Several years into your role as a security leader at a company, you’ll reach a point when you ask yourself, “What’s next for me?” This article discusses three ways to proceed if you choose to stay at your current organization. (It was co-authored by Yael Nagler and Lenny Zeltser.)
At this point in your CISO tenure, you know your way around the company, you’re familiar with the cadence and patterns of the organization, you know what’s expected, and you understand your trajectory.
Consider three paths available to you if you decide not to switch employers. Each path comes with the benefit of allowing you to pursue it in an environment where you already have the ‘map’ of how to navigate, execute, and succeed. You can:
- Keep at it,
- Slow it down, or
- Accelerate.
There are different reasons and times to choose each of these options. No matter which you choose, the most important thing is that you enter into it intentionally.
You Decide to Keep At It
Keeping at it means maintaining your current pace of execution and change. Since you’ve been doing this at the company for a while, you can do this with predictability and reduced cognitive load.
Why choose this:
Decide to keep at it if there’s more for you to get done. You’re excited about continuing to execute the existing plan, and your current approach is working and well received. You’re finding it fulfilling, and the company is supportive of the pace. You aren’t experiencing indicators that the company’s leadership is expecting or needing something more or different.
This is a good choice when the security team is past the forming and storming stages but could be in the norming and performing stages. On a personal level, you may be looking to reduce your work-cognitive load because of factors happening outside of work. Keeping on pace and on track with what you’ve already been doing provides that space.
What it looks like:
Well, more of the same. When you’ve chosen to keep at it, you don’t make big changes to the team structure, the scope of the department, or how it operates. You may find that you or your department are expanding into other company functions and interactions. Perhaps you’ll join another committee or be asked to participate in a cross-functional initiative.
Importantly, you’re doing it well. For example, as you think about your team, you may focus more energy on enabling your team. You’re doing this by increasing their learning opportunities and their cross-functional contribution and involvement.
A caution for CISOs who choose this route–be on the lookout for atrophy and stagnation. You may be at risk if it’s perceived that you or the program is not continuing to deliver the expected level of value.
You Decide to Slow It Down
Slowing it down means intentionally decreasing the pace and scale of security changes and throughput. Selecting this path should be intentional and appropriate for what the company needs at this stage. Importantly, the organization agrees. While slowing it down, shift your focus to succession planning or preventing change fatigue.
Why choose this:
A lot has happened already. Whether it’s a lot of change or other activity, you decide to slow it down. This can be a good option if your organization is experiencing change fatigue and needs time to absorb recent security program changes before you introduce more. Alternatively, you may consider this option for the health of the current team, for example, if the team needs a recovery period after a significant year-long project.
Another reason to consider slowing it down is if you think you’ll leave the company in the next 18 months. Slowing it down allows you to put effort into succession planning to set up your team and the organization for success.
What it looks like:
If you slow it down, you’ll make incremental rather than major changes to the security program. This frees up time for you to work on documentation, reflect on achievements, and focus on professional development or community engagement.
However, when you slow it down, avoid complacency and the perception of being checked out. Set goals and metrics so you remain valuable and continue to fulfill your responsibilities for the organization. Resist the gentle pull of mediocrity.
You Decide to Accelerate
Accelerating means increasing the pace or impact of security initiatives. This may include taking on higher-risk, higher-reward projects or perhaps revisiting previously failed or off-limits initiatives. Perhaps most excitingly, deciding to accelerate may include taking on things you’ve never done before but are now trusted to explore and pursue.
Why choose this:
With several years in the role, you likely have substantial influence and trust. This capital–which you wouldn’t have upon entering a new organization (if you decided to leave)–provides a safety net and permits taking on larger initiatives not feasible earlier.
Deciding to accelerate is exciting, but it’s also higher-risk (for you individually as well as for the company). Before pursuing this option, consider how much organizational support you already have. Timing is equally important as is determining whether this is the right thing for the company based on its business objectives. Don’t accelerate solely because you have the energy if your team or other stakeholders aren’t ready.
What it looks like:
If you’re accelerating, pursue complex, high-impact projects aligned to business goals. Expand into new areas. Pursue passion projects in the context of work projects. Encourage your team to have a growth mindset and share knowledge through conferences, open-source releases, or other community collaborations.
As a caution, when choosing to accelerate, beware of burnout in yourself and others. Define the timeframes, desired outcomes, and success metrics upfront. Accelerating exhilarates, but this mode of operating is unsustainable into perpetuity.
Where Do You Go From Here?
Now you know about the 3 options for security leaders who decide to stay at the organization when they reach an inflection point in their tenure. Recognize when you’ve reached an inflection point in your security leadership tenure. Then, assess your situation to decide how and where to direct your energy for the next phase of your professional journey.
Reflect on your program, leadership, and company (this reflection guide may help) before deciding to keep at it, slow it down, or accelerate your pace. Recognize the unique opportunities of your tenure if you decide not to switch employers and leverage these powers purposefully to maximize impact.
Congratulations on arriving at the inflection point. What you do next is going to be great. How you feel about it will be based on when you decide to lean into it. As you plan your next steps, consider how these decisions may impact your strategy and priorities.
To dig into this topic further, consider watching the recording of a talk that we delivered at the RSA Conference, titled Whoa, You’ve Been the CISO for 3 Years at Your Firm—Now What?
Updated January 18, 2024
About the Author
I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.