The Rise of the CISO: A Brief History of the Chief Information Security Officer

A detailed history of the Chief Information Security Officer (CISO) role, tracing its origin to Citicorp in 1995 and exploring how it evolved from a technical IT role into a strategic business function. The article examines shifts across decades, global trends, modern challenges, and how the UK has adopted and adapted the CISO title, often more slowly and with more variation than in the US. It concludes that the role remains critical but inconsistently defined, particularly in public and hybrid sectors.

History

The title “Chief Information Security Officer” (CISO) may seem commonplace today, but its origins are relatively recent in the long arc of corporate leadership roles. Born out of necessity in a time of rising digital threats, the role of the CISO has grown from a narrow technical function into one of the most strategically critical positions in the modern enterprise.

Origins: Citigroup and the First CISO

The term “CISO” is widely believed to have been coined in 1995 when Citicorp (later Citigroup) appointed Steve Katz as the first person to officially hold the title. Katz was hired following a series of cyber incidents that demonstrated the growing vulnerability of the bank’s digital infrastructure. His mandate was to centralise and formalise the company’s approach to information security, at a time when IT security was often a reactive afterthought.

While other firms had information security leads or heads of IT risk, Katz’s appointment marked a turning point: an executive-level role dedicated exclusively to safeguarding the organisation’s digital assets.

The 1990s: From Technical Oversight to Risk Awareness

In its earliest incarnation, the CISO role focused primarily on the technical side of cybersecurity:

  • Securing internal IT infrastructure
  • Establishing firewalls, antivirus systems, and access controls
  • Responding to emerging virus threats and cyberattacks

Security teams often operated in isolation, and the role was seen as a subset of IT, typically reporting to the Chief Information Officer (CIO). The emphasis was on technical safeguards rather than enterprise-wide risk.

The Early 2000s: Expanding Scope and Accountability

As the digital economy grew, so did the attack surface. In the wake of high-profile breaches and the introduction of compliance regimes such as Sarbanes-Oxley (SOX), HIPAA, and PCI DSS, CISOs found themselves pulled into broader conversations around:

  • Regulatory compliance
  • Data governance
  • Third-party risk
  • Business continuity planning

The role began shifting from “IT security expert” to “business risk manager.” Some CISOs began reporting not to the CIO, but to Chief Risk Officers or even directly to boards, recognising the cross-organisational impact of security decisions.

The 2010s: Maturation and Strategic Alignment

By the 2010s, cybersecurity had become a board-level concern. High-profile incidents (e.g., Target in 2013, Equifax in 2017) and the proliferation of ransomware attacks made clear that digital security failures could have existential consequences.

In this decade, the CISO role matured in several ways:

  • Strategic Integration: CISOs began influencing broader business strategy, risk appetite, and digital transformation plans.
  • Privacy Leadership: With GDPR and other privacy laws emerging, CISOs often took on overlapping responsibilities with Chief Privacy Officers (CPOs).
  • Cross-Functional Influence: Security now touches every department—from HR and finance to marketing and product.

Today’s CISO: An Executive Role Under Pressure

In 2025, the CISO is no longer simply a technologist but a hybrid leader—part strategist, part communicator, part risk expert.

Key themes defining the modern CISO:

  • Evolving Threats: Advanced persistent threats, supply chain compromises, and AI-generated attacks challenge traditional defences.
  • Regulatory Complexity: Navigating a patchwork of global laws (e.g., DORA, NIS2, CCPA) while aligning to standards like ISO 27001 or NIST CSF.
  • Talent and Burnout: Many CISOs face high turnover and burnout, given the 24/7 nature of the role and accountability without full control.
  • Board-Level Visibility: Increasingly, CISOs are expected to present directly to the board, communicating technical risks in business terms.

Reporting Structures: CIO or CEO?

The CISO originally reported to the CIO; many modern CISOs now report directly to one of the following instead:

  • The CEO, to emphasise independence from IT and signal strategic importance
  • The CRO (Chief Risk Officer), where cybersecurity is framed primarily as risk management
  • The COO (Chief Operating Officer), where cybersecurity is treated as an operational concern alongside governance, risk, and compliance (GRC)
  • The board or its audit committee, particularly in regulated industries

This shift reflects a broader recognition that cybersecurity is not just an operational concern but a fundamental element of enterprise resilience and competitive differentiation.

The CISO in the UK: A Gradual Shift in Language and Leadership

In the United Kingdom, adoption of the term Chief Information Security Officer (CISO) lagged behind the US. Throughout the late 1990s and early 2000s, British organisations tended to use titles such as Head of Information Security, IT Security Manager, or Director of Information Assurance, particularly within the public sector and financial services.

Cultural and Organisational Context

British corporate culture has historically placed less emphasis on C-suite titles than its American counterpart. The use of “Chief” designations, such as CIO, CTO, or CISO, became more common as UK companies expanded globally or sought to align with international governance and compliance frameworks. This was particularly evident among FTSE 100 firms and UK subsidiaries of multinational corporations.

As a result, the shift to the CISO title in the UK often came with:

  • Organisational Maturity: Firms adopting a more formal governance, risk, and compliance (GRC) model tended to elevate their security leads into the CISO role.
  • Cross-Atlantic Influence: The presence of US-based parent companies or clients, particularly in finance, legal, and defence sectors, encouraged the adoption of consistent C-level security nomenclature.
  • Regulatory Pressure: Standards and regulation such as ISO 27001, the UK GDPR, and the Financial Conduct Authority’s operational resilience rules demanded clearer lines of accountability for security, often prompting formal recognition of the CISO function.

The Public Sector and National Initiatives

In government and critical national infrastructure (CNI), the CISO title is still used inconsistently. Roles may be labelled Chief Security Officer (CSO), Departmental Security Officer (DSO), or Head of Cybersecurity, depending on departmental structures and risk frameworks. However, the UK’s National Cyber Security Centre (NCSC) and Government Security Profession have helped standardise the expectations of the role, even if the title itself varies.

Notably, the NHS, MOD, and Cabinet Office have all established formal CISO roles in recent years, often tied to digital transformation and cyber resilience agendas. Similarly, local authorities and universities increasingly appoint CISOs or equivalents to address the expanding cyber threat landscape.

Boards and the Role of the CISO in the UK Today

While many UK CISOs still report to the CIO, there is a growing trend, particularly post-GDPR and amid rising ransomware attacks, for CISOs to report directly to the CEO, CFO, or board risk/audit committees.

This transition is especially visible in:

  • Financial Services: Where PRA, FCA, and BOE requirements mandate clear risk ownership.
  • Legal and Insurance: As client assurance and cyber due diligence grow more demanding.
  • Higher Education and Research: In response to intellectual property threats and international cyber-espionage risks.

Conclusion: The Role Still in Flux

The CISO title may have begun with a single appointment in 1995, but its meaning and scope have transformed dramatically. Today, CISOs must not only secure systems but foster trust, support innovation, and guide organisations through a turbulent cyber and regulatory landscape.

And yet the role remains in flux, varied across sectors, inconsistently defined, and often under-resourced relative to its demands. In that sense, the CISO is not just a security leader but a litmus test for how seriously an organisation takes risk, reputation, and resilience in the digital age.

In the UK, the term CISO has gained traction, particularly in regulated and international-facing sectors, but remains unevenly applied. While the responsibilities of the role are increasingly well understood, the title itself is still catching up with the expectations placed upon it. For many UK organisations, the journey from “security manager” to “board-level cyber strategist” is ongoing.