The CISO role at 25
How has the CISO function changed through the years?
Having an executive team to manage specific functions of an organisation goes back to the introduction of formalised businesses. In the United States it’s recorded that the oldest corporation is Harvard, and Henry Dunster was appointed its first CEO back in 1650.
So, it may come as a surprise that one of the most important executive roles to grace the management team today is comparatively young. While we now rely heavily on the position of Chief Information Security Officer (CISO), that wasn’t the case just over 25 years ago.
The First CISO
In 1994, Citibank in the US had a significant cyber event (read: they were hacked). That event precipitated over $10 million in potential losses as well as the introduction of a new executive at the senior table. And that is why Steve Katz is widely recognised as the first Chief Information Security Officer. The story goes that:
At that point, $400,000 was already lost. Roughly another $10 million went across the wires but wasn’t lost. As people came into the bank to pick up the money, they were arrested. The matter was significant enough that the board directed the CEO to go get a security executive, put that person in place and make sure it didn’t happen again. Katz took the job, becoming the industry’s first Chief Information Security Officer, reporting to the CTO, who reported to the CEO.
25 Years Later in Australia
The good news is that this critical role spread quickly and Australia is catching up. In January 2018 executive search firm Johnson Partners wrote in Tomorrow's Chief Information Security Officer:
"In the past 18 months, CISO appointments within the ASX100 have seen unprecedented growth. AGL, ANZ, Qantas, Telstra, Tabcorp, National Australia Bank, Commonwealth Bank of Australia, REA Group and Medibank, to name just a few – all have appointed CISOs. In many instances, these were ‘first-time’ appointments for the company in question."
There is rarely a month that goes by when an Australian enterprise announces a search for their ‘first-ever’ CISO – in mid-2019 both Monash University and NSW TAFE are seeking theirs.
Governments have been slow to adopt the role. It took another 22 years from the time Citibank appointed Steve Katz before the US government followed suit. In September 2016 the White House issued a press release announcing the first Federal Chief Information Security Officer, stating:
In his new role as Federal CISO, Greg [General Touhill] will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies.
In the Australian Government Information Security Manual (first published in December 2018, updated August 2019) the role of the CISO is clear:
"To provide cyber security leadership within organisations, it is important that each organisation appoints a Chief Information Security Officer (CISO)... The CISO within an organisation is typically responsible for providing strategic-level guidance for their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a Chief Security Officer, a Chief Information Officer and other senior executives within their organisation."
The NSW Government appointed Maria Milosavljevic its first CISO in May 2017 – charged with reaching out across both the public and private sectors to build a strong cyber regime for the state. The same October, former ANZ Bank information and technology risk senior manager John O’Driscoll became Victoria’s first whole-of-government CISO.
Exchange between the public and private sector works both ways; Lynwen Connick, former Department of Defence CISO and adviser to Malcolm Turnbull on cyber security issues, joined the ANZ Bank as CISO in 2017.
Today there are millions of people around the world who hold the title of CISO and thousands of open positions looking for the ideal candidate. It is clearly not a matter of if, but when a company adopts this mission-critical role in their organisation.
A CISO’s Tool Chest
In addition to wisely choosing a team that can handle the rigours of threat prevention, protection, privacy and disaster recovery as well as reporting and compliance, a CISO sets the strategy for technology selection. Selected technologies must evaluate every line of code, making well-documented evasion techniques ineffective.
The chosen technology should be agnostic to file type, client-side application type, and the client operating system used within the organisation. It should provide protection regardless of the operating system, CPU architecture and function (client or server) of the targeted machine.
The future CISO
According to Johnson Partners, the CISO role – like security itself – is constantly evolving:
"The future CISO will need to be prepared to take on more responsibility as breaches will only grow in complexity and magnitude. To meet the future the CISO will need to be a thought leader, always updating their understanding of the avenues available for cyber threats. Today, this is Blockchain, the Internet of Things and Cloud Computing. Tomorrow? The future CISO knows."
Watch this space...