Natural Selection

WHEN MCDONALD'S Chairman and CEO Jim Cantalupo died suddenly of an apparent heart attack this past April, the hamburger chain was able to do something that many companies would be hard-pressed to do in the midst of the shock of such a loss: It immediately named a new executive team. Just hours after Cantalupo's death, the McDonald's board of directors named Charlie Bell the company's new CEO, a move that soothed the nerves of the company's jittery investors and employees.

But this was no impulse decision. When Cantalupo came out of retirement to take the reins of the fast-food giant more than a year ago, he requested that Bell be named COO so that he could groom him to eventually take over the top spot. Cantalupo understood that his legacy at the company would be judged by more than the number of new items added to the menu. It would be measured by how he prepared his successor and the smoothness of the transition of power.

Leaders often wrestle with the task of grooming a successor, and history is rife with stories of succession planning gone awry. Recent tales of Michael Eisner's travails at Disney show the hazards of having no succession plan whatsoever — although he claimed to have an emergency envelope tucked inside his desk containing the identity of his handpicked replacement. But, in reality, Eisner drove so many of his would-be successors out of the company that, after ousting him as chairman, the Disney board is still actively working on building a real succession plan.

And it's not just a part of disaster planning. As talented executives and managers graduate to larger leadership roles, they vacate positions that need to be filled by equally gifted people. As a result, executive succession planning has become a staple of corporate due diligence.

A study by executive search firm Korn/Ferry International found that succession planning programs are on the rise: Only 33 percent of American boards of directors reported having a CEO succession plan in place in 2001, but by 2003 that number had jumped to 77 percent. "We're clearly seeing more emphasis placed on things like business continuity planning," says Mark Polansky, managing director and member of the Advanced Technology Practice at Korn/Ferry's New York office. "But it's not only about physical security, cybersecurity and losing electrical power," he says, "9/11 taught us it's also about losing people. [Succession planning] is consequently becoming a more prominent and practiced art."

Although a CEO's successor gets the most media attention, a succession plan should be in place for all of a company's top executives, including the CSO. "If you lose one or two senior executives, it's a domino effect that impacts a whole series of people," says John Bruckman, managing director of the Change Management Group, a consultancy staffed by industrial and organizational psychologists. "You want to replace those people from within, and you want someone to seamlessly step in and take over as if nothing happened. You should have two to three successor candidates for every key position," he advises.

We spoke with CSOs and management consultants to glean their perspective on the challenges and benefits of developing a succession plan for the CSO. We present their tips for growing security leaders who will ably guide your team into the future, and we show you why attention to succession planning can make your tenure as the CSO even more secure.

Don't Fear the Reaper

Executives often delay succession planning or give the process short shrift for the same reason that people put off drawing up a will; it's uncomfortable to think about death and dying. In the corporate world, creating a succession plan raises the equally feared spectres of layoffs or retirement. It takes guts to tackle the issue head on.

A succession plan is more than a document containing the secret identity of your company's next CSO. It is a living mission statement that puts into writing the attributes that future security leaders must have. It also includes the development and training programs needed to nurture successors and a methodology for ensuring management's accountability to the plan.

A succession plan does not necessarily have to name an actual successor, although most CSOs we spoke with have candidates in mind that they have discussed with senior management. "The individual's identity is confidential to the point where it needs to be announced," says David Burrill, head of group security for British American Tobacco. "If you nominate someone too early, he'll think that what he does in the future doesn't matter." Instead, Burrill wants to keep his candidates hungry for the position. "[My candidates] will know that they're doing well, that they are highly regarded and will almost certainly know they're in the running for the job. But if there is only one person in the running, if there isn't a sense of competition, we have a problem."

The transparency of the process depends largely on the corporate culture that you're working within. Many companies keep their candidate list completely confidential, sharing it only with top management for fear that the process will become too political or open the department up to be cherry-picked by headhunters. Other companies make selecting executive successors a more open process where each candidate gets an annual or biannual review indicating what he needs to do to prepare himself to take on the CSO role. Regardless of which method you choose, the criteria for the CSO role should not be treated like a trade secret. If you want employees to aspire to be future security leaders, they have to understand the standards and expectations against which they will be judged.

The goal for Burrill and for many of the CSOs we interviewed is to build a succession plan that's so solid that they never have to look outside the company for a security executive candidate. "If we got it right, we should be able to home grow our own head of security," says Burrill. "If we had to go out to the public sector [to hire candidates], I would consider it a failure because they would have to adjust to our business environment and quite a lot of them never will. Over time that can cripple an entire function."

Plan from the Top...

A good succession plan should be two things: mandated from the top down and then built from the bottom up. Management support and leadership are critical to validating the plan and creating accountability. Sound recruitment and retention policies are crucial to bringing good people into the system.

Few CSOs have the luxury of choosing their successors without a good deal of input from management, so it's important that the process is steered by corporate leadership. "It has to be driven from the top, by the board of directors, the chairman and the CEO. It can't be driven by the CSO," says Bruckman. "All he can do is make a really good case for one particular candidate."

At Merck, CEO Ray Gilmartin is within two years of retirement and has set an example of succession planning for his management team by announcing that his successor will come from within. Gilmartin has stressed the importance of developing leaders internally by acknowledging that when he was brought in from the outside in 1994 it was far more disruptive to the organization than an internal appointment would have been. Merck CSO Bob Moore believes that Gilmartin's strategy applies equally to the security function. "There is a lot of disruption when you bring someone in from the outside to head up security. And to be brutally frank, if a company doesn't develop from within, it points to a lack of planning on its part."

At British American Tobacco, succession plans are mandated throughout the company, and tied to the organization's career development meetings (CDMs) that take place between all employees and their managers. CDMs address an employee's performance as well as his potential and identify individuals with leadership prospects. Once a year, Burrill meets at corporate headquarters in London with a member of the board and a senior executive from human resources to discuss employees within security who are prepared to succeed into senior executive positions. This ensures that Burrill's hottest prospects are discussed with senior management while keeping him accountable for their continued development and progress.

...And Build from the Bottom

On the other side of the spectrum, CSOs need to be diligent about attracting individuals with leadership potential into security and making it appealing for them to stay on and build careers there. The problem is that managers and executives tend to value people who are like them, says James Redeker, chairman of the Employment Services Practice Group at law firm Wolf, Block, Schorr and Solis-Cohen. And that fact is often reflected in hirings and promotions. This can be particularly true in security organizations, which tend to be populated by people with similar backgrounds such as law enforcement, three-letter government agencies and information security.

"The danger is that you start to create clones," says Burrill. "If everyone is trained the same way and everyone agrees with each other, then nobody is going to ask the rogue questions." Burrill values a staff with diverse backgrounds. "We want our security managers to come from the military, from law enforcement and the state department. We want some to be brought up through the business side and some who have never been in any of those groups. They all blend together to create a pot of gold," he says.

Building your own leaders also presents some unique challenges in the security world. Unlike other business units, security tends to be small and there are limited opportunities to break into management. Consequently, part of the price of building a strong succession plan with solid future CSO candidates is that you have to be willing to lose them. "Most security organizations are lean and mean until you get to the major companies," says Bill Wipprecht, CSO of Wells Fargo. He believes in cross-training his people to ensure that they have the leadership skills that will prepare them to take over when somebody leaves or retires. But he acknowledges that sometimes those opportunities will come up at another company before they do at Wells Fargo. "If somebody comes to me and says he's going to be security director at another company, that makes me proud," he says. "I don't mind promoting people out like that because it's a positive thing for the industry."

However, timing can also work in a company's favour. Jim Christian, vice president and head of corporate security and aviation at Novartis, has had employees leave for a better opportunity with a competitor, and then three years later a position will open up and Novartis can lure that individual back. "A lot of it is timing; sometimes we have the person and not the position," says Christian.

Derrick Barton, cofounder of the Center for Talent Retention, suggests that CSOs who want to hold onto their best people should consider creating career opportunities rather than waiting for positions to open up. This can mean designing a special assignment for someone who wants to build his or her skills in a particular area of security. Thus, employees who are hungry for development can get it without necessarily being appointed to a new job. "Make it a role that the person can execute and be compensated for," says Barton. "There doesn't have to be a ton of hierarchy for something to be a career-opportunity trigger."

The simple act of letting a person know that she is well thought of is also important to employee retention. "I can't tell you how many high performers were delivering great work, but no one ever told them. They decide, 'I'm out of here,'" says Barton. "Once that happens, there's a very high correlation with those people actually leaving, and they will deliver high performance until the moment they walk into your office and say they're moving on." CSOs can't put off these discussions, or they will find their best replacement candidates slowly trickling out of the corporation.

On a positive note, one employment trend benefiting CSOs is that the decade of the freelance nation is over. Employees are no longer as interested in hopping from one company to another as they were in the '90s. The desire for stability, and the opportunity to build a career at a single company, is more valued at this point.

Define the Role

When succession plans do exist, they are often based on the wrong criteria. Performance evaluations can identify talented people within your group, but they are records of an individual's past accomplishments. A good succession plan should be based on the skills and values that will define the CSO role in the future. The executive that has been a corporate superstar for the past 15 years is not necessarily the best-equipped leader for the challenges that are sure to arise in the next decade. CSOs who embark upon succession planning must first consider what the defining characteristics of the future security executive will be.

The first quality often cited is the necessity of fitting in with the organizational culture. This can be especially important in the security realm where success is highly dependent on the ability to change people's behaviour. David Saenz, vice president of worldwide security at Levi Strauss, is involved with the International Security Management Association (ISMA) Leadership Program, a yearlong executive development and leadership seminar for potential CSOs held at Georgetown University. He often coaches students to pay attention to an organization's culture when they interview for a top security job. "We've had people that have interviewed for positions [at Levi Strauss], and they had all the skills. But in terms of the fit and the culture, they wouldn't have been in sync."

Cultural sensitivity and fitting in have to be married with the political and business savvy that security departments have historically lacked. Security has often been perceived as the "dark shadow," notes Moore, in the sense that it is closeted away from the rest of the organization, creating the illusion that it is somehow different from other business units.

It's a problem that Saenz still sees in the writing projects done by would-be-CSO students. "The papers fail to link security work to the strategic objectives of the business," he says. "There is a lack of a sound financial analysis, other than saying we should do this because security is inherently good."

A company's CSO is just one of many executives competing for limited resources, and without speaking the language of financial impact and ROI, his batting average will be poor. "If you want to be a plumber, you learn the language of a plumber. Likewise, you have to learn talk the language of business — which is money," says Saenz.

CSOs also need a battery of less tangible skills to be successful: initiative, imagination, the flexibility to roll with business changes, and an understanding of and social proficiency with cultures outside of the United States. "Security is driven by the social and political realms as well as economics, and you have to have those different skills," says Moore. "Security professionals, in addition to being specialists, have to be generalists with special skills."

Develop High Performers

Once you identify the skills that you want your security executive candidates to have, the next challenge is to create the opportunities and experiences that will inculcate those qualities into your leadership pool. Often this means pushing your most talented people outside their area of expertise to see if they sink or swim.

Communication skills are critical to a CSO and will only become more important as the security function grows in prominence. Wipprecht agrees that a CSO candidate must have the right technical skills. But getting to the top also requires people skills — especially the ability to communicate with management. "You've got to expose your future talents to management," says Wipprecht. "Management has to get to know you on a personal basis," he says.

Moore goes a step further, encouraging his top security managers to interact regularly with senior executives to eliminate some of the natural deference to seniority that often exists. "You have to move outside your comfort zones in order to prepare for those big steps."

Ensuring that their top performers get business and management exposure can also give CSOs valuable insight into their abilities. Moore gets feedback from the line-of-business clients and stakeholders with whom his people interact twice a year. He feeds information about their strengths and weaknesses back into the succession planning funnel to determine their progress and the areas where they may need improvement.

Giving employees global exposure is also critical. Merck is part of the Customs-Trade Partnership Against Terrorism (C-TPAT), a joint initiative between the U.S. government and businesses to protect the security of cargo entering the United States. And with far-flung operations around the world, it's important that Merck's security executives have a global perspective. To that end, Moore is sending three global staff members to Europe, along with a senior security executive, to work on C-TPAT compliance issues. Aside from the project work, his other motives are to give these employees some valuable experience, and to see how these three individuals will fare. "I'll get an assessment of who adapted better to working in a non-U.S. environment and how they dealt with jet lag, language issues, the vagaries of international travel and business. You have to do these things to give them a 360-degree view of the world and the company. They won't get that unless they get out there and mix with other regions and people."

Establishing mentoring and coaching relationships is another way to build employee skill sets, whether you are setting security managers up with executive coaches or with each other. Barton suggests a practice that he calls "talent networking," where high-performing employees identify two skills that they feel are their strengths and two that could use further development. High-performers are then matched up by complementary strengths and weaknesses to create mentoring relationships that enable them to grow in the areas they need to while leveraging their own expertise to help someone else.

Leadership opportunities don't just exist in the corporate setting. Saenz encourages his Levi Strauss security staff to create their own leadership experiences in everyday life, noting that the political dynamics of the corporate world aren't always conducive to a good learning environment. He advises CSOs to encourage their people to "look for opportunities to practice leadership in the community. Whether it's with a nonprofit, serving on the city council or on a board of directors, those experiences will broaden their horizons," says Saenz. It's no different than learning any other kind of activity or skill; the key is practice. "I take a piano lesson every Saturday," he says, "and if I don't practice, it's not a lot of fun when I see the teacher. But if I work a little bit every day, then next time I sit down with the teacher, I'm ready to move on to another level."

Finally, to develop their leaders, CSOs can focus on the growing number of educational programs springing up that address the needs of would-be security executives. Programs like the ISMA Leadership course at Georgetown are building their syllabi around the future skills that will be essential for CSOs. Encouraging active membership in groups like ISMA and ASIS, and the continued pursuit of appropriate certifications can also ensure that your staff keeps learning and developing the right skills for the future.

Create Accountability

If it hasn't occurred to you already, leadership development is almost a full-time job in itself. Even CSOs who are serious about succession planning acknowledge that it's often difficult to find time to stay on top of it. Saenz tries to meet once a month with each of his direct reports to check in with them, although sometimes his workload makes that impossible.

At Wells Fargo, Wipprecht's biggest complaint about the company's succession planning and Talent Review process is the time it takes to get through what he calls the bureaucracy. He has to assess each direct report, his current abilities as a security agent and what he needs to do in the next year to move up in the management hierarchy. The Talent Review then informs the succession plan. "It takes a lot of time," says Wipprecht. "I have to think about each individual, what he does well and what we can give him to create a better organization one year from today."

Building (and then consistently updating) targeted growth plans for each employee makes it easier to keep track of individual progress and to keep a succession plan alive. The danger with succession planning is that good intentions can succumb to the everyday pressures of the CSO workload. "Two out of three companies just have a bunch of development crap wrapped in their succession plan that doesn't add value," says Barton.

Though Wipprecht laments the amount of work that goes into succession planning, he crows over its results. "I have four directors, and any one of the four is smarter than I am and can do a better job than I'm doing," he says. "But that drives them on. They work hard every day and, from a competitive standpoint, all four know they have an opportunity at this position."

The lesson is simple: Treat succession planning as a regular part of operations, and the benefits will go far beyond the security of knowing that the future leadership of your business unit is assured. Your tenure as CSO will also be a more successful one. "You'll have a stronger organization with a lot more loyalty and buy-in from people," says Moore. "And at the back end, you're going to put out a better and more professional product for senior management."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about CherryKorn/FerryLevi StraussMcDonald'sWells Fargo

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Daintry Duffy

Latest Videos

More videos

Blog Posts