The role of a CISO has continually expanded over the years, and now requires alignment not only to IT, but also business partners, third party partners, boards, customers, and other key stakeholders. One CISO cannot be everywhere all the time and engage meaningfully with all these groups. Beyond the scope of customer demands, the 24/7/365 schedule is a recipe for disaster.
It begs the question – Who is the one person in your organization empowered to act as a substitute for you?
Maybe you haven’t had time to consider when or where to start. Start today…and don’t be afraid to start small. Pick a part of your role that you haven’t been able to give enough attention. Who on your team can step in for you? Consider incident command, communication reviews, leadership summit planning, organizational design, board/executive briefing preparation, managing content and execution for your governance board, control framework alignment, developing metrics or maturity assessments. Your ideal candidate will be someone who can engage with and understand your team, stakeholders, business, and threat landscape. They should also be aligned and aware enough to offer your guidance when you step out for a much-needed vacation, or eventually for good. If you don’t have that person on your team, then ask yourself: “How can I define my next position opening with this need in mind?” If you already have someone in place or in mind, are you giving them individual opportunities to test their performance and get the much-needed feedback from you and your executive team, business partners and stakeholders?
The Deputy CISO role isn’t just good for your team and your organization. A Deputy can be invaluable for addressing your own weaknesses. What is your biggest Blind Spot? What Blind Spots exist within your team or your program? Identify or recruit a Deputy who can understand those issues and offer you solutions and support in addressing them. As a Deputy through the years, I found myself in very difficult and tense situations that required me to vet or even veto decisions the CISO was considering. There were times I had to be candid about why I didn’t agree with an approach or a direction my leaders wanted to take. These decisions ranged from organizational structure and decisions, metrics, communications, and at times, even my own role or involvement. On many occasions, my perspective was received and rejected, but it was still considered valuable. That’s what having a trusted advisor (AKA Deputy) is all about: having someone who can give you an alternative perspective to consider, especially when you are distracted, unavailable or stretched too thin.
A Deputy is someone who understands your direction, and offers timely, valuable perspective or validation.
A final benefit of having a Deputy to call upon during these situations, is that it gives our next generation of leaders’ invaluable situational experience. Great leaders prepare, not only for their own responsibilities, but for the next generation of leaders they are cultivating, and for the legacy organization they will leave behind. In that vein, it’s important to look at where you are today, and where you will be in the future. Thinking ahead for the day you need to move on is considered a professional obligation. Higher than desired turnover rates combined with the high need for qualified security professionals, it’s no wonder security leaders are in an ever-growing demand. It’s up to us to look ahead and begin cultivating those leaders. The time as a CISO is a great opportunity and responsibility to teach others the role and prepare the organization for your eventual departure. Characteristics of a great deputy are simple… what makes you a great CISO? Consider this…the ability to drive your strategy across the control framework and provide checks and balances across the team. Sharing the strategy with all stakeholders with timeboxed outcomes that can be communicated in business terms. Tie your strategy to funding, assessment outcomes, metrics, client updates, compliance, and/or operational reporting. Give your Deputy the ability to execute one or any of these efforts without dictating how and you might be surprised at the creativity and solutions they provide back. This would also give you the opportunity to assess alignment between the two of you with your guidance, direction, strategy with identifying strengths and areas of improvement…it’s where you mentor and mold the next generation of CISOs.
I’d like to leave you with this… investing time in your successor now will allow you to cover more of the role and help prepare you and the organization for the future. If you or your appointed Deputy need help, call me, I’d welcome the opportunity.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels