Maintaining Your Compliance Strategy During (and After) CISO Turnover

Patrick Sullivan
Author: Patrick Sullivan, Vice President of Customer Success at A-LIGN
Date Published: 12 January 2022

Editor’s note: The following is a sponsored blog post from A-LIGN:

Amidst the “Great Resignation,” employees across industries — and experience levels — are reconsidering their relationship with work. People are leaving their jobs to spend more time with family, pursue other professional opportunities with greater flexibility, or to just try something completely new.

When members of a senior leadership team leave, specifically, organizations recognize that they need to do much more than just simply fill a seat. They need to find ways to replace institutional knowledge, rebuild strategies and build a strong culture among remaining employees. This activity has highlighted an unintended consequence of turnover that has been drastically overlooked: managing the cybersecurity and compliance strategy.

Turnover can be an especially messy burden in the world of compliance and cybersecurity. As employees come and go, compliance and cybersecurity teams need to update access credentials and manage risks related to data breaches — all while executing on an organization’s larger compliance and cybersecurity initiatives.

And if you’re dealing with turnover on the compliance and cybersecurity teams themselves — which is incredibly common — that can have serious consequences on your ability to roll out new products and services. Below, we explore a few ways your organization can maintain its compliance strategy when turnover at the Chief Information Security Officer (CISO) level hits.

CISO Turnover is Inevitable
Research has shown that CISOs rarely stay in their roles for more than two years. These top-level information security professionals may leave because they are dealing with high stress and burnout, have suffered a security incident, or because they opt to pursue opportunities on the vendor side.

To deal with this inevitability, it’s prudent to rely on a tool that’s typically managed by CISOs themselves — a business continuity plan. Business continuity plans are often thought of in reference to major breaches or natural disasters that hit your data centers, but in reality, these plans help establish protocols and processes to navigate other business changes, like employee turnover. Existing standards like ISO 22301 can serve as a guide for your business to ensure your continuity plan is top notch because it provides a framework for an organization to plan, establish, implement, monitor, review, maintain and continually improve its business continuity management system.

Including compliance priorities in your business continuity plan — from a project perspective and an employee turnover perspective — you can ensure that your compliance strategy remains on track during times of CISO transition.

Be Careful with Pauses
CISOs are particularly in demand at the moment, especially as the risk of breaches rises and organizations implement new security policies and procedures to accommodate a hybrid workplace structure. With all that's at stake, the period of time immediately following a CISO exit is especially critical. In fact, your organization may experience a bit of dysfunction during this time as you hit the pause button on key information security projects.

But be careful with these pauses — this period introduces significant risk for your organization as bad actors may look to take advantage of a lapse in security. When that happens, your organization may be dealing with a compounded issue — the new and increased threat risks become an even higher priority over the need to fill the CISO role.

Again, in these situations, we recommend relying on a business continuity plan to guide your team through pause periods. In fact, a component of your business continuity plan could include interim solutions to fill the gap for senior-level roles that need to be filled. Consider, for example, virtual CISOs as a way to bridge the gap for your business and limit the length of these pause periods. This can be beneficial for organizations that need immediate assistance without the burden of paying a full-time salary.

Find a Strategic Partner to Lead You Through CISO Turnover
If you find yourself in a situation where you have a need to fill the gap of a senior-level executive, like a CISO, one of your primary goals should be to effectively bridge the gap between the old regime and new regime as smoothly as possible.

Consider enlisting the help of a long-term third-party vendor who can assist with all of your compliance and cybersecurity needs — regardless of who sits in the CISO seat at your business. A partner who assists with a variety of cybersecurity and compliance tasks (for example, your yearly compliance certifications) can help store and share institutional knowledge and context with your new hires from year to year. These vendor partners typically work with and build strong relationships with multiple players in your organization. The benefit? When one person leaves your organization, the relationship with the vendor remains largely unchanged and your pre-existing project plans go on as planned.

Working with a strategic partner ensures that your key projects continue moving forward, regardless of who is at the helm within your business.

The Bottom Line
It’s impossible to shield your organization from turnover. Plan ahead for inevitabilities and develop processes and structures to ensure that turnover doesn’t disrupt key business practices and strategic goals. By bolstering your business continuity plan, utilizing creative solutions to limit pauses, and enlisting the help of long-term partners, you can maintain your compliance strategy and stay the course when CISO turnover occurs.