Succession Planning Needs to be Part of Security Recruiting

I just finished reading “Leadership In The Era Of Economic Uncertainty”. It is a timely book written either at the tail end of 2008 or even in the first month or two of 2009.

The book covers a lot of ground but one particular subject that caught my attention was succession planning. The subject made me think of a company that hired an extremely bright and talented CISO in the early part of this decade.  This CISO was more talented than anyone this company had ever hired to take care of information security, compliance and risk management.

The CISO delivered and over approximately four years, was promoted four times. This is a great story so far don’t you think?  Here is where the story takes a turn though.  The CISO was so successful that he was ultimately promoted to the CTO office.

Over four years, with a security staff exceeding 40 security professionals, this CISO never focused on bringing someone up behind him to step into his shoes. When the time came for his promotion to CTO to occur, the company had to go outside the organization to find a new CISO.

I’ve seen this type of non-planning happen frequently.  What prompted me to write about succession planning was a mix of ideas. 

• First, I read a good book that brought the subject back to the forefront of my mind. 
• Second, I thought of a specific instance in which the lack of a sound succession plan generated personnel challenges that could have been avoided.
• A conversation shared wtih a really smart HR Director whom I’ve worked with for several years focused on the topic of succession planning and hiring with the future in mind.

The company’s Converged Chief Security Officer was hired in 2008.  There is talk today of starting a new security recruiting search to identify a Security Architect to work under the CSO.  The HR Director is smart enough to think not only about who we need to recruit to fill the void that exists today but he is also thinking about focusing our security recruiting on identifying and hiring hiring someone who could ultimately step into the shoes of the VP of Security should that person leave or should something happen to him.

 This may seem like a simple story on the surface but the implications of getting it wrong are costly.   What stands out to me is that employers rarely engage me in succession planning discussions. When a discussion of this nature occurs, it really stands out. When an employer is thinking of the future when they hire in the present, more often than not, they’ll hire based on cost and what they see on a security job candidates’s resume today rathe than focusing on what the candidate’s potential is for the future.

When hiring for the future in the present, employers have to consider whether or not today’s candidate has the raw materials to be groomed and mentored in such a way that they can step up to a bigger role within the organization in the future. When hiring is done in this way,  with the end in mind rather than just focusing on the here and now, better hires are made and this level of recruiting  is strategically more fun for the security recruiter to tackle.