As a CISO, Are You a Builder, Fixer, or Scale Operator?

Security leaders can better navigate their careers by identifying whether their strengths lie in building programs from scratch, fixing broken ones, or scaling established operations. Understanding this professional identity helps CISOs align with the right organizations, articulate their value during job searches, and prioritize their own professional growth.

When contemplating the next step in your career as a cybersecurity leader, understand what you do best and what you enjoy doing. Figuring this out will help you identify organizations and projects that will benefit from your superpowers and accelerate your growth as a professional. As an added bonus, you’ll be more effective in communicating how you bring value to an organization and what distinguishes you in the industry. One approach to understanding and explaining this is to consider whether, as a CISO, you are a Builder, Fixer, or Scale Operator.

(This post was co-authored by Yael Nagler and Lenny Zeltser.)

There are many ways of grouping security leaders. Each approach is helpful for different reasons. Consider the following thoughtful examples:

Jeff Pollard, Jinan Budge, and Paul McKay help CISOs determine if they’re at the right place by identifying over six types of leaders: Transformational, post-breach, tactical, etc.
Helen Patton helps CISOs understand how they should spend their time by discussing seven circles of security: Technology, data, business, etc.
Phil Venables helps CISOs develop leadership qualities by delineating five essential attributes of security leadership: Archeologist, cartographer, explorer, etc.

These are valuable archetypes. However, they aren’t expressly designed to help you identify and arrive at your next role. There’s room for another model for portraying who you are as a security leader.

Our approach to describing the CISO’s professional identity aims to communicate to yourself and others whether you are a person who can build, fix, or scale the security program.

As you reflect on the past few years of work, determine which of the following categories fits you the most:

Builder: You’re great at building a security program (or significant parts of it) from scratch. You enjoy defining the initial structure, standards, templates, processes, guardrails, and metrics. If you’re a Builder, you’re good at deciding what the organization needs and making it happen. You know how to bring in the right technologies to enable your vision for the program.
Fixer: You’re great at coming into a broken, dysfunctional, or suboptimal security program and figuring out what’s needed to improve it. You enjoy revising processes and adjusting how technology supports them to match the organization’s needs. If you’re a Fixer, you’re good at restoring stakeholder relationships and resetting expectations. You’re intentional and methodical at reshaping the program.
Scale Operator: You’re great at optimizing an established and functional security program to evolve its maturity. You enjoy thinking about finetuning the program so it operates as efficiently as possible. If you’re a Scale Operator, you’re good at standardizing and automating security processes. You thrive in larger organizations with complex structures and multiple products. You can handle the politics.

Which kind of CISO are you at this point in time? We change throughout our career. Don’t assume that because you were one kind of security leader earlier, you’re the same today.

Here’s why it matters whether you consider yourself a Builder, Fixer, or Scale operator:

Identifying your next role or project: Once you know what you do well and what you enjoy doing, you can determine whether you want to stay in the same role category or change it. This can help you narrow your target list of companies or projects. If pursuing a new position, you’ll be able to connect your recent experiences to the role in the interviewing process to position yourself as the right candidate.
Securing your next role: Being able to articulate your persona to potential employers and recruiters earlier in the job search journey, will accelerate the (self)selection process and reduce time interviewing in a role that doesn’t fit. Using a simple word or phrase to explain who you are allows you to set the right context for the interactions.
Honing your brand: Once you understand what kind of CISO you are, you’ll find yourself aligning with conferences, peers, headlines, and social media discussions. Using clean and succinct words to describe yourself will help you explain to others who you are and how they should perceive you. You’ll be able to explain what distinguishes you as you connect with others in the industry.

As you consider the next leg in your career journey, understanding whether you’re a Builder, Fixer, or Scale Operator will help you review opportunities at your current employer and consider alternatives at another organization. Either way, knowing your CISO differentiator will enable you to make more intentional decisions about how you operate and how you prioritize your growth and development.

This post was co-authored by Yael Nagler and Lenny Zeltser.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →