Part I: A Lesson from the World's very First CISO
Updated: Mar 10, 2020
It was 10 p.m. as I got ready for a very important call. In the last few years, I have spoken to more than 70 C-Suite leaders around the world for the newly published edition of my book Cyber Risk Leaders. I have now met with global Chief Information Security Officers (CISOs) from multinational corporations, big banks, government CISOs, critical infrastructure, all the way through to the ex-FBI, Navy SEAL, and NSA, etc.
Yet, I still found myself getting excited about this impending call to New York. This CISO on the other end of the line was going to give me a peek specifically into the corporate world of cybersecurity, which he has been living in for more than 30 years. "Hello!" I started.
"Good morning, Shamane!" Steve Katz piped in, "it must be late over there."
Brownie points for those who immediately recognised the name.
Yes, Steve Katz is a legend in the field of #cybersecurity #infosecurity #ITsecurity. He is publicly known as the world's first CISO. Since 1985, he has served as the senior executive for Citibank/Citigroup, JP Morgan, and Merrill Lynch.
Steve was so good to talk with. We probably could go on for hours, but had to stop at an hour and a half. From telling me he still has a little merlion sitting at his desk from his trip to Singapore more than 15 years ago, to his fond memories of being in Australia, I felt like I was speaking to a friendly mentor. I realised how passionate he was when we started diving deeper into the questions that I had for him.
I quickly became aware that I might need to have a second print of my Cyber Risk Leaders book ready as I was not going to want to keep all these insights to myself. Right after our conversation, I was inspired to start writing again.
But first, my biggest takeaway from speaking to Steve is that he exemplifies information security as a business risk. It was never just about security or technology for him. Then, there is also the fundamental value that he operates by:
"There's a time to get paid to make a recommendation, and there's a time to get paid to make a decision. If you get fired, get fired for doing the right thing. But make the right decision."
I love it! Here was a man who was unafraid of the consequences, as long as his conscience was clear. And this empowered and enabled him to think creatively and find genuine solutions, which led to one of the greatest achievements in history: dealing with Citicorp's first hack by a Russian group back in 1994, and saving the global bank from losing a single customer out of their top 20 international banking customers. What a story. I can't wait to feature it in the 2nd edition!
Steve was very obliging in sharing his thoughts whenever I threw different questions his way. I marvelled at the fact that when you fast forward into the year 2019, almost 30 years later, the mantra that information security is a business management risk issue is still very current and relevant. Back then, Steve demonstrated an incredible amount of foresight and forward-thinking in focusing on addressing and resolving business issues.
As part of building the cybersecurity ecosystem and sharing information, I would like to ask this of my network: "What are some of the creative yet effective ways you have talked to the business and got your points across? Any success stories to share?"
Please share them in your comments below. I am looking forward to reading them!
About the Author
Shamane Tan is the published author of Cyber Risk Leaders and the APAC Executive Security Advisor at Privasec, a leading and independent security consulting firm. She has worked extensively with organisations in the Asia-Pacific region, from exciting start-ups all the way to global organisations. Shamane advises the C-Suite and IT executives on everything from their business security posture to the reality of the challenges they face from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup, which is in four major cities in Australia, as well as Singapore. Her meetups offer security enthusiasts and executives a unique platform to impart and exchange innovative insights.