30 years of the CISO role – how things have changed since Steve Katz

Original Source: CSO Online

The first-ever CISO was mostly a technically oriented executive. They’ve since evolved into masters of risk management, threat mitigation, regulatory compliance, data privacy, and much more.

When Steve Katz became the first-ever CISO in 1995, Netscape Navigator was the world’s most popular browser, Mark Zuckerberg was in middle school, smartphones were a decade away, and SSL 2.0 was brand new.

Katz was offered the job of chief information security officer (a brand-new position that had never existed before) by Citicorp while the bank was still reeling from an incident the previous year in which hackers tried to steal $10 million through fraudulent international fund transfers. The cyber crooks made off with $400,000 before Citicorp foiled their scam. “It was two Russian kids out of St. Petersburg who were trying to find a way to get free telephone service,” Katz recalled in a 2021 interview for author Todd Fitzgerald’s CISO Stories podcast.

In the ensuing fallout, Citicorp created the CISO position and offered it to Katz. He accepted the groundbreaking gig, walking away from his job as head of information security at J.P. Morgan and into the annals of cybersecurity history.

When Katz passed away in December 2023 at the age of 81, infosec colleagues paid tribute to him as “the father of cybersecurity.” Laura Deaner, CISO at Milwaukee-based financial services firm Northwestern Mutual, remembers him as a generous mentor. “We have a hard job. But he was willing to just jump on a call and talk to you if you were struggling with something in particular. He gave me his personal phone number. He gave me his wife’s number! He was just a very positive person in general,” Deaner tells CSO.

As Deaner and other CISOs take up the torch that Katz first lit, here’s a look at how the role has evolved in the three decades since he originated it.

The CISO’s role moves from tech skills to soft skills

Katz had no idea what the CISO job was when he accepted it in 1995. Neither did Citicorp. “They said you’ve got a blank cheque, build something great — whatever the heck it is,” Katz recounted during the 2021 podcast. “The CEO said, ‘The board has no idea, just go do something.’” Citicorp gave Katz just two directives after hiring him: “Build the best cybersecurity department in the world” and “go out and spend time with our top international banking customers to limit the damage.”

The CISO job has since become far more complex. According to Fitzgerald’s 2019 book “CISO COMPASS: Navigating Cybersecurity Leadership Skills with Insights from Pioneers”, Katz’s hiring kicked off the first CISO era from 1995 to 2000, when CISOs focused on passwords and log-on security. Fitzgerald divides the changing roles into a timeline of subsequent eras:

  • 2000 to 2004: Regulatory compliance CISOs
  • 2004 to 2008: Risk-oriented CISOs
  • 2008 to 2016: Threat-aware cybersecurity CISOs (social/mobile/cloud)
  • 2016 to 2022: Privacy and data-aware CISOs
  • 2022 to 2027+: The integrated, business-resilient CISO

Fitzgerald tells CSO the position was originally considered to be a technical one but now features a greater emphasis on business strategy. “There’s a lot more focus today on the soft skills, on being that business partner and being that executive,” he says.

Over time, the CISO’s job has morphed from literally understanding the nuts and bolts of the company’s IT network to understanding how to pick up the pieces (both literally and figuratively) in a cybersecurity crisis, says Yael Nagler, CEO of Yass Partners, a CISO coaching and consulting firm in Washington, DC These days, she adds, the CISO should act as a strategic partner within their organization.

“As the role has evolved, it’s actually moved further away from the keyboard of technology and more into the executive meeting room. So, the CISO’s skills have evolved but their interactions have also really shifted.” Nagler says those interactions include collaborating with units such as technology, finance, audit, legal, and compliance. According to Gartner Research, this type of cooperation beyond the IT sphere is critical for modern CISOs. After Gartner analyzed the performance of 227 CISOs from 2020 to 2023, it concluded “the most effective CISOs” regularly meet with three times more non-IT stakeholders (like sales heads, marketing heads and business unit leaders) than core IT stakeholders.

CISOs have learned to relay risk in business terms

With all that collaboration, today’s CISO must be able to communicate cyber threats in terms that line of business can understand almost instantly. “It’s the ability to articulate risk in a way that is related to the business processes in the organization,” says Fitzgerald. “You need to be able to translate what risk means. Does it mean I can’t run business operations? Does it mean we won’t be able to treat patients in our hospital because we had a ransomware attack?”

Deaner says CISOs have an obvious role to play in core infosec initiatives such as implementing a business continuity plan or disaster recovery testing. As digital transformation weaves technology throughout the fabric of every organization, she adds, the CISO must also break cybersecurity out of the traditional tech silo. “It’s important to ensure that security is a big part of the company’s culture and that you’re hearing about it from the top down,” Deaner says.

Today’s CISO is overloaded, stressed, and full of angst

A 2023 study by Cybersecurity Venture estimated there are currently about 32,000 CISOs worldwide. As the number of CISOs has grown, however, so has their collective sense of angst. In January 2024, a joint IANS/Artico survey of 663 CISOs in Canada and the US found that 75% were open to changing jobs, up from 64% a year earlier, and the number of CISOs satisfied with their job and company fell from 74% to 64% over the same period.

“CISOs are experiencing a duality of anxiety and opportunity, which is attributed to reduced cybersecurity spending, increasing cyber breaches, the rise of generative AI tools, and stricter cybersecurity rules emphasizing disclosure requirements,” the study stated.

The fraught psyche of today’s CISO is no surprise to Fitzgerald. He points out that none of the core responsibilities required for CISOs in previous eras have become less important. Instead, CISOs are now expected to address all of them: risk management, staying on top of emerging threats, regulatory compliance, data privacy, and building business resilience by integrating cybersecurity throughout the organization’s culture and operations. “None of these things in the prior stages went away. They didn’t get replaced, they got added to,” says Fitzgerald.

Liability has emerged as a new worry

Adding to the pile-on effect is a tightening regulatory environment around the globe, including the European Union. In the US, former Uber CISO Joe Sullivan was convicted in 2023 of failing to disclose a data breach; that same year, the Securities and Exchange Commission filed charges against SolarWinds CISO Timothy G. Brown in relation to a 2020 cyberattack.

“People in CISO circles absolutely talk a lot about liability. We’re all concerned about it,” Deaner acknowledges. “People are taking the changes to those regulations very seriously because they’re there for a reason.”

In Nagler’s view, more defined regulatory parameters might actually turn out to be “the best gift” for CISOs. “Leaders are taking notice and hopefully it’s driving more thoughtful action and responsible (cybersecurity) program development in organizations. It’s a great opportunity for CISOs to evolve their role and their value to the company beyond just the technology and into being a strategic partner,” she says.

That could require more frequent — and meaningful — facetime with the C-suite. Yet the IANS/Artico study indicated:

  • Only 20% of CISOs are regarded as C-level execs at their organizations.
  • Just 50% of CISOs engage with their board quarterly.
  • Although 85% want clear guidance on risk tolerance from their board, only 36% get it.

“A lot of times CISOs are still reporting to the CIO or CTO, the technical part of the organization. So as much as they should be reporting to the CEO, a lot of them still aren’t,” Fitzgerald says.

Reframing the CISO position for the future

In the face of constantly emerging cyber threats, AI advancements that seem to spring up overnight, and a shapeshifting legislative landscape, what’s a CISO to do in this day and age? In a 2022 research note that declared CISOs are simply “burnt out,” Gartner’s Sam Oyaei argued the role needs to be reframed entirely: as a leader of shared risk management, not the singular goalkeeper tasked with preventing breaches. “[The job] must evolve from being the de facto accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” wrote Olyeai, VP of cybersecurity advisory at Gartner.

Echoing that, Nagler urges today’s CISOs to “recognize it’s not their sole responsibility” to balance the delicate dualities of managing risk and enabling business growth. Rather, she says their duty is “to make sure the leadership team is equipped to balance that: by threading the needle, by explaining things, by anticipating, by understanding where it’s going.”

Fitzgerald advises the current crop of CISOs to focus on strategy and governance, “making sure all the right things are being done and that ownership of security around the organization is being accomplished, not just the technical pieces of it.”

The last word goes to the very first CISO. In 2021, when Steve Katz reflected on his trailblazing job at Citicorp in 1995, he presciently described his approach to the position in very similar terms. “IT departments were the smallest part of the issue,” Katz said. “From day one, the underlying philosophy was that information security is a business risk issue — it’s a business risk management issue.”

Source URL: https://www.csoonline.com/article/1310847/30-years-of-the-ciso-role-how-things-have-changed-since-steve-katz.html

Author: CSO Online

Leave a Comment