Undercover
Succession Planning: The Day After the Deputy CISO Left Work on a Gurney
Our anonymous CSO thought he'd planned for a disaster, until he experienced an unexpected absence of a key staff member
By Anonymous
Points of Failure
The day my deputy CISO left unexpectedly wasn’t the first time I faced such a scenario. Several years ago, one of my key engineers had a family medical emergency that required him to move out of state for several months while a child received specialized medical care. During this time, he was almost completely incommunicado. He didn’t have access to a computer because this was before the days when nearly everyone had a laptop. The immediate void caused some critical outages because, although we were able to bring in someone with the technical skills to cover his position, he had been working on a couple of very technical projects that only he had knowledge of. To complicate things further, he had encrypted a lot of the files that the organization needed for daily operations.
Since then, I’ve been pretty meticulous in avoiding any single point of failure for my technical positions. I think most CSOs are. But what about our leadership? People sometimes joke that things might run more efficiently without any managers around, but it’s obvious that some things come to an immediate halt when you lose key staff. That’s why in the military and in a lot of major companies, there are policies forbidding leadership from traveling together and—in some instances where the political or geographic climate is unfriendly—even from meeting due to the possibility of one disastrous event eliminating or incapacitating the upper hierarchy of an organization. In many cases, we tend to over-rely on key personnel with critical leadership skills or organizational memory, and this can have a negative impact on both the business and the other people in the organization.
The reality is that the loss or incapacitation of key personnel can result in organizational chaos unless you have some form of plan that addresses how you respond. I’m no doomsdayer, but recent discussions about the potential impact of an avian flu pandemic are enough to make you sit up and take notice. Estimates by the Centers for Disease Control show that an influenza pandemic could infect up to 200 million people and cause between 200,000 and 1.9 million deaths in the United States. They also note that absenteeism of up to 20 percent to 50 percent from staff, vendors and services could occur. That would take a bite out of any organization’s productivity!
While my organization has a business continuity plan for recovering from interrupted critical functions after various emergencies, and a disaster-recovery plan for resuming operations, neither of these addressed the loss of key leadership personnel like I have now experienced. It may sound egotistical, but it quickly became clear to me on that day that if either I or any of my leadership team became ill or died, then the entire organization would face major difficulties. I was convinced that without our corporate knowledge and professional contacts, the potential organizational risks were too high to ignore.