How the CISO became the most important job in cyber security


When a cyber security disaster strikes, who is the first manager the security team will call? In most cases, the answer is the Chief Information Security Officer (CISO).

The Chief Information Officer (CIO) and Chief Technology Officer (CTO) do a lot of the heavy lifting, but it’s the CISO who will have to stand up in front of the Board and give a more detailed explanation should a cyber attack visit the house.

What’s less appreciated is that far from being a recent fashion, the rise of the modern CISO role goes back decades to the birth of modern cyber crime and a time when the Internet was mostly something people read about in magazines rather than used themselves.

The CISO era begins

The year was 1994, and the history-changing event was a computer attack on U.S. financial services company, Citicorp, in June of that year. This incident – now widely viewed as the first modern cyber attack of any scale against a business – had several elements which eerily predicted the world we live in 30 years later.

During the incident, a hacker stole $10.7 million ($22 million in today’s money) by accessing the dial-up service that several Citicorp clients used for wire transfers. At the time, this was shocking and extraordinary. It later transpired that the attacker was a Russian called Vladimir Levin. Over a decade later another Russian threat actor, the Russian Business Network (RBN), returned to haunt Citicorp (by then renamed Citigroup) with a similar hack, and this east-meets-west history has been on repeat ever since.

But what matters for this article is what happened next. Realising with foresight that the incident signalled a new type of business problem, Citicorp decided to shore up its defences by appointing a man called Steve Katz to lead a new security function. His job title, Chief Information Security Officer, made him in effect the world’s first named CISO.

Perhaps Citicorp saw this as a case of problem admitted, problem solved: the CISO was the person who would stop such appalling security breaches from happening again. It was a good idea, but it didn’t work out that way for everyone. Many CISOs have been appointed since 1994 (indeed, no organisation of any size would now be without the role), but the workload has only multiplied. Equally, without the CISO function, it’s hard not to imagine that cyber security would have deteriorated even more than it has.

Initially, the role of the CISO was seen as being about network security and access control. In time, it became obvious that digital access and the Internet had also hugely expanded what was possible. Digital systems were becoming so interconnected that security represented a new type of business risk, understood today through the modern idea of cyber security.


The new CISO

The early CISOs – that’s probably all experienced CISOs working today – were networking and IT engineers who got into security because only they had the necessary expertise. They were predominantly technical people whose skills and knowledge were seen as a means to the end of looking after computers and network plumbing.

Over time, however, this mainly technical role has evolved into something altogether more diverse and complex. The idea that CISOs were engineering people who reported upward to Boards was a product of an era when cyber security was seen as an IT function. IT itself was seen as predominantly a service for other functions. This has now changed dramatically; IT and cyber security are now strategic investments that protect value within a traditional risk management approach.

In effect, the CISO is a business role that is part of the Board. In the event of a cyber attack today, the CISO won’t be asked for a technical description but to relate what has happened in terms of its effect on the business.

What makes a CISO?

The CISO’s role is pivotal, and yet no single educational qualification is required to become one. This raises the issue of how CISOs prove they’re up to the job, especially if they didn’t start their career 30 years ago and cannot point to specific experience in the field.

One answer to that question is by becoming certified. This used to mean taking a degree or a master’s in computer science, but increasingly professional certification has taken over as the more important measure. The problem is that working out which certification to pursue is not always easy. For example:

  • ISC2’s Certified Information Systems Security Professional (CISSP). This is the gold standard of the CISO profession and, coincidentally, also dates back to 1994. It requires candidates to have a computing-related qualification (such as a degree) and to have completed five or more years of full-time work experience. In addition to the exam fee, the certification must be renewed every three years by earning 120 continuing professional education (CPE) credits.
  • Probably the nearest competitor to the CISSP is ISACA’s Certified Information Security Manager (CISM). It’s less technically demanding but still seen as an important qualification; the two could be seen as complementary.
  • The EC-Council’s more recent Certified Chief Information Security Officer (CCISO) is designed to cover cyber security from a management-skills perspective (finance, third-party management, procurement, etc.), areas not included as part of the CISSP.
  • In the UK, the NCSC-inspired replacement for the current Certified Cyber Professional (CCP) scheme will give cyber security professionals access to the same chartered status enjoyed by professions such as accountancy. This had yet to be finalised as of mid-2023.

An important aspect of certification is the commitment to refreshing skills. As with many professional certifications, skills and knowledge must be constantly updated as the field moves on.

Are CISOs essential?

The short answer is that while smaller organisations might not need someone with CISO as their job title, they almost certainly need someone who thinks like one. Ultimately, the CISO’s role is about understanding what is really going on and communicating that across the organisation. In almost every organisation that means being someone who can relate technology and how it is used to wider concerns about business risk. It’s taken a generation to understand that this role is central to the future of organisations that are becoming increasingly defined by their digital rather than physical presence.


Written by Amtivo Admin
