A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.
The BISO role is becoming more common in larger organizations, especially those with more mature security programs. BISOs translate the goals and policies of the centralized security function of the corporation down to specific practices and procedures within the business lines. Additionally the BISO is responsible for providing business context back to the CISO’s organization to help shape future direction.
Why do organizations have BISOs?
BISO’s work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements. The BISO ensures that those objectives are met with processes and procedures tailored to best fit the unique inner-workings of the division. This often includes connecting security initiatives to compliance, audit, and regulatory requirements.
Having a senior security leader dedicated to the business unit creates an a single owner for the division’s security strategy. Programs like vulnerability management, compliance, and application security are typically owned and driven by the BISO. Additionally, the BISO serves as a consultative resource for technology and development teams for security related issues. All of this helps build credibility for security within the business unit and create a culture that recognizes that security is everyone’s job.
The BISO is also responsible for providing upward visibility into the security posture of the division. In many organizations, they are called upon to report the division’s state of security not just to the CISO but to the Executive Committee (EC) and Board of Directors as well. The BISO therefore must have a solid plan for measuring improvement and ensuring appropriate goals are established and tracked.
What are qualities of a good BISO?
Desirable characteristics for BISOs are very similar to that of a CISO. There are four key characteristics that a successful BISO should possess:
- Broad security knowledge
- Executive presence
- Influencer leadership
- Strategic thinking
Broad security knowledge
As you’d likely expect for a security leader, a BISO should possess a great deal of proficiency in the technical aspects of cyber security. The ideal person possesses a wide breadth of experience across the various domains. However, depending on the scope and make-up of the business unit, it is often beneficial to find someone that has more focused expertise with key strategic technologies. For instance, if they’ll be leading a division that is going through a focused cloud transformation, it would be beneficial for the BISO to have particular expertise in cloud native technologies.
What is important to remember from a skills and experience perspective is that the BISO will be the primary owner of the security strategy for the division. Therefore, they need to be able to speak credibly to each of the technology domains while also working with subject matter experts when depth of expertise is needed.
Executive Presence
Since the BISO directs the security initiatives within the division or business unit, they must communicate up the leadership structure. Effectively communicating the risk and security posture of their organization to executives and the Board of Directors is a crucial skillset. This means rising above the technical implications and instead speaking in the context of business objectives and risks that are impacted.
In some organizations where the BISO is aligned to smaller units of the business, there may be less opportunity to communicate with the EC and Board. However, this does not make executive presence less important. The BISO still needs to be able to speak to business impacts and understand how their message is received at the highest levels of leadership.
Influencer leadership
While BISOs typically report through the business leadership structure, that doesn’t mean they operate in a position of authority over the technology and business groups with whom they’ll work. The BISO functions as the bridge between the business and the corporate security function. Therefore they need to be able to influence both organizations effectively without formal authority.
In the end, influencing actions by speaking to the motivations of each audience demonstrates stronger leadership prowess than ruling by edict. For the BISO it’s an absolute necessity. The best leaders clearly communicate the value of the initiatives they propose to those who will be asked to adopt them. A BISO’s worth lies in empathizing with their audience and addressing their concerns credibly and effectively.
Strategic thinking
The successful BISO is one who doesn’t get mired in the technical details. Instead they see the big picture, how all the various elements of the business and security strategy work together. They look at their work in terms of a long term vision. Individual tactical elements and mid-level initiatives all connect in some way to that vision.
That ability to see things from the higher level grounds the BISO to meeting their core objectives. They unite security strategy with business objectives to continuously improve the security posture rather than chasing a singular objective.
An Emerging Role
The BISO role is still very new. Even for the select organizations that have embraced the role, how they structure the role can vary. In the end, the goals are the same however. The BISO is there to ensure that security initiatives are implemented with business context in mind. The BISO advocates for security within the division and connects security to business enablement. BISOs are a valuable resource that will likely continue to be established within an increasing number of organizations.
Munmun
Hi Alyssa – Great article! Could you provide insights into possible career paths if one chooses to become a BISO today? Wondering if CISO is the only next step or there could be other options?
Bola Guines
Would like to pick your brain. If you have a BISO leading a team of BISOs, what name would you call that BISO? Lead BISO? Global BISO? Is there a more elegant and effective name you can come up with?
Alex
Hi Alyssa,
do you think it is also valuable to have strong project management skills and being stress resistant? There can be tough situations where BISO stands between corporate sec guys and business.
Second challenge is having business acumen, managerial skills and some technical ones and keeping it all fresh in just one head
Alyssa Miller
Yes for sure, project management skills could definitely be a great asset. And yes, the challenge of developing a balance of business, leadership and technical skills is definitely a part of the role.
Brandon
Would you be able to update your article with resources, books, courses, up-coming certifications for the BISO role?
Alyssa Miller
I’m honestly not aware of much in terms of resources specific to a BISO role at this point. The qualifications would be similar to that of a CISO ultimately.