20 Leaders Who Built the CISO Era: 2 Decades of Change

As part of Dark Reading's 20th anniversary special coverage, we profile the CISOs, founders, researchers, criminals, and policymakers who rewrote the enterprise risk playbook.


Dark Reading Editorial Team
May 12, 2026
41 Min Read
Source: Artur Marciniec via Alamy Stock Photo

Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them. Enjoy this special anniversary coverage celebrating where we've been and what's next.

Twenty years after Dark Reading debuted in 2006, the CISO era is no longer emerging — it's well-established. But you know what they say about standing on the shoulders of giants ...

It began with pioneers like Steve Katz formalizing the role at Citicorp and Howard Schmidt elevating cybersecurity to an administration-level hire in the federal government. Now cybersecurity has become a board-level risk, and the job of the chief information security officer (CISO) has expanded from block-and-tackle cyber defense into the realms of business resilience, national security, brand protection, compliance, and corporate trust.

This special 20th anniversary retrospective from Dark Reading traces a rich history of how a diverse set of voices reset the playbook for adversaries and defenders alike, and architected today's CISO-led world. We profiled 20 newsmakers, from Dan Kaminsky to Barnaby Jack, Katie Moussouris to Troy Hunt, Window Snyder to Kevin Mandia. There are some tarnished haloes in there too, like Edward Snowden, Kevin Mitnick, Marcus Hutchins, Albert Gonzalez, and Joe Sullivan, all of whom have been at the center of hard conversations about accountability, offense/defense dynamics, how enterprises should ethically respond to threats, and redemption narratives.

The list is by no means exhaustive, but we think it's representative. Each of these 20 profiles (organized alphabetically) has contributed to a practical road map for modern cyber defense: align cyber with business outcomes; modernize disclosure, collaboration, and crisis communications; bridge gaps between public and private, cloud and on-prem, the board and the SOC; pressure-test supply chain and third-party risk; prioritize safety for connected devices and critical infrastructure; and of course, ready your organization for AI-accelerated threats. Happy (dark) reading!

Click here for all of our DR20 content, which will be rolling out across the month of May. Keep checking back for new items!

'Get Rich or Die Tryin'': Albert Gonzalez & Cybercrime's Tipping Point

Albert Gonzalez. Source: Dark Reading

There was a time in the early 2000s when cybercrime busts were rare, and perpetrators were mostly nameless and faceless. That all changed in 2008, when federal authorities arrested 26-year-old Albert Gonzalez, the mastermind behind a massive hacking operation targeting some of the biggest names in retail (as well as card payment processor Heartland Systems). His self-titled "Operation Get Rich or Die Tryin'" spree marked the largest cybercrime and identity theft case in history for the US Department of Justice at the time, and his prison sentence of 20 years was the longest ever levied on a convicted cybercriminal.

Between 2005 and 2007, Gonzalez, whose online handles included "segvec," "soupnazi," and "j4guar17," hacked into retailers including TJX Companies, BJ's Wholesale Club, Office Max, Boston Market, Sports Authority, 7-Eleven, Hannaford Bros., and Barnes & Noble, as well as Heartland, stealing in total some 160 million-plus payment-card accounts. The financial damages to companies and insurers were initially estimated at hundreds of millions of dollars.

Even more stunning was the fact that Gonzalez committed many of his cybercrimes while working as a paid undercover informant for the US Secret Service, where he helped the agency engage and bust carders.

"Up to that point, most of the public still pictured hackers as kids defacing websites or pulling pranks," recalls David Maynor, a security expert with Tenable. "Gonzalez made it impossible to keep pretending. Real money was moving, with organized crews behind it, and companies were eating losses big enough to show up on quarterly earnings."

The case represented a shift in the hacking conversation: cybercrime had become a money-making profession. "Gonzalez changed the talking points. This wasn't curiosity-driven; it was repeat, profit-driven intrusion across multiple companies," Maynor says. "Law enforcement stopped treating hackers as lone explorers and started treating cybercrime as the business it actually was."

Gonzalez employed various techniques in the cyber heists, including "wardriving" near retailer Wi-Fi networks and installing sniffers that grabbed passwords and account information. He also later supplied his fellow hackers in Eastern Europe and the US with backdoor malware and SQL injection strings to exploit holes in store payment servers and snatch payment account data.

In 2011, Gonzalez unsuccessfully tried to appeal his conviction, arguing that the Secret Service had sanctioned his hacking and had made him feel like a part of the agency as he did their bidding.

According to US Bureau of Prisons records, Gonzalez was released in September of 2023, having served 15 years of his 20-year sentence.

Jennifer Granick: Battling on the Frontlines of Cyber Law

Jennifer Granick. Source: the ACLU.

The past two decades have seen a wide range of legal battles regarding cybersecurity and Internet freedom, and perhaps no one has been more involved in those battles than Jennifer Granick.

The former surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project, Granick began her legal career in criminal defense in the '90s, where she focused on digital law and computer crimes. Later, she helped create the Stanford Law School's Center for Internet and Society (CIS), which launched in 2000 as a program dedicated to technology law and policy. Granick led the CIS as executive director from 2001 to 2007, and later served as the civil liberties director at both the Electronic Frontier Foundation (EFF) and CIS before joining the ACLU in 2017.

During her career, she helped develop Internet and privacy law policy, including an exemption of the Digital Millennium Copyright Act (DMCA) in 2006 that allowed subscribers to "jailbreak" mobile device firmware in order to switch carriers, leading to other legal protections and DMCA exemptions in later years.

In addition to her policy work on cybersecurity and digital rights, Granick has been an outspoken critic of digital surveillance and authored the 2017 book American Spies: Modern Surveillance, Why You Should Care, and What To Do About It. But she's perhaps best known in cybersecurity circles as a staunch defender of security researchers and hackers over the years, including defending the late Internet activist Aaron Swartz. She has served as a board member of the Internet Security Research Group (ISRG), has spoken at several infosec conferences over the years, and gave the keynote address at Black Hat USA 2015, in which she warned that Internet freedom was dying.

"She is an unflappable voice of reason, and thus one of the first people I turn to when things get tough," Josh Aas, executive director and co-founder of ISRG, says of Granick. "You won't find a better person to help you get comfortable with uncertainty, talk through nuance without letting it bog you down, and feel good about where you land. More often than not, she'll even make it fun."

Troy Hunt Brings Breach Data to the Masses

Troy Hunt. Source: Troy Hunt

A long-time security consultant, Troy Hunt is best known for founding and operating Have I Been Pwned?, a database launched in 2013 that lets users enter their email address to check whether their personal information has been compromised in a data breach. As of this writing, the database includes 975 "pwned" websites representing 17.5 billion compromised accounts. No centralized public source of breach data existed prior to 2013. As a result of this work, Have I Been Pwned? has offered countless users the ability to gain a view of (and possibly take control of) their operational security in a way they might not have previously.

Hunt's impact extends far beyond individual lookups: the HIBP API has become important infrastructure for the security industry itself, powering breach notifications in password managers, browsers, and enterprise security tools used by many. Organizations like Mozilla, 1Password, the FBI, and Bitwarden use HIBP data to identify whether a user's data has been compromised or password ha

Originally published at darkreading.com