As part of our Women in Cybersecurity Month, we are highlighting women and their careers, accomplishments and passions. This spotlight features Gail Coury, CISSP, who describes her cybersecurity career journey, including more than 25 years as a CISO.

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

Looking Forward, Looking Back: A Quarter Century as a CISO

Gail Coury, CISSP

The first chief information security officer, or CISO, was named 30 years ago. After Russian hackers infiltrated financial services giant Citicorp (now Citigroup) in 1995 and stole more than $10 million, the Citigroup Board instructed the company’s CEO to recruit a security executive to improve the company’s digital defenses. That person was Steve Katz, CISSP, who became the world’s first CISO. Five years later, in 2000, the software company JD Edwards appointed its first CISO. That person was me.

After 24 years of working as a CISO and three years serving as CISO at F5, I retired just one year ago. Over the course of my career, I’ve seen tremendous changes not only in the cybersecurity landscape that organizations face, but also an evolution of the CISO role in today’s organizations.

A CISO’s primary responsibilities are to develop and implement information security policies, manage cybersecurity programs and compliance, and ensure the protection of sensitive data within their organization. Over the years, the level of cyber risk has vastly increased, with cybersecurity advancing to keep ahead and maintain resilience in an ever-expanding arms race with cybercriminals – with the understanding that threats (and mitigations) will never stop evolving.

As cybersecurity has become an essential business requirement, with security compliance in many industries now mandated by governmental agencies, the CISO role has expanded beyond its original preventative security focus toward a more strategic business leadership position involved with identifying and managing risk. With these enhanced responsibilities have come increased, and perhaps unclear, levels of accountability.

It’s illuminating to look back at the forces and inflection points that have impacted cybersecurity over the past quarter century and understand how they have shaped the CISO function over time. I have seen significant change over the course of these 24 years, so let me share a synopsis of that journey.

My Journey

As CISO for JD Edwards, I worked to establish security policies and controls for a new public company. In 2003, the company was acquired by PeopleSoft and I stayed on as the CISO there. It was a tumultuous time as Oracle early on announced that it intended to acquire PeopleSoft. After 18 months of court battles, shareholder votes, etc., an agreement was achieved. In 2005, PeopleSoft became part of Oracle. I remained with Oracle for 13 years, leading various security teams and ultimately was CISO, Oracle Cloud. In 2018, I joined F5 as the GM of Silverline, F5’s cloud-based security services business. After three years of multiple acquisitions by F5 and consolidation of their services offerings, I stepped back into the global CISO role until I retired in March of 2024.

Birth of the CISO Role

There’s no mystery why CISOs came into existence around the turn of the 21st century.

The era of the fortress datacenter was ending. Computer networks were mostly internal to the organization and perimeter defenses like firewalls and intrusion detection systems could keep the bad guys out. In a span of just a few short years, personal data and financial information went from being stored on paper in filing cabinets in locked offices, to shared digitally across networked systems and accessible at your fingertips on mobile devices.

The late 1990s saw the first boom of the internet and the web. By 1997, Amazon had a million customer accounts and eBay had gone public. The dot-com bubble ensued, with a surge in online shopping and unbridled ecommerce. The Stanford Federal Credit Union in California became the first financial institution to offer online banking in 1994 and offered online bill paying in 1997. A bit later, in 2003, the Institute of Medicine released a study establishing the key capabilities for electronic health record systems.

With these advances, the reality of data privacy shifted as our banking information, credit card numbers, medical records and other personal identifying information were digitized and shared across networks. Initially there were limited protections for data and personal information in these increasingly interconnected networks. The first distributed denial of service (DDoS) attack occurred in 1999, followed by the Code Red and Nimda worm attacks that targeted web servers in 2001, and then by SQL Slammer in 2003, which spread rapidly and brought focus on the need to patch vulnerable systems.

The end of the millennium also brought with it the Y2K or Millennium Bug, which exposed the vulnerability of existing computing infrastructures that formatted dates with only the final two digits, raising the profile of CISOs and other security professionals tasked with fixing, ring-fencing or replacing affected systems. Organizations recognized the necessity of dedicated executives responsible for managing cybersecurity risks. The CISO role became increasingly strategic, responsible for developing and implementing information security policies, conducting IT risk assessments and building business continuity plans to address potential disruptions of normal operations.

A Changing Cybersecurity Environment

CISO responsibilities shifted again in the 2010s with the rise of cloud computing and the prevalence of mobile devices. Network perimeters became more fluid, with CISOs now required to secure data and access across dynamic and distributed environments and a wider range of devices and technologies.

Cloud computing meant new responsibilities for CISOs: storing and processing data in third-party clouds and datacenters meant that sensitive data had to be protected during transmission and processing. For the CISO, this involved implementing enhanced encryption and access controls for data and taking responsibility for vendor risk management for cloud service providers.

COVID-19 significantly reshaped workplace and IT priorities, highlighting the need for adaptive and resilient cybersecurity measures in the face of unprecedented business disruption. The global pandemic made work-from-home the new normal, with CISOs focused on policies for securing remote endpoints, implementing secure access controls, vetting remote collaboration tools and educating employees about best practices for remote work security. More than ever, the CISO’s responsibilities were business critical.

Workplace disruption was also catnip to malicious actors, with rates of cybercrime soaring during the early COVID years. The FBI reported that 2020, the first year of the pandemic, saw a 69% increase in internet crime over 2019. Phishing incidents rose 220% in 2020 compared to the year before. CISOs had to contend with a surge in cyberattacks, ransomware incidents and other malicious activities targeting remote workers and organizations adjusting to new working environments.

Looking forward, the rate of technological change is accelerating. Emerging technologies are poised to again impact CISOs and make cybersecurity more challenging.

Like many other technologies, artificial intelligence (AI) can be used for both legitimate and malicious purposes. Advanced AI and machine learning are now in use in cybersecurity systems to identify anomalies and potentially fraudulent activities. On the other hand, bad actors also harness powerful and ubiquitous AI to create more sophisticated and effective cyberattacks. Deepfake spear-phishing attempts, ransomware attacks and social engineering scams can easily bypass traditional security measures.

Easy access to powerful AI is also lowering the barriers to entry for cybercriminals, allowing them to more easily conduct sophisticated and damaging data breaches and fraudulent activity.

With Greater Responsibility Comes Greater Accountability

CISOs are also responsible for understanding their organization’s regulatory landscape and ensuring compliance with required mandates and reporting, an area that has also evolved greatly over the last 25 years. Governments and enforcement bodies are increasingly putting organizations on notice that cybersecurity is an important business issue, that companies need to pay attention to the accuracy of financial reporting, along with how they are securing the privacy of the personal data they process and store.

However, the degree of CISO accountability for cybersecurity compliance is unclear. Though CISOs may have responsibility for an organization’s cybersecurity, they aren’t usually members of the executive team, which has the ultimate decision-making authority to fund or implement CISO recommendations. CISOs don’t generally control corporate priorities, resources, funding, or investment decisions at the executive level, so their true accountability for enforcing organizational compliance with cybersecurity mandates is open to question.

How and when CISOs disclose security events has become an increasingly important aspect of the CISO’s job, as agencies such as the U.S. Securities and Exchange Commission (SEC) begin to question generic or boilerplate disclosures about breaches. To disclose or not to disclose will increasingly become a challenging decision for CISOs, as disclosure documents are usually reviewed and approved by executive team members before public release, muddying the CISO’s accountability if statements made in the disclosure don’t reflect the CISO’s point of view. CISOs will need to develop greater coordination with other teams and individuals (legal, finance, business, communications, board members) to ensure prompt and accurate decisions about the materiality of incidents.

Moving forward, cybersecurity disclosures and attestations, especially those that involve a security incident, should be discussed and resolved with executive leadership and board approval in addition to guidance from the organization’s CISO, who may be legally accountable for their impact. Greater transparency across leadership will be valuable should the decision be questioned at a later time.

My Advice to CISOs

A CISO’s most essential responsibility is to be prepared on multiple levels for events or situations that could compromise the security and integrity of an organization's digital assets. Over the years, this has meant that the CISO role has evolved from IT problem solver to a strategic business leader whose duty is to meet the challenges of an ever-changing cybersecurity landscape.

CISOs should now work alongside other executive-level leaders, board members and department heads. Together, they help safeguard their organizations from a wide range of cyber risks, negotiate compliance and regulatory requirements, and prepare for cyber resiliency. Organizations that come out positively on the other side of a cyber event are those that are well prepared, with open communication among business and technology leaders, and accountability placed with true decision-makers.

I have truly enjoyed the challenges I have faced over these 24 years as a cybersecurity leader. While I have retired from the full-time (and then some) daily role of CISO, I remain active in the cybersecurity community to drive continuing maturity of the profession through mentorship and my passion to accelerate diversity and inclusion for future cyber leaders.

Please feel free to connect with me on LinkedIn: linkedin.com/in/gail-coury.
