Succession Planning for Security Departments

Survival of the fittest may work in the animal kingdom, but grooming the next generation of CSOs requires a substantial investment of time, a sincere interest in employee development and a dash of humility. Are you ready for succession planning?

When McDonald's Chairman and CEO Jim Cantalupo died suddenly of an apparent heart attack this past April, the hamburger chain was able to do something that many companies would be hard-pressed to do in the midst of the shock of such a loss: It immediately named a new executive team. Just hours after Cantalupo's death, the McDonald's board of directors named Charlie Bell the company's new CEO, a move that soothed the nerves of the company's jittery investors and employees.

But this was no impulse decision. When Cantalupo came out of retirement to take the reins of the fast-food giant more than a year ago, he requested that Bell be named COO so that he could groom him to eventually take over the top spot. Cantalupo understood that his legacy at the company would be judged by more than the number of new items added to the menu. It would be measured by how he prepared his successor and the smoothness of the transition of power.

Leaders often wrestle with the task of grooming a successor, and history is rife with stories of succession planning gone awry. Recent tales of Michael Eisner's travails at Disney show the hazards of having no succession plan whatsoeveralthough he claimed to have an emergency envelope tucked inside his desk containing the identity of his handpicked replacement. But, in reality, Eisner drove so many of his would-be successors out of the company that, after ousting him as chairman, the Disney board is still actively working on building a real succession plan.

And it's not just a part of disaster planning. As talented executives and managers graduate to larger leadership roles, they vacate positions that need to be filled by equally gifted people. As a result, executive succession planning has become a staple of corporate due diligence.

A study by executive search firm Korn/Ferry International found that succession planning programs are on the rise: Only 33 percent of American boards of directors reported having a CEO succession plan in place in 2001, but by 2003 that number had jumped to 77 percent. "We're clearly seeing more emphasis placed on things like business continuity planning," says Mark Polansky, managing director and member of the Advanced Technology Practice at Korn/Ferry's New York office. "But it's not only about physical security, cybersecurity and losing electrical power," he says, "9/11 taught us it's also about losing people. [Succession planning] is consequently becoming a more prominent and practiced art."

Although a CEO's successor gets the most media attention, a succession plan should be in place for all of a company's top executives, including the CSO. "If you lose one or two senior executives, it's a domino effect that impacts a whole series of people," says John Bruckman, managing director of the Change Management Group, a consultancy staffed by industrial and organizational psychologists. "You want to replace those people from within, and you want someone to seamlessly step in and take over as if nothing happened. You should have two to three successor candidates for every key position," he advises.

We spoke with CSOs and management consultants to glean their perspective on the challenges and benefits of developing a succession plan for the CSO. We present their tips for growing security leaders who will ably guide your team into the future, and we show you why attention to succession planning can make your tenure as the CSO even more secure.Don't Fear the Reaper Executives often delay succession planning or give the process short shrift for the same reason that people put off drawing up a will; it's uncomfortable to think about death and dying. In the corporate world, creating a succession plan raises the equally feared specters of layoffs or retirement. It takes guts to tackle the issue head on.

A succession plan is more than a document containing the secret identity of your company's next CSO. It is a living mission statement that puts into writing the attributes that future security leaders must have. It also includes the development and training programs needed to nurture successors and a methodology for ensuring management's accountability to the plan.

A succession plan does not necessarily have to name an actual successor, although most CSOs we spoke with have candidates in mind that they have discussed with senior management. "The individual's identity is confidential to the point where it needs to be announced," says David Burrill, head of group security for British American Tobacco. "If you nominate someone too early, he'll think that what he does in the future doesn't matter." Instead, Burrill wants to keep his candidates hungry for the position. "[My candidates] will know that they're doing well, that they are highly regarded and will almost certainly know they're in the running for the job. But if there is only one person in the running, if there isn't a sense of competition, we have a problem."

The transparency of the process depends largely on the corporate culture that you're working within. Many companies keep their candidate list completely confidential, sharing it only with top management for fear that the process will become too political or open the department up to be cherry-picked by headhunters. Other companies make selecting executive successors a more open process where each candidate gets an annual or biannual review indicating what he needs to do to prepare himself to take on the CSO role. Regardless of which method you choose, the criteria for the CSO role should not be treated like a trade secret. If you want employees to aspire to be future security leaders, they have to understand the standards and expectations against which they will be judged.

The goal for Burrill and for many of the CSOs we interviewed is to build a succession plan that's so solid that they never have to look outside the company for a security executive candidate. "If we got it right, we should be able to home grow our own head of security," says Burrill. "If we had to go out to the public sector [to hire candidates], I would consider it a failure because they would have to adjust to our business environment and quite a lot of them never will. Over time that can cripple an entire function."Plan from the Top...A good succession plan should be two things: mandated from the top down and then built from the bottom up. Management support and leadership are critical to validating the plan and creating accountability. Sound recruitment and retention policies are crucial to bringing good people into the system.

Few CSOs have the luxury of choosing their successors without a good deal of input from management, so it's important that the process is steered by corporate leadership. "It has to be driven from the top, by the board of directors, the chairman and the CEO. It can't be driven by the CSO," says Bruckman. "All he can do is make a really good case for one particular candidate."

At Merck, CEO Ray Gilmartin is within two years of retirement and has set an example of succession planning for his management team by announcing that his successor will come from within. Gilmartin has stressed the importance of developing leaders internally by acknowledging that when he was brought in from the outside in 1994 it was far more disruptive to the organization than an internal appointment would have been. Merck CSO Bob Moore believes that Gilmartin's strategy applies equally to the security function. "There is a lot of disruption when you bring someone in from the outside to head up security. And to be brutally frank, if a company doesn't develop from within, it points to a lack of planning on its part."

At British American Tobacco, succession plans are mandated throughout the company, and tied to the organization's career development meetings (CDMs) that take place between all employees and their managers. CDMs address an employee's performance as well as his potential and identify individuals with leadership prospects. Once a year, Burrill meets at corporate headquarters in London with a member of the board and a senior executive from human resources to discuss employees within security who are prepared to succeed into senior executive positions. This ensures that Burrill's hottest prospects are discussed with senior management while keeping him accountable for their continued development and progress....And Build from the BottomOn the other side of the spectrum, CSOs need to be diligent about attracting individuals with leadership potential into security and making it appealing for them to stay on and build careers there. The problem is that managers and executives tend to value people who are like them, says James Redeker, chairman of the Employment Services Practice Group at law firm Wolf, Block, Schorr and Solis-Cohen. And that fact is often reflected in hirings and promotions. This can be particularly true in security organizations, which tend to be populated by people with similar backgrounds such as law enforcement, three-letter government agencies and information security.

"The danger is that you start to create clones," says Burrill. "If everyone is trained the same way and everyone agrees with each other, then nobody is going to ask the rogue questions." Burrill values a staff with diverse backgrounds. "We want our security managers to come from the military, from law enforcement and the state department. We want some to be brought up through the business side and some who have never been in any of those groups. They all blend together to create a pot of gold," he says.

Building your own leaders also presents some unique challenges in the security world. Unlike other business units, security tends to be small and there are limited opportunities to break into management. Consequently, part of the price of building a strong succession plan with solid future CSO candidates is that you have to be willing to lose them. "Most security organizations are lean and mean until you get to the major companies," says Bill Wipprecht, CSO of Wells Fargo. He believes in cross-training his people to ensure that they have the leadership skills that will prepare them to take over when somebody leaves or retires. But he acknowledges that sometimes those opportunities will come up at another company before they do at Wells Fargo. "If somebody comes to me and says he's going to be security director at another company, that makes me proud," he says. "I don't mind promoting people out like that because it's a positive thing for the industry."

However, timing can also work in a company's favor. Jim Christian, vice president and head of corporate security and aviation at Novartis, has had employees leave for a better opportunity with a competitor, and then three years later a position will open up and Novartis can lure that individual back. "A lot of it is timing; sometimes we have the person and not the position," says Christian.

Derrick Barton, cofounder of the Center for Talent Retention, suggests that CSOs who want to hold onto their best people should consider creating career opportunities rather than waiting for positions to open up. This can mean designing a special assignment for someone who wants to build his or her skills in a particular area of security. Thus, employees who are hungry for development can get it without necessarily being appointed to a new job. "Make it a role that the person can execute and be compensated for," says Barton. "There doesn't have to be a ton of hierarchy for something to be a career-opportunity trigger."

The simple act of letting a person know that she is well thought of is also important to employee retention. "I can't tell you how many high performers were delivering great work, but no one ever told them. They decide, 'I'm out of here,'" says Barton. "Once that happens, there's a very high correlation with those people actually leaving, and they will deliver high performance until the moment they walk into your office and say they're moving on." CSOs can't put off these discussions, or they will find their best replacement candidates slowly trickling out of the corporation.

On a positive note, one employment trend benefiting CSOs is that the decade of the freelance nation is over. Employees are no longer as interested in hopping from one company to another as they were in the '90s. The desire for stability, and the opportunity to build a career at a single company, is more valued at this point.Define the RoleWhen succession plans do exist, they are often based on the wrong criteria. Performance evaluations can identify talented people within your group, but they are records of an individual's past accomplishments. A good succession plan should be based on the skills and values that will define the CSO role in the future. The executive that has been a corporate superstar for the past 15 years is not necessarily the best-equipped leader for the challenges that are sure to arise in the next decade. CSOs who embark upon succession planning must first consider what the defining characteristics of the future security executive will be.

1 2 Page 1
Page 1 of 2
22 cybersecurity myths organizations need to stop believing in 2022