EXECUTIVE SUMMARY:

In 2020, a Business Information Security Officer (BISO) attended RSA, one of the most influential global cyber security conferences of the year, eager to connect with others who occupied the same business role. Because few BISOs were easily identifiable, this BISO launched a conference session about the role.

In 2022, this top-rated conference session provided BISOs, CISOs, CIOs, and executives with insights into why this role can be useful, how to position BISOs as enablers of innovation, and how to create paths towards success.

What is the BISO role?

The Business Information Security Officer (BISO) is a senior cyber security leadership role designed to connect security with larger business interests. A BISO may act as a CISO’s deputy, overseeing the details of strategy implementation and serving as a tactical and operations-level ambassador.

The BISO in 2022

The 2022 RSA Business Information Security Officer talk started out with a discussion of the problems that the BISO role is designed to solve. “There is a disconnect between information security and business,” stated Nicole Dove, Head of Security, Games Division, for Riot Games.

Chief Information Security Officers (CISOs) often lack deep levels of business expertise. Executives often lack a clear understanding of cyber security. Asking either of these positions to holistically understand the other may be too tall an order. To bridge the gaps, the BISO has a role to play.

Why the BISO role

Organizations often need BISOs to align business and information security priorities. Security can function as a strategic business enabler, but only if someone is in charge of making that happen. If you or someone in your organization notices that your security and business teams are not collaborating, consider creating or expanding a BISO role. Further, if your company has a strong security team but incidents are still occurring, that could also prompt an organization to consider opening a BISO role.

The BISO profile

You want a BISO. Who should your enterprise hire? The Business Information Security Officer needs sharp interpersonal skills and an inherent sense of curiosity. The BISO needs to be able to identify issues. The BISO also needs to be able to creatively solve problems. This person needs to be able to work at all levels of the organization. Executive presence is key.

The BISO works on everything, but ‘owns nothing’. Consequently, BISOs need to be collaborative, flexible, and to have a growth mindset.

In some instances, a BISO simply needs to know which people to bring into a room in order to address an issue. In other instances, the BISO provides customer service, administrative assistance, or manages technical fixes.

It’s a multi-dimensional role. The BISO ultimately needs to be able to wear many different hats.

What makes a good BISO?

A good BISO manages the business and security experience, both internally and externally. Within the organization, the BISO serves as a first point of escalation for commonplace cyber security concerns. Externally, the BISO sees to it that partners and other third parties enjoy working with the security team, and that third parties do not report meeting unfriendly, unhelpful or incomprehensible employees. In essence, a BISO provides ‘white glove service’ and ensures that everyone has a positive experience while working to address security concerns.

Key questions for new BISOs

  • Is there someone in the organization who is currently functioning as an ad-hoc security and business integrator and for whom you can lighten the load?
  • Where is the need right now?
  • Where can small changes be made?
  • What stories should you tell about the business’s security?
  • Can you ‘pressure test’ your approach to ensure that it’s the best way to problem-solve?
  • How can you invest in strategic road mapping?

What to do if starting a BISO role

  • Learn about who’s who.
  • Go on a ‘listening tour’.
  • Start with low-hanging fruit.
  • Gain initial quick wins.
  • Focus on high-impact operations.
  • Determine what the friction points are.
  • Build a service catalogue for each domain: what are the top services that people request, how is work taken in, are there SLAs, etc.
  • Gain deep expertise.
  • Make security easy.
  • Remove ‘department of no’ image.
  • Determine how to balance priorities.
  • Focus on new efforts.
  • Educate members of the business on why a BISO role exists.

Is the BISO role really necessary?

A CISO with a large group of interconnected projects on a to-do list and multiple direct reports is chasing a lot of bouncing balls. The BISO role assists with prioritization, project management, and can function as a delegatory point-person to help prevent CISO overwhelm and burnout.

And as Nicole Dove astutely pointed out, there is much said about how cyber security enables a business. It’s a common topical discussion point. However, in asking CISOs and executives about precisely how the enablement works, in many cases, no one can point to tangible efforts or outcomes. The BISO is responsible for truly making cyber security a business enabler.

CISO vs. BISO

CISOs work to move high-level security strategies forward. The CISO tends to interact with leadership at the strategic level. In contrast, a BISO might work at a tactical and operational level. The BISO is a bit of a ‘utility player’ in some organizations. Both roles work to ensure that corporate security objectives are treated as business requirements and enablers.

BISO reporting structure

A BISO often reports to the CISO or to a similar position. Sometimes, a BISO reports to the VP of Information Technology.

What does the organizational structure under a BISO look like?

Some organizations do not give BISOs direct reports. Other organizations have a manager from a security team supporting the BISO, if not reporting in. This can be advantageous in that a security manager or an engineer can ‘speak the language’ of security and can provide ‘translations’ and technical insight when talking across organizational departments.

How can BISOs make inroads with security teams that do not wish to engage?

The BISO role combines relationship management with cyber security. One way to make inroads is to provide active listening for security teams. Sometimes, the BISO will need to really get to know the root causes of security problems. BISOs will then need to engage in strategic problem solving. If able to authentically solve security personnel’s challenges, a BISO builds a strong security partnership.

In some cases, a BISO may not be able to provide a comprehensive resolution for security’s pain points. However, progress towards that goal or goals can engender goodwill.

Is the role of a BISO a good job?

The BISO role is an up-and-coming title within the cyber security sphere. Job advertising sites, like LinkedIn and Glassdoor, have more than 10,000 BISO roles listed. This career path is generally high-paying too. In the US, the average annual salary starts at $127,000, as of 2022.