Skip to main content

Featured

Protecting Employee Data is an Organization’s Legal Obligation or Is It?

In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation efforts of a data breach for a Pennsylvania-based client.  Hackers gained access to the company’s employee payroll information containing the salaries, social security numbers and other Personal Identifying Information (PII) through an insecure email system. It was crucial to develop and execute a corporate security strategy along with the tactical tasks of remediating the breach.

During 2013 and in 2014, infamous cyberattacks resulting in significant data breaches occurred against notable companies such as Target Corporation, Home Depot, JP Morgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the afflicted organizations citing negligence and other allegations. Organizations did not view protecting employee data was…

Succession Planning: The Importance of a Deputy CISO


Given today’s unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional’s role is extremely stressful and demands standards of security that are nearly impossible to deliver with 100 percent assurance.

The average security leader’s tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as an overlooked vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.

Grooming the Deputy CISO

There is no question that high turnover rates constitute grave threats to organizations. Without a security leader, companies cannot withstand the continuous onslaught of cyber attacks. In many organizations, the CISO’s main role is to keep the company out of hot water — and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the deputy CISO position should be evaluated based on their ability to navigate this complexity and juggle the CISO’s many responsibilities.
A deputy CISO must be able to:

  • Develop and cross-train future leaders in the department.
  • Ascertain the costs of developing future leaders.
  • Execute the security strategy consistently among all associates in the department.
  • Identify associates’ skills, capitalize on their strengths and improve upon weaknesses.


Planning a CISO Succession Strategy

An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.

1. Stakeholder Engagement

The succession plan should be presented to executives and board members on an annual basis. It’s critical to engage senior leadership in this process and to empower the deputy CISO to develop the necessary skills and experience he or she need to be successful. This succession plan must be a living document and part of the overall security program.

2. Evaluation of Internal Staff

Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company’s talent pool.

3. Simulations and Stress Tests

Like any disaster recovery strategy, business continuity testing is an integral part of a CISO succession plan. A security leader’s planned vacation, for example, can be a great opportunity to test the deputy CISO’s capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO’s ability to work under pressure.

4. Elevate the Deputy CISO

It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors, and coaches available to help the security team adjust. A rich feedback environment is crucial to develop the executive presence that is lacking in many candidates.

Passing the Baton

A deputy CISO must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.

Comments