{"id":4575,"date":"2025-08-28T07:00:00","date_gmt":"2025-08-28T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4575"},"modified":"2025-08-28T07:00:00","modified_gmt":"2025-08-28T07:00:00","slug":"the-ciso-succession-crisis-why-companies-have-no-plan-and-how-to-change-that","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4575","title":{"rendered":"The CISO succession crisis: why companies have no plan and how to change that"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISO turnover is showing signs of stability, dropping from 21% in 2022 to 12% in 2023 and to an annualized 11% in the first half of 2024, according to IANS Research and Artico Search\u2019s <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/new-report-from-ians-research-and-artico-search-reveals-ciso-compensation-remains-strong-despite-2024-market-slowdown\">report<\/a>. Still, organizations face a stark reality: when their top security executive departs, there\u2019s often no one ready to step into the role.<\/p>\n<p>This stability masks an underlying problem: most companies don\u2019t have clear succession plans or strong programs to prepare future CISOs, leaving them exposed when leadership changes.<\/p>\n<p>The problem isn\u2019t just finding people with technical skills; it\u2019s developing people internally who also understand the business, can communicate with executives, and think strategically. Those are the qualities that turn a security professional into a CISO, and they are hard to build from within. 
With cyber threats increasing and regulations stacking up, the gap between hands-on security work and executive leadership has never been wider.<\/p>\n<h2 class=\"wp-block-heading\">The succession planning vacuum<\/h2>\n<p>How often do companies have formal CISO succession plans? \u201cI\u2019d say almost never,\u201d says Maggie Myers, managing executive search consultant at Korn Ferry. That lack of planning is exactly why so many end up turning to her firm, she adds.<\/p>\n<p>Without a plan to develop leaders from within, companies leave themselves exposed. They end up relying on outside hires \u2014 a process that can take months and leave key security roles empty in the meantime.<\/p>\n<p>The story Myers hears most often from clients is a familiar one. \u201c\u2018We have a number two. They would love to put their hat in the ring for the top job,&#8217;\u201d she notes. \u201cAnd almost every time we hear, \u2018Technically, they are excellent. Rock solid. They can run world-class operations.&#8217;\u201d But the problem is that they really haven\u2019t learned to connect cybersecurity to corporate strategy, business strategy, merger and acquisition growth initiatives, and that broader strategic mindset around cybersecurity, she explains.<\/p>\n<p>Even organizations that have managed internal CISO transitions often did so without formal planning. Marty Barrack, CISO and chief legal and compliance officer at XiFin, transitioned into the CISO role organically after starting as general counsel in 2018. \u201cSo, we never had one before,\u201d Barrack says of succession planning at his company. \u201cThe role was an acknowledgment of the direction and oversight that I was exercising over the security function.\u201d<\/p>\n<p>Similarly, Chris Holden, senior vice president and CISO at Crum &amp; Forster, stepped into his role after the previous CISO departed. 
\u201cAt the time, there was no formal succession plan,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">The technical-to-strategic divide<\/h2>\n<p>One major obstacle keeping many mid-level security pros from becoming CISOs isn\u2019t their tech skills \u2014 it\u2019s learning to shift from doing hands-on security work to acting as strategic business partners. That change takes a whole new set of skills and a different way of thinking.<\/p>\n<p>\u201cI think you see this with a lot of CISOs. A lot of us have come up through a very technical background,\u201d Holden notes. \u201cMore than 50% of my time now is [spent] interacting with non-technical executives that have a much different perspective on what I thought cybersecurity was.\u201d<\/p>\n<p>The challenge extends beyond simply communicating with executives. \u201cIf a cybersecurity professional wants to become a CISO, they have to go through a transition from a focus on tactical activities involving security issues and broaden their perspectives to the overall risks and business processes of the company and the role of cybersecurity in that,\u201d Barrack says.<\/p>\n<p>This broader perspective encompasses understanding how cybersecurity fits with information technology, compliance, customer relationships, vendor management, and other stakeholders throughout the company, including environmental, social, and governance considerations that now frequently include cybersecurity components, according to Barrack.<\/p>\n<p>\u201cYou have to be able to analyze issues at that broader corporate level and communicate that to board members, to other executives and to third-party stakeholders,\u201d Barrack says. 
This requires \u201ca recognition of the various issues that have to be addressed, a suitable framework for your analysis, and an appropriate way of balancing that risk so that your priorities reflect your company\u2019s priorities.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The risk management evolution<\/h2>\n<p>Another reason the CISO pipeline is so thin is that many security leaders never make the leap in how they view risk. They\u2019re trained to see it in black and white \u2014 fix every flaw, block every threat. But the CISO role is also about tradeoffs, balancing security with business needs, and being able to explain those choices to the board. Without that shift, there just aren\u2019t enough internal candidates ready to step into the top job.<\/p>\n<p>Barrack discovered this firsthand during his transition. \u201cOne of the things that I recognized pretty quickly was that a lawyer\u2019s view of risk was not the right perspective,\u201d he says. To address this gap, he pursued the Certified in Risk and Information Systems Control certification from ISACA. \u201cThat really helped me drill into risk from the security perspective and the business perspective, rather than a legal and regulatory perspective,\u201d Barrack says.<\/p>\n<p>The key difference comes down to what gets prioritized. \u201cI don\u2019t think that lawyers are great about prioritizing risk because they generally look at all risk as needing to be dealt with,\u201d Barrack explains.<\/p>\n<p>Cybersecurity is really about facing constant threats \u2014 deprecated software, hidden flaws, phishing emails, fraud, and attacks that can come from inside and outside the company. A CISO\u2019s real job is deciding which risks matter most and figuring out how to set the right priorities.<\/p>\n<p>And this risk management perspective must be communicated effectively across the organization. 
\u201cThe CISO role is a risk management role that communicates clearly to all the stakeholders that the risk management function is being managed properly and effectively to deliver good security in an effective way,\u201d Barrack notes.<\/p>\n<h2 class=\"wp-block-heading\">Structural barriers to development<\/h2>\n<p>Readiness for the cybersecurity leader role is not just about individual skills: the way many companies are structured keeps mid-level security leaders from getting the experience they\u2019d need to move into a CISO role. Myers points to several systemic problems that make effective succession planning tough.<\/p>\n<p>\u201cFor a lot of cases, the CISO role for the top job is still pretty varied within the organization, whether they\u2019re reporting to the CIO, the CFO, or the CEO,\u201d she explains. \u201cThat limits the strategic visibility and influence, which means that the number two doesn\u2019t really get the executive exposure or board-level engagement needed to really step into that role.\u201d<\/p>\n<p>The issue gets worse because of the way companies are set up, according to Myers. CISOs often oversee a wide range of responsibilities: risk, compliance, governance, vendors, data privacy and crisis management. But cyber teams are usually lean and split into narrow functions, so most deputies only see a piece of the picture. That limited view makes it hard for them to be seen as truly ready for the top job.<\/p>\n<p>Board experience presents another significant barrier. \u201cThe CISO has to have board experience, especially depending on the industry or the type of company and their ownership structure. That\u2019s pretty critical,\u201d Myers says. \u201cThat\u2019s a hard thing to just walk into on day one and have that credibility and trust without having had the opportunity to develop it throughout your tenure.\u201d<\/p>\n<p>Additionally, some highly skilled technical professionals simply have no interest in management responsibilities. 
Holden acknowledges this challenge: \u201cSome of the best, most technical people I\u2019ve ever met have just no interest in dealing with people management,\u201d he says. \u201cThey really like the personal satisfaction reward of being that individual contributor.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Building effective succession programs<\/h2>\n<p>Organizations that have developed successful succession programs share several common approaches. The most critical element is early and intentional planning that begins immediately when a new CISO takes the role.<\/p>\n<p>\u201cThey start on day one,\u201d Myers says of the most forward-thinking CISOs. \u201cThey come in and the first thing they do is assess the talent, assess the team, and immediately start thinking about their succession plan, like identifying who the potentials are within their organization.\u201d<\/p>\n<p>The key is creating a deputy CISO position rather than simply elevating existing functional leaders. \u201cI mean a true deputy CISO where they\u2019re able to come in and own multiple verticals and have that cross-functional oversight, rather than staying in one silo,\u201d Myers explains.<\/p>\n<p>That person needs access to the leadership team and, when it makes sense, the board. And it\u2019s not just about preparing slides \u2014 they should actually be in the room, listening and contributing to the discussion, she adds.<\/p>\n<p>Rotational programs work well too, because they let potential successors gain experience in different parts of the business. This approach ensures they develop \u201cenough experience in each area to really have something to build off of and a leg up when they are trying to take on that top job,\u201d according to Myers.<\/p>\n<p>Barrack emphasizes the importance of creating a supportive learning environment. 
\u201cI try and foster a really positive learning environment where people understand escalation is not bad, and the result of escalation may be a learning point for one of my people, but that\u2019s not punitive,\u201d he says. \u201cYou have to let them grow, and that means taking risks with them. You have to set them up for success, but you have to let them grow.\u201d<\/p>\n<p>Putting effort into succession planning pays off in more ways than just building a bench of future CISOs. Myers points out that when internal talent is developed to be strong technically as well as ready to engage with senior leadership, companies save money and reduce risk across the organization. The upfront investment more than pays for itself in stability, continuity, and lower costs.<\/p>\n<p>The experts agree that companies can\u2019t wait until their CISOs walk out the door to think about who\u2019s next. Cyber threats keep evolving, and the role of security leadership is only becoming more important. Building and training future CISOs isn\u2019t a nice-to-have anymore \u2014 it\u2019s a must. The organizations that start now will be the ones with steady leadership in place when the next big challenge hits.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISO turnover is showing signs of stability, dropping from 21% in 2022 to 12% in 2023 and to an annualized 11% in the first half of 2024, according to IANS Research and Artico Search\u2019s report. 
Still, organizations face a stark reality: when their top security executive departs, there\u2019s often no one ready to step into [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4576,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4575"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4575"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4575\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4576"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}