CISO turnover is showing signs of stability, dropping from 21% in 2022 to 12% in 2023 and to an annualized 11% in the first half of 2024, according to IANS Research and Artico Search’s report. Still, organizations face a stark reality: when their top security executive departs, there’s often no one ready to step into the role.
This stability masks an underlying problem: most companies don’t have clear succession plans or strong programs to prepare future CISOs, leaving them exposed when leadership changes.
The problem isn’t just finding people with technical skills; it’s developing people internally who can also talk to executives and think like business leaders. Developing leaders who understand the business, communicate well, and think strategically is not easy, yet these are the qualities that turn a security professional into a CISO. With cyber threats increasing and regulations stacking up, the gap between hands-on security work and executive leadership has never been wider.
The succession planning vacuum
How often do companies have formal CISO succession plans? “I’d say almost never,” says Maggie Myers, managing executive search consultant at Korn Ferry. That lack of planning is exactly why so many end up turning to her firm, she adds.
Without a plan to develop leaders from within, companies leave themselves exposed. They end up relying on outside hires — a process that can take months and leave key security roles empty in the meantime.
The story Myers hears most often from clients is a familiar one. “‘We have a number two. They would love to put their hat in the ring for the top job,’” she notes. “And almost every time we hear, ‘Technically, they are excellent. Rock solid. They can run world-class operations.’” But the problem is that they really haven’t learned to connect cybersecurity to corporate strategy, business strategy, merger and acquisition growth initiatives, and that broader strategic mindset around cybersecurity, she explains.
Even organizations that have managed internal CISO transitions often did so without formal planning. Marty Barrack, CISO and chief legal and compliance officer at XiFin, transitioned into the CISO role organically after starting as general counsel in 2018. “So, we never had one before,” Barrack says of succession planning at his company. “The role was an acknowledgment of the direction and oversight that I was exercising over the security function.”
Similarly, Chris Holden, senior vice president and CISO at Crum & Forster, stepped into his role after the previous CISO departed. “At the time, there was no formal succession plan,” he says.
The technical-to-strategic divide
One major obstacle keeping many mid-level security pros from becoming CISOs isn’t their tech skills — it’s learning to shift from doing hands-on security work to acting as strategic business partners. That change takes a whole new set of skills and a different way of thinking.
“I think you see this with a lot of CISOs. A lot of us have come up through a very technical background,” Holden notes. “More than 50% of my time now is [spent] interacting with non-technical executives that have a much different perspective on what I thought cybersecurity was.”
The challenge extends beyond simply communicating with executives. “If a cybersecurity professional wants to become a CISO, they have to go through a transition from a focus on tactical activities involving security issues and broaden their perspectives to the overall risks and business processes of the company and the role of cybersecurity in that,” Barrack says.
This broader perspective encompasses understanding how cybersecurity fits with information technology, compliance, customer relationships, vendor management, and other stakeholders throughout the company, including environmental, social, and governance considerations that now frequently include cybersecurity components, according to Barrack.
“You have to be able to analyze issues at that broader corporate level and communicate that to board members, to other executives and to third-party stakeholders,” Barrack says. This requires “a recognition of the various issues that have to be addressed, a suitable framework for your analysis, and an appropriate way of balancing that risk so that your priorities reflect your company’s priorities.”
The risk management evolution
Another reason the CISO pipeline is so thin is that many security leaders never make the leap in how they view risk. They’re trained to see it in black and white — fix every flaw, block every threat. But the CISO role is also about tradeoffs, balancing security with business needs, and being able to explain those choices to the board. Without that shift, there just aren’t enough internal candidates ready to step into the top job.
Barrack discovered this firsthand during his transition. “One of the things that I recognized pretty quickly was that a lawyer’s view of risk was not the right perspective,” he says. To address this gap, he pursued the Certified in Risk and Information Systems Control certification from ISACA. “That really helped me drill into risk from the security perspective and the business perspective, rather than a legal and regulatory perspective,” Barrack says.
The key difference comes down to what gets prioritized. “I don’t think that lawyers are great about prioritizing risk because they generally look at all risk as needing to be dealt with,” Barrack explains.
Cybersecurity is really about facing constant threats — deprecated software, hidden flaws, phishing emails, fraud, and attacks that can come from inside and outside the company. A CISO’s real job is deciding which risks matter most and figuring out how to set the right priorities.
And this risk management perspective must be communicated effectively across the organization. “The CISO role is a risk management role that communicates clearly to all the stakeholders that the risk management function is being managed properly and effectively to deliver good security in an effective way,” Barrack notes.
Structural barriers to development
Taking on the cybersecurity leader role is not just about individual skills. The way many companies are structured keeps mid-level security leaders from getting the experience they’d need to move into a CISO role. Myers points to several systemic problems that make effective succession planning tough.
“For a lot of cases, the CISO role for the top job is still pretty varied within the organization, whether they’re reporting to the CIO, the CFO, or the CEO,” she explains. “That limits the strategic visibility and influence, which means that the number two doesn’t really get the executive exposure or board-level engagement needed to really step into that role.”
The issue gets worse because of the way companies are set up, according to Myers. CISOs often oversee a wide range of responsibilities: risk, compliance, governance, vendors, data privacy, and crisis management. But cyber teams are usually lean and split into narrow functions, so most deputies only see a piece of the picture. That limited view makes it hard for them to be seen as truly ready for the top job.
Board experience presents another significant barrier. “The CISO has to have board experience, especially depending on the industry or the type of company and their ownership structure. That’s pretty critical,” Myers says. “That’s a hard thing to just walk into on day one and have that credibility and trust without having had the opportunity to develop it throughout your tenure.”
Additionally, some highly skilled technical professionals simply have no interest in management responsibilities. Holden acknowledges this challenge: “Some of the best, most technical people I’ve ever met have just no interest in dealing with people management,” he says. “They really like the personal satisfaction reward of being that individual contributor.”
Building effective succession programs
Organizations that have developed successful succession programs share several common approaches. The most critical element is early and intentional planning that begins immediately when a new CISO takes the role.
“They start on day one,” Myers says of the most forward-thinking CISOs. “They come in and the first thing they do is assess the talent, assess the team, and immediately start thinking about their succession plan, like identifying who the potentials are within their organization.”
The key is creating a deputy CISO position rather than simply elevating existing functional leaders. “I mean a true deputy CISO where they’re able to come in and own multiple verticals and have that cross-functional oversight, rather than staying in one silo,” Myers explains.
That person needs access to the leadership team and, when it makes sense, the board. And it’s not just about preparing slides — they should actually be in the room, listening and contributing to the discussion, she adds.
Rotational programs work well too, because they let potential successors gain experience in different parts of the business. This approach ensures they develop “enough experience in each area to really have something to build off of and a leg up when they are trying to take on that top job,” according to Myers.
Barrack emphasizes the importance of creating a supportive learning environment. “I try and foster a really positive learning environment where people understand escalation is not bad, and the result of escalation may be a learning point for one of my people, but that’s not punitive,” he says. “You have to let them grow, and that means taking risks with them. You have to set them up for success, but you have to let them grow.”
Putting effort into succession planning pays off in more ways than just building a bench of future CISOs. Myers points out that when internal talent is developed to be strong technically as well as ready to engage with senior leadership, companies save money and reduce risk across the organization. The upfront investment more than pays for itself in stability, continuity, and lower costs.
The experts agree that companies can’t wait until their CISOs walk out the door to think about who’s next. Cyber threats keep evolving, and the role of security leadership is only becoming more important. Building and training future CISOs isn’t a nice-to-have anymore — it’s a must. The organizations that start now will be the ones with steady leadership in place when the next big challenge hits.