Undercover
Succession Planning: The Day After the Deputy CISO Left Work on a Gurney
Our anonymous CSO thought he'd planned for a disaster--until he experienced an unexpected absence of a key staff member
By Anonymous
Strategies for Coping
We don’t have the time or space here to go into the entire risk management process or details of business continuity, but a simple way to start is to ask your leadership team members what the impact would be if they didn’t show up for work tomorrow. This should lead to identifying the critical activities performed by each individual. The next step might be to detail how the loss of each of these key people would affect those activities and how the operations or business would be impacted if the objectives couldn’t be accomplished.
From a more formal perspective, there are several other steps you can take:
Better communication. Having regular communication with your team is a good way to stay abreast of the day-to-day activities in your group. We sometimes become so dependent on e-mail that we forget how important it is to actually talk and ask questions. I can’t count the times some nonverbal clue in a conversation led me to ask one more question that led to the nut of the problem or gave me some information that I didn’t know I needed.
Meetings, bloody meetings. Regardless of (un)conventional wisdom and what the (mis)informed may believe, good staff meetings are an essential means of understanding who is working on what as well as what those important things are. The key word here is “good.” We’ve all spent time in meeting hell. On the other hand, well-organized meetings can benefit everyone.
One time I began to feel that our weekly staff meetings were wasting people’s time and that I could accomplish the same thing by meeting individually with key staff members on a regular basis. After about four weeks, I began getting comments from staff complaining that they never knew who was working on what anymore or what was going on and asking to have the staff meetings reinstituted. The lesson here is that there’s a synergy from getting the group together, and that ability to share information is a significant component of mitigating the loss of key personnel.
KMA. Although I never want to be accused of being a micromanager, I also never want to be caught without critical information when I need it. I understand that it’s a double-edged sword, and the team never lets me forget it. My mantra to my staff is Keep Me Advised (KMA). I don’t need to (and in most cases don’t want to) get involved in making routine operational decisions, but I always want to know when something unusual is going on. I hate getting calls from my boss, a vendor or a customer about an issue or incident that my staff is working on that I don’t know anything about. This also goes for external conversations that could potentially impact our government customers or public constituents.



