Finding the right person to be your information security officer (ISO) can be a challenge. The person filling this role often wears many hats, most of which are critical to the ongoing success and security of your day-to-day operations. The value provided by an ISO is exactly what makes it all the more painful if they decide it's time to "start seeing other people."
If your ISO leaves, where would it leave you? Financial institutions don't have the luxury of wallowing while finishing off a tub of chocolate ice cream after a bad break-up. Your business would be much better served if you created a succession plan. This article will serve as your guide for what to do before your ISO leaves, what to do in the unfortunate event it happens, and your next steps.
Before Your ISO Leaves
I interviewed several individuals who have managed the departure of an ISO. Most of the "lessons learned" they shared had little to do with what happened after the ISO left. Instead, their suggestions focused on what they wished they'd done while the ISO still worked for their business. What I learned can be summed up in three steps: Appreciate, Communicate, and Rejuvenate.
Step 1: Appreciate
When you are in a long-term relationship, it can be easy for things to become "business as usual" and end up taking people for granted. With each passing day, more items are often added to your ISO's "to do" list. Avoid burnout for your skilled staff by recognizing the work they do and taking steps to support them when they need it most.
Are you treating your ISO like you did when they were a prospective employee? If not, that might be a great place to start. Continue to get to know them. Find out what they like about their job and what they find challenging. An excellent ISO doesn't come along every day, so it is important to keep the spark alive. Schedule routine check-ins to make sure you both stay on the same page and keep working towards the same goals.
Aside from these general ideas, I don't know exactly what "appreciation" would look like for you. But I bet if you asked your ISO about their biggest pain points, the answer might just become a little clearer.
Step 2: Communicate
While the roles and responsibilities of an ISO vary depending on each organization's needs and resources, one thing remains true pretty much across the board: the ISO is integrally involved with your business' information technology (IT), audit, and compliance functions. Basically, your ISO is part of everything that makes the business run. Because of this, it is of utmost importance to learn and understand the ISO's responsibilities, skills, and competencies. While you're at it, I recommend making a list.
Getting clear on this list is valuable for several reasons, including:
- Identifying if there are any gaps. Since the ISO shares responsibilities with other departments, it can be beneficial to identify if there are any duties which are not being adequately covered. For example, who reviews monitoring system alerts? Who performs access control reviews? Who manages your IT asset inventory? You get the idea.
- Determining if there is anything you can take off their plate. In a relationship, once a person starts doing something, they will probably do it forever unless someone takes intentional action to change it. Maybe your ISO doesn't need to be spending half their time each month on vendor management. Maybe your ISO doesn't need to be the only security person on the Incident Response Team. Maybe your ISO doesn't need to be responsible for making the annual security awareness training happen. Finding out and prioritizing what your ISO needs to focus on and reassigning other tasks, as needed, is important for retaining your ISO.
- Demonstrating their value to others. You've likely heard the phrase, "you never know what you have until it's gone." Well, if you have a clearly defined list of responsibilities, you can know. Better yet, you can share it with others. This list can be used to demonstrate the value-add of the ISO role. For example, if your ISO is responsible for performing risk assessments, you can directly map the results of those assessments back to the money you saved by not having to manage a costly ransomware incident. If your ISO is responsible for completing a cybersecurity assessment each year, you can directly map those results to having happy examiners the next time they ask for your control maturity assessment.
- And of course, picking up the pieces. While this isn't the primary benefit of having a clearly communicated list of responsibilities, it certainly can't hurt if the worst should happen. Short term, it helps with delegation and making sure nothing slips through the cracks. Long term, it helps with training the new ISO. It's just a good idea from all angles.
Step 3: Rejuvenate
The ISO role is inherently controversial. The ISO's job is to secure the business. Every step towards security is often seen as a step away from efficiency. For example, multifactor authentication is the "control of the day." It's a great control for keeping people out, but it also requires you to unlock an extra lock before you can get in. The ISO is the person who usually pushes for these controls and is often seen as the "no" person. While important for the security of the business, always being the "bad cop" can be tiresome.
Another exhausting item on the job list is being on-call 24/7. Whether it is monitoring alerts, responding to incidents, or taking urgent calls from one of the many departments they work with, the ISO role can be demanding and can keep your ISO in a state of stress, just waiting for the next notification to pop up.
Make sure your ISO has an opportunity to step away from the inundation of security concerns. Have skilled personnel who can cover for them when it's time for family vacation, time for a random day off, or even just time for sleep. Make sure your ISO has the time they need to rejuvenate. This benefits them, and you as well, because it helps you know the business would be able to continue operations if your ISO left, which is the whole point of why we're here.
Besides, you know what they say… "Absence makes the heart grow fonder," right?
Hiring an ISO is expensive. It is much better for your business to retain your current ISO than to find a new one. In whatever ways you decide to appreciate, communicate, and rejuvenate, I'd be willing to wager it will cost you less than hiring and training a new individual to be your ISO.
If Your ISO Leaves
"We need to talk." These are the four words no ISO's boss wants to hear. (Well, this and "there's been an incident.") Sometimes, things just don't work out. There are a billion and one reasons an ISO may choose to leave the company. Money. Family. Health. Flexibility. Culture. Location. Mid-life crisis. You name it. Some things you could have prevented, while others are out of your control. Whatever the reason for your ISO leaving, you need a plan.
So, what can you do? For starters, you can download our ISO Offboarding Checklist. The checklist will help you keep track of these six steps for what to do if your ISO leaves.
Step 1: Perform an Amicability Assessment
When your ISO announces they are leaving, the first thing you'll want to do is determine the nature of the departure. In other words, on a scale of "we're still friends" to "they're setting things on fire," how hard is this going to be?
- We're still friends. This is the best-case scenario. While the departure might still sting a little, everyone knows it is for the best, you can be happy for each other, and you can proceed through the rest of the checklist in the coming days and weeks ahead.
- They're setting things on fire. This is the worst-case scenario. If your ISO turns into a malicious insider, your number one job is to protect the business. Perform the rest of the checklist ASAP.
Step 2: Communicate with Stakeholders
Due to the breadth of the ISO's role in your business, the next step is to communicate the ISO's departure with all affected parties. Some examples could include the:
- Board of Directors and Senior Management. Notify the leaders of your business. Due to their role in governance, they need to know when a major shift happens among critical roles.
- Committees/Teams. Notify the committees on which the ISO is a key player (e.g., security committee, incident response team, disaster recovery team, etc.), so they can plan accordingly.
- System Owners. Notify the individuals who may need to remove the ISO's access to systems. For any system on which the ISO is the responsible party, determine if an alternate administrator is available.
- Supervised Personnel. If the ISO was a manager, notify applicable staff, so they are aware of the departure and know to whom they should report in the ISO's absence.
- Third Parties. Notify the third parties who may have the ISO as their primary contact (e.g., vendors, regulators, payment providers, etc.).
- Receptionist. Especially in less-than-amicable situations, notify the person who might encounter the former ISO first, so they are aware of the situation and know the most helpful ways to engage with the former ISO.
Step 3: Remove Access and Reclaim Assets
This part is the equivalent of returning the t-shirts you borrowed and getting back your mix tapes. While not necessarily specific to the ISO role, asset management holds extra importance in this case because if not performed correctly, it can leave your organization significantly vulnerable.
Here are some specific items you'll want to do:
- Revoke access to systems. For any system the ISO can access, change the user account's password, deactivate the account, update the multifactor authentication method, etc. If you aren't sure where to get started, check your IT asset inventory and coordinate with system owners.
- Revoke physical facility access. Take back any physical keys, ID cards, badges, etc. Consider changing the locks to all facilities (e.g., buildings, server rooms, storage units, etc.). If you use a digital lock system, update the code and/or remove their account.
- Change shared passwords. Passwords are like toothbrushes. Don't share them. Ever. But if you're in one of those weird relationships where you do have a shared toothbr … password, be sure to change it.
- Reclaim business assets. If the ISO has been given technology assets (e.g., desktop, laptop, smartphone, tablet, monitors, etc.), paper documents, or company credit cards, be sure to retrieve those. Make sure to gather and document receipts for any outstanding purchases.
- Check personal assets used for business. Make sure personal assets are clear of organization data, as well. This could include personal computers, mobile devices, or applications (e.g., LastPass). On all assets, confirm the ISO can no longer access their business email, communication apps (e.g., Slack, Teams, Zoom, etc.), multifactor authentication apps, productivity apps, etc.
Step 4: Review and Reassign Responsibilities
An ISO is often tasked with critical responsibilities at an organization. To make sure nothing falls through the cracks:
- Create or review the ISO's list of responsibilities. (Bonus points if you did this earlier.) In the event you do not have a list of the ISO's responsibilities, create one as soon as possible to make sure no critical functions fall through the cracks (e.g., monitoring IDS/IPS system alerts, monitoring fraud alerts, etc.).
- Determine the status of any ongoing projects assigned to the ISO. In addition to routine responsibilities, an ISO is often tasked with ongoing projects, such as performing internal reviews, coordinating audits and examinations, or responding to findings.
- Check the ISO's calendar to maintain awareness of upcoming deadlines. The ISO may have important meetings scheduled, such as an upcoming annual report to the Board of Directors, a security committee meeting, the annual acceptable use policy (AUP) review, or even an exam.
- Delegate responsibility for any "in progress" and/or critical items. Hiring a new ISO can take some time. As such, it is imperative the most important items are entrusted to others to complete. Be careful with this though, as it can become burdensome for the individuals who shoulder the load. As the ISO operates in a role of "checks and balances," be sure to consider if the delegation presents a conflict of interest for the person assuming the responsibility.
Step 5: Perform Ongoing Monitoring
Based on the nature of the departure, you may want to perform ongoing monitoring to make sure everything was adequately addressed. Specifically, be sure to monitor:
- Email inbox. If the ISO was responsible for communications with important third parties, ensure someone monitors incoming communications for a while (e.g., 6+ months). Remove the ISO's account from internal distribution lists and set an "out of office" reply which communicates to whom future emails should be sent.
- User activity logs. On your most critical systems, check the user activity logs periodically to verify the former ISO does not have any alternate accounts they could still use to access the system, and that no login attempts under their former accounts appear after their departure.
- Fraud detection systems. Especially for financial institutions where the ISO had unique knowledge of the organization's inner workings, make sure to keep an eye out for any suspicious transactions or fraudulent activity.
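As an added example (not code from the article or from Tandem), the following Python script applies the Step 3 access-revocation items and the Step 5 log review to a constructed IT asset inventory and constructed audit log lines: it flags accounts still active, shared accounts whose MFA is still enrolled on the departed ISO's device, shared credentials not rotated since the last day, and any post-departure login attempts. The username jdoe, the system names, the field names, and the log line format are all assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): the departing ISO's username,
# their last day, an IT asset inventory, and audit log lines in an assumed format.
DEPARTING_USER = "jdoe"
LAST_DAY = date(2024, 3, 15)
INVENTORY = [
    {"system": "core-banking", "owner": "ops-team",
     "accounts": [{"user": "jdoe", "active": False, "mfa_owner": "jdoe"},
                  {"user": "sec-admin", "active": True, "mfa_owner": "jdoe"}],
     "shared_credentials": [{"name": "wire-portal", "rotated": date(2024, 3, 16)}]},
    {"system": "ids-console", "owner": "it-team",
     "accounts": [{"user": "jdoe", "active": True, "mfa_owner": "jdoe"}],
     "shared_credentials": [{"name": "sensor-root", "rotated": date(2023, 11, 2)}]},
]
AUDIT_LOG = [
    "2024-03-14 core-banking login user=jdoe result=success",
    "2024-03-18 ids-console login user=jdoe result=failure",
    "2024-03-20 core-banking login user=sec-admin result=success",
]

def check_inventory(inventory, user, last_day):
    """Return one finding per Step 3 checklist item that is still open."""
    findings = []
    for system in inventory:
        name, owner = system["system"], system["owner"]
        for acct in system["accounts"]:
            if acct["user"] == user and acct["active"]:
                findings.append(f"{name}: account {user} still active (owner: {owner})")
            elif acct["user"] != user and acct["mfa_owner"] == user:
                findings.append(f"{name}: account {acct['user']} MFA still enrolled on {user}'s device")
        for cred in system["shared_credentials"]:
            if cred["rotated"] <= last_day:
                findings.append(f"{name}: shared credential {cred['name']} not rotated since departure")
    return findings

def check_audit_log(lines, user, last_day):
    """Flag any authentication attempt by the departed user after their last day."""
    findings = []
    for line in lines:
        day, system, _event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        if date.fromisoformat(day) > last_day and fields.get("user") == user:
            findings.append(f"{system}: {day} login by {user} ({fields.get('result')})")
    return findings

if __name__ == "__main__":
    open_items = (check_inventory(INVENTORY, DEPARTING_USER, LAST_DAY)
                  + check_audit_log(AUDIT_LOG, DEPARTING_USER, LAST_DAY))
    for finding in open_items:
        print("OPEN:", finding)  # each line is an item for the system owner to close
```

Each finding names the system and its owner, so the list can be handed straight to the system owners you notified in Step 2.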
Step 6: Perform a Lessons Learned Assessment
At the end of it all, be sure to make time for some deep introspection. The most important question to ask would be: "What do you wish you had known or done differently before your ISO left?" Based on this information, adjust your operations to make sure if this happens again, you are more prepared next time than you were today.
After Your ISO Leaves
Losing an indispensable part of your business can be painful, but operating alone can be even worse. If your organization has determined having a standalone ISO is an important part of your business, there are plenty of fish in the sea, so to speak. Get on the business equivalent of dating apps (e.g., LinkedIn, Glassdoor, Indeed, ZipRecruiter, etc.) or call up some old friends and see if they might be willing to set you up with someone they know. However you choose to proceed, the most important thing is that you get back out there and make sure your business is secure for many years to come.
If you're looking to get that special someone a gift to tell them how much you appreciate them, check out Tandem. Tandem is a cybersecurity governance, risk management, and compliance (GRC) application, designed with ISOs in mind. Our suite of products was created by a team of security and compliance specialists who know how challenging it can be to manage a business' information security function. We exist to form a partnership, be in Tandem, with you. Learn more about Tandem on our website at https://tandem.app.