In Depth
Evolution of the CSO
From incident reaction to proactive risk assessment, the CSO role has evolved dramatically. Next stop: new services and business operations intelligence.
By Joan Goodchild, Senior Editor
"Clients are getting more sophisticated in what they are looking for and what they need," says Lenzner. "Now we are in the second and third generation of these roles. Some companies are looking at these areas for the first time, but, by and large, companies are filling roles for people who had been there previously."
From Techie to Business Executive
In the early days, information security professionals were viewed as two things, according to Steve Katz.
"Highly technical, and the people who consistently said 'no'," he says.
Katz, considered by many to be the first person to hold a chief information security officer position, began to debunk the notions around information security when he was recruited in 1995 by Citicorp (now Citigroup). The company hired Katz after a hacker broke into Citibank's cash management system and siphoned $10 million into his own accounts. Much of the money was not recovered. The theft brought information security to the forefront for Citibank, and the company wanted someone to minimize the risk that such a breach would occur again. Katz's CISO title was created by a board headed by former Citicorp CEO John Reed.
"His view was: Let's bring a business perspective to information security," says Katz. "[Reed] said, 'Citicorp sells two things: money and trust.' As security, we were there to help them deliver on the trust component."
Katz says he spent much of his first year traveling to meet with Citi executives around the world. His mission was to put a face on security and figure out what needed to be done to protect the company. He asked executives, "Do you care about who you transact with? Who are your customers?"
"Technology wasn't part of it," says Katz. "It was simply, 'Do you care about keeping information confidential and private?'"
In turn, Katz began to introduce concepts such as identity, and company officials began "shaking their heads and saying 'Yeah, that makes sense,'" says Katz.
Katz, who now runs his own consultancy, continues to meet with CSOs and CISOs and does some mentoring as well. When he is giving career advice, he urges up-and-coming security professionals to hone their understanding of business and risk if they want to be successful in today's corporate climate.
"The role is becoming a technical- and business-risk effort much more than it is viewed as a security role. The requirement to work with business professionals is probably the greatest hurdle security professionals have to face. If you aren't at home working with people at the executive level of a corporation, you will be relegated to a much smaller role in the company."



