Over the past decade, the role of the CISO has morphed from introverted techie into slick businessperson, reports Dan Kaplan.
The year was 1992 and Howard Schmidt was a cop in Chandler, Ariz. Fellow officers knew him as the Police Department's resident geek, but as a field sergeant in the organized crime unit, he earned his paycheck by working the streets, not the server room.
Then, in March of that year, the Michelangelo virus struck, and Schmidt's career would change forever. While the worldwide effect of the outbreak turned out to be minimal, the Chandler Police Department, which was in the process of transitioning from mainframes to PCs, absorbed damage to some of its machines.
The incident both enraged and motivated Schmidt, a U.S. Air Force veteran and lifelong technology hobbyist (he takes a particular interest in ham radio operation). Schmidt sensed a battle brewing and he figured it was up to him and fellow IT enthusiasts to defend their turf from these newfound renegades.
“We all just really enjoyed [technology], and we saw the way other people were attacking the things we enjoyed,” Schmidt, now president of the Information Security Forum, recalls. “That put the impetus on us to go ahead and find ways to stop them.”
After he began investigating computer crimes specific to Chandler – Schmidt remembers one incident in which a crook used a modem to dial into a local credit bureau service to download personal information on customers – he left the department to head the Computer Exploitation Team at the FBI's National Drug Intelligence Center. Not long after, he was tasked with running information security at Microsoft.
At the time, the term “CISO” or “CSO” meant little to most companies – unless their employees were members of the Council of International Student Organizations, or perhaps, if they were partial to astronomy, spent time at the Caltech Submillimeter Observatory. But after infections such as Michelangelo and the arrival of the internet as a crude but reliable and profitable way to conduct business, security as it related to IT rapidly evolved. It would not take long before a brand-new title, chief information security officer, took root at large organizations across the country.
Fast forward to 2009 and the position now comes with considerable clout within many corporations and public entities, as the most successful CISOs are focused not just on keeping intruders out and data safe, but also on business enablement and risk reduction. In fact, it would not be uncommon to walk into the modern-day CISO's office and find an MBA degree hanging on the wall alongside a Microsoft Certified Systems Engineer certificate.
But before one marvels at how far the profession has come in the 20 years that SC Magazine has been publishing, it is necessary to draw on the past to learn just what accounted for the meteoric rise of the IT security executive.
Origin: Information security leaders
Stacey Halota, since 2003 the vice president of information security and privacy for the Washington Post Co., says that in the 1980s and 1990s, information security had little, if any, connection to business. Access, which back then meant ensuring employees couldn't accidentally delete files, was a top priority. The work fell to system administrators, she says.
“We had one of the first Novell servers that was actually hardware-based and I remember my job was setting up different groups of who could have access to what,” says Halota of her work at a small Virginia-based firm called Computer Business Methods, which sells development tools to government and commercial organizations.
Gene Fredriksen, the global information security officer at Tyco International, received a similar introduction to IT security. While at Eaton Corp. from 1981 to 1994, Fredriksen was charged with managing the mechanical engineering group. “Security of information was about locking the door to the print room,” he says.
But when the company began the transition from paper-based to computer-aided design, some of his responsibilities fundamentally changed. “We finally got to a point where everyone had unique logins,” he recalls, recognizing the irony now of considering that an achievement.
Finding himself energized by the discipline in much the same way as Schmidt, Fredriksen left Eaton in 1994 to take a job as supervisor of information security at American Family Insurance. The company, based in Madison, Wis., was seeking to establish an internet presence and was one of the few corporations at the time that looked to hire a designated security professional.
“It was the first time I had ever seen a role that dealt specifically with information security,” he says.
During his four-year stint there, Fredriksen received a crash course in safeguarding an organization. Most of his initial work focused on user administration and firewall deployment, while later he deployed anti-virus to every desktop as the company moved toward a distributed computing environment.
In retrospect, his responsibilities may look like child's play now, considering that these days sophisticated overseas hackers are using surreptitious malware to siphon personal information. But, with no precedent on which to draw, Fredriksen's introduction to the life of a CISO certainly wasn't a cake walk, he admits.
“In looking back now, those were pretty simple times,” Fredriksen says. “But it was uncharted territory. No one knew what impact viruses were going to have or what ports you should open up. We were starting those standards from scratch at American Family.”
Compliance and the criminal threat
If data-deleting viruses and the need to establish a web presence drove security conversations in the 1990s and early 2000s, regulatory demands and the rise of well-groomed cybercriminal gangs catalyzed discussions from then on.
And without them even realizing it, CISOs cashed in due to both drivers. After all, chief executives would rather elevate security as a business priority than face a front-page article in the Wall Street Journal after a data breach, or a trip to federal prison for failing to comply with regulations, such as Sarbanes-Oxley.
“The senior executives are becoming very aware and supportive of security efforts,” Fredriksen says. “I think that's the biggest change I've seen.”
And just as senior management is concerned about the risks, they also realize that to run an effective business in a way that today's borderless corporate environment demands, security must play into that equation, Schmidt says. Business leaders are recognizing that security is an asset, not a liability, he says.
With that recognition, though, comes a burden for the CISO: the need to be business savvy. Dan Lohrmann, the former CISO of the state of Michigan who now serves as its CTO, spent his early days helping to launch the state's award-winning $30 million e-government initiative. He then parlayed that project into making the case to become CISO. To do so, he spoke in business terms, telling senior management that it would be a shame to see millions of dollars go to waste due to porous security. It was a pitch that rang true in a state battered by the economy.
“People forget that in Michigan, we've been in a recession since 9/11,” he says. “We've been struggling. For me, I saw [e-government] as a huge blind spot. They were putting all their risk in this basket, but they were not seeing the protections needed.”
Nowadays, connecting security to a company's bottom line is commonplace, says John Stewart, CSO of Cisco. “Security is now viewed as a critical requirement in the purchase, design, development and deployment of applications and services,” he says. “There has been a shift from the emphasis on predominantly technical controls to risk assessment, policies and user education.”
As the role has been better defined, CISOs are tasked with instilling security best practices, says John Johnson, senior security program manager at John Deere, one of the nation's largest providers of agricultural machinery. With that responsibility comes the need to straddle the line between the IT department and the board room.
“The CISO has to be an interpreter,” Johnson says. “The CISO has to be able to explain the business need to the IT organization in language they'll understand and be able to bring technology security issues to executives in a way they'll appreciate.”
But as much as security has matured within sectors such as banking and health care, its presence within other verticals, such as manufacturing, often remains restrained and limited, says Johnson.
“We don't automatically have somebody sitting at the table as our champion by default,” Johnson says. “We have to build the case, and communicate that effectively up the chain. We're careful not to ask for things that don't directly benefit the company.”
MBAs and the CISO of the future
Still, organizations are valuing information security professionals more than ever before. An Information Security Solutions survey from April, which studied how salary rates of contractors and permanent employees were impacted by the slumping global economy, concluded that 56 percent of respondents experienced a pay increase over the previous 12 months.
“These findings tell us that our profession continues to enjoy increasing influence and impact on the organization, as companies recognize their dependencies on IT and connected business processes,” John Colley, managing director of (ISC)2 EMEA, said in April.
Workers recognize this as well. As a result, some are returning to graduate school to obtain master's degrees in the trade. Others have elected to obtain their MBA, considering the trend toward aligning security with business.
Yet, most experts agree that secondary degrees – or, for that matter, certifications such as the CISSP (certified information systems security professional) – are just one component in a CISO's arsenal. The successful ones will be skilled in people, processes and technology, says Michigan's Lohrmann.
“I've seen business people who have an MBA who really have no credibility because they don't know [for example] what encryption is,” he says. “Maybe they can quote it from a dictionary, but they've never actually secured anything.”
Lee Kushner, president of Freehold, N.J.-based L.J. Kushner & Associates, an executive recruiting firm, says he thinks experience will continue to win out over education. Education is not a guaranteed differentiator, he says. “It might be the ticket to the dance, but it doesn't mean you're coming home with any dates.”
Kushner doesn't necessarily foresee a time when all CISOs will earn master's degrees – instead, he says, it will vary from organization to organization depending on company culture.
“If all the members of your executive team have an MBA, your CISO is going to have an MBA,” Kushner says.
Into the future
Going forward, though, as the CISO position secures its foothold in the corporate boardroom, some observers wonder if the function has an infinite lifespan. Considering new technologies, such as cloud computing, and the increasing cost-benefit of outsourcing and offshoring, will the CISO role even be needed if external firms are handling the security for a business?
It will, say current CISOs interviewed for this story. But most agree that the position eventually will be absorbed into another business division, likely risk.
And, while the CISO of 2019 may not be charged with operating firewalls or come from a network administration background, he or she still will be needed to oversee the management of security, doing things such as monitoring service-level agreements with outsourcers or overseeing in-house policies, say experts. In fact, Johnson says he envisions the next iteration of the security executive actually becoming more influential.
“Down the road, the CISO will probably be seen more as a manager of IS risk, rather than just the security manager,” he says. “That is a more empowering role, and I think that security is still seen by many in a limiting way – as a bolt-on solution to ‘fix’ specific problems.”
Meanwhile, Schmidt, whose career also has included a CISO position at eBay and a cybersecurity adviser role in the White House, believes the golden age of the security executive is here. As proof, many of today's start-ups are, for the first time, inviting CISOs to join their board of directors to describe how security might impact a fledgling organization.
“That's the bottom line,” he says. “Now we're living in the world where it's not about the technology, it's about the business processes and the business runs on risk management.”
In the beginning: Q&A with Steve Katz
Steve Katz was ahead of the times. When most IT workers with security responsibilities were just learning about viruses, Katz was working with executive management at Citibank to develop a revolutionary strategy on how information security could enable the business. It would take several years for most other companies to catch up; some still haven't. In a special interview to mark SC Magazine's 20th anniversary, Katz, now president of consultancy Security Risk Solutions, reflects on his precocious past, offers timeless tips for his peers and makes some bold predictions about the future.
SC Magazine: You joined Citibank in 1995 and are considered the world's first CISO. Take us through how that happened.
Steve Katz: Citicorp was hacked in 1994 (note: pre-internet) by a group of Russian hackers. Citi became aware of the attack almost as soon as it started and the group was ultimately arrested and prosecuted. Citicorp's executive management team, including the CEO, determined that the company should institute a corporate-wide, global information security program. They also determined that there should be a chief information security officer who would interface with executive level management and would routinely report the “state of security” into the corporate risk management committee.
SC: What were your responsibilities back then and why was the CISO role even needed?
SK: I joined Citicorp in July of 1995 with the charter of building the next generation of information security that would encompass all facets of technology, operations and business functions. We took the perspective that to be successful, information security was fundamental to Citicorp living up to its trust commitment to its customer base. In fact, in one of our early security awareness videos, the CEO, John Reed, made the statement that Citicorp had two products: money and trust. If we didn't provide the trust, we couldn't sell the money.
My focus was on governance, policy and standards, formal risk acceptance for not meeting security standards, technology and metrics. The technology focused on strengthening rules for mainframe security products, ensuring that effective security was put in place for mid-range/departmental processors (VAX, AS400, etc.) and making sure that the burgeoning PC and LAN environments were secure. We also increased requirements for encrypting a number of our networks.
SC: How was the position received?
SK: Like today, not too many executives argue with the concept of providing security. The challenge was turning the concept into reality. I began the program with a small number of major priorities: Bring on a team of top security professionals to help define and build the program; establish effective metrics so we knew and could demonstrate progress; institute a risk acceptance process; roll-out a security awareness program and begin routinely meeting with the top business, operations, technology and audit executives and bank examiners around the globe and across the company. My role was to explain, market and sell the program, while simultaneously ensuring that a world-class program was being developed and implemented.
SC: How have the job functions of the CISO changed over time?
SK: Much of what we did organizationally, functionally and technologically at Citicorp in the 1990s was groundbreaking. Having said that, the threat landscape that we had to deal with was far less severe than what today's CISO has to deal with. Viruses came into companies via disks and email, customers accessed products via direct connections or dial-up, and there was no pervasive use of the internet.
Banks always had to deal with federal and state examiners, but GLBA, SOX, etc., were products of the 2000s. Regulatory scrutiny will only increase. The challenge will be to ensure that there is an effective relationship with regulators and auditors. A tool that I have found to be effective is a rolling 24-month plan similar to a rolling 24-month financial plan. Monthly reporting would include forecasted results, actual results, a variance analysis and extending the plan for the full 24 months.
SC: How did security professionals obtain their positions a decade ago versus now?
SK: Traditionally, information security was integrally embedded in the world of the CIO and many of the heads of information security moved into there by being accomplished technologists, often specialists in mainframe security tools. An alternative path was to move into information security via internal audit. If you go back 15-plus years, people often moved into information security by accident. – Dan Kaplan
Illustration by Chloe Hedden