Evolution of the Chief Information Security Officer

In 1995 a new executive title was introduced into business: Chief Information Security Officer (CISO). The CISO role was designed as a response to the ever-increasing need to maintain the security of information and operations contained within the internal technology infrastructures upon which corporations relied. Steve Katz, widely recognized as the first CISO, joined Citicorp/Citigroup in 1995 and was appointed to the CISO role there (he later joined Merrill Lynch as their chief information security and privacy officer).

The original CISO was not to last. Like the railroads and telephone systems of earlier decades, the Internet altered business processes, management methodologies, and product strategies—and with them, the role of the CISO. By the year 2000—and its Y2K work—the CISO’s responsibilities extended beyond the corporate boundaries to include e-business partnerships, mirroring institutional changes. With an emphasis on cross-institutional data exchanges, the CISO’s role evolved into a secondary relationship with customers, suppliers, and partners, but still reported to the Chief Information Officer (CIO).

The economic downturn of late 2001 and the abrupt reversal of fortune for many technology giants brought another dramatic shift in the role of the CISO. The security of a net-based system of interrelated services was still at risk, yet corporate emphasis on cost reduction steadily increased, compounding that risk. Those CISOs who had focused solely on making the technology secure were now themselves at risk: to their executive teams and directors, at least, they represented an investment that had yet to demonstrate a tangible need justifying its cost. Those executives who remained “hands-on” managers of their institutions’ infrastructure operations found themselves without budgets and losing employees, and as the recession cut into revenue streams, numerous companies removed the position of CISO entirely.

In each business and historical phase, the position of CISO has been a mirror of the broader environment within which it operates. The changing role of information systems therefore becomes a map of the broader transformations in cyber security – in our commerce, in our culture, and in our socioeconomic relationships. By better understanding the changing role of the CISOs in these institutions, we can better understand the institutions themselves and the threats posed to them.

Indeed, the changing landscape of Cyber and the CISO’s charter, which evolved to become a portion of the audit function, is an excellent metaphor for commercial society, including the business leaders, citizens, and participants in the broader communities these institutions serve. Examples can be found in every segment of our economy: financial institutions now rely upon 24/7 derivative calculations and zero-latency reporting; federal institutions are tasked to become interoperable with state and local efforts because of eGovernment requirements and “homeland security” imperatives; technology vendors are constructing virtual (electronic) marketplace networks; and manufacturing companies are refining their supply chains and service provider networks.

In every business and every social organization, we have witnessed a dramatic shift in the nature of our jobs, and this was prior to the Covid-19 pandemic, which is certain to accelerate additional changes. Parents send urgent messages to kindergarten teachers via email or text message. Shoppers locate a particular color or size at franchise locations around town or simply make an on-line purchase. Craftspeople in Africa sell their wares directly into New York homes. Midwives in India obtain immediate triage assistance from the emergency pediatrics specialist at the University of Maryland.

The “extended enterprise CISO” is a guardian in a networked community designed to deliver systems and services, with reduced risk, between customers, vendors, and partners: a matrixed role in a network of associations for which some executives are suited and others are not. The position of the CISO within the corporate structure is changing. Most still report to the CIO, while others now report to CEOs and, in some cases, a board member; in all cases, an organization’s ability to hire the right person for this role is fundamental to its success. It is why The Institute of World Politics teaches a webinar on the Cyber Intelligence Professional (https://www.eventbrite.com/e/cyber-intelligence-professional-tickets-104087203628), because filling this position correctly is so vital.

CISOs at every level of business and trade have become responsible for the security of this interconnectedness of daily life. These changes, indeed, are not temporary. The Cyber threat continues to grow and is ever present. Employees responsible for Cyber Security must remain vigilant. This requires continued education, as we cannot stand still while adversaries persist and learn from their efforts. The future of improved security for CISOs and their employees rests on continuous learning and improvement.