Steve Katz is widely known as the world’s first Chief Information Security Officer (CISO). He has had some involvement with security concepts since the 1970s, became an early head of a security department in the 1980s, and became a CISO in the mid 1990s. Although early, his journey will resonate with all contemporary CISOs.
The road to CISO
If you ask Steve Katz how he got into ‘security’, he will probably say ‘serendipity’. “I was in the right place at the right time, saw the opportunity and took it.”
More specifically, the road started at Citibank. In the 1970s, he had an internal consulting role. He played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN.
But security soon became an issue – and he was one of very few who had any sort of experience. In 1984, he was recruited by Morgan Guaranty, now JP Morgan Chase, to set up and lead a new security department.
In 1995, he was recruited by Citicorp, the parent company of Citibank, where he had started. Following a significant hack, Citicorp’s board instructed its CEO to recruit a security executive. That person was Steve Katz, and he became the world’s first CISO.
Morgan Guaranty and the beginning of the journey
Katz started in security leadership from the position that modern CISOs are striving to reach. Ask any CISO today, ‘what is the most important thing you can do?’, you will probably be told, ‘understand the business and be able to talk to the business leaders’. It’s as if this is a new realization – but it is not. By the time Katz became a security leader, he was already convinced that his role was to serve the business, not the IT department.
“The role is all about business risk,” he told SecurityWeek. “If I had my way, the modern title would be Chief Information Risk Officer rather than Chief Information Security Officer. Cyber security is a tool for managing business risk – it is not an end in itself.”
He tells a story that explains his view of security’s role in business and how to ‘sell’ the role to business leaders. By this time, he was head of the security department at Morgan Guaranty. New-fangled PCs were finding their way into organizations, and new-fangled computer viruses were finding their way into the PCs. Katz was aware of the possibility and spoke to one of the early anti-virus firms. A demonstration found virus-infected PCs in Morgan Guaranty.
The next day he spoke to the board. The members had no understanding of security or viruses. Katz did not try to explain the technology. Instead, he said: ‘You are sitting in a trading room at a trading terminal and before your eyes, sixes and sevens become nines, fives become eights, and threes become zeros. What does that do to your trade?’
The board asked if anything could be done. Katz said he had seen a product that could help. They said, “How much?” He said, “$400,000.” They said, “Go and get it.”
The story explains much of Katz’ view of being a security leader. The role is all about mitigating business risk. Getting rid of the viruses is merely part of mitigating business risk. Getting the business leaders on board requires talking to them in a language they understand. It is not about the technology underlying PCs and viruses, but about the business risk posed by the viruses, and how to mitigate that risk.
In fact, he goes further. He believes the CISO could be a pure businessman so long as he understands technology and surrounds himself with security technologists.
From head of department to the world’s first CISO
In the mid-1990s, while Katz was still with Morgan Guaranty, rumors emerged that Citicorp had been hacked. The hack was discovered in June 1994 – but the bank did not go public. It became public when the FBI sought the extradition of its prime suspect, Vladimir Levin, who was being held in the UK.
The hackers broke into Citicorp’s electronic funds transfer system, which allowed corporate customers to move money between bank accounts. Levin’s group made illegal transfers of around $11 million. They were quickly detected, and the receiving banks were notified. In the end, only $400,000 was lost.
Nevertheless, it was an early and major hack that was about to become public. The reputational damage to Citicorp could be severe, and the board decided that serious action was necessary. They instructed the CEO to find and install a cyber security executive to prevent it happening again.
Katz was already known in the finance sector as one of the few experienced and knowledgeable security leaders. He was invited to talk to Citicorp. “I agreed,” he told SecurityWeek, “but at the time my main motive was to learn what had happened to Citicorp so that I could stop it happening to Morgan.”
But things change. After a few months of discussions with Citicorp he was offered and accepted the position of Citicorp’s security executive; that is, he moved from being head of Morgan’s security department to the executive responsible for security at Citicorp: he became the world’s first Chief Information Security Officer.
His first task was to prevent reputational damage and loss of major corporate clients. He went on a world tour, visiting Citicorp’s 20 biggest customers. He openly explained what had happened, what the bank was doing to prevent it reoccurring, and what he would be doing to improve security going forward.
He also suggested that Citicorp’s customers should ask their own banks what they were doing. Several customers called him later to say their banks refused to talk about their own security – which astonished Katz. “You are the customer,” he said. “You have the right and a need to know how they will protect your money.” Awareness of supply chain risk is not a new concept.
His tour was successful. Despite the hack, Citicorp did not lose a single customer. And the key elements of Katz’ view of a CISO were already set: it’s all about business risk mitigation, and should involve communication and transparency with and from the business leaders.
What went wrong?
So, what went wrong? Why is the modern CISO only now reasserting that the role belongs within the management of overall business risk?
When you talk to Katz, you get the strong feeling that the problem is, and always has been, the usual relationship between the CISO and the CIO. Reporting to the CIO is still the most common reporting line for the CISO, but it leads to a subtle belief that security exists to support IT rather than the business.
The problem here is an inherent conflict between the CIO and the CISO. The CIO’s purpose is to introduce new infrastructure, applications and processes to improve the functioning of the business. Unfortunately, improved functioning often comes at the expense of security. And with the CISO reporting to the CIO, the CISO will often take the back seat in any dispute between the two. In the end, the CIO can fire the CISO – or at the least, make effective functioning very difficult.
Katz would prefer that the CISO be renamed the Chief Information Risk Officer, and report to the CRO, if not the CEO.
To be fair, Katz started his career in security leadership when there was no career in security leadership. He was able to define his role himself. He was recruited by the business, not the CIO. Today, organizations believe they understand the need for a CISO, and understand the role of the CISO – and that usually means a close and probably subordinate role with IT. The role of the CISO has been defined; but the problem with definitions is they limit scope to that definition. The modern CISO is faced with breaking out of the limiting definition that has evolved since Katz first started.
The security team and employing an ex-hacker
Katz’ second task as the new CISO at Citicorp was to build a security team. He employed around 600 full-time and part-time staff around the world. Apart from technological expertise, he always looked for and stressed the need to be able to communicate with and integrate into the business. “I developed half a dozen or so key questions for everyone to keep in mind,” he told SecurityWeek.
“They were things like: Do you care who you do business with? Do you want to control what they can do? Do you want to control lending limits, spending limits and trading limits? Do you need receipts? Do you want to know about problems – and if so, how quickly? If downtime cannot be avoided, what are the acceptable durations for which systems?”
These questions became the foundation of his security policy – but the interesting aspect is that they contain nothing about tools; the list has no equivalent of today’s questions about EDR, XDR or zero trust. The important point is to define the business risk. Security tools are merely the method for mitigating business risk.
We asked whether he would employ a reformed hacker to help understand the hacker’s perspective. Many modern CISOs say they would, if only for the extra perspective that a hacker can bring to threat hunting. For Katz, the answer is half moot and half clear. It is moot because he was a CISO in the finance sector: while the precise regulations differ between jurisdictions, in general the finance sector will not or cannot employ a convicted felon. But it is also clear because he would not anyway. “If a bad guy turns good, there is nothing to say he will not turn bad again,” he said. Since his job is to mitigate risk, this is one risk that can simply be avoided.
Key to being a CISO
We also asked him, ‘what is the most important characteristic for a CISO?’ He replied simply, ‘Passion!’ The CISO should wake up in the morning and be enthused to get on with the job. Katz often starts work at 7:30 am, but he always finishes at 5:30 pm.
This is a bit simplistic. When you talk to him, there are other obvious traits. Having courage in your convictions is one, but it is allied to a willingness to stand up for them. He tells a story that may be apocryphal in origin, but is nevertheless indicative. He had a dispute with a CIO to whom he reported. The CIO wanted to put in a new system. Katz told him he couldn’t do that for good business risk reasons. The CIO insisted, but so did Katz.
“We’re going to do this,” said the CIO, “because I’m your boss and we’ll do what I say – or I’ll fire you.” Katz replied, “Fine. You can fire me. But it won’t be until after I have spoken to the board – and you will have to explain why you refused the security advice of the Chief Information Security Officer.”
It’s not all bombast. It is equally clear that Katz also believes in communication and transparency, and being surrounded by people you trust and can rely on.
What about the future, we asked? What are the main threats that the CISO will need to face over the next few years? “Ransomware,” he said. “That goes without saying. But really, the biggest threat is the ever-increasing expertise of the hackers.”
It is an irony that has been noted before. Increasing the sophistication and effectiveness of security defenses merely spurs the bad guys into increasing their own sophistication and effectiveness. It’s a never-ending cycle of strong defense and even stronger attacks. It’s problematic for business, but reassuring for the CISO career.
Katz – the first but very modern CISO
Steve Katz was the world’s first CISO, and he became one a quarter of a century ago. Surprisingly – and perhaps disappointingly – his early views on the role of the CISO remain very modern. It’s all about business risk mitigation. Cyber security is merely the method used to mitigate the business risk that arises from business information.
The role, in Katz’ view, is more aligned to the Chief Risk Officer than to the Chief Information Officer. The CRO allows the concept of security to expand across the whole business. The CIO has a more constraining effect, focusing security on the IT infrastructure. The modern CISO understands this, but is forced to struggle to return security to its business risk mitigation origins.