Succession Planning: The Day After the Deputy CISO Left Work on a Gurney

Our anonymous CSO thought he'd planned for a disaster, until he experienced an unexpected absence of a key staff member

I was sitting in a meeting when my assistant rushed in and whispered to me that there were paramedics in my deputy CISO’s office. I excused myself, and as I walked out of the conference room, I saw my deputy on a gurney being pushed into an elevator by three paramedics and two firefighters. The only thing they told me before the elevator door closed was that she was having difficulty breathing and they were taking her to the hospital.

After they left, I realized that I didn’t know what hospital she was going to or what, if anything, I should tell her family. About five minutes later, her husband called me and said that he was the one who had called the ambulance. They had been talking on the telephone when she began having medical problems. A couple of hours later, I got another call from her husband, who said that although his wife wasn’t in critical condition and would recover, the medical staff wasn’t sure when she would be able to return to work.

Although I was relieved to hear that she would recover, I began thinking about the projects she was working on and the people she was dealing with. I knew she was working with the legal folks on a contract issue and with HR on a critical personnel situation. Unfortunately, though, I had few details about most of the other things she was involved with. We had a couple of pilot projects and technology reviews with some vendors, but I didn’t have any names or numbers for the people she was working with. Most importantly, we were in the middle of our annual budget development, and she had been working with several groups to gather metrics and establish new security requirements for the subsequent funding they would need.

I had no idea whom I should contact to cancel meetings, what could or could not be postponed and if any of the negotiations were at a critical stage where I needed to elegantly step in and take over. We’ve all heard the anecdotes about key people getting “hit by a bus” and disrupting the organization, but I was now looking at almost that same scenario. In the end, it turned out that she was back to work sooner than I first feared, but the whole thing was an eye-opening experience for me.

It could have been much, much worse, of course. A few months ago, one of our vendors told me that one of its regional salespeople had died suddenly, and the company had to try to re-create his last few weeks of work to determine what customers he was working with, what stage of talks he was at with certain customers and what he had agreed to with others. It began getting frustrated calls from some customers wondering what had happened, and other customers even tried to take advantage of the situation by making claims that they had been promised certain things that were contrary to company policy. What’s more, this salesman had encrypted all of his files, including his customer contact list and pending sales list. This is usually a smart move, but unfortunately for this vendor, he had used an encryption program not managed by the company, which meant there wasn’t a back-door way for it to get into his files. The company literally had to start all over with the customers in the area.

Points of Failure

The day my deputy CISO left unexpectedly wasn’t the first time I faced such a scenario. Several years ago, one of my key engineers had a family medical emergency that required him to move out of state for several months while a child received specialized medical care. During this time, he was almost completely incommunicado. He didn’t have access to a computer because this was before the days when nearly everyone had a laptop. The immediate void caused some critical outages because, although we were able to bring in someone with the technical skills to cover his position, he had been working on a couple of very technical projects that only he had knowledge of. To complicate things further, he had encrypted a lot of the files that the organization needed for daily operations.
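Both encryption stories above (the vendor's salesman and the engineer who moved out of state) come down to the same missing control: the files were encrypted under a key only one person held, so the organization had no lawful path back into its own data. What an organization-managed encryption scheme does differently is wrap the per-file data key for more than one holder, one of them an organizational recovery key kept under separate custody. The following is an added illustration, not code from the column or from any product it mentions; it assumes RSA-OAEP for key wrapping and AES-GCM for the data, and the holder names "user", "recovery" and "outsider" and the customer-list text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EscrowedFile holds one AES-GCM encryption of the data plus a copy of the
// random data key wrapped (RSA-OAEP) for every authorised holder. Because the
// organisation's recovery key is one of those holders, the file stays
// recoverable when the user is unavailable, without the user's private key
// ever being shared.
type EscrowedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK map[string][]byte // holder name -> wrapped data-encryption key
}

// Encrypt seals plaintext under a fresh 256-bit data key and wraps that key
// for each holder. It refuses to proceed without a "recovery" holder; that
// policy check is exactly what the unmanaged tool in the column lacked.
func Encrypt(plaintext []byte, holders map[string]*rsa.PublicKey) (*EscrowedFile, error) {
	if _, ok := holders["recovery"]; !ok {
		return nil, errors.New("policy: no organisational recovery key supplied")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &EscrowedFile{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedDEK: make(map[string][]byte, len(holders)),
	}
	for name, pub := range holders {
		// The holder name is bound in as the OAEP label, so a wrapped key
		// cannot be quietly re-labelled as belonging to a different holder.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(name))
		if err != nil {
			return nil, err
		}
		f.WrappedDEK[name] = w
	}
	return f, nil
}

// Decrypt unwraps the data key with the holder's private key and opens the file.
func Decrypt(f *EscrowedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.WrappedDEK[holder]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for holder %q", holder)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(holder))
	if err != nil {
		return nil, fmt.Errorf("unwrap for %q failed: %w", holder, err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// Scenario replays the column's situation with constructed data: a salesperson
// encrypts a customer list and then becomes unavailable. It returns what the
// user reads, what the recovery key reads, and the error an outsider's key gets.
func Scenario() (byUser, byRecovery string, outsiderErr, err error) {
	user, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	recovery, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	outsider, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	customerList := []byte("Acme Corp: stage 3, agreed 15% discount (constructed sample)")
	f, err := Encrypt(customerList, map[string]*rsa.PublicKey{
		"user":     &user.PublicKey,
		"recovery": &recovery.PublicKey,
	})
	if err != nil {
		return
	}
	u, err := Decrypt(f, "user", user)
	if err != nil {
		return
	}
	r, err := Decrypt(f, "recovery", recovery)
	if err != nil {
		return
	}
	_, outsiderErr = Decrypt(f, "user", outsider) // wrong private key: fails
	return string(u), string(r), outsiderErr, nil
}

func main() {
	u, r, oe, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("user reads:    ", u)
	fmt.Println("recovery reads:", r)
	fmt.Println("outsider gets: ", oe)
}
```

The design point is that the recovery key is a second, independently stored private key; it is not a "back door" in the tool and it does not require knowing the user's passphrase. The operational caveat a practitioner should add is that "recovery" has to be held by a role (with dual control or a documented release procedure), not by one more person who can also leave on a gurney.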

Since then, I’ve been pretty meticulous in avoiding any single point of failure for my technical positions. I think most CSOs are. But what about our leadership? People sometimes joke that things might run more efficiently without any managers around, but it’s obvious that some things come to an immediate halt when you lose key staff. That’s why in the military and in a lot of major companies, there are policies forbidding leadership from traveling together and—in some instances where the political or geographic climate is unfriendly—even from meeting due to the possibility of one disastrous event eliminating or incapacitating the upper hierarchy of an organization. In many cases, we tend to over-rely on key personnel with critical leadership skills or organizational memory, and this can have a negative impact on both the business and the other people in the organization.

The reality is that the loss or incapacitation of key personnel can result in organizational chaos unless you have some form of plan that addresses how you respond. I’m no doomsdayer, but recent discussions about the potential impact of an avian flu pandemic are enough to make you sit up and take notice. Estimates by the Centers for Disease Control show that an influenza pandemic could infect up to 200 million people and cause between 200,000 and 1.9 million deaths in the United States. They also note that absenteeism of up to 20 percent to 50 percent from staff, vendors and services could occur. That would take a bite out of any organization’s productivity!

While my organization has a business continuity plan for recovering from interrupted critical functions after various emergencies, and a disaster-recovery plan for resuming operations, neither of these addressed the loss of key leadership personnel such as I have now experienced. It may sound egotistical, but it quickly became clear to me on that day that if either I or any of my leadership team became ill or died, then the entire organization would face major difficulties. I was convinced that without our corporate knowledge and professional contacts, the potential organizational risks were too high to ignore.

Strategies for Coping

We don’t have the time or space here to go into the entire risk management process or details of business continuity, but a simple way to start is to ask your leadership team members what the impact would be if they didn’t show up for work tomorrow. This should lead to identifying the critical activities performed by each individual. The next step might be to detail how the loss of each of these key people would affect those activities and how the operations or business would be impacted if the objectives couldn’t be accomplished.

From a more formal perspective, there are several other steps you can take:

Better communication. Having regular communication with your team is a good way to stay abreast of the day-to-day activities in your group. We sometimes become so dependent on e-mail that we forget how important it is to actually talk and ask questions. I can’t count the times some nonverbal clue in a conversation led me to ask one more question that led to the nut of the problem or gave me some information that I didn’t know I needed.

Meetings, bloody meetings. Regardless of (un)conventional wisdom and what the (mis)informed may believe, good staff meetings are an essential means of understanding who is working on what as well as what those important things are. The key word here is “good.” We’ve all spent time in meeting hell. On the other hand, well-organized meetings can benefit everyone.

One time I began to feel that our weekly staff meetings were wasting people’s time and that I could accomplish the same thing by meeting individually with key staff members on a regular basis. After about four weeks, I began getting comments from staff complaining that they never knew who was working on what anymore or what was going on and asking to have the staff meetings reinstituted. The lesson here is that there’s a synergy from getting the group together, and that ability to share information is a significant component of mitigating the loss of key personnel.

KMA. Although I never want to be accused of being a micromanager, I also never want to be caught without critical information when I need it. I understand that it’s a double-edged sword, and the team never lets me forget it. My mantra to my staff is Keep Me Advised (KMA). I don’t need to (and in most cases don’t want to) get involved in making routine operational decisions, but I always want to know when something unusual is going on. I hate getting calls from my boss, a vendor or a customer about an issue or incident that my staff is working on that I don’t know anything about. This also applies to external conversations that could potentially impact our government customers or public constituents.

Personnel evaluations and progress reports. A good time to go over major activities that your leadership team is involved with is during regular evaluations or reporting period reviews. Because this is when you are typically establishing professional goals, it’s the perfect time to identify both the formal and informal functions your people are working on.

Planning for the loss of key people, including your leadership team, is critical to your continuity of operations. After my experience with my deputy CISO, I’m even more of an advocate of the old saying, “The worst time to plan for an emergency is during the emergency.” Not only is it the worst time, but it’s also a pretty painful time—even if you’re not the one who leaves the office on a gurney.

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.