Security Risk Solutions, LLC, Owner
Steve Katz is widely known in security circles as the very first Chief Information Security Officer (CISO). As Katz puts it, “I got my start in this business way before there was cybersecurity, and way before there was anything.”
Katz started his lifelong career in security with an internal consulting group at Citibank in the 1970s. “We put together, among other things, a handbook for product lifecycle design and system quality assurance activities. One of the things we included in there was a requirement for an ID and password module in COBOL and FORTRAN programs, which is so primitive by today’s standards, but it was a first step toward securing applications,” says Katz.
Around the same time, mainframe security products were starting to hit the market. “Since I had something that looked like a lot of experience in security – which nobody really had – I was recruited by Morgan Guaranty [now J.P. Morgan & Co.] to help set up a security department,” says Katz. “I eventually led the department at a time when companies were just beginning to install mainframe security products and take them seriously. It meant working with a couple of products in the market at that time—ACF2, Top Secret and RACF. We defined the requirements for configuring RACF and put together a help desk so that when somebody had a problem, we’d be able to deal with it. The help desk was really my admin’s desk telephone. The backup to her phone line was a tape answering machine.”
Hinting at the first FS ISAC
At that time, as it still is today, the financial services industry was on the leading edge of information security. In fact, Katz was involved in forming the precursor of today’s FS ISAC. “We set up a process where the data security officers at all the major New York banks got together every three months,” says Katz. “We rotated which bank would host the meeting. There were only two definite aspects to the meeting each quarter. One, the host bank had to supply doughnuts, bagels and coffee. And two, the last item on the agenda was to decide who was going to host the next meeting. Holding these regular meetings was the sensible thing to do. We all got together because we could share problems in this very new area of security. We could talk about what issues everyone was dealing with, and what products were working well for some and not working well for others.”
Katz says this unofficial group was an ISAC before ISACs became a real thing. “It was just a group of between 8 and 12 of us that got together and worked through data security in its very early stages, and every three months we were there,” he says. “When there was a problem, we had everyone’s home number, pager number, and office number. This group was the embryo before what ultimately became the ISAC before anyone even thought of the term ISAC.”
These were all New York banks, and therefore competitors, but they realized then, as they do today, that banks may compete for customers in the marketplace, but security is not where they compete for advantage. Sharing information was something the banks needed to do for their own benefit as well as for the benefit of the whole sector. The group members realized early on that a breach at any one of the banks could carry over to all of them.
PCs came out in the early 80s. According to Katz, “The rule in IT at the time was ‘thou shalt not bring it up, PCs or Macs.’ That didn’t go over very well, as the staff wanted to use PCs. Then the ruling came down, ‘thou shalt not connect the PCs to anything,’ but that didn’t last very long either.”
Morgan had one of the very early dial-in networks. Pre-internet, it was just direct dial, and people soon found that phone hacking was a big deal. A war dialer was a program that, loaded onto a computer, dialed through whole ranges of phone numbers; whenever it detected modem tones on the other end, it saved the number so the attacker could come back later and try to get into the system. The war dialer hung up if it didn’t get an answer within three rings, because the hackers wanted to get through as many numbers as possible to find the ones that could get them onto the bank’s network. Katz was responsible for security at his bank, so his team set their inbound modems to answer on the fifth ring rather than the third. The war dialers of the day therefore passed the bank’s modems over. If only it were that easy to defeat attacks today!
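The ring-count trick only works against a dialer less patient than the modem, which is the caveat worth keeping in mind. The simulation below is an added illustration, not code from the article or from the bank: the number range, the modem pool and the ring settings are all constructed. A dialer with a three-ring budget records only the legacy modem that still answers on ring three; the same scan with a six-ring budget finds every modem, hardened or not.

```python
"""Simulated war dialer vs. modem answer-ring settings.

Added illustration, not code from the original article. The modem
pool, number range and ring counts below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Modem:
    number: str
    answer_on_ring: int  # the ring on which this modem picks up


# Constructed sample: a small dial-in pool. One legacy modem still
# answers on ring three; the others were reconfigured to answer on five.
SAMPLE_LINES = {
    "555-0101": Modem("555-0101", 3),
    "555-0102": Modem("555-0102", 5),
    "555-0103": Modem("555-0103", 5),
}
# 555-0100 and 555-0104 are ordinary voice lines: no modem, no carrier.


def war_dial(prefix, start, end, ring_limit, lines=SAMPLE_LINES):
    """Dial prefix-start .. prefix-end, hanging up after ring_limit rings.

    Returns the numbers at which carrier tone was heard, i.e. the numbers
    a dialer with this much patience would save for a later break-in attempt.
    """
    found = []
    for n in range(start, end + 1):
        number = f"{prefix}-{n:04d}"
        modem = lines.get(number)
        # Carrier is only detected if the modem answers within the dialer's
        # ring budget; otherwise the dialer hangs up and moves to the next number.
        if modem is not None and modem.answer_on_ring <= ring_limit:
            found.append(number)
    return found


def hidden_from(ring_limit, lines=SAMPLE_LINES):
    """Modems that a dialer with this ring budget would never record."""
    return sorted(
        m.number for m in lines.values() if m.answer_on_ring > ring_limit
    )


if __name__ == "__main__":
    # A three-ring dialer sees only the legacy modem ...
    print("3-ring dialer finds:", war_dial("555", 100, 104, 3))
    # ... while a more patient attacker defeats the delay entirely.
    print("6-ring dialer finds:", war_dial("555", 100, 104, 6))
```

Run it and compare the two lines of output: the defense is a property of the attacker’s timeout, not of the modem, and a single legacy modem left on the old setting is enough to give the pool away.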
Katz’s security team logged all network activities and access attempts. “If there were three attempts at a password and it failed, we’d get a report fairly early on and it became an incredibly good marketing tool for security because we were able to reach out to the bankers and tell them, ‘We think one of your customers is having a problem. You may want to get back with them.’ The mantra that we put together way back then is that information security is a business management risk issue,” says Katz. “People weren’t thinking of security that way. We were really forward-thinking with that thought process.”
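The three-failures report Katz describes is, in modern terms, a threshold detection over access logs. The script below is an added example, not code from the article or from the bank’s systems: the log format, the user IDs, the port numbers and the one-hour window are all constructed assumptions, since mainframe security products of the time logged in their own formats. Two design choices matter for keeping the report useful to the bankers it was sent to: a successful logon clears the failure count, so a customer who mistypes twice and then gets in is not reported, and failures are only counted inside a sliding time window, so three misses spread across a day do not look like an attack.

```python
"""Failed-logon report built from access-attempt logs.

Added illustration, not code from the original article. The log format and
the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, customer user ID, dial-in port, result.
SAMPLE_LOG = """\
1988-03-14T08:01:10 user=ACME01 port=07 result=OK
1988-03-14T08:02:33 user=GLOBEX port=03 result=FAIL
1988-03-14T08:02:51 user=GLOBEX port=03 result=FAIL
1988-03-14T08:03:20 user=GLOBEX port=03 result=FAIL
1988-03-14T08:05:02 user=ACME01 port=07 result=FAIL
1988-03-14T09:40:00 user=ACME01 port=07 result=FAIL
1988-03-14T09:41:15 user=ACME01 port=07 result=OK
1988-03-14T11:15:00 user=ZENITH port=09 result=FAIL
1988-03-14T13:20:00 user=ZENITH port=09 result=FAIL
1988-03-14T13:21:00 user=ZENITH port=09 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) port=(?P<port>\d+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Yield (timestamp, user, port, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["port"], m["result"]


def failed_logon_report(log_text, threshold=3, window=timedelta(hours=1)):
    """Users with at least `threshold` failures inside one sliding `window`.

    A successful logon resets the user's count, so the report only names
    IDs whose failures were not followed by a success. Returns a dict
    keyed by user ID with the first and last failure time, the port and
    the number of failures that triggered the report.
    """
    failures = defaultdict(list)   # user -> timestamps of recent failures
    flagged = {}
    for ts, user, port, result in parse(log_text):
        if result == "OK":
            failures[user].clear()
            continue
        fails = failures[user]
        fails.append(ts)
        # Discard failures that fell out of the window.
        while fails and ts - fails[0] > window:
            fails.pop(0)
        if len(fails) >= threshold and user not in flagged:
            flagged[user] = {
                "first": fails[0], "last": ts, "port": port, "count": len(fails),
            }
    return flagged


if __name__ == "__main__":
    for user, info in failed_logon_report(SAMPLE_LOG).items():
        print(f"{user}: {info['count']} failures on port {info['port']} "
              f"between {info['first']:%H:%M} and {info['last']:%H:%M}")
```

On the constructed log only GLOBEX is reported: ACME01’s two failures are ninety-five minutes apart and end in a success, and ZENITH’s first failure is more than an hour before the other two. Widening the window to three hours adds ZENITH but still not ACME01, which is the behaviour you want when the report goes to a banker rather than to an analyst.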
Talk business to get your point across
Shortly after PCs became commonplace on workers’ desks, computer viruses started to grab the headlines. Katz arranged for the founder of an early anti-virus company to come in and demonstrate the virus detection technology he had developed. He ran it on a couple of PCs and found viruses on them. The next day, Katz was called upon to talk to the bank’s Board of Directors about the threat of computer viruses.
“I walked into the boardroom at Morgan Guaranty Trust. It’s a huge, old-time boardroom with paneled walls and an enormous table, and all the board members were seated around it,” says Katz. “They knew little to nothing about security but I said, ‘You may have heard something about computer viruses. First thing is, you can’t catch them. They don’t hurt humans. I just want you to picture something. You are sitting in a trading room at a trading terminal and before your eyes, sixes and sevens become nines, fives become eights, threes become zeros. What does that do to your trade?’”
“They asked, ‘Can that really happen?’ and I said, ‘You bet.’ There was just a look of shock on their faces,” says Katz. “They asked if we could do anything about it, and I told them I had just seen a demonstration of a product that could significantly minimize the risk. They said, ‘How much does it cost?’ and I said, ‘400 thousand.’ They said, ‘Go get it.’ I think this is a key lesson for any security professional: if you don’t get your message across in business terms, you’re not going to get what you want. The focus is, how do you best translate what you want to say into things that are meaningful to the company you’re working for?”
Katz provides a lesson that all security professionals should learn. “Everyone needs to ask themselves, are you doing something to improve trust in the company? Are you doing something that will enhance the customer experience? Are you doing something that will help control cost? And by the way, when you’re doing all those things, you have to improve security,” he says. “The first thing to think about is, what are the business issues you plan to address and resolve? If you’re not working towards a business issue, then there’s no need for what you’re doing.”
Answering the call at Citicorp
In about 1994, there were rumors that Citicorp had been hacked. It was kept very quiet, and no one knew for sure. Katz got a call from a recruiter asking him if he’d be willing to speak with Citi because he was one of the first people around with a lot of knowledge on information security. Going into the meeting, his main purpose was to find out what had happened at Citi so he could make sure it didn’t happen at Morgan.
After three or four months in the interview process, Katz learned that Citi’s development data center for the international funds transfer system had been hacked. “It was a development center but they were doing everything wrong,” he says. “They were using production data—live data and live ID and password files. Once the bad guys got in there and figured out what they had, they then went after the international funds transfer system. Fortunately, an account clerk looking at a printout saw some transactions and said, ‘My customers don’t do this.’ This raised the alarm.”
At that point, $400,000 was already lost. Roughly another $10 million went across the wires but wasn’t lost. As people came into the bank to pick up the money, they were arrested. The matter was significant enough that the board directed the CEO to go get a security executive, put that person in place and make sure it didn’t happen again. Katz took the job, becoming the industry’s first Chief Information Security Officer, reporting to the CTO, who reported to the CEO.
John Reed, Citi’s CEO at the time, was very active with the issue of information security. “The direction was, when this becomes public – and it did three weeks later – to make sure that we had a way of explaining this to our international banking customers so we didn’t lose any, and to go ahead and build the best security program and department that existed anywhere,” says Katz. “It was a wonderful challenge to go do it and do it right.”
Security’s purpose is to solve business problems
As Katz built out his team, he told everyone that everything they did is a business risk management issue. They were there to solve business problems. “When I got to Citi, I put together a set of six or seven questions that I used to talk to the people in the business areas. I called it security in a nutshell,” says Katz. “I asked questions like, do you care who your transactors are? If you know who they are, do you want to be able to control what they do? Do you want to control spending limits, lending limits, trading limits? Is the confidentiality of data important to you? Is the integrity of data important to you? If it’s a transaction, do you want to have a signed receipt going back and forth? If there’s a problem, do you want to know about it? How soon do you want to know about it? If the problem results in technology not being available, what is an acceptable time in which systems are unavailable?” Katz says those questions became the foundation of everything they were doing.
As soon as the hack became public, Katz embarked on a world tour of Citi’s top 20 clients to meet with their heads of trades or heads of finance. “We essentially built a spreadsheet with the questions, the functions, and what Citi was doing at the time to answer those questions. We outlined what we’d be doing in six months, which showed there would be improvement,” Katz says. “Then I suggested to these folks, our customers, to run the same questions by the security teams in their banks, in their own companies, to see how they were doing. I told them to go out and talk to the other banks they were dealing with and have those banks provide the answers to these questions so they would have a framework and a means of comparing one bank to another in terms of online security.”
As a result of those discussions, Katz got phone calls from a number of those major customers who told him the other banks wouldn’t discuss the questions because of security. “My reaction to that was, that’s bogus,” says Katz. “I told them, ‘You are the customer, you need to know this.’ Citi did that with its customers as a result of the hack. It caused Citi to be upfront and forward with, ‘Here’s what happened. Here’s how we’re dealing with it now. Here’s how we’re going to deal with it in six months.’ Giving our customers this information was just incredibly beneficial.”
Katz then built out his security team, growing it to well over 600 full-time or part-time security professionals around the globe. That was quite a large team at the time. Katz says they embraced new concepts that are now very common, like having business information security officers.
“We had people in each business area as business information security officers,” says Katz. “They were working in the business, understood the business, were getting trained by the business, and based on the business we then trained them in information security fundamentals. They became ambassadors and our eyes and ears into each line of business. We also put together training programs for these people and held an annual retreat to get a bunch of them together. We created a group of well-trained professionals who lived and worked within the businesses themselves, and their credibility became widely accepted.”
Katz says he spent at least half his time, besides being the CISO, as the chief security evangelist. He went from country to country and line of business to line of business, talking about security and embedding a culture of security knowledge within the lines of business.
The team put together sets of security awareness videos. “We had the CEO, John Reed, on the first one saying, ‘Citibank sells two products, money and trust. If we can’t sell the trust, we won’t be able to sell the money.’ It became very much a trust focus issue,” says Katz. “We learned early on that business leadership and financial leadership are interested in risk, they’re interested in trust, they’re interested in the quality and integrity of information. They’re not interested in security per se. They’re interested in making sure that nothing is done to hurt the brand or to impact the view of trust that people had going to Citibank.”
The real FS ISAC is born
In 1997, President Clinton set up a task force to look at the security of the critical infrastructures within the United States. At that time, they identified eight critical infrastructures, financial services being one of them, and the relevant cabinet secretary for each was directed to appoint somebody within that department to be the focal point for critical infrastructure protection. Alongside that government focal point, each infrastructure was to have a sector coordinator for critical infrastructure protection drawn from the industry itself.
Katz was asked to be the sector coordinator for financial services. “They came up with this concept of an ISAC, an Information Sharing and Analysis Center,” Katz explains. “We had a couple of meetings in late 1998, and in April of 1999 we set this thing in motion. The idea was to have an ISAC up and running by October of 1999, in time for Y2K. The same banks that got together in New York became the foundation of what ultimately became the FS ISAC. A number of the banks, Citi included, each put in $150,000 to get the ISAC off the ground. We had the total support of Robert Rubin, who was the Secretary of the Treasury at that time.”
From those humble beginnings, the FS ISAC has grown to more than 6,000 member banks today. The members share information among themselves, hold crisis management and crisis contact phone calls, and run two conferences a year in the U.S. as well as a number of international conferences. What started as a dozen people around a table has blossomed into a large and global effort, and there has been very close cooperation between the FS ISAC and the U.S. Treasury Department all along.
A CISO for modern times
The security programs of Katz’s early career seem primitive by today’s standards. “If you look at what’s around today, the attack surface itself has increased dramatically, and the bad guys’ skills have increased as well,” says Katz. “Still, the whole idea of recognizing this as a risk issue and a business enablement issue is incredibly important. The best CISOs out there are the ones who are able to work with, meet with business leadership on a regular basis and develop a level of credibility and make sure that the businesses understand that it’s a business risk issue, not a technology issue. The CISOs need to gain their cooperation in buying, in terms of funding, in terms of why there’s a need for security, what it does for the business, what kind of operational improvements this can bring about, what kind of marketing can this bring about.”
Katz says it takes a person who is technologically knowledgeable along with being able to communicate and negotiate and be presentable to the board. The Gramm-Leach-Bliley Act of 1999, through the interagency information security guidelines issued under it, requires a financial institution’s board of directors to oversee its information security program and to receive a report on the state of that program at least annually, which in practice puts the CISO in front of the board on a regular basis. “More and more I think you find that the absolute best CISOs are those who can thoroughly understand security, understand technology but be incredibly adept at regularly meeting with business leadership and the board,” says Katz. “I’ve mentored a number of CISOs and I’ve been doing that for most of my career.”
According to Katz, “The worst bind you can get into is people looking at security and saying, ‘Oh, it’s just technology. Let the technology guys take care of it. That’s a CIO problem, I’ve got a business to run.’ Wrong. Your business has to be available. If confidentiality is important, you’ve got to make sure it’s taken care of. You have to know who you’re dealing with. If what they’re doing is important, you have to make sure that there’s an effective way of doing that. How long can the business survive if your technology is unavailable? You want to give some very interesting kinds of perspective in terms of what’s really important, all the while creating a culture where information risk or technology risk is part of the undercurrent of everything that a company does.”
Four decades and counting
Steve Katz’s long and storied career has already surpassed four decades, but he continues to be involved as a consultant and as an advisor to Deloitte’s security risk practice. His own consulting practice largely focuses on mentoring and coaching security organizations and other companies.
On the personal side, Katz has lived in New York his entire life. He’s married and has a family of five kids and 13 grandchildren. Even with his children and grandchildren, Katz has a lot of talks about the importance of reaching out and helping, the importance of networking and the importance of mentoring. “Whatever we’re telling them, it must be working, because they all look after each other, take care of each other, and push one another to be successful.”
It looks like success runs in the Katz family.