISO shepherds, everyone else should understand their role. And if that’s the function, should be easy to refill. I think as a takeaway, define a plan, define candidates for rising up, equip them to do so, mentor. Yeah, and, you know, reward people with promotions and titles and all the things that entice them to stay and continue to build the organization. That’s how you tolerate occasional absence, longevity as a positive rather than negative, right, yeah, we work with a lot of CISOs. They’re busy, we’re supporting them. We work with a lot of organizations that lack a CISO. So be comfortable bringing in outsiders, but understand that the same requirements for bringing them into the fold and teaching them. The business is intrinsically required for all of this.
Jason Pufahl 12:08
So maybe my last question would be, do you see organizations do planning? I’ll call it succession planning, but just planning and evaluating of staff? Maybe on a quarterly basis? What what frequency do you see it? And I’m sure there’s there are drivers that making maybe all of a sudden have something that’s in the forefront that you feel urgent, but should you look at this quarterly?
Steven Maresca 12:31
This is probably an annual thing. Yeah, we’re not talking about employee evaluations here. Yeah, those are a feed in to succession planning.
Jason Pufahl 12:39
More evaluating sort of the state of the organization and the risk.
Steven Maresca 12:42
No, candidly, most organizations don’t do this at all. And that’s the reason for talking about, right. This is a please think about it, because it will hurt you at some point, or at the very least, it will be a point of friction.
Michael Grande 12:54
An annual feels much more, you know, agreeable from a schedule, especially from a board agenda perspective.
Steven Maresca 13:01
Yeah. And that’s the pace of business change, generally speaking, so it works out that way.
Jason Pufahl 13:07
Yeah, but annual if you if the average lifespan is 18-26 months, so your quarterly does sound like often? Sure. Annual to me, seems maybe not quite often enough.
Steven Maresca 13:21
There are some that assert that you should start planning for a replacement six months after someone is hired. I think that’s somewhat unreasonable.
Jason Pufahl 13:28
That’s a little pessimistic, I hope.
Michael Grande 13:30
Welcome aboard. When you disembark, by the way,
Steven Maresca 13:34
Candidly, I think that’s just maintaining all of the documentation and sustaining the trajectory, rather than being too pessimistic about it.
Jason Pufahl 13:42
So I think I’ll wrap up, and I feel like we say this kind of regularly, which is, this doesn’t have to be a hugely complicated project. Just actually sit down and spend an hour of critical thought sometimes. And that would likely be sufficient in probably to your point more than a lot of organizations are doing right today, like, we have the business continuity discussions where people treat that as a huge endeavor, and then do nothing. There’s, there’s a middle ground, and it’s okay, and
Michael Grande 14:13
Be okay being a little uncomfortable with the topic, right? Because it’s, it’s a little disconcerting to think about departure, think about unplanned, you know, situations that can arise, but it’s a necessity.
Steven Maresca 14:26
The simplest echo of all of this is writing up a job description of what your CISO does, or should be doing. Yeah, or CIO or any other executive to your person that needs to have this planning attached to it. Don’t make them do their job description, because that might be perceived a little forward. Yeah. Do it in a structured way. Yeah.
Jason Pufahl 14:43
All right. Well, guys, thanks for, thanks for joining. I think this is a this is a good topic it you know, anytime you can take a minute to plan, your organization is going to be better for it. It’s hard to do, but I think good advice. So as always, we do hope that you know, somebody heard this and got some just got some real value. Hit hit the like button. Every every podcast I listened to now it really does push, like, make sure you subscribe, make sure you leave a comment. And I think we really do need to start asking people to do that more explicitly now because it is how, how we grow. And that’s our goal, right?
Michael Grande 15:19
We’ve got over 100 episodes,
Jason Pufahl 15:21
So 100, this might be 109? Yeah, is it 109? You know,
Michael Grande 15:27
It’s getting up there. Yeah,
Jason Pufahl 15:28
Right in there. Okay. Well, so yeah, there’s a lot of content if you start from the beginning. Yeah. Anyway, thanks for listening. We always appreciate it. And thank you.
15:41
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.