When Steve Katz became the first-ever CISO in 1995, Netscape Navigator was the world’s most popular browser, Mark Zuckerberg was in middle school, smartphones were a decade away, and SSL 2.0 was brand new.
Katz was offered the job of chief information security officer (a position that had never existed before) by Citicorp while the bank was still reeling from an incident the previous year in which hackers tried to steal $10 million through fraudulent international fund transfers. The cyber crooks made off with $400,000 before Citicorp foiled their scam. “It was two Russian kids out of St. Petersburg who were trying to find a way to get free telephone service,” Katz recalled in a 2021 interview for author Todd Fitzgerald’s CISO Stories podcast.
In the ensuing fallout, Citicorp created the CISO position and offered it to Katz. He accepted the groundbreaking gig, walking away from his job as head of information security at J.P. Morgan and into the annals of cybersecurity history.
When Katz passed away in December 2023 at the age of 81, infosec colleagues paid tribute to him as “the father of cybersecurity.” Laura Deaner, CISO at Milwaukee-based financial services firm Northwestern Mutual, remembers him as a generous mentor. “We have a hard job. But he was willing to just jump on a call and talk to you if you were struggling with something in particular. He gave me his personal phone number. He gave me his wife’s number! He was just a very positive person in general,” Deaner tells CSO.
As Deaner and other CISOs take up the torch that Katz first lit, here’s a look at how the role has evolved in the three decades since he originated it.
The CISO’s role moves from tech skills to soft skills
Katz had no idea what the CISO job was when he accepted it in 1995. Neither did Citicorp. “They said you’ve got a blank cheque, build something great — whatever the heck it is,” Katz recounted during the 2021 podcast. “The CEO said, ‘The board has no idea, just go do something.’” Citicorp gave Katz just two directives after hiring him: “Build the best cybersecurity department in the world” and “go out and spend time with our top international banking customers to limit the damage.”
The CISO job has since become far more complex. According to Fitzgerald’s 2019 book “CISO COMPASS: Navigating Cybersecurity Leadership Skills with Insights from Pioneers”, Katz’s hiring kicked off the first CISO era from 1995 to 2000, when CISOs focused on passwords and log-on security. Fitzgerald divides the changing roles into a timeline of subsequent eras:
- 2000 to 2004: Regulatory compliance CISOs
- 2004 to 2008: Risk-oriented CISOs
- 2008 to 2016: Threat-aware cybersecurity CISOs (social/mobile/cloud)
- 2016 to 2022: Privacy and data-aware CISOs
- 2022 to 2027+: The integrated, business-resilient CISO
Fitzgerald tells CSO the position was originally considered to be a technical one but now features a greater emphasis on business strategy. “There’s a lot more focus today on the soft skills, on being that business partner and being that executive,” he says.
Over time, the CISO’s job has morphed from literally understanding the nuts and bolts of the company’s IT network to understanding how to pick up the pieces (both literally and figuratively) in a cybersecurity crisis, says Yael Nagler, CEO of Yass Partners, a CISO coaching and consulting firm in Washington, DC. These days, she adds, the CISO should act as a strategic partner within their organization.
“As the role has evolved, it’s actually moved further away from the keyboard of technology and more into the executive meeting room. So, the CISO’s skills have evolved but their interactions have also really shifted.” Nagler says those interactions include collaborating with units such as technology, finance, audit, legal, and compliance. According to Gartner Research, this type of cooperation beyond the IT sphere is critical for modern CISOs. After Gartner analyzed the performance of 227 CISOs from 2020 to 2023, it concluded “the most effective CISOs” regularly meet with three times more non-IT stakeholders (like sales heads, marketing heads and business unit leaders) than core IT stakeholders.
CISOs have learned to relay risk in business terms
With all that collaboration, today’s CISO must be able to communicate cyber threats in terms that lines of business can understand almost instantly. “It’s the ability to articulate risk in a way that is related to the business processes in the organization,” says Fitzgerald. “You need to be able to translate what risk means. Does it mean I can’t run business operations? Does it mean we won’t be able to treat patients in our hospital because we had a ransomware attack?”
Deaner says CISOs have an obvious role to play in core infosec initiatives such as implementing a business continuity plan or disaster recovery testing. As digital transformation weaves technology throughout the fabric of every organization, she adds, the CISO must also break cybersecurity out of the traditional tech silo. “It’s important to ensure that security is a big part of the company’s culture and that you’re hearing about it from the top down,” Deaner says.
Today’s CISO is overloaded, stressed, and full of angst
A 2023 study by Cybersecurity Ventures estimated there are currently about 32,000 CISOs worldwide. As the number of CISOs has grown, however, so has their collective sense of angst. In January 2024, a joint IANS/Artico survey of 663 CISOs in Canada and the US found that 75% were open to changing jobs, up from 64% a year earlier, while the share of CISOs satisfied with their job and company fell from 74% to 64% over the same period.
“CISOs are experiencing a duality of anxiety and opportunity, which is attributed to reduced cybersecurity spending, increasing cyber breaches, the rise of generative AI tools, and stricter cybersecurity rules emphasizing disclosure requirements,” the study stated.
The fraught psyche of today’s CISO is no surprise to Fitzgerald. He points out that none of the core responsibilities required for CISOs in previous eras have become less important. Instead, CISOs are now expected to address all of them: risk management, staying on top of emerging threats, regulatory compliance, data privacy, and building business resilience by integrating cybersecurity throughout the organization’s culture and operations. “None of these things in the prior stages went away. They didn’t get replaced, they got added to,” says Fitzgerald.
Liability has emerged as a new worry
Adding to the pile-on effect is a tightening regulatory environment around the globe, including the European Union. In the US, former Uber CISO Joe Sullivan was convicted in 2022, and sentenced in 2023, for covering up a 2016 data breach; in October 2023 the Securities and Exchange Commission charged SolarWinds and its CISO Timothy G. Brown in connection with the 2020 supply-chain attack on the company.
“People in CISO circles absolutely talk a lot about liability. We’re all concerned about it,” Deaner acknowledges. “People are taking the changes to those regulations very seriously because they’re there for a reason.”
In Nagler’s view, more defined regulatory parameters might actually turn out to be “the best gift” for CISOs. “Leaders are taking notice and hopefully it’s driving more thoughtful action and responsible (cybersecurity) program development in organizations. It’s a great opportunity for CISOs to evolve their role and their value to the company beyond just the technology and into being a strategic partner,” she says.
That could require more frequent — and meaningful — facetime with the C-suite. Yet the IANS/Artico study indicated:
- Only 20% of CISOs are regarded as C-level execs at their organizations.
- Just 50% of CISOs engage with their board quarterly.
- Although 85% want clear guidance on risk tolerance from their board, only 36% get it.
“A lot of times CISOs are still reporting to the CIO or CTO, the technical part of the organization. So as much as they should be reporting to the CEO, a lot of them still aren’t,” Fitzgerald says.
Reframing the CISO position for the future
In the face of constantly emerging cyber threats, AI advancements that seem to spring up overnight, and a shapeshifting legislative landscape, what’s a CISO to do in this day and age? In a 2022 research note that declared CISOs are simply “burnt out,” Gartner’s Sam Olyaei argued the role needs to be reframed entirely: as a leader of shared risk management, not the singular goalkeeper tasked with preventing breaches. “[The job] must evolve from being the de facto accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” wrote Olyaei, VP of cybersecurity advisory at Gartner.
Echoing that, Nagler urges today’s CISOs to “recognize it’s not their sole responsibility” to balance the delicate dualities of managing risk and enabling business growth. Rather, she says their duty is “to make sure the leadership team is equipped to balance that: by threading the needle, by explaining things, by anticipating, by understanding where it’s going.”
Fitzgerald advises the current crop of CISOs to focus on strategy and governance, “making sure all the right things are being done and that ownership of security around the organization is being accomplished, not just the technical pieces of it.”
The last word goes to the very first CISO. In 2021, when Steve Katz reflected on his trailblazing job at Citicorp in 1995, he presciently described his approach to the position in very similar terms. “IT departments were the smallest part of the issue,” Katz said. “From day one, the underlying philosophy was that information security is a business risk issue — it’s a business risk management issue.”