ISC2 member, world’s first CISO, and someone who pioneered what this role has come to mean to organizations across the world.
Steve Katz, widely celebrated as the first person in the world to have the job title of CISO as well as a longtime ISC2 member, has passed away in New York at the age of 78, according to media reports.
Grasping the importance of Steve’s career to the history of the cybersecurity profession means travelling back to 1994, the year that what was then called computer security took an historic turn for the worse. At the time, what we now call cybercrime was downplayed in the media as being mostly a problem of routine computer misuse by bored teenagers. The event that started to change people’s minds was an attack in that year on Citibank during which bad actors stole $10 million ($20 million in 2023), transferring it to accounts under their control.
Looking back, what’s striking about this incident is how many of today’s trends it foreshadowed. The first was that the criminals acted as part of an organized gang rather than a lone basement warrior. The second was that they turned out to be based in Russia. This is not to suggest that all cybercrime bad actors were or are Russian – far from it in fact. But the involvement of the country was a warning that digital systems had serious weaknesses that enterprising computer misusers anywhere in the world were more than capable of spotting and exploiting.
Eventually, all but $400,000 of the stolen money was recovered, but the management of Citicorp was suitably alarmed. They were no doubt privately aware that such long-distance heists had increased in frequency that year across financial services.
The CISO is Born
Katz had been working in computing since the 1970s, where he seems to have become an experienced jack-of-all-trades with a gift for explaining to management what computing was really about. This was about to become a critical function for anyone connected to computer security. Probably not coincidentally, 1994 was also the year that Steve Katz became an ISC2 member, where he became a CISSP, a certification he wore as a proud badge for the remainder of his professional life.
Katz was working for Morgan Guaranty (later JP Morgan Chase) when, in early 1995, everything changed.
“The rumor at the time was that Citicorp had been hacked. I got a call from a recruiter asking if I’d be interested in a position in information security,” he told Cybercrime Magazine in 2020. “The job was going to be called chief information security officer, the first time that title had ever been used.”
His job title was CISO, making him the first person to have that title. But the name was more than corporate happenstance; Katz was the real deal, the sort of CISO who would be as at home today in the unfolding cybersecurity storms of 2023 as he was in the security problems of 1994.
“The role is all about business risk,” he told SecurityWeek in 2021. “If I had my way, the modern title would be Chief Information Risk Officer rather than Chief Information Security Officer. Cybersecurity is a tool for managing business risk. It is not an end in itself.”
This idea that computer security – cybersecurity in today’s parlance – is really a business issue manifesting in an engineering form is what Katz will be most remembered for. Katz might or might not have been the first person in computing to realize this, but he was without doubt the first person explicitly given the job of doing something about it.
As an early ISC2 member, he also appreciated the need for the industry to professionalize to take on big problems with no simple fixes. This wasn’t a battle but a campaign. Meeting this challenge would require a new type of security manager, able to think strategically as well as tactically, good at communicating complex issues, and willing to constantly challenge and re-educate themselves as the world changed. In his public speaking engagements since 1995, Steve Katz more than lived up to this ambition.
- Recognize a CISO or other cybersecurity leader in your organization by nominating them for an ISC2 Global Achievement Award.
- Find out more about the ISC2 CISSP certification here.
- Learn more about translating cyber risk into business language for effective leadership with our skill builder.