"If I Were Starting My Career Today..." - Interview with Steve Katz

Steve Katz was the world's first CISO, and he has unique insight on the information security profession - how it's developed and where it's headed.

In an exclusive interview, Katz discusses:

How the information security role has evolved;
Which trends are changing the role;
The skillsets necessary for today's security professionals to succeed tomorrow.

Katz is a prominent figure in the network security discipline. Since 1985, he has served as the senior security executive for Citibank/Citigroup, JP Morgan, and most recently Merrill Lynch - and has been a force in raising the visibility and shaping the direction of the security industry at industry and government levels.

Deeply respected within both the financial services and security industries, Katz has testified to Congress on information security issues and was appointed as the Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury.

Other credentials include: Founder and Chairman of the Financial Services Information Sharing and Analysis Center; Chairman of the American Bankers Association Information Systems Security Committee; Vice Chair, Financial Services Roundtable-BITS Security and Risk Assessment Committee; member of the New York Clearinghouse Banks Data Security Officers Committee; and member of the Securities Industry Association Information Security Committee.

TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. We're talking today with Steve Katz about the information security profession, specifically the future of it. Steve, thanks so much for joining me today.

STEVE KATZ: My pleasure. It's an exciting field and gets more exciting every day.

FIELD: Well, it does. You've had a long and distinguished career, and I know you have a lot of thoughts on the information security profession. How has the role changed in the time that you've been observing it?

KATZ: If you look at it on a time continuum, it has gone from being technologically focused, mainframe security-focused with a strong emphasis on technology and a strong emphasis on access control, to a compliance-focused effort, where it was making sure that you met all the regulatory requirements and what needed to be done to make that happen. You have to do it because it's a compliance need, to much more of a risk-based focus. With the lack of compliance, it's another risk that has to be addressed. It is really focused to where people have to be almost experts in an area, where somebody has to be managerially expert and have strong negotiation skills and strong team-building skills with the role of an information risk to an operations risk kind of role. You have to ensure the absolute buy-in of business and executive management. With information security/information risk as a business within a business, your board of directors consists of the people who provide you funding, so if you can't make an executive business case, you're not going to get the funding for it. The security officer has to work with the technology areas. They have to be very confident and comfortable with the business and financial areas. It also deals with trying to figure out why one is better than another and why it's in the company's or business's best interest to ensure the respective level of security in that business and across the enterprise.

FIELD: That sounds like you're stretching people in ways that they haven't been stretched before.

KATZ: To be a successful information risk executive, you have to believe that you are and that you have a seat at the executive table. Make sure that the other executives in the corporation realize you belong there. Go to them and say, "There are risks that have to be addressed. Let me understand the risks you're dealing with. Let's understand what I can do to meet your needs, and let me explain to you what information risk is all about." Security officers spend a lot of time talking about education and awareness, and it's primarily focused on training and educating. A greater amount of time has to be spent educating and making the executives aware so they understand that information and risk management are providing significant values to their customer base. It really allows them to grow their products and services faster, because you're really coming to them, saying, "We can assure you that we know who we are dealing with. We can assure you that we know the risks that the enterprise is facing, and we will be there, not just during a problem, but we will be there as an executive partner in helping you to deliver effective products and services to your customer base." A challenge we used to face in the compliance area during the technology-focused days was that the information security officer would be the one to dictate what would have to be done, and they would show up at the executive door only when there was a problem. Now, it's much more of a partnership between information/risk management and security, and the information organization has to be one that has technological expertise in the organization, having marketing education, training and awareness of the organization, and project management within the organization. And the security executive has to really be exactly that, the security executive.

FIELD: We have a lot of sponsorship for security right now, starting with the Obama administration right through government and business. With this kind of attention that security gets now, what's the future of the information security role going to be? What are the challenges for someone getting into that position now?

KATZ: There couldn't be a better time to be involved in information security. It is getting national attention, it will continue to get national attention, and I think there is a strong understanding that information risk and security has to be at a national, international, and enterprise level. People have to be able to understand what the foundations of information security are and keep on top of the levels of threat that are out there to recognize that there is great strength in numbers and people are working together, trying to help solve problems together. There's a group called "Connective Services Information Sharing and Analysis," that brings together information security professionals. You develop a situation where more people come together. You have to draw on industry expertise, security expertise, and develop a foundational network across the geographical region in which you work. Couple that with negotiating skills and recognize that information security focuses on what has to be done to negotiate with limits in the enterprise to get the resources. Having a strong ability to manage, influence and effectively be a leader within the enterprise, as well as within the information security community, is essential.

FIELD: It just tells me that ten or fifteen years ago, someone might have gone into security from a traditional IT route, and maybe they studied engineering or computer science. But the baseline just seems to be so much higher now for someone that wants to get into this and make it a real profession.

KATZ: You can come into it the same way, but it's recognizing that you have to figure out where you want to be. There is room in information security for the strong technologist. The question is, if you want to go into the executive security role, going back to school or working within the corporation to expand your knowledge. Knowledge of finance is incredibly important. Where I find it intriguing is that often you speak to a security officer and they really don't have a firm understanding of the products or services that their companies are offering. Know your company. Know your business. I'm not saying don't maintain your technological, engineering or computer skills, but really understand what skills you are lacking, what education you need, and then go after it.

FIELD: That makes sense. Steve, if you were to start over today, what would you emphasize in starting your career?

KATZ: I was fortunate that when I started in information security, there wasn't anything. Whatever I did was pretty much a green field. Today, it is recognizing that there is a profession out there called information security or information risk management, and you can make a choice to be part of it. There are certainly excellent educational opportunities, and I'm a firm believer in the program that Gene Spafford offers at Purdue. George Mason has some pretty good programs. Get a solid academic grounding in what it is you're supposed to be doing and say, "Is this a career choice I want to make?" Because it is a choice, it is an opportunity that will take you from entry level to some very challenging, very high-paying professions in very large enterprises.

FIELD: Very good, Steve. Thanks for your time and insight on careers.

KATZ: My pleasure.
