Succession Planning: The Day After the Deputy CISO Left Work on a Gurney

Our anonymous CSO thought he'd planned for a disaster--until he experienced an unexpected absence of a key staff member

I was sitting in a meeting when my assistant rushed in and whispered to me that there were paramedics in my deputy CISO’s office. I excused myself, and as I walked out of the conference room, I saw my deputy on a gurney being pushed into an elevator by three paramedics and two firefighters. The only thing they told me before the elevator door closed was that she was having difficulty breathing and they were taking her to the hospital.

After they left, I realized that I didn’t know what hospital she was going to or what, if anything, I should tell her family. About five minutes later, her husband called me and said that he was the one who had called the ambulance. They had been talking on the telephone when she began having medical problems. A couple of hours later, I got another call from her husband, who said that although his wife wasn’t in critical condition and would recover, the medical staff wasn’t sure when she would be able to return to work.

Although I was relieved to hear that she would recover, I began thinking about the projects she was working on and the people she was dealing with. I knew she was working with the legal folks on a contract issue and with HR on a critical personnel situation. Unfortunately, though, I had few details about most of the other things she was involved with. We had a couple of pilot projects and technology reviews with some vendors, but I didn’t have any names or numbers for the people she was working with. Most importantly, we were in the middle of our annual budget development, and she had been working with several groups to gather metrics and establish new security requirements for the subsequent funding they would need.

I had no idea whom I should contact to cancel meetings, what could or could not be postponed and if any of the negotiations were at a critical stage where I needed to elegantly step in and take over. We’ve all heard the anecdotes about key people getting “hit by a bus” and disrupting the organization, but I was now looking at almost that same scenario. In the end, it turned out that she was back to work sooner than I first feared, but the whole thing was an eye-opening experience for me.

It could have been much, much worse, of course. A few months ago, one of our vendors told me that one of its regional salespeople had died suddenly, and the company had to try to re-create his last few weeks of work to determine what customers he was working with, what stage of talks he was at with certain customers and what he had agreed to with others. It began getting frustrated calls from some customers wondering what had happened, and other customers even tried to take advantage of the situation by making claims that they had been promised certain things that were contrary to company policy. What’s more, this salesman had encrypted all of his files, including his customer contact list and pending sales list. This is usually a smart move, but unfortunately for this vendor, he had used an encryption program not managed by the company, which meant there wasn’t a back-door way for it to get into his files. The company literally had to start all over with the customers in the area.