Lacking CISO succession plans sparks concern

No succession plans for chief information security officers have been established by almost 41% of companies even though 75% of CISOs expressed being very or entirely open to transferring to another company over the next three years, CNBC reports. Moreover, organizations with a CISO succession plan mostly have one person with elevated odds of being underqualified for the position, a Heidrick & Struggles report showed. Such lack of succession plans is concerning amid the growing prevalence of cybersecurity risks that require cyber leadership, according to Heidrick & Struggles Partner and Global Cybersecurity Practice Leader Matt Aiello. "Organizations that do not have a succession plan in place leave their business vulnerable to undue risk, as the threat landscape and regulatory environment continue to evolve at a rapid pace," said Aiello, who also emphasized the challenges in replacing CISOs and urged that CISO succession should be considered as seriously as those of company CEOs. Similar sentiments have been expressed by Deloitte Risk and Financial Advisory Principal in Cyber and Strategic Risk Danel Soo. "The lack of a successor could disrupt business-as-usual cybersecurity operations, resulting in delays, gaps in critical cyber risk management activities, and hindered cyber incident response and decision-making," added Soo.