Thank you Jan Tinneberg and Unsplash for this graphic
For CISOs on the way out of the door, we share a people-centric framework to enable you to exit with grace and equip you for your next leadership challenge.
When to read this?
- You plan to leave the job voluntarily. You haven’t told them yet, but you know that you’ll want to “do it right.”
- You’ve been given notice. The company has asked you to transition over the next few weeks or months.
An important element of preparing your Security Leadership exit is intentional reflection. Looking back on the journey thus far and the road ahead, with the strengths and blind spots that have brought you to this point will benefit the team you leave and perhaps most importantly, your next team and organization. What follows is a list of the people and relationships to consider as well as the lists of actions and deliverables to prioritize for each.
CISO Succession: The Four Stakeholders
Whether exiting voluntarily or not, the clock is started and there’s an expectation that you now need to prepare the organization — to be ready for what comes next.
The four audiences to keep in mind as you organize your exit are:
- The Team You’re Leaving Behind
You’re leaving a team and a group of individuals behind. You cared about them and you still care about them — individually and collectively. Consider addressing both individual team members (specifically your direct reports) as well as the overall ‘security team’ (the department, collectively). - Your Successor
You want to do right by your successor. After all, you remember coming into the job and wishing you had some breadcrumbs as you found your own way. Your successor, whoever they are, will be stepping into a new role. - Regulators / Executives / Boards
As a departing executive, you are reminded that as soon as you leave, your executive influence does too. Commonly, the exiting executive becomes the scapegoat (it’s as much for forward momentum as it is lazy). It’s acceptable that your narrative and the company’s will diverge. - Yourself
Transitions are one of the few professional inflection points that provide an opportunity for intentional reflection and growth. As you leave your CISO role, reflect honestly and also define a positive arc for yourself and for the program that you’re leaving.
For the Team You’re Leaving Behind
Here are four messages to convey to the team that you’re leaving behind:
- Victory Lap — This is a specific list of successes. It can be organized by a person individually, or for a program. Defining this list and then sharing it activates a feeling of pride (for you as well as the recipient). It also serves as an artifact that they can share and repeat with the new supervisor. Share this intentionally, maybe even written out.
- Keep Doing These Things — This is a specific list of positive feedback. It can be organized by a person individually, or for a program. Defining this list and then sharing it is an important marker of what is working and a good reference list for what to continue to emphasize.
- Calendar of Expectations (of the team) — There are certain data points (updates, metrics, etc) that occur at specific intervals in the calendar that the team contributes to — and MUST continue doing. This list shouldn’t be all-encompassing — it’s the ‘must dos’ because the company asks for them at specific predictable intervals. Communicate to the team who will request it, what format, and how to prepare it. This list could be organized by sub-team or calendar.
- Forward Feedback — This isn’t appropriate for all situations. However, one gift that a departing Security Leader can leave for their team is to positively envision each team member’s future professional arc through the bias of your experience and exposure to them. Share with them what you see as their opportunities at this organization. In your role you collected special insights into each person’s strengths; and you have — even if you’ve never formally shared them — opinions and advice that can unlock their own journey of professional development. Sharing this message is a choice.
For Your Successor
Whether you know who will be filling your role or not, it doesn’t matter. Organize a succession folder that includes the documents listed below. Minimally, dust off these documents in their current & logical location to make sure that they are well-labeled and easy to find. To effectively assemble (and not overly stuff) this folder, imagine yourself walking into this role. What did you wish you had? Provide these for your successor, even if you think “they won’t need it” or “they won’t use it.”
- Board: Last Four — Whether these are actual board materials or program summaries, having the last four executive program updates helps the incoming successor see the trajectory and messaging as well as the format and style of updates. What makes this even more effective is if there is also a document that lists the notes, take-aways, actions from those meetings.
- Departmental: Operating Documents — Within your security department you had a roadmap (regardless of when it was last updated or how accurate it is). You also had a departmental budget (even better if it’s organized by vendor or by calendar month). Importantly, what roadmap was messaged to supervisors / leaders? Is this a presentation? Is this a memo?
- People: Talent Management & Partner Relationships — Aggregate a guide to quickly orient the successor to the security team (name, title, function, performance rating, promotion schedule). Create a similar guide to outline cross-functional internal business relationships. List recurring meetings with senior leaders, committee meetings, and working groups as well as the frequency and quality of the interactions for each.
- Risks: List of Prioritized Issues — Think of this as your ‘vent list,’ or maybe it’s your ‘cya’ list. Also think hard about whether you need to document this, because it may already be listed in a risk register or in presentations already delivered. Depending on the reasoning, you may find it appropriate to prepare a list of prioritized risks / issues. This may also ‘save you’ in a future investigation.
For the Regulators / Execs / Board
The moment your departure is announced will also signal a shift in your influence and your relationship with these stakeholders. Accepting this demonstrates maturity and eases your evolving engagement with the company’s leaders.
There should be clarity on what you are responsible for, until the hour of your departure. Your compliance obligations may follow you. So be mindful of documentation and future potential liability.
For Yourself
Whether self-reflection is comfortable for you or not, thinking through the ‘storyline’ of your role is important — even if just for you. Taking the time to do it thoughtfully and with a decidedly positive interpretation will help you arrive more confidently into your next role.
Another way to think of this is as a case study of your tenure and ‘assignment.’ Use these guiding statements:
- I got here when…
Describe the reason YOU were brought in — the situation, the need, your mandate. - While I was here, we….
Describe the construct of the program that you built, and the operations that you established. - These achievements…
While it’s tempting to list ALL of the tactical achievements, that isn’t useful. You’re leaving a leadership position — provide the summary of program achievements. Think of this as the risks that you managed and the value that your program brought to the organization. - Reflection forward…
As you complete the case study, summarize with the pride of a team captain, how the security team is equipped to succeed (even in your absence). And if you feel like it’s too rosy then consider intentionally what challenges lay ahead.
Another part of the ‘case study’ is more personal — and perhaps never shared. While it’s a reflection, you’re invited to look forward (with the benefit of your recent tenure), and anticipate. Anticipate what you believe the next ‘phase’ of the program will be — and answer honestly why you chose to leave. Even if just for yourself.
Don’t do this to criticize. Do this to give words to your preferences and style. Perhaps adjusted for your current life-stage. By taking inventory of why you chose to leave and why now, you also reset your energy to enter a new organization and team.
Spend the time to do so purposefully. You may think that you’ll get to this “later.” However, “later” is often filled with new activities.
A quick note about vendors
Vendors are often forgotten when it comes to being informed of a transition to a new CISO. Prepare a single email that can be sent to each vendor letting them know that their contact person has changed, and be sure to copy that contact person. You owe it to the company.
Any vendor relationship that you want to maintain for future roles should happen entirely offline from the current organization. If you value that vendor, they’ve likely invested a lot of time and energy in bringing that value to you, so they’ll be happy to stay in touch.
Conclusion
Exiting is bittersweet. No matter the circumstance, there will be mixed emotions. Reflecting on the way you exit and the work you did will make all the difference as you enter your next role.
In many ways, the way you exit, and the final impression you leave will shape the narrative of the ‘kind of CISO’ you are, and enable you to enter your next chapter with grace and confidence that you did the ‘right thing’ regardless of the circumstances for your departure. Afterall, wouldn’t you have wanted your successor, or your prior boss to have done each of these things?
Written Jointly by: Yael Nagler & Chris Veltsos