Part I: A Lesson from the World's very First CISO
Shamane Tan
Chief Growth Officer, Sekuro | Best-Selling Author, TEDx & Global Keynote Speaker | LinkedIn Top Voice'24 | ARN Shining Star Multinational Winner | 40 under 40: Most Influential Asian-Australian
It was 10 p.m. in the evening as I got ready for a very important call. In the last few years, I have spoken to more than 70 C-Suite leaders around the world for the newly published edition of my book Cyber Risk Leaders. I have now met with global Chief Information Security Officers (CISOs) from multinational corporations, big banks, government CISOs, critical infrastructure, all the way through to the ex-FBI, Navy SEAL, and NSA, etc.
Yet, I still found myself getting excited about this impending call to New York. This CISO on the other line was going to give me a peek specifically into the corporate world of cybersecurity, which he has been living in for more than 30 years. "Hello!" I started.
"Good morning, Shamane!" Steve Katz piped in, "it must be late over there."
Brownie points for those who immediately recognised the name.
Yes, Steve Katz is a legend in the field of #cybersecurity #infosecurity #ITsecurity. He is publicly known as the world's first CISO. Since 1985, he has served as the senior executive for Citibank/Citigroup, JP Morgan, and Merrill Lynch.
Steve was so good to talk with. We probably could go on for hours, but had to stop at an hour and a half. From telling me he still has a little merlion sitting at his desk from his trip to Singapore more than 15 years ago, to his fond memories of being in Australia, I felt like I was speaking to a friendly mentor. I realised how passionate he was when we started diving deeper into the questions that I had for him.
I quickly became aware that I might need to have a second print of my Cyber Risk Leaders book ready as I was not going to want to keep all these insights to myself. Right after our conversation, I was inspired to start writing again.
But first, my biggest takeaway from speaking to Steve is that he exemplifies information security as a business risk. It was never just about security or technology for him. Then, there is also the fundamental value that he operates by:
"There's a time to get paid to make a recommendation, and there's a time to get paid to make a decision. If you get fired, get fired for doing the right thing. But make the right decision."
I love it! Here was a man who was unafraid of the consequences, as long as his conscience was clear. And this empowered and enabled him to think creatively and find genuine solutions which led to one of the greatest achievements in history: dealing with Citicorp's first hack by a Russian group back in 1994, and saving the global bank from losing a single customer out of their top 20 international banking customers. What a story. I can't wait to feature them in the next 2nd edition!
Steve was very obliging in sharing his thoughts whenever I threw different questions his way. I marvelled at the fact that when you fast forward into the year 2019, almost 30 years later, the mantra that information security is a business management risk issue is still very current and relevant. Back then, Steve demonstrated an incredible amount of foresight and forward-thinking to focus on working on addressing and resolving business issues.
As part of building the cybersecurity ecosystem and sharing information, I would like to ask this of my network: "What are some of the creative yet effective ways you have talked to the business and got your points across? Any success stories to share?"
Please share them in your comments below. I am looking forward to reading them!
This is Part I of a Five-Part #CoffeewiththeCSuite Series:
Part II: Coffee with a Former US President's CISO
Part III: The View of Cyber Risk in the Retail Industry?
Part IV: The CISO's Strategy
Part V: Fireside Chats with the Board
To read the entire collection of the CISO kit including global C-Suite insights and perspectives across industries, you can now get your very own Cyber Risk Leaders book in stores or the e-book on Amazon, Kindle or Google Play Books.
About the Author
Shamane Tan is a published Author of Cyber Risk Leaders and the APAC Executive Security Advisor at Privasec, a leading and independent Security Consulting Firm. She has worked with exciting start-ups all the way to global organisations extensively in the Asia-Pacific region. Shamane advises the C-Suite and IT Executives on their business security posture to the reality of the challenges they faced from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup which is in four major cities in Australia, as well as Singapore. Her meetups offer Security Enthusiasts and Executives a unique platform to impart and exchange innovative insights.
Chief Risk Officer | Risk Management | Digital Risk | Compliance | Controls
5y: What a great opportunity to speak with someone with such a deep cybersecurity knowledge and level of experience. Thanks for sharing this, Shamane!
Senior Business & Technology Executive w/ consulting, operations, presales, & program/project/product mgmt experience.
5y: Steve is not only a great security and business risk leader but more important he is a great person that is always willing to help others. Citigroup forever will operate its security and risk operations in the model that Steve established and most others have duplicated in one manner or another. Anyone that has the opportunity to work with Steve (he still consults) will be enriched professionally and personally.
Cyber Specialist / Cyber Board Roles
5y: Shamane Tan book will be available for purchase at all sessions during our Oct event! Please promote wacyberawards.com.au
Cybersecurity | JP Morgan | CISSP, CCSP, CISM, PMP, AWS Cert | SG100 WIT 2021 | ISC2 Global Achievement Awards Recipient |Woman of the Year 2023|Top20 Women in Cyber-SG & Asean| Global Top100 Leader in Security | Speaker
5y: Always a delight to read your articles, Shamane Tan. I had so many takeaways from reading your insightful book #CyberRiskLeaders. Pertinent and accepted by all gradually, that information & cybersecurity risk is one of the crucial business risk areas and in no way can these two be disjointed!