The role of the chief information security officer (CISO) has evolved from a niche technical position to a board-level strategic function. Over the past 20 years, a diverse set of leaders—researchers, executives, policymakers, and even former hackers—have shaped this transformation. This retrospective highlights 20 key figures whose work reset the playbook for adversaries and defenders alike.
Steve Katz: The First CISO
Steve Katz pioneered the CISO role at Citicorp in 1995 after a major breach. He emphasized that cybersecurity is about business risk, not just technology. His legacy includes integrating security into corporate strategy and advocating for diversity in the field.
Howard Schmidt: Bridging Public and Private Sectors
Schmidt served as cybersecurity coordinator under President Obama and as CSO at Microsoft. He helped develop the National Strategy to Secure Cyberspace and promoted public-private collaboration, establishing security as a governance priority.
Dan Kaminsky: Saving the Internet
In 2008, Kaminsky discovered the DNS cache poisoning vulnerability that threatened the entire web. He coordinated a multi-vendor patch and later contributed to telemedicine and accessibility tools. His work set a standard for responsible disclosure.
Barnaby Jack: Medical Device Security Pioneer
Jack demonstrated vulnerabilities in ATMs and insulin pumps, forcing industries to address physical device security. His research led to FDA cybersecurity oversight and international standards for medical devices.
Kevin Mandia: Defining Incident Response
Mandia founded Mandiant and shaped modern incident response and threat intelligence. His firm attributed cyberattacks to state actors like APT1 and responded to major incidents such as SolarWinds and Colonial Pipeline. He later sold Mandiant to Google for $5.4 billion.
Troy Hunt: Democratizing Breach Data
Hunt created Have I Been Pwned? in 2013, a free service allowing users to check if their data was compromised in breaches. The API now powers breach notifications for password managers, browsers, and the FBI, making security accessible to millions.
Katie Moussouris: Vulnerability Disclosure Advocate
Moussouris established vulnerability research programs at Symantec and Microsoft, and launched the US government's Hack the Pentagon bug bounty program. She has been instrumental in creating safe, legal outlets for cybersecurity researchers.
Window Snyder: Proactive Secure Development
Snyder helped create the Security Development Lifecycle at Microsoft, later moving to Apple, Mozilla, and Intel. Her work on proactive software security preceded major frameworks like CISA's Secure by Design, influencing how enterprises build secure products.
Jeff Moss: Building Hacker Culture
Founder of DEF CON and Black Hat, Moss created forums where researchers and companies could collaborate. His Voting Village exposed vulnerabilities in election systems, leading to policy changes and decommissioning of insecure machines.
Bruce Schneier: Linking Security to Real Life
Through his books and blog, Schneier has shaped public understanding of cryptography, privacy, and risk. He has held roles at Counterpane and Harvard Kennedy School, consistently arguing for measurable risk and resilience over fear-driven responses.
Chris Krebs: Election Security and Political Fallout
As the first director of CISA, Krebs oversaw election security efforts and declared the 2020 election the most secure ever. Fired by President Trump, he became a symbol of the politicization of cybersecurity, later facing security clearance revocation.
Joe Sullivan: CISO Accountability Under Fire
Sullivan, former CSO of Uber and Facebook, was convicted of covering up a 2016 data breach. His case highlighted personal liability for security leaders and sparked discussions about ethics and transparency in incident response.
Albert Gonzalez: Cybercrime's Tipping Point
Gonzalez masterminded the largest identity theft case of its time, stealing 160 million payment card accounts while working as an informant for the Secret Service. His 20-year sentence marked a shift in how law enforcement treats organized cybercrime.
Edward Snowden: Insider Threat Defined
Snowden leaked classified NSA documents in 2013, revealing mass surveillance programs. Viewed as either a whistleblower or a traitor, he forced a global debate on privacy and the insider threat, and later sought asylum in Russia.
Kevin Mitnick: From Fugitive to Security Guru
Mitnick became a household name after a high-profile arrest for hacking in the 1990s. Post-release, he authored books on social engineering and founded Mitnick Security Consulting, demonstrating how reformed hackers can contribute positively.
Marcus Hutchins: WannaCry Hero and Convicted Malware Author
Hutchins registered a kill switch domain that stopped the WannaCry ransomware attack in 2017, preventing billions in damages. Months later, he was arrested for creating the Kronos banking Trojan as a teenager, leaving a complicated legacy.
Charlie Miller & Chris Valasek: Automotive Security
The duo remotely hacked a Jeep Cherokee on a highway in 2015, forcing Chrysler to recall 1.4 million vehicles. Their work raised awareness of IoT risks and led to new security standards in the automotive industry.
HD Moore: Metasploit and Open Source Exploitation
Moore created the Metasploit framework, which democratized penetration testing. His Month of Browser Bugs project pressured vendors to prioritize security, and his later work on network visibility led to runZero, spanning IT, OT, and IoT.
Chenxi Wang: Cloud Security Visionary
Wang transitioned from analyst to executive to investor, shaping cloud-native security and identity-centric approaches. At Forrester, Twistlock, and now Rain Capital, she has influenced how enterprises secure multi-cloud environments.
These 20 leaders—from pioneers to controversial figures—have collectively rewritten the enterprise risk playbook. Their work continues to influence boardroom discussions, national policies, and the daily practices of cybersecurity professionals worldwide.
Source: Dark Reading News