No one ever thinks they will unexpectedly be away from work; however, it happens, and being prepared makes all the difference in the continued success of a security program. In the last year I personally had no idea I would miss over a month of work due to two major surgeries. No need to go into too much detail, but over the summer of 2024 I had my gallbladder removed to resolve my ongoing struggles with multiple pancreatitis attacks, and spine surgery to reverse paralysis that was taking hold of my left arm. Both surgeries were abrupt and needed to be performed back-to-back.
During my absence the security team performed and carried on without me. At first it hurt my ego that the team didn't need me. On reflection, I am proud that my leadership style set up the security program for success in my absence.
My leadership style is that everything I do reduces my team's dependency on me. The four key practices with which I have had success preparing my teams to carry on the company strategy are:
- Preparing for leadership transition
- Building a collaborative security strategy
- Empowering team members through leadership training
- Establishing fundamental operational practices
1: Preparing for Leadership Transition
Every security program needs a succession plan for all key positions within the program including the Chief Information Security Officer (CISO). If the CISO doesn’t document and communicate plans for key roles, including their own, business leadership will not have all the information needed to make educated decisions when the CISO is not available. Succession planning for your absence is critical.
How to document succession planning
Documenting the succession plan and communicating the plan to key stakeholders and the security team is important so everyone understands their role and responsibilities if the CISO is not available for hours, days, weeks, or months.
Define the CISO Role and Responsibilities
- Document all aspects of the CISO's duties, including strategic planning, policy development, risk assessment, compliance oversight, and incident response leadership.
- Outline the technical expertise, leadership qualities, and communication skills required for the role.
Identify Potential Successors
- Evaluate team members who exhibit leadership potential, possess necessary skills, and have a deep understanding of the organization's security needs.
- Consider external talent pools or interim consultants if internal resources are limited.
Establish Clear Succession Procedures
- Define who will assume responsibilities during temporary absences and what authority they will have.
- Outline the process for selecting a permanent successor, including criteria, evaluation methods, and decision-making authorities.
By documenting a succession plan, you help ensure that your organization's security posture remains strong, even in your absence. This proactive approach minimizes risks associated with leadership gaps and demonstrates a commitment to organizational resilience.
2: Building a Collaborative Security Strategy
The entire team must know and understand the security strategy in order for the strategy to be successful in the absence of the CISO.
Involve the Entire Team in Strategy Development
When developing the security strategy, all members of the team must be part of the development. This ensures the team is committed to the entire strategy.
Workshops and Brainstorming Sessions: Conduct regular meetings where team members can contribute ideas and discuss security challenges. This inclusion fosters ownership and understanding of the strategy.
Cross-Functional Input: Engage stakeholders from other departments (IT, HR, Legal) to ensure the strategy aligns with overall business objectives and covers all necessary areas.
Establish Clear Objectives and Goals
Without clear objectives and goals, the security strategy will not be understood by all stakeholders. Clear objectives and goals also allow the team to keep executing the strategy in your absence, making sure the program is not affected negatively.
Unified Vision: Develop a mission statement for the security program that everyone understands and supports.
SMART Goals: Set Specific, Measurable, Achievable, Relevant, and Time-bound objectives to provide clear direction.
Accessible Documentation: Store documents in a centralized, secure repository accessible to all team members (e.g., an internal wiki or document management system).
By involving the entire team in building and documenting the security strategy, you create a shared understanding and ownership that empowers team members to maintain and advance the security program in your absence. This collaborative approach not only ensures continuity but also strengthens the team's capability and resilience.
3: Empowering Team Members Through Leadership Training
Every team member must be trained to be a leader, regardless of the position held within the security program. Having a team of leaders ensures that your absence doesn't adversely affect the security program.
Conduct Regular Team Meetings
Regular team meetings allow all team members to have a voice and share what the team is currently working on; they also reinforce the strategy throughout the year.
Team Updates: Hold weekly or bi-weekly meetings to review progress, address issues, share information, and adjust plans as needed.
Open Forum: Encourage open dialogue and feedback to promote continuous improvement.
Educate and Evangelize the Security Program
- Encourage the team to deep dive into documentation and information surrounding the security program.
- Have each team member periodically present their responsibilities, successes, and failures of different aspects of the security program.
Implement Mentorship and Coaching Programs
As the CISO there is not enough time to mentor and coach each team member; however, your team is an extension of you if the program is laid out as outlined here.
Mentorship Pairing
- Pair less experienced team members with seasoned leaders for guidance, knowledge sharing, and continuous feedback.
- Keep in mind that the seasoned leaders and the CISO need continuous feedback also, so encourage peer feedback for all members of the team including the CISO.
Professional Coaching
- Work with Human Resources to offer coaching sessions focused on developing specific leadership competencies.
- Consider Business Operations pairing for team members to allow coaching from a business perspective, not just a security one.
- Encourage networking and engagement by the team with those outside of the company.
Lunch and Learn Sessions
- Host informal gatherings where team members can share knowledge on leadership topics and share insights and updates from the portion of the security program they are responsible for.
Peer Coaching
- Encourage team members to coach each other, fostering a collaborative learning environment.
Assign Leadership Roles in Projects
Ensuring that all team members have leadership roles assigned during projects will boost team confidence, responsibility, and experience.
Project Lead Opportunities
- Allow team members to lead projects or initiatives, giving them practical leadership experience.
Committee Participation
- Involve them in decision-making committees or fusion teams within the organization.
- If team members can't be committee members, invite them to attend relevant events as observers.
Encourage Decision-Making and Autonomy
The only bad decision is no decision. If your team members are allowed to make decisions, they will learn how to decide using the available information and will not be intimidated when the decision counts the most: during your absence.
Empowered Decisions
- Grant team members the authority to make decisions within their areas of responsibility.
- Encourage decisions, even after a wrong decision is made.
- Always stand by your team members if they make a wrong decision, as long as it was based on data and information.
Ownership of Tasks
- Encourage the team to take full ownership of their projects, including planning, execution, and reporting.
- Encourage and assist, but don’t take over tasks.
Develop Personalized Leadership Development Plans
Each team member is different and offers a diverse view within the security program. Getting to know the team’s strengths and weaknesses will allow you to develop personalized leadership development plans for each team member.
Goal Setting
- Work with each team member to set personal leadership development goals aligned with organizational objectives.
Progress Reviews
- Hold regular check-ins to assess development and adjust plans as needed.
Foster a Culture of Continuous Learning
Once a team member stops learning, the security program is set up to fail.
Learning Resources
- Provide access to books, webinars, online courses, and other educational materials on leadership and security topics, such as Cyber Security Tribe.
Learning Communities
- Create forums or groups where team members can discuss leadership challenges and share insights.
Set Time Aside for Learning
- To ensure continuous learning, time must be set aside for each team member for formal and non-formal education.
- Encourage the learning the security program needs to be successful, but also set time aside for team members to learn what excites them.
Promote Cross-Functional Collaboration
Exposing team members to one another's duties and responsibilities supports the continuity of the security program and employee retention.
Interdepartmental Projects
- Encourage team members to work with other departments to broaden their organizational understanding and leadership skills.
Job Shadowing
- Allow them to observe team members in different roles or departments.
Provide Regular Feedback and Recognition
Without open and timely communication, frustration can set in for the team as well as the CISO. Feedback loops and constant recognition are key for a high-performing security team.
Constructive Feedback
- Offer timely and specific feedback on their leadership efforts and areas for improvement.
Recognition Programs
- Acknowledge and reward leadership achievements to motivate continued growth.
- Recognize outstanding leadership contributions formally.
- Highlight leaders in company communications or at events.
Leadership Feedback
- Allow each team member the time to offer feedback on your leadership and operational engagement on a regular basis.
Encourage Innovation and Initiative
The CISO can't be the only source of innovation, ideas, and initiatives. The team will likely have better insight into operational ideas and improvements, since they are on the front lines day in and day out.
Idea Submission: Set up systems where team members can propose new ideas or improvements to processes.
Support Risk-Taking: Create a safe environment for experimentation, where calculated risks are encouraged and failures are viewed as learning opportunities.
Lead by Example
As the leader of the security program and team, it is essential that all team members are able to witness the CISO taking action to support the team throughout the entire security program.
Model Leadership Behavior: Demonstrate the leadership qualities you wish to instill, such as integrity, accountability, and resilience.
Transparency: Share your own leadership challenges and successes to build trust and openness.
By investing in leadership training and empowering every team member, you not only prepare individuals to step up in your absence but also strengthen the overall effectiveness and resilience of your security program. This approach fosters a proactive, engaged team capable of maintaining momentum and driving success, regardless of leadership transitions.
4: Establishing Fundamental Operational Practices
Without the basics, nothing is possible, and your security program will fail in your absence.
Develop Comprehensive Policies and Procedures
Without documentation, no one understands how the security program is executed, whether you are absent or not.
Standardized Documentation
- Create clear and concise policies, standards, guidelines, procedures, and playbooks that cover all aspects of your security operations.
- Use standardized templates and language to ensure consistency across all documents.
Accessibility
- Store all documents in a centralized, secure repository such as an intranet site or document management system.
- Ensure that all team members have appropriate access permissions to these documents.
Regular Updates and Reviews
- Schedule periodic reviews (e.g., quarterly or annually) to update policies and procedures in line with new threats, technologies, or regulatory changes.
- Involve team members in the review process to incorporate diverse insights and promote ownership.
- Have team members present the documentation for continuous improvement feedback and updates.
- Provide training sessions on documentation to ensure all team members understand and can execute them effectively.
- Incorporate documentation reviews into onboarding for new team members.
Training and Awareness
- Provide training sessions on procedures to ensure all team members understand and can execute them effectively.
- Incorporate procedure reviews into onboarding for new team members.
Automation and Tools
- Leverage automation where possible to reduce the risk of human error.
- Document how tools and technologies integrate with procedures.
Maintain Records of Current Initiatives
Anyone should be able to step up and take over current initiatives at a moment's notice without confusion or question.
Project Documentation
- Keep detailed records of all ongoing projects, including objectives, timelines, milestones, and responsible parties.
- Use project management tools to track progress and provide visibility to the entire team and stakeholders.
Strategic Plans
- Document the long-term security strategy, aligning it with the organization's overall goals.
- Include risk management strategies, investment priorities, and key performance indicators (KPIs).
Risk Assessments
- Regularly conduct and document risk assessments to identify potential vulnerabilities.
- Prioritize risks based on their likelihood and impact, and outline mitigation strategies.
- Track mitigation plans to ensure timely execution.
Reporting Mechanisms
- Establish standardized reporting formats for project updates, risk assessments, and security incidents.
- Schedule regular meetings or reports to keep all stakeholders informed.
Create and Update Informational Lists
Knowing who to engage at any level is critical to the security program. Proper informational lists reduce the time the team loses churning during a critical time or event.
Internal Contacts
- Compile a directory of key internal personnel, including their roles, responsibilities, and contact information.
- Include team members, executive leadership, IT staff, and other relevant departments.
External Contacts
- Maintain up-to-date lists of external stakeholders such as vendors, service providers, regulatory bodies, law enforcement, and emergency services.
- Include primary and secondary contacts to ensure redundancy.
Emergency Response Contacts
- Clearly identify contacts for immediate response during security incidents or crises.
- Ensure this list is easily accessible, both digitally and in hard copy, in case of system outages.
Regular Verification
- Schedule routine checks (e.g., bi-annually) to verify and update all contact information.
- Assign responsibility to a team member for maintaining the accuracy of contact lists.
Implement Performance Metrics and Reporting
Establishing performance metrics and reporting ensures that in your absence the team is still able to carry on and manage the security program.
Define KPIs
- Establish key performance indicators (KPIs) related to security operations, such as incident response times, compliance rates, and system uptime.
- Align KPIs with strategic objectives to measure effectiveness.
Regular Reporting
- Create dashboards and reports to visualize performance data.
- Share insights with the team and leadership to promote transparency and continuous improvement.
Ensure Compliance and Audit Preparedness
Compliance and audit readiness ensures that any needed improvements, whether driven by regulatory mandates or by gaps in the company's controls, are identified and documented as continuous improvement.
Regulatory Mapping
- Document how operational practices meet specific regulatory requirements (e.g., CCPA, NYDFS, NAIC, PCI DSS).
- Keep up to date on regulatory changes and update documentation accordingly and promptly.
Policy Enforcement
- Implement controls to ensure compliance with policies and procedures.
- Conduct internal audits to identify gaps and areas for improvement.
Establish Risk Management Processes
Risk doesn't take a break; therefore, establishing a risk management process is critical to continuing to understand and communicate risk to the company.
Risk Registers
- Maintain a centralized risk register documenting identified risks, assessments, and mitigation plans.
- Update the register regularly to reflect new threats or changes in the environment.
Risk Ownership
- Assign specific risks to team members responsible for monitoring and managing them.
- Document roles and expectations related to risk management.
Risk Communication
- Develop protocols for reporting risks to leadership and stakeholders.
- Include risk metrics in regular reporting cycles.
- Make team members part of the process so that risk is properly communicated even in your absence.
Foster a Culture of Accountability
Without accountability, there is no way to ensure the security program functions in your absence.
Accountability Measures
- Implement performance management processes that hold team members accountable for following operational practices.
- Recognize and reward compliance and excellence in operational execution.
CISO Decision Log
- Maintain a CISO decision log that clearly outlines decisions made related to the security program, risk, and compliance.
By establishing and maintaining these fundamental practices, you create a resilient security program capable of functioning effectively, even in your absence. This approach not only mitigates risks associated with leadership gaps but also empowers your team to uphold the organization's security posture consistently and perpetually.
I’m not a perfect leader, but I do believe in empowering teams to operate smoothly without my direct involvement. Unexpected situations and a wide range of responsibilities mean I’m not always available to the team. During this year’s health scare, I simply sent a brief text to my immediate manager and my governance, risk, and compliance leader, confident they could handle things while I focused on healing and spending time with my family. As much as I wanted to stay engaged, I soon realized working through recovery wasn’t possible. I couldn’t be more proud of the entire team stepping up as they always do and more than grateful for an organization that truly supported my return to health.