CISO: The Evolution of the Species

By Demetrios "Laz" Lazarikos

1980s. Steve Katz implementing the requirement of passwords and user IDs being entered into Cobol and Fortran programs put him into a category that didn’t exist yet: Security. In the mid-1980s, auditors with the “Big 8” firms realized that mainframe systems with Top Secret classified information needed to be secured. By the mid-1990s, Data Security Officer had become a career.

1986. Clifford Stoll discovers that a 75-cent accounting error was related to a user that had accessed the Lawrence Berkeley National Laboratory in California. In Stoll’s book The Cuckoo’s Egg, he details how the hacker in question acquired access to multiple machines all over the world.

Steve Katz, Courtesy  BatBlue

Steve Katz, Courtesy BatBlue

1994. CitiCorp is hacked. This attack made the bank realize that Security was a business issue, not just technology.  The company assembled an executive committee to create a description for the newly created position “Chief Information Security Officer.” CitiCorp recognized that to develop and implement the necessary strategy and policies this would require a new C-level position. After three months of interviewing, Steve Katz accepted the job to put together a program to “make sure Citi was never hacked like that again.” Thirty days later, news of the hack – which had been kept private – hit the newspapers. When asked by reporters how it felt to be in this position, Katz’s quipped he “slept  like a baby”; he got up every two hours and cried. Citi’s strategy centered on privilege and encryption, the development of an Information Security Office organizational structure, and training to support the plan. [i] “I had the goal when I set up in at the department in Citibank that I would put myself out of business in ten years – boy was I wrong,” says Katz.[ii]

2005-2010. The role of the CISO evolves from technical tasks to defining the programs to address the “big picture” risks. Regulatory compliance emphasis moves to enterprise risk management. CISO is now often found reporting to the CIO, CTO, COO, and sometimes General Counsel.[iii]

Mark Weatherford, Courtesy  NextGov

Mark Weatherford, Courtesy NextGov

2008. Mark Weatherford, previously CISO of the State of Colorado, is appointed by Governor Arnold Schwarzenegger to be the first CISO of the California Office of Information Security (OIS), a division of the Office of the Chief Information Officer created in 2007.[iv] In 2009, Weatherford released California's first-ever Information Security Strategic Plan. [v] This plan included the creation of the California Information Security Operations Center to provide real-time notification of cyber-attacks across all state and local government agencies.[vi] In an interview with Government Technology, Weatherford said California state agency CIOs needed an enterprise security strategy to help guide their efforts. "Agency CIOs tell me that's what would help them the most -- consistent policies that let them know the direction the state is heading and what's expected of them," he said.[vii]

2015-2016. The CSO is the “corporate rock-star of the future” possessing stellar technical, political, organizational, communication, progressive thinking and crisis management skills.[viii] Cybersecurity’s visibility has soared and is now on the Board’s agenda, significantly elevating the CISO’s voice. The CISO needs to secure and protect the enterprise assets without impeding the progress of the lines of business.[ix]

To whom CISOs report and what access and influence they have are as important as their qualifications and experience. The role must be senior enough for the CISO to gain the respect of C-level executives and the board.
– The Wall Street Journal

Although CISOs typically have interaction with the board of directors today, more engagement regarding risk is desired. A recent survey indicates that 50 percent of CISOs report to CIOs, 15 percent to the CEO and the remainder to the COO or a risk leader. [x]

PWC’s The Global State of Information Security® Survey 2016 indicates that reporting to the CIO could represent a conflict of interest. “While there are some exceptions, we believe that CISOs and CSOs should be independent of CIOs to better allow for internal checks and balances, as well as the ability to escalate security issues to corporate leadership and the Board.”[xi]

“Boards and C-level executives are now accountable,” said Jim Manico from Anahola, Hawaii-based Manicode Security. Board education and proper reporting structures are absolutely critical.

Eight reasons the CISO should report directly to the CEO and not the CIO:

  1. Security is an issue for the entire company, not just the IT department. As a CISO advisor said, "A CISO's job is not to protect IT – a CISO's job is to protect the business, the brand, investors, and customers – it’s a universal effort, not just for IT."
  2. Organizations where the CISOs report to CIOs have 14 percent more downtime due to security incidents, according to a PwC study.
  3. Organizations where the CISO reports to the CIO have financial losses that are 46 percent higher, according to the same PwC research.
  4. If security concerns threatens to stall an IT project, the CIO might overrule it.
  5. The CIO might be reluctant to approve security projects that hinder IT productivity.
  6. If a security project costs money, the CIO might choose to spend it on IT instead.
  7. Some regulators are beginning to mandate CISOs report to the CEO - and many more may follow. In Israel, for example, there are laws dictating that CISOs report directly to the CEO.”[xii]
  8. From Laz: When presenting to the Board of Directors (BoD), if a CIO presents her/his materials, the security posture of the company may get lost within technical IT information being presented.

Sept. 8, 2016. President Obama announced the first federal CISO, as the latest initiative over the nearly eight years of his administration to 'fundamentally shift the way we approach security in the digital age and raised the level of cybersecurity across the country.' [xiii]

Former Brig. Gen. Gregory J. Touhill, Courtesy  U.S. Air Force

Former Brig. Gen. Gregory J. Touhill, Courtesy U.S. Air Force

An inevitable progression, perhaps long overdue, the establishment of the position validates the integral work IT security professionals do globally.
— Larry Jaffee, An InfoSec Life column editor for ITSPmagazine

Future. Transitioning to the Board of Directors. [xiv]

The future of the CISO role will be one where the company’s security maturity will be evaluated on a regular basis and the board of directors will be routinely involved in the cyber risk discussion and decision-making.

Additional concepts related to the future of the CISO will be delivered in a three-part series here on ITSPmagazine:

  1. The future CISO - who is she/he, what they do, and who will they report to in the organization
  2. Dashboards that work for socializing your ideas for internal buy-in and reporting
  3. Discussing Information Security with the Board, C-Suite, and Investors

Stay tuned for more...

About Demetrios Lazarikos (Laz)

Demetrios Lazarikos (Laz), a recognized visionary for building Information Security, fraud, and big data analytics solutions, has more than 30 years experience in building and supporting some of the largest InfoSec programs for Financial Services, Retail, Hospitality, and Transportation verticals.

More About Laz