Last year's high profile breach of US retailer Target not only cost CEO Gregg Steinhafel his job and caused fourth-quarter profits to fall 46% but it really drilled one thing home – cyber security has the ability to make or break a business. It seems we've come a long way from information security being a hidden and isolated issue, and someone who knows this better than many is Steve Katz, widely credited as being the world's first Chief Information Security Officer (CISO).
He has served as the senior security executive for worldwide financial institutions including Citigroup, JP Morgan, and most recently Merrill Lynch. He started his career at JP Morgan in the days of the mainframe as a data security officer in 1985, and then moved to Citibank, where a major cyber heist saw £6 million vanish from corporate bank accounts. At the time a hack on this scale was virtually unheard of, and the role of the CISO was created as a direct result.
> See also: The rise of the CISO: the time is now
'At Citibank I was given virtually no budget restriction,' says Katz. 'I was told to go out and visit all the top 20 corporate clients around the globe, and let them know how this hacking incident took place, how it was identified what we've done about it. I explained what limits they wanted on transfers, how they can authorise changes, whether they want transfers to be readable or not, and how soon they want to be notificed if something goes wrong. My philosophy on information security is the same now as it was then. It's not a technology issue, it's a business issue.'
In Katz's view every security issue today can be traced back to the days of the mainframe- organisations are still having to ask the same basic questions around the integrity of important information, and the challenge is fundamentally the same as it was 30 years ago.
'What happened recently at JP Morgan was a wonderful reminder that despite all the state of the art tools, there's no such thing as corporate security and there never will be,' says Katz. 'What I dealt with in Citibank was rather primitive, someone got in there by accident, but JP Morgan have invested more heavily in security than any other financial services organisation, and they still got hit. JP Morgan accept that they're managing risk as part of being a bank, and this is just another risk you're going to have to manage. As a security chief your job is to make sure the board understand that you are in a risk environment.'
Katz has always pushed for security heads to have greater credibility within the enterprise. The big challenge going forward, says Katz, will be translating the growing complexity of an enterprise's security needs to the rest of the business.
'I'm not going to be the guy to sit down and say this can't be done,' says Katz. 'When PCs first came into the enterprise, they said 'you can't bring that in here' and now they're saying the same about tablets and mobiles. You can't turn around to an investment banker making the company £30 million a year, and say 'you can't use that.' The discussion is about how we're going to use it and the level of risk.'
Katz' advice for a CISO is to create a system where employees fill out a form explaining why they don't wish to comply with a certain security policy, so that the CISO can recommend an alternative solution, explaining in full why it would be less risky for the business. Part of the soft skills required by the CISO is the ability to communicate the 'whys' as well as the technical hows.
'The complexity is increasing, and you need to be aware that everybody who's a business leader or executive is very capable of understanding a great deal, and it's your job to communicate the reasons for security policies effectively or you will destroy your personal credibility.'
In years to come, Katz believes that the diversity of skills involved will eventually lead to the bifurcation of the CISO role.
> See also: The year for the chief mobility officer
'In the next five to ten years, it will become two roles – the technology expert and the information risk expert,' he predicts. 'The information risk guy will the what and the why. He or she will be the marketing arm, the sales arm, the awareness arm and the budget arm- the bridge to the rest of the business. The technology role will be the 'how'. I think to expect a person to be an expert in both areas will be too much to ask.'
Many of the technical skills traditionally associated with the security chief will have to be given up, says Katz, but the CISO will effectively become the 'CEO of a company within a company,' able to get the message of security across effectively.
'CISOs today are far more skilled and motivated, with better access to funds,' says Katz. 'But it's a wonderful challenge- you will have fun with it until you are 80 years old, because it is always evolving. I had the goal when I set up in at the department in Citibank that I would put myself out of business in ten years – boy was I wrong.'
