Last week I received an email from my web host. It said that all customers needed to back up and move their data because their hosting services would be shutting down immediately. It was a strange email. After some digging, I found out that the reason for the shutdown was that the CEO had just died. There was evidently no one who could step in and take over the business. So the decision was made to close.
Why would the unfortunate death of one employee, even a very high level employee, cause a business to shut down? Simply put, it is the lack of succession planning. What is succession planning and why is it important? Wikipedia has a good definition:
Succession planning is a process for identifying and developing internal people with the potential to fill key business leadership positions in the company. Succession planning increases the availability of experienced and capable employees that are prepared to assume these roles as they become available.
To put it another way, it is making sure that your “bus factor” is greater than 1. The loss of one employee (whether through death, retirement, or a new job) should not cripple an organization or a department. This speaks directly to the Availability part of the C.I.A. triad (Confidentiality, Integrity, Availability) of data security.
What practical steps can we take to ensure at least a basic form of Succession Planning is in place?
Assign Primary and Secondary Roles
If we manage other people, we should designate a primary and a secondary person for each key role. It should never be the case that only one person has all of the knowledge of a certain subject or task in his head. There should always be a backup, someone who can take over when the primary goes on vacation or even leaves the company. The secondary doesn’t need to be an expert, but should at least know the basics and be able to perform most of the day-to-day tasks.
Cross Training and Knowledge Sharing
This is key for the secondary role to be effective. Again, the goal is to avoid a situation where all of the knowledge is kept in one person’s head. So primary and secondary roles should work together on major projects, troubleshooting, etc. It can also be very effective if the secondary takes the primary’s role for one day while both are present. This allows hands-on experience to be paired with tutoring from the primary, so the verbal knowledge is reinforced through actual work.
Documentation
Ah, yes. The word all of us dread. Even though it is a tedious process, every member of an IT department can help by documenting his or her regular activities. If you are responsible for a system, create Visio diagrams explaining the architecture. Create a how-to guide for common tasks. Create a basic troubleshooting guide for common problems. Basically, create any documentation YOU would like to have if you were asked to take over this role.
Password Vaults
This is something that is very often overlooked in both large and small IT organizations. They do not have all of their administrative passwords stored in one secure, encrypted location. This can cause a lot of problems for an organization. One of the worst examples of this was Terry Childs, the FiberWAN administrator for San Francisco who refused to divulge the admin passwords after he was fired. This effectively locked the city of San Francisco out of its own network. They could not perform any administrative functions on their switches or routers. No matter your opinion on the actions of Terry Childs or the city of San Francisco, it is clear that having one person with all the passwords is dangerous.
There are many different password vaults available in every price range. If you have no budget for a password vault, passwords can be stored within a KeePass database. KeePass is free and an excellent and secure way to store passwords. Of course, it has no auditing capabilities or granular access controls. If you can spare a little money, ManageEngine makes a product called Password Manager Pro that has full auditing, granular access controls, password approval workflows, session recording and a lot more. And, of course, on the high end is CyberArk. But whatever is used, make sure that administrative passwords remain available if an employee leaves.
To conclude, succession planning is vital for an IT department. And every team member should ensure that his or her activities can be performed by another employee.
Thanks to BigScoots.com, my new host. They have been great during the sign up and migration process.