Who are BISOs and what do they bring to the cybersecurity table?

By Steve Durbin, Chief Executive, Information Security Forum.

  • 1 month ago Posted in

The role of a Business Information Security Officer (BISO) is gaining traction in security communities and board conversations. But why do organisations need BISOs? What are the main business drivers? What is their relationship with security leaders and what traits are ideally suited for the role? 

The Main Drivers for a BISO

Collaborating with information technology has been around since its inception, when it started as a transactional order-taking department. Over time a partnership emerged with business because technology soon assumed a central role across every process. Along similar lines, cybersecurity too has come of age, with the understanding that security requires better alignment with the business. 

In large organisations, the chief information security officer (CISO) is expected to apply risk management and oversight of every department, something nearly impossible to achieve, especially in a distributed environment. If CISOs become too involved in daily security and compliance operations, they run the risk of spreading themselves too thin.

Additionally, there’s always been a disconnect between business leaders and security leaders driven by a perception that cybersecurity is a necessary expense that does little to further the business. Security leaders may have previously seen themselves as the most urgent voice in the room, leaving little room for collaboration on security matters — a problem exacerbated by technical jargon and complexity.

BISOs deliver the much-needed headspace CISOs need to strategise and to lead. By delegating day-to-day security issues, CISOs can focus on developing a security strategy aligned with the larger business goals. 

The Key Objectives of a BISO

A BISO role has primarily two objectives:

1. Enrich the value of security for the business: A closer relationship with the consumer – the business – can make security more alluring and demonstrate its value by understanding the motivations and needs of the business and mapping the security proposition to those needs. The goal is to reach a point where the business ‘wants’ security as a line of investment, rather than security being seen as something it must have. 

At a high-level, the role of a BISO is to build enduring relationships across the organisation; find solutions to specific business risk challenges; support the delivery of corporate security strategies; earn trust and confidence of both technical and non-technical stakeholders; nurture security culture by factoring in local and demographic considerations; and enable risk-based decision making at a more granular level across the organisation. 

2. Support the strategic ambitions of enterprise security leadership: While the CIS) owns the organisation’s overall security strategy and ensures that the strategy protects the overarching values of the organisation, a BISO is responsible for executing strategy at a more granular, functional, and departmental level. A BISO is basically the arms and legs of a CISO, serving as a mediator between central and local security functions. For instance, they can recommend optimisations that reduce the burden on business teams.

Does Every Organisation Need a BISO?

Small organisations will likely not have a need for a BISO. However, this doesn’t mean that the security leader or CISO will not require some sort of business partnership arrangement. Smaller organisations could lean on “security champions” to achieve similar outcomes. For larger organisations, the decision to onboard a BISO will depend on the scale, maturity, geographic location and future goals of the security function. Some organisations may want to consider a hybrid approach, splitting the BISO responsibility 50-50 with an additional responsibility such as leading a specific security function (e.g., supply chain risk management) or geography.

What Skills and Characteristics Must Organisations Look for in a BISO?

A key requirement of the BISO role is bringing security, technical, and business stakeholders together in partnership to exploit the strength of all parties – a challenge to achieve without a balance of business and technical knowledge. Someone with deep technical experience could present an unconscious bias towards technology, potentially limiting the BISO’s capacity to think more broadly and implement practices that meet the needs of the business. Although having a technical skillset isn’t always necessary, someone with deep technical experience can be helpful when striving to earn the respect of technical staff. Along with business and technical acumen, a BISO is expected to have familiarity with a wide range of applications and systems, an understanding of business risks and mediation skills – a problem solver, active listener, and analytical thinker. 

The position of a BISO is still in its formative stage, much like other security leadership roles including the CISO, which initially struggled with role clarity (and still struggles today to some extent). Adopting a business partnering approach by appointing a BISO can be a profitable strategy for fostering inclusive cultures, proactively addressing security risks, and positioning security as a valuable business opportunity rather than a mere compliance requirement.

By Brandon Green, Senior Solutions Architect & Threat Modeling SME, IriusRisk.
By Isaac Douglas, CRO at global IaaS hosting platform Servers.com.
By Rob Pocock, Technology Director, Red Helix.
Andrew Smith, Kyocera’s CISO, has shared his top five tips to make sure any organisation can take...