Introduction
The first Chief Information Security Officer, or CISO, was named 29 years ago: After Russian hackers infiltrated financial services giant Citicorp (now Citigroup) in 1995 and stole more than $10 million, the Citigroup Board instructed the company’s CEO to recruit a security executive to improve the company’s digital defenses. That person was Steve Katz, and he became the world’s first CISO.
Five years later, in 2000, the software company JD Edwards appointed its first CISO. That person was me.
After 24 years of working as a CISO, and three years serving as CISO at F5, I’m preparing to retire. Over the course of my career, I’ve seen tremendous changes not only in the cybersecurity landscape that organizations face, but also an evolution of the CISO role in today’s organizations.
A CISO’s primary responsibilities are to develop and implement information security policies, manage cybersecurity programs and compliance, and ensure the protection of sensitive data within their organization. Over the years, the level of cyber risk has vastly increased, with cybersecurity advancing to keep ahead and maintain resilience in an ever-expanding arms race with cybercriminals—with the understanding that threats (and mitigations) will never stop evolving.
As cybersecurity has become an essential business requirement, with security compliance in many industries now mandated by governmental agencies, the CISO role has expanded beyond its original preventative security focus toward a more strategic and business leadership position involved with identifying and managing risk. As I will discuss later, with these enhanced responsibilities has come increased, and perhaps unclear, levels of accountability.
It’s illuminating to look back at the forces and inflection points that have impacted cybersecurity over the past quarter century and understand how they have shaped the CISO function over time. I have seen significant change over the course of these 24 years, so let me share a synopsis of that journey.
Birth of the CISO Role
There’s no mystery why CISOs came into existence around the turn of the 21st century.
The era of the fortress data center was ending, when computer networks were mostly internal to the organization and perimeter defenses like firewalls and intrusion detection systems could keep the bad guys out. In a span of just a few short years, personal data and financial information went from stored on paper documents in filing cabinets in locked offices to shared digitally across networked systems and accessible at your fingertips on mobile devices.
The late 1990s saw the first boom of the Internet and world wide web. By 1997, Amazon had 1 million customer accounts and eBay had gone public. The dot-com bubble ensued, with a surge in online shopping and unbridled e-commerce. The Stanford Federal Credit Union in California became the first financial institution to offer online banking in 1994 and offered online bill paying in 1997. A bit later, in 2003, the Institute of Medicine released a study establishing the key capabilities for electronic health record systems.
With these advances, the reality of data privacy shifted as our banking information, credit card numbers, medical records, and other personal identifying information were digitized and shared across networks.
There were initially limited protections for data and personal information in these increasingly interconnected networks. The first distributed denial of service (DDoS) attack occurred in 1999, followed by Code Red and Nimda worm cyberattacks that targeted web servers in 2001, and SQL Slammer in 2003 which spread rapidly and brought focus on the need to patch vulnerable systems.
The end of the millennium also brought Y2K and the Millennium Bug, which exposed the vulnerability of existing computing infrastructures that formatted dates with only the final two digits and raised the profile of CISOs and other security professionals. Organizations recognized the necessity of dedicated executives responsible for managing cybersecurity risks. The CISO role became increasingly strategic, responsible for developing and implementing information security policies, and enacting IT risk assessments and business continuity plans to address potential disruptions of normal operations.
A Changing Cybersecurity Environment
CISO responsibilities shifted again in the 2010s with the rise of cloud computing and prevalence of mobile devices. Network perimeters become more fluid, with CISOs now required to secure data and access across dynamic and distributed environments and a wider range of devices and technologies.
Cloud computing meant new responsibilities for CISOs: Storing and processing data in third-party clouds and data centers meant that sensitive data had to be protected during transmission and processing. For the CISO, this involved implementing enhanced encryption and access controls for data and taking responsibility for vendor risk management for cloud service providers.
COVID-19 significantly reshaped workplace and IT priorities and highlighted the need for adaptive and resilient cybersecurity measures in the face of unprecedented business disruption. The global pandemic made work-from-home the new normal, and CISOs focused on policies for securing remote endpoints, implementing secure access controls, vetting remote collaboration tools, and educating employees about best practices for remote work security. More than ever, the CISO’s responsibilities were business critical.
Workplace disruption was also catnip to malicious actors, and rates of cybercrime soared during the early COVID years; the FBI reported that 2020, the first year of the pandemic, saw a 69% increase in Internet crime over 2019. Our 2020 Phishing and Fraud Report showed that phishing incidents rose 220% in 2020 compared to the year before. CISOs had to contend with a surge in cyberattacks, ransomware incidents, and other malicious activities targeting remote workers and organizations adjusting to new working environments.
Looking forward, the rate of technological change is accelerating and emerging technologies are poised to again impact CISOs and make cybersecurity more challenging.
Like many other technologies, Artificial Intelligence (AI) can be used for both legitimate and malicious purposes. Advanced AI and machine learning are now in use in cybersecurity systems to identify anomalies and potentially fraudulent activities. On the other hand, bad actors also harness powerful and ubiquitous AI to create more sophisticated and effective cyberattacks. Deepfake spear-phishing attempts, ransomware attacks, and social engineering scams can easily bypass traditional security measures.
Easy access to powerful AI is also lowering the barriers to entry for cybercriminals, allowing them to more easily conduct sophisticated and damaging data breaches and fraudulent activity.
With Greater Responsibility Comes Greater Accountability
CISOs are also responsible for understanding their organization’s regulatory landscape and ensuring compliance with required mandates and reporting, an area that has also evolved greatly over the last 24 years. Governments and enforcement bodies are increasingly putting organizations on notice that cybersecurity is an important business issue and that companies need to pay attention to the accuracy of financial reporting and how they are securing the privacy of the personal data they process and store.
Over the years, CISOs have had to ensure compliance with a battery of regulations and standards. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) of 1996 enshrined the privacy and security of personal health information whether stored on paper or a digital record. The Sarbanes-Oxley Act (SOX) of 2002 sought to protect investors from fraudulent financial reporting by improving the accuracy of corporate disclosures. In the wake of the 2008 financial crisis, the Dodd Frank Act enhanced reporting and regulatory oversight in the financial sector. Within entities governed by these regulations, CISOs played an enhanced role in ensuring that their organizations comply with these regulations by implementing appropriate security controls and reporting mechanisms.
Globally, regulatory bodies have also enacted laws that require the safeguarding of personal information that, in many cases, also limits where that information can be processed and/or stored. This landscape of multiple cybersecurity laws across many jurisdictions is challenging for any CISO leading an organization operating in countries around the world.
With this higher-profile role, CISOs gained growing accountability, with the need for greater transparency in their decision-making, particularly for situations involving data breaches or other security incidents.
CISOs were soon making the news, and not always in a good way. Former Uber CISO Joe Sullivan was found guilty of felony obstruction of justice and concealing a data breach in October 2022. The following month, CISO Lea Kissner of Twitter (now X) resigned along with the company’s chief privacy officer and its chief compliance officer over concerns that Twitter’s new leadership was pushing for the release of products and platform changes without effective security reviews.
However, the degree of CISO accountability for cybersecurity compliance is unclear. Though CISOs may have responsibility for an organization’s cybersecurity, they aren’t usually members of the executive team, which has the ultimate decision-making authority to fund or implement CISO recommendations. CISOs don’t generally control corporate priorities, resources, funding, or investment decisions at the executive level, so their true accountability for enforcing organizational compliance with cybersecurity mandates is open to question.
Two new federal compliance requirements may point a way forward toward better understanding the CISOs’ evolving role within an organization’s governance structure. These regulations increasingly place companies on notice that cybersecurity is an important business issue and accountability for it belongs at executive levels of the organization.
CISOs are on the frontline of compliance with new cyber disclosure rules from the U.S. Securities and Exchange Commission (SEC) that detail cybersecurity risk management responsibilities and obligations for publicly traded companies. These rules, which went into effect in December 2023, require greater transparency and specificity around cyber events, compelling companies to report material cyberattacks within four business days and make yearly disclosures about their cybersecurity risk management, strategy, and governance.
How and when CISOs disclose security events has become an increasingly important aspect of the CISO’s job, as agencies such as the SEC begin to question generic or boilerplate disclosures about breaches.
To disclose or not to disclose will increasingly become a challenging decision for CISOs, as disclosure documents are usually reviewed and approved by executive team members before public release, muddying the CISO’s accountability if statements made in the disclosure don’t reflect the CISOs point of view. CISOs will need to develop greater coordination with other teams and individuals (legal, finance, business, communications, board members) to ensure prompt and accurate decisions about the materiality of incidents.
Upping the ante is a revised draft of the U.S. federal government’s Secure Software Development Attestation Common Form distributed by the Cybersecurity and Infrastructure Security Agency (CISA) as part of the federal government's implementation of President Biden’s Executive Order "Improving the Nation's Cybersecurity", issued May 2021. The form requires vendors providing software to the federal government to attest that the software they produce is developed in conformity with specified secure software development practices.
The previous draft required the form to be signed by the software producer’s CEO "or their designee," which in many cases was the company’s CISO. The new draft designates that the form must now be signed by the company’s CEO or COO, firmly placing accountability for software security attestation and accountability with the company’s top executives.
Moving forward, cybersecurity disclosures and attestations, especially those that involve a security incident or attestation, should be discussed and resolved with executive leadership and board approval in addition to guidance from the organization’s CISO, who may be legally accountable for its impact. Greater transparency across leadership will be valuable should the decision be questioned at a later time.
Conclusion
A CISO’s most essential responsibility is to be prepared on multiple levels for events or situations that could compromise the security and integrity of an organization's digital assets. Over the years, this has meant that the CISO role has evolved from IT problem solver to a strategic business leader whose duty is to meet the challenges of an ever-changing cybersecurity landscape.
CISOs should now work alongside other executive-level leaders, board members, and department heads as they together help safeguard their organizations from a wide range of cyber risks, negotiate compliance and regulatory requirements, and prepare for cyber resiliency. Organizations that come out positively on the other side of a cyber event are those that are well prepared, with open communication among business and technology leaders, and accountability placed with true decision-makers.
I have truly enjoyed the challenges I have faced over these last 24 years as a cybersecurity leader. While retiring from the full-time (and then some) daily role of CISO, I plan to stay active in the cybersecurity community to drive continuing maturity of the profession through mentorship and my passion to accelerate diversity and inclusion for future cyber leaders.
Please feel free to connect with me on LinkedIn: linkedin.com/in/gail-coury
