By Kevin Townsend, December 1, 2021
EXECUTIVE SUMMARY
Steve Katz, recognized as the world’s first Chief Information Security Officer (CISO), shares insights into the evolving role of CISOs, which he pioneered in the 1990s. Katz’s journey began at Citibank in the 1970s, where his early work in internal consulting paved the way for a career in security leadership. He established a new security department at Morgan Guaranty in the 1980s and later became Citicorp’s first CISO in 1995 after a major hack exposed vulnerabilities in the bank’s systems.
Katz emphasizes that the role of the CISO is about managing business risk rather than solely focusing on IT security. He believes that cybersecurity is a tool for mitigating business risks, not an end in itself, and advocates for CISOs to communicate with business leaders in terms of risk rather than technology. He suggests that CISOs should report to the Chief Risk Officer (CRO) rather than the Chief Information Officer (CIO) to avoid conflicts of interest, as the CIO often prioritizes innovation over security.
One of Katz’s key strategies was to build a security team that integrated with the business, ensuring that security policies addressed business needs rather than just technological concerns. He also rejected the idea of employing reformed hackers, viewing it as an unnecessary risk.
Katz concludes that the modern CISO must be passionate, courageous, and committed to transparency and communication. He predicts that ransomware and the growing expertise of hackers will be among the biggest challenges for future CISOs, highlighting the ongoing arms race between security defenses and cyber threats. Ultimately, he stresses that the role of the CISO remains grounded in business risk mitigation, a concept he pioneered decades ago.