Steve Katz, the first CISO in the history of cybersecurity

In the 1990s, information security was little more than a technical chapter in IT manuals.
Companies were digitalizing processes and infrastructure, corporate networks were beginning to connect to the outside world, but cybersecurity was not yet seen as a matter of governance.
Data protection was considered an operational task: updating systems, closing network ports, applying patches — all aimed at preventing disruptions rather than enabling resilience.

Yet, in that same decade, something happened that would change the perception of digital risk forever.
An event that led to the birth of a now indispensable role: the Chief Information Security Officer, or simply CISO.

1995: The Attack That Shook Wall Street

In 1995, the American multinational Citicorp, at the time one of the world’s most influential banks, suffered a cyberattack that made history.
A group of Russian hackers managed to penetrate the company’s systems and steal over ten million dollars.
The incident shocked the public and raised questions about the security of the entire international banking system.

What truly alarmed Citicorp’s executives was not the financial loss, but the realization that followed: despite heavy investments in IT, no one was actually leading security.
There were teams, tools, and procedures, but no central vision, no coordination between technology, risk, and business strategy.

A concept that seems obvious today was revolutionary at the time.
Back then, security was seen as a purely technical function, far removed from management decisions.
That attack revealed how dangerous that lack of vision was: even a global institution could be brought to its knees by a single blind spot.

For Citicorp, it was a wake-up call and a turning point.
The company realized that defending systems was no longer enough: security had to be governed, evolving from an operational task into a managerial responsibility.
A new awareness that would forever change how organizations understood cybersecurity.

The Birth of a New Role: The Chief Information Security Officer

From that crisis came an intuition that would change the history of cybersecurity.
Citicorp understood it needed a figure capable of guiding security at a strategic level, with a vision connecting technology, risk management, and business goals.

That person was Steve Katz, who had previously overseen Citicorp’s information systems.
He was a rare professional for the time, technically skilled, visionary, and sensitive to organizational dynamics.
Having started his career in the 1970s programming in Fortran and COBOL, Katz had witnessed the rise of mainframes and gained hands-on experience in managing system security.
What set him apart was his ability to elevate security to the board level, transforming it from a reactive function into a strategic, measurable, and cross-functional discipline.

His appointment marked the official birth of the Chief Information Security Officer role.

From Technician to Strategist: How Katz Redefined Corporate Security

Steve Katz was the first to give substance to the principles that would later define modern cyber governance.
He understood that security could no longer be confined to IT operations, it needed to become an organizational responsibility.

Under his leadership, Citicorp introduced one of the first coordinated security models, encouraging closer collaboration between IT, risk management, and corporate leadership.
Katz promoted shared policies, launched awareness initiatives, and brought security discussions into management meetings.

At a time when cybersecurity was still viewed as a technical issue, Katz reframed it as a matter of leadership and corporate culture.
His vision laid the foundation for concepts that now seem self-evident: risk governance, cross-functional collaboration, and the human factor as a key element of defense.

Citicorp and the Dawn of Cyber Governance

Katz’s approach proved successful.
Citicorp not only regained the trust of its customers but turned the crisis into a competitive advantage.
Security became a strategic pillar of the business, embedded in investment, innovation, and growth decisions.

The Citicorp model soon spread.
Within a few years, dozens of major companies, from global banks to energy multinationals, introduced the role of CISO into their structures.
This era marked the beginning of formal Information Security Management, and the birth of foundational frameworks like ISO 17799 (later ISO 27001), NIST, and COBIT.

From Katz’s Legacy to the Modern CISO

Thirty years later, the landscape has changed dramatically.
Digital transformation, IT/OT/IoT convergence, and the spread of cloud computing have expanded the attack surface and increased complexity.
Yet Katz’s lesson remains valid: security must be governed, not just implemented.

Today’s CISO is no longer a “server guardian” but an architect of digital resilience, orchestrating people, processes, and technologies through a data-driven approach.
They measure risks and impacts to guide investment, compliance, and continuity decisions.
European regulations such as NIS2 and DORA have merely formalized this evolution: security as a matter of governance, not technical maintenance.

Looking back, a clear red thread connects Katz’s intuition to the CISO’s mission today: the understanding that security is not a static goal but a continuous, adaptive process.
Organizations are now embracing this approach, building integrated, measurable systems capable of transforming complexity into clarity, and clarity into decision-making.

Conclusion

When Steve Katz accepted the role of CISO at Citicorp, the title didn’t even exist.
There was only a major problem, a reputational crisis, and an intuition: security had to become a business priority.

Today, every CISO who measures risk in real time or leads a resilience program continues that same story, one that began in 1995 with a man, a bank, and a new idea of security:
that digital trust is the first asset worth protecting.