ISC2 member, world’s first CISO, and someone who pioneered what this role has come to mean to organizations across the world.

Steve Katz, widely celebrated as the first person in the world to have the job title of CISO as well as a longtime ISC2 member, has passed away in New York at the age of 78, according to media reports.

Grasping the importance of Steve’s career to the history of the cybersecurity profession means travelling back to 1994, the year that what was then called computer security took an historic turn for the worse. At the time, what we now call cybercrime was downplayed in the media as being mostly a problem of routine computer misuse by bored teenagers. The event that started to change people’s minds was an attack in that year on Citibank during which bad actors stole $10 million ($20 million in 2023), transferring it to accounts under their control.

Looking back, what’s striking about this incident is how many of today’s trends it foreshadowed. The first was that the criminals acted as part of an organized gang rather than a lone basement warrior. The second was that they turned out to be based in Russia. This is not to suggest that all cybercrime bad actors were or are Russian – far from it in fact. But the involvement of the country was a warning that digital systems had serious weaknesses that enterprising computer misusers anywhere in the world were more than capable of spotting and exploiting.

Eventually, all but $400,000 of the stolen money was recovered, but the management of Citicorp was suitably alarmed. They were no doubt privately aware that such long-distance heists had increased in frequency that year across financial services.

The CISO is Born

Katz had been working in computing since the 1970s, by which time he seems to have become an experienced jack-of-all-trades with a gift for explaining to management what computing was really about. This was about to become a critical function for anyone connected to computer security. Probably not coincidentally, 1994 was also the year that Steve Katz became an ISC2 member, where he became a CISSP, a certification he wore as a proud badge for the remainder of his professional life.

He was working for Morgan Guaranty (later JP Morgan Chase) when, in early 1995, everything changed.

“The rumor at the time was that Citicorp had been hacked. I got a call from a recruiter asking if I’d be interested in a position in information security,” he told Cybercrime Magazine in 2020. “The job was going to be called chief information security officer, the first time that title had ever been used.”

His job title was CISO, making him the first person to have that title. But the name was more than corporate happenstance; Katz was the real deal, the sort of CISO who would be as at home in the unfolding cybersecurity storms of 2023 as he was in the security problems of 1994.

“The role is all about business risk,” he told SecurityWeek in 2021. “If I had my way, the modern title would be Chief Information Risk Officer rather than Chief Information Security Officer. Cybersecurity is a tool for managing business risk. It is not an end in itself.”

This idea that computer security – cybersecurity in today’s parlance – is really a business issue manifesting in an engineering form is what Katz will be most remembered for. Katz might or might not have been the first person in computing to realize this, but he was without doubt the first person explicitly given the job of doing something about it.

As an early ISC2 member, he also appreciated the need for the industry to professionalize to take on big problems with no simple fixes. This wasn’t a battle but a campaign. Meeting this challenge would require a new type of security manager, able to think strategically as well as tactically, good at communicating complex issues, and willing to constantly challenge and re-educate themselves as the world changed. In his public speaking engagements since 1995, Steve Katz more than lived up to this ambition.