The evolution of the Chief Information Security Officer (CISO) role.
When a serious cyber security incident hits, who from an organisation's security leadership is first in line to deal with it? In most cases, the answer is the Chief Information Security Officer (CISO). The Chief Information Officer (CIO) and Chief Technology Officer (CTO) play crucial roles, but it is the CISO who steps forward to explain to the Board what happened, what the impact is and how the organisation is responding.
What many fail to realise is that the CISO role is not a recent invention. Its origins go back decades, to the emergence of modern cyber crime at a time when the internet was still more of a concept than a widely used global tool.
The birth of the CISO era
In 1994, a pivotal event took place that would change the course of cyber security. In June of that year Citicorp, a prominent U.S. financial services company, fell victim to a computer attack. The incident is now recognised as one of the first significant cyber attacks against a business, and it foreshadowed the challenges organisations face today.
During the attack, a hacker stole roughly $10.7 million (around $22 million in today's money) by exploiting the dial-up cash management system that Citicorp clients used to initiate wire transfers. The breach was unprecedented and sent shockwaves through the industry. The perpetrator was later identified as a Russian hacker named Vladimir Levin. More than a decade later, another Russian threat actor, the Russian Business Network (RBN), was reported to have targeted Citicorp (by then Citigroup) in a similar fashion, highlighting how the same institutions attract the same kinds of threat over time.
What truly matters for this article, however, is what happened after the attack. Recognising the need for a dedicated security function, Citicorp appointed Steve Katz to lead it. Katz became the world's first person to hold the title Chief Information Security Officer (CISO), a title that would soon become synonymous with protecting businesses from cyber threats.
Citicorp's decision to appoint a CISO demonstrated its commitment to preventing future breaches, but not every organisation followed suit immediately. Over time, companies of all sizes have recognised the importance of the role and appointed their own CISOs to safeguard their digital assets.
The role of a CISO today
Fast forward to the present day, and the CISO has become indispensable to business continuity and the protection of sensitive business information. CISOs are responsible for establishing robust security controls, implementing an effective cyber security strategy, and educating employees on security best practice.
As cyber threats grow in sophistication, organisations across industries are realising that a dedicated CISO is no longer optional but a necessity. The CISO's expertise and leadership are vital in managing risk, responding to incidents, and maintaining the trust of stakeholders.
What qualifies someone to become a CISO?
The role of the Chief Information Security Officer (CISO) is undeniably crucial, yet it has no strict educational requirement. This raises the question of how individuals can demonstrate their readiness for the role, particularly if they have not been in the field for decades.
One path to establishing CISO credentials is certification. In the past this typically meant a degree in computer science or a related field, but professional certifications have increasingly become the primary measure of competence. Selecting the right certification is not straightforward, however. Some notable options:
- ISC2’s Certified Information Systems Security Professional (CISSP): Often considered the gold standard for the CISO profession, CISSP has existed since 1994. Candidates need at least five years of cumulative paid work experience across the CISSP domains; a relevant degree or approved credential can substitute for one year of that experience but is not itself required. Holders must renew every three years by earning 120 Continuing Professional Education (CPE) credits.
- ISACA’s Certified Information Security Manager (CISM): Less technically demanding than CISSP and focused on governance, risk and programme management, CISM is still highly regarded and is best viewed as complementary to CISSP rather than a substitute for it.
- EC-Council’s Certified Chief Information Security Officer (C|CISO): This relatively new certification approaches cyber security from a managerial perspective, covering areas such as finance, third-party management and procurement that CISSP does not address in as much depth.
- In the UK, the successor to the NCSC’s Certified Cyber Professional (CCP) scheme: The intention is to give cyber security professionals a chartered status akin to that of professions such as accountancy. As of mid-2023, the final details were still being worked out.
An important facet of these certifications is their commitment to continuous skill development. As with many professional qualifications, holders must keep their skills and knowledge current as the cyber security landscape evolves.
The rise of the modern CISO role can be traced back to the early days of cyber crime. As businesses face increasingly complex threats, a dedicated CISO has become paramount. By appointing these professionals, companies demonstrate their commitment to protecting their assets and to providing a secure digital environment for all stakeholders. The role will continue to evolve alongside the threats it addresses, making it an integral part of every organisation's cyber security strategy.