Email Security

    CISO at 25

    How has the CISO function changed through the years?

    by Boris Vaynberg

    Having an executive team to manage specific functions of an organization goes back to the introduction of formalized businesses. In the United States, it is recorded that the oldest corporation is Harvard, and that Henry Dunster was appointed its first CEO back in 1650.

    So, it may come as a surprise that one of the most important executives on today's management team is, by comparison, a very young role. While we now rely heavily on the position of Chief Information Security Officer (CISO), that wasn’t the case just over 25 years ago.

    The First CISO

    In 1994, Citibank had a significant cyber event (read: they were hacked). That event precipitated over $10 million in potential losses as well as the introduction of a new executive at the senior table. And that is why Steve Katz is widely recognized as the first Chief Information Security Officer. The story goes that:

    “At that point, $400,000 was already lost. Roughly another $10 million went across the wires but wasn’t lost. As people came into the bank to pick up the money, they were arrested. The matter was significant enough that the board directed the CEO to go get a security executive, put that person in place and make sure it didn’t happen again. Katz took the job, becoming the industry’s first Chief Information Security Officer, reporting to the CTO, who reported to the CEO.”

    25 Years Later

    The good news is that this critical role spread quickly. According to Wikipedia:

    “Having a CISO or the equivalent function in the organization has become a standard in business, government, and non-profit sectors. Throughout the world, a growing number of organizations have a CISO. By 2009, approximately 85% of large organizations had a security executive, up from 56% in 2008, and 43% in 2006. In 2011, in a survey by PricewaterhouseCoopers for their Annual Information Security Survey, 80% of businesses had a CISO or equivalent.”

    Perhaps a more disconcerting observation is that it took another 22 years before the US government followed suit and named a Federal CISO. On Sept. 8, 2016 the White House issued a press release titled “Announcing the First Federal Chief Information Security Officer” and reported:

    “A key feature of the CNAP is creation of the first CISO to drive cybersecurity policy, planning, and implementation across the Federal Government. General Touhill is currently the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security (DHS), where he focuses on the development and implementation of operational programs designed to protect our government networks and critical infrastructure.  In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies.”

    Today there are millions who hold the title of CISO, and thousands of open positions are looking for the ideal candidate. It is clearly not a matter of if, but when, a company adopts this mission-critical role in its organization. Once it does, it is important that the CISO is equipped with the best tools to accomplish the role's goals.

    A CISO’s Tool Chest

    In addition to wisely choosing a team that can handle the rigors of threat prevention, protection, privacy and disaster recovery, as well as reporting and compliance, a CISO sets the strategy for technology selection. The selected technologies must evaluate every line of code, rendering well-documented evasion techniques ineffective.

    Such technology should be agnostic to file type, client-side application type, and the client operating system used within the organization. It should provide protection regardless of the operating system, CPU architecture, and function (client or server) of the targeted machine.
