Choose, but Choose Wisely: What Skills Does a CISO Really Need?
June 09, 2014
The role of the CISO has shifted dramatically in the past ten years. Almost 20 years ago, in the early years of the information security officer role, the person who filled that position was focused on the very basics of security: antivirus, firewalls, and file system access control. At the time, there were no data security laws like HIPAA, no industry standards such as PCI or NERC, and no best practices such as NIST 800-53 or COBIT. There was just a small community, almost invariably culled from the ranks of IT. And for many years, they all functioned as appendages to IT, sometimes lucky enough to report directly to the CIO but, more often than not, relegated to a position with lots of hands-on activity, limited opportunity to give advice, and little ability to actually affect policy.