The Evolution of the Chief Information Security Officer
Cyber risk has evolved from being considered an IT issue into a top board priority. Cyber-attacks have been on the risk radar since 1988, when Robert Tappan Morris accidentally executed the world’s first Distributed Denial of Service (DDoS) attack. Back then – and for a long while after – cyber-attacks were viewed only through a technical lens.
Powered by the rapid growth of the internet in the 1990s and beyond – and our subsequent reliance on it – cybercrime has evolved into the world's biggest criminal growth industry. No longer avoidable mistakes, cyber-attacks are a sophisticated and coordinated assault on business data, and the consequences are potentially crippling: reputational damage, financial loss, reduction in shareholder value, legal action, and fines. Because cybercrime keeps growing in sophistication and scope, the strategies and tools used to prevent it have had to keep up.
To match cybercriminals stride for stride and avoid falling off the pace, businesses are adopting a holistic approach that looks beyond just implementing technical risk controls – a shift that’s reflected in the evolution of the Chief Information Security Officer (CISO).
The first CISO
Steve Katz can rightly claim to be the world’s first CISO. In 1994, after financial services multinational Citicorp was hacked by cybercriminals, the company decided to take the bold step of creating a new C-level position to reinforce it against future attacks – and so the CISO was born. The man tasked with this trailblazing role was information security guru Steve Katz, and the role itself has had to keep pace with the digital revolution in the intervening years.
The early years
This brave new dawn in the battle against cybercrime was a step in the right direction, but its remit was narrow. To become one of the first CISOs, applicants – who typically hailed from technical positions within corporate companies, law enforcement or the military – didn’t need a diverse skillset; they just had to prove they were proficient in networking and operating systems. Once in post, they rarely interacted with old-school CEOs who failed to recognise that information security is a business risk issue, not just a technology issue – a short-sighted view that still plays out to this day.
The modern CISO
Fast-forward 28 years and the business landscape has been completely reshaped by organisations’ reliance on data and IT systems. However, this explosion in digital connectivity has created an attack surface so wide for cybercriminals that it’s estimated that global cybercrime costs will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015.
To remain effective, the scope of the CISO role in this dynamic risk landscape has had to grow with the evolving threat of cybercrime. Consequently, the traditional technical approach to information security has been augmented with a business-focused, risk management mindset. The modern CISO’s ability to monitor, mitigate and respond to cyber threats, while meeting regulatory obligations, is now dependent on soft skills such as communication as much as hands-on technical experience.
Steve Katz embodies this shift – according to the godfather of CISOs: “The absolute best CISOs are those who can thoroughly understand security, understand technology but be incredibly adept at regularly meeting with business leadership and the board.”
The CISO is no longer just a member of the IT department; they have cast off the shackles and embraced the wider business. Today they are strategic business leaders who integrate at all levels of the organisation. This holistic approach has empowered them to add value by building trust and fostering a culture of shared cyber risk ownership across the business. So, if you’re working as a CISO or have set your sights on climbing the cyber security career ladder to this level, channel your inner Steve Katz and become a vital layer in the fight against the escalating and constantly evolving threat of cybercrime.