Succession planning is crucial to business continuity planning and to maintaining an organization’s growth, longevity, and legacy. A succession plan is essentially a strategy for transferring key roles when individuals leave due to retirement or resignation, or whenever circumstances such as a pandemic or natural disaster affect the availability of your key employees. While a typical succession plan may focus on the transition of senior executives, such as the CEO, CFO, COO, executive director, or bank president or manager, it is also important to include other key employees in whom you may have a concentration of duties, such as the Information Security Officer (ISO).
Why plan for transitions?
While everyone has a part to play in supporting an institution’s information security, compliance processes, and cybersecurity activities, no one is more central to this endeavor than the ISO. Those taking on the role of ISO assume a wide range of responsibilities, as well as the associated accountability. Financial institutions should be prepared and know how to proceed should the ISO leave or be unavailable or unable to perform their job duties. This means not only identifying alternate personnel for this key position, but also having those folks properly trained in advance.
In addition, regulators are increasingly requiring financial institutions to have a formal succession plan for key employees, and we’ve seen an uptick in examination findings related to this issue. The Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook requires financial institutions to include cross-training and succession planning in the business continuity plan to ensure that back-up personnel are identified for key operational positions. The FFIEC guidance also states that institutions should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program. ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officer should be independent of the IT operations staff and should not report to IT operations management.
Yet many institutions treat succession planning in general, let alone for the ISO, as an afterthought (if at all) and are ill-prepared to address and manage the ever-growing list of ISO responsibilities. Studies show that while a succession plan is crucial, fewer than half of banks have both a long-term and an emergency succession plan in place, according to research by Bank Director. Also, approximately 37 percent of banks identified succession planning among their top three board composition challenges, according to the 2018 Bank Director survey. Another 25 percent of those surveyed expressed dissatisfaction with their bank’s succession planning efforts.
Regardless of the situation, planning (and cross-training) ahead of time can help minimize uncertainty, prevent unnecessary stress, and ensure continuity in the information security/cybersecurity process. Considering that the ISO is responsible for oversight and coordination of the security and confidentiality of Non-Public Information (NPI), as well as FFIEC compliance and regulatory requirements, a misstep or lack of guidance in these areas can expose the financial institution to operational, regulatory, and reputational risk.
Creating a succession plan for the ISO
Succession planning generally entails identifying and developing successors who can replace vital roles. Strategies for succession planning vary based on the size, type, and goals of the organization, but there are some basic steps to follow:
- Assess requirements and responsibilities — A good place to begin the planning process is to understand the primary responsibilities, expertise, and requirements of the ISO position. Although this continues to evolve, to date we’ve identified 35 distinct elements in 7 categories ranging from information security to BCP, Vendor Management, and Strategic IT planning.
- Evaluate internal talent — Identify which employees may be the most qualified to take on these tasks, bearing in mind that you will likely need more than one person. Commit to cross-training these individuals through hands-on training, classroom education, and mentorship.
- Recruit externally — If there is a shortage of internal talent to fill the ISO role, institutions might consider identifying potential resources outside their organization, such as a virtual ISO service.
Succession planning for the ISO is a matter of information security continuity, and any gaps in this area may affect the entire enterprise, including senior management, employees, customers, shareholders, and other stakeholders. Banks and credit unions should keep in mind that succession planning in general is not a one-and-done undertaking. Because of the evolving nature of information security, it is an ongoing exercise, and succession plans should be reassessed regularly and updated as needed. Effective succession planning and cross-training will make transitions (planned or unplanned) a more positive experience for everyone in the organization.