Steve Katz, World's First CISO, Dies in Hospice Care
Former Banking CISO Remembered as Pioneering Leader, Generous Mentor and Colleague
Steve Katz, the world's first CISO, died Saturday night while under hospice care in Long Island, New York. Katz was a pioneer and trailblazer in cybersecurity leadership. He became the first CISO in history when named to the newly created role at Citicorp in 1995.
Katz also worked in security leadership for J.P. Morgan and Merrill Lynch and spent the bulk of his retirement advocating for cybersecurity standards, information sharing and effective leadership. But he also is remembered as a beloved colleague and mentor who generously shared his time and wisdom.
Former CISO Jim Routh recalled how, early in his own career, Katz stopped what he was doing to go to Routh's office to help him with an assignment. Katz at the time barely knew Routh and worked at a different firm, but he was eager to help and even brought along two other CISOs.
"Steve would drop everything he was doing to help someone else, both professionally and personally," said Routh, a former CISO at American Express, JP Morgan Chase, Aetna and MassMutual and former leader at the Financial Services Information Sharing and Analysis Center. "Steve was very consistent in that that was always the way he responded."
Katz would often tell people that the reason he became a CISO was "99% serendipity" and being open to new career opportunities - even when there is no obvious career path.
First in the CISO Role at Citicorp
He began working in technology in the 1970s, using Fortran and COBOL code, and as a consultant. "This was at a time when auditors woke up and said you need to have mainframe security … and anyone that understood that automatically became a security wizard," he told Information Security Media Group in 2010.
Katz was eventually recruited by J.P. Morgan. "By being there in the mid-1980s, I was able to see the advent of midrange-departmental computing - and we had to come up with ways to implement security on DEC VAX and midrange IBM systems," he said. Then, as personal computers began making their way into corporate use, he worked to get antivirus software into place for those products, as well as security for email systems at the firm, he said.
"Fortunately, the need for security just grew and grew," Katz said.
"In the mid-'90s I was one of a few people who had made a career of information security. Initially, I was called a data security officer and then an information security officer."
Around 1994 or 1995, "there were rumors on the street that Citicorp had been hacked, and no one knew whether it was true or not. I got a call from a recruiter that Citicorp was looking to recruit a chief information security officer - and would I be willing to take the interview." That role hadn't existed before.
Katz said he had decided to take the interview primarily because he wanted to see what happened at Citicorp/Citigroup "so that it would not happen" to Chase and J.P. Morgan.
He spent three months interviewing with every executive-level person in Citicorp's technology wing, he said. The company had realized that information security was "as much a business issue as a technology issue," he said.
"Steve contributed to the industry by creating the discipline of the position of chief information security officer. He represented that field, that role, career path for many people as something that had to not just be a cyber worker at the beck and call of the board, but somebody who led the direction of the company from its security standpoint," said Richard Stiennon, chief research analyst at IT Harvest.
"He made sure to highlight to the boards that he worked with the importance of the work that the CISOs were doing."
Katz served as Citicorp's CISO for about six years before leaving in 2001 for the CISO job at Merrill Lynch, where he instituted a companywide privacy and security program. He would later play advisory roles at several other organizations, including Kaiser Permanente and Deloitte, and with his own consulting firm, Security Risk Solutions.
Champion of Information Sharing
Katz would also become a force for raising the profile of information security in the financial sector as well as in the government. He testified before Congress on information security issues in the late 1990s and was appointed the financial services sector coordinator for critical infrastructure protection by the Secretary of the Treasury, later becoming a founder and thought leader at the Financial Services Information Sharing and Analysis Center.
"Steve saw the value in information sharing and collaboration and the benefits that came with it - helping to improve security and resilience across the critical infrastructure sectors while also providing learning and career development opportunities for the individual participants," said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, of which Katz was a board member.
Katz was a big believer in the ISACs, Weiss said. "Well after his retirement and to this day, Steve gave selflessly back to the global infosec community - as just one small example - Steve was an active adviser to the Health-ISAC and our board of directors, attending regular board meetings and contributing on several board committees," Weiss said.
"On a personal level, I and so many others looked to Steve for career development tips and advice on organizational challenges. He graciously mentored dozens of individuals and the global infosec community owes Steve Katz an eternal debt of gratitude for the trail he blazed as the world's first CISO," Weiss said.
Denise Anderson, president of the H-ISAC, also knew Katz from her previous work at the FS-ISAC. "He then graciously served as an adviser to me and the Health-ISAC Board. Steve was a friend, a source of truth and knowledge, a mentor and a tremendous person all-around," Anderson said. "He was so excited about what we were doing in the ISACs, and he gave selflessly of his time to help the community."
'Guiding Light' for Security Leaders
Katz recognized early on the importance of the CISO gaining buy-in and support from other business leaders in an organization. "The head of security can't be the person who only gets to see the business executive just when it's bad news," he would later say. "There needs to be a regular line of communication between the information security executive and the business heads," he said.
"To be a successful information risk executive, you have to believe that you are and that you have a seat at the executive table," said Katz in an interview with ISMG in 2009. While the cybersecurity landscape has grown ever more menacing, that critical advice still resonates for all CISOs today.
"Make sure that the other executives in the corporation realize you belong there. Go to them and say, 'There are risks that have to be addressed. Let me understand the risks you're dealing with. Let's understand what I can do to meet your needs, and let me explain to you what information risk is all about,'" he said.
Katz was a visionary, said Chenxi Wang, managing general partner at Rain Capital, who worked with Katz at Citigroup in the mid-1990s. "At that time - 1996 - he was saying that brick-and-mortar banking will be going away," she said.
"We will be looking at digital banking, online banking. And that was such forward thinking back then," she said. "He was saying that the business, the security strategies we put together today, will impact the future. So, I learned a lot from him, both in terms of technology, leadership, collaboration with business as well as vision for the future."
In a 2020 interview with ISMG, Katz said that the industry needs to harness artificial intelligence, machine learning and deception solutions "if we want to have a slight chance of catching up" with the cybercriminals. "If I were starting today," he said, "I would be looking at how the heck I could effectively incorporate AI and ML into my entire cyber risk space."
Other former colleagues of Katz say his legacy as a CISO who built strong security teams is lasting.
"I had the privilege to develop my early career within Citigroup's information security organization that was architected and built by Steve," said Chris Hetner, former U.S. Securities and Exchange Commission senior cybersecurity adviser.
"He was a guiding light for cybersecurity professionals and the industry as a whole," Hetner said. "The organizational construct developed by Steve transcends industries worldwide. Steve always spared his precious time to mentor myself and others."
But as devoted as Katz was to the world of cybersecurity and its demands as a leader, he was grounded on a personal level.
"I recall a discussion with Steve addressing the challenges with work and family life balance," Hetner said. "He was a thoughtful and moral man. He will be missed."
Katz was also a frequent speaker and contributor to Information Security Media Group. ISMG CEO Sanjay Kalra called Katz, whom he has known for several decades, "a lifelong student of cybersecurity, a friend, a mentor, and a confidant when I needed him the most."
"Every interaction was a lesson of a lifetime. Of course, there were cybersecurity discussions during those meetings, but above all, there were some common themes that were present during all of our conversations. It was the respect for the community that he was so part of. It was the desire to help anyone who asked for a hand. It was the thorough understanding of the human relationships, irrespective of who he had on the other end, and it was the love for the family - both at work and at home," Kalra said.
Mentor to Many CISOs
Zscaler CISO Sam Curry said he will never forget his first trip to New York to try to make business contacts in the banking industry. Katz was the only CISO willing to meet with him, and it started a friendship that lasted the rest of Katz's life.
"I remember talking to him when I first became a CISO, and his advice still sticks with me today: 'Sam, make sure you understand your business and the language of the business and you can't really go wrong.' To this day, it still underpins most of what I say and do - and pay forward, for that matter," Curry said.
"Very few people leave the world having made such a profound and positive legacy as Steve Katz," said Greg Touhill, the federal government's first CISO and a retired brigadier general and 30-year U.S. Air Force veteran now serving as director of the CERT Division at the Software Engineering Institute. "As the world's first CISO, he blazed a path for others to follow. He was gracious with his time and mentorship as I became the United States government's first CISO, and his impact on the cybersecurity community will be felt for generations to come."