Business Information Security Officers (BISOs) have become increasingly popular over the last few years. But what they are, what they do, and how they relate to the CISO is not so obvious in organizations that do not have BISOs.
The evolution of the BISO
While the BISO might appear to be a new role, it is not – and understanding its past provides insights into its present.
According to Barbee Mooneyhan, the BISO affiliate leader within WICyS (Women in CyberSecurity, although gender is not relevant to the role itself), the appearance of the BISO was contemporaneous with the appearance of the CISO, if it did not predate it. Organizations were becoming increasingly aware of the need to secure their business information, so the role of BISO was created.
These positions had a business focus: different departments, lines of business, or geographical regions had their own BISOs to protect their own part of the business.
As cyber threats grew and attackers evolved, the concept of companywide cybersecurity became more prevalent. ‘Cyber security’ is now a more common term than ‘information security’, even though the two concepts are inextricably bound. The need for a C-level executive with overall responsibility for cybersecurity across all lines of business became apparent.
As a business grows and expands, the need for a CISO becomes more obvious (but note the title still contains ‘information security’). With the rise of the CISO, the BISO concept has dwindled in smaller companies, subsumed by the CISO – but it clings on in larger organizations with sometimes multiple and different lines of business. As globalization continues, the need for a BISO specializing in aligning security with different lines of business is beginning to reemerge and expand.
The role of the BISO
In general, “A BISO is assigned to provide security leadership for one particular business unit, group, or team within the greater organization,” explains Andrew Hay, COO at Lares Consulting. “Using a BISO divides responsibility in large companies, and we often see the BISOs reporting up to the central CISO for the organization.”
“A BISO is responsible for establishing or implementing security policies and strategies within a line of business,” adds Timothy Morris, chief security advisor at Tanium. “Before the BISO role became popular, other director-level roles performed similar functions in larger organizations as an information security leader.”
The precise role of the BISO varies from company to company depending on the needs of that company. “In some cases, the BISO will hold a senior position reporting directly to the CISO, CTO, or CIO,” explains Kurt Manske, managing principal for strategy, privacy, and risk at Coalfire. “At this level, the BISO acts as a liaison with business unit leaders and executives to promote a strong information security posture across the organization.”
Alternatively, the BISO may be lower in the organizational chart, and focused on supporting the cybersecurity controls. “In this capacity,” continues Manske, “the BISO may work closely with the cybersecurity team to ensure that security controls are being implemented effectively.”
In other organizations, the BISO may report directly to business unit leaders rather than to the cybersecurity or IT leaders. “This can be particularly relevant in organizations where business unit leaders have a clearly defined responsibility to align with cybersecurity and compliance requirements and where the BISO can play a key role in facilitating the alignment,” adds Manske.
The ability to collaborate between security and business is consequently essential. This can involve working closely with both technical and non-technical stakeholders to ensure that security is integrated into key business processes and operations.
While all this may be true, the ‘business’ origin of the BISO remains central to the role. The BISO needs to be close to the department it serves, must understand the business requirements, and must be able to translate the overarching cybersecurity policy as laid down by the CISO into actionable security at the business level. At the same time, the BISO must be able to communicate business necessities to the CISO. “It’s about bridging from your business to the security,” says Mooneyhan.
“BISOs have cropped up to bridge the gap between the technical and the business as it relates to cyber and information security,” adds Morris. You can almost consider the B of BISO as standing for ‘bridge’.
But the role should not be underrated. “An effective BISO must have enough autonomy and authority to make decisions,” continues Mooneyhan. “A BISO must have an executive ability in situations regardless of where they are in the structure. You can’t just have somebody at the table that’s saying things, and nothing happens. You need somebody at the table who can say, ‘We cannot do it this way. These are our options, and this is the best option.’ The BISO must be able to say ‘no’ when warranted; but it should always be a ‘no, but… this is how we can do it safely to get the business done’.”
A BISO should have the executive ability to do this in specific lines of business, and be able to bridge that gap between absolute cybersecurity requirements and genuine business needs. The skills required for such an executive role are extensive: IT, infosec, and soft skills. Manske summarizes them as executive presence, technical expertise, business acumen, communication skills, and alignment focus.
Being a BISO
Jo Justice is BISO for the Leidos Defense Group. She started her career in IT, more than two decades ago. “At the time,” she said, “I had no intention of becoming a leader – I simply wanted to be good at what I do.” However, the result was that she became the go-to person for IT queries, and the foundation for learning soft and communication skills was laid down.
About a decade ago, she got involved in cyber. She was no longer the go-to person – so instead of answering questions, she began to ask them. She wanted a better understanding of how cybersecurity and business should work together – and again, her soft skills were further developed.
“I didn’t know until recently that I wanted to become a BISO – they weren’t trending like they are today – although I knew years ago my ultimate goal was to become a CISO,” said Justice. “But as the BISO roles began to grow within my organization, I began to understand the requirements. I was able to reach back to my cyber relationship experiences, because that is key. I also have a very technical background and that’s equally critical because I am responsible for providing guidance, when necessary, on how to implement the CISO’s overall security strategy within the business unit I serve.”
Ann Hines is BISO at USAA – a provider of insurance, banking and financial products and advice to the military community. She has a similar view, and background, to Justice. “Having a strong security foundation is key,” she said, “and an IT background also helps in understanding what is possible, how to achieve it and who to engage in problem solving. It also allows for a bit of compassion and empathy in what you are asking folks to do.”
She too started in IT (in the US Air Force). “I began my career as an IT developer, network admin, and security admin, and then moved into security risk, vendor risk, and both IT and security ops roles. A strong sense of curiosity, what I call a ‘digger mentality’, a willingness to be constantly learning new things, being open minded to the possible, and strong communication skills are key to the role as well.”
She continued, “Some BISOs start in the business, some start in Infosec. The role requires the ability to articulate sometimes complex security topics and articulate risks in a language that the business finds meaningful and use that information to make more informed decisions. You must be willing to think of yourself as a business leader specializing in security risks.”
Alyssa Miller, currently CISO at Epiq Global, was formerly BISO at S&P Global Ratings. She described her BISO role as, “Focused on aligning corporate security practices with divisional business objectives to accelerate innovation and demonstrate the business value of security initiatives.” She describes her CISO role as, “Leading the cybersecurity program for the global organization. Aligning strategic security initiatives with business line objectives to ensure the protection of our customers’ data and privacy.” Clearly, the BISO role can serve as a rung on the ladder to becoming a CISO.
Relationship with CISO
A CISO is typically focused on strategy for enterprise security. “Often,” says Morris, “CISOs – especially in large organizations – can get so consumed with managing the ‘external’, such as the C-suite, shareholders, regulators, and so on, they don’t have the time to focus on the ‘internal’ duties required.”
Having multiple BISOs is a way of handling the delegation of duties, but the role is best seen as more than mere delegation: it’s more like an extension of the CISO, extending the CISO goals and objectives into the business.
Some CISOs may be dismissive of the BISO role, even seeing it as a threat to the CISO position; but this is a shortsighted approach, says Manske. “Rather than viewing the BISO role as a threat, I believe it should be seen as a valuable resource that can help to bridge the gap between cybersecurity and the business. By working closely with business leaders and ensuring that security policies and procedures are aligned with the needs and objectives of the organization, the BISO can help to build a stronger and more effective security program overall.”
Mooneyhan also stresses the resource element of the role. “If a CISO sees a BISO as a threat,” she says, “then there’s a lot of work that needs to be done for the culture of the security team.”
The BISO role is not new, but in recent years the term has started trending. The most common reporting structure is with the CISO and security linking out to the business lines; but the BISO may also be reporting to the business line and linking back across to security. Either way, the purpose is similar — to find a fully functional way for business and security to work together for the benefit of the enterprise.
The role is becoming more popular and more necessary as enterprises grow, diversify, and digitalize. This primarily occurs with larger organizations — but the need to align security and business exists for all companies of all sizes. All companies have that requirement even if they don’t have a formal BISO position.
For small companies, the role may be filled by a line-of-business specialist within the security team, or a security lead within the line of business, or both. But as companies grow, both in lines of business and geographical locations, the need for a single person with a foot in both security and the line of business becomes more pressing. The need for BISOs is growing, and the role has the added attraction of offering a clear career path.