
Honoring Steve Katz: timeless lessons for today’s CISOs

Katz was recruited as the first CISO in history in 1995 after Citicorp’s systems were compromised and hackers stole more than $10 million from the bank.

Mags22, Dec 22, 2023

The cybersecurity community recently mourned the loss of Steve Katz, the world’s first Chief Information Security Officer (CISO). 

Steve’s pioneering work and visionary approach to infosec paved the way for today’s CISOs. As we mourn his loss, it’s a time to reflect on the lessons that current and future cybersecurity leaders can glean from his remarkable career.

Speaking the board’s “language”

“Data security, Information security, and information risk is a business risk issue. Not a technology issue. Technology doesn’t have risk. Security doesn’t have risk. Businesses have risk.” 

After the financial firm Morgan Guaranty detected a number of virus-infected PCs, Katz, who was the Head of Security at the time, needed to communicate the impact and remediation strategy to the board of directors; he faced pressure that many CISOs are familiar with today: 

Explain the gravity of what was fundamentally a technical problem to a non-technical audience.

In the conversation that eventually secured him a $400,000 budget for a solution, he focused on the business impact of the breach: 

“You are sitting in a trading room at a trading terminal and before your eyes, sixes and sevens become nines, fives become eights, and threes become zeros. What does that do to your trade?”

Steve Katz's hypothetical scenario about the transformation of numbers on a trading terminal vividly illustrates the potential chaos and catastrophic financial impacts that can arise from a lack of robust cybersecurity measures.

Translating the business impact of technical security flaws was key to acquiring resources for remediation. It’s a skill that Steve championed throughout his career and an ability that continues to define the role of the CISO.

Transparency & accepting risk as part of the role 

The CISO has to be confident enough to say, “Look, I can help reduce risk. I can minimize risk. I cannot make it go away.”

CISOs will always face an ever-evolving landscape of threats and vulnerabilities. A key aspect of the role involves not only recognizing and mitigating risks but also transparently embracing risk as part of any digital environment.

This involves being open about the potential risks and vulnerabilities within an organization’s digital infrastructure—and goes beyond just acknowledging the existence of risks. Transparency requires clear communication about their nature, potential impact, and the strategies in place to mitigate them. 

Most importantly (and a key challenge for many CISOs), it means keeping a range of stakeholders—from board members to the IT team—up to date on security posture and the rationale behind security decisions.

In any organization, understanding the “why” behind each task is crucial, as it fosters a culture of open communication and trust across all levels. This not only secures buy-in but also underscores the shared responsibility for important aspects like cybersecurity. 

When every team member grasps the reasons behind their tasks, particularly in security protocols, it cultivates a vigilant and proactive environment, essential for identifying and mitigating risks.

Strategically adapting to threats 

Throughout his career, Katz demonstrated an incredible ability to adapt to the rapidly changing landscape of cybersecurity. Responding to the Citibank breach that resulted in millions of dollars being stolen from customer accounts, he: 

  • Enhanced security measures: Katz spearheaded the development of more robust security protocols, including advanced encryption for data transmission and improved authentication processes for system access.

  • Embraced risk assessment and management: He initiated a thorough risk assessment to identify and prioritize vulnerabilities within Citibank’s systems, ensuring that resources were allocated effectively to address the most critical security gaps.

  • Established incident response protocols: Recognizing the importance of swift action in the face of a breach, Katz developed structured incident response strategies to quickly identify, contain, and remediate security incidents.

His actions mark a vital principle for today’s CISO: 

Addressing immediate threats should always be a priority, but laying the groundwork for future security strategies is the key to long-term cyber resilience in the face of advanced threat actors.

Learning from Steve’s legacy

As we honor Steve Katz, let's apply his hard-earned wisdom to the challenges and opportunities that lie ahead. It serves as a reminder that agility, continuous learning, and communication are key components of effective security leadership. 

Rest in peace, Steve Katz. Your lessons and leadership will not be forgotten.

Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box

Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors.

His career began with dedicated service to the U.S. Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies.

In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive.

At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.
