Hacker, Researcher, and Security Advocate

Category: Policy


What is a Business Information Security Officer (BISO)?

A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.

The BISO role is becoming more common in larger organizations, especially those with more mature security programs. BISOs translate the goals and policies of the corporation’s centralized security function into specific practices and procedures within the business lines. Additionally, the BISO is responsible for feeding business context back to the CISO’s organization to help shape its future direction.

Why do organizations have BISOs?

BISOs work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements. The BISO ensures that those objectives are met with processes and procedures tailored to the unique inner workings of the division. This often includes connecting security initiatives to compliance, audit, and regulatory requirements.

Having a senior security leader dedicated to the business unit creates a single owner for the division’s security strategy. Programs like vulnerability management, compliance, and application security are typically owned and driven by the BISO. Additionally, the BISO serves as a consultative resource for technology and development teams on security-related issues. All of this builds credibility for security within the business unit and creates a culture that recognizes that security is everyone’s job.


The BISO is also responsible for providing upward visibility into the security posture of the division. In many organizations, they are called upon to report the division’s state of security not just to the CISO but to the Executive Committee (EC) and Board of Directors as well. The BISO therefore must have a solid plan for measuring improvement and ensuring appropriate goals are established and tracked.

What are qualities of a good BISO?

Desirable characteristics for a BISO are very similar to those of a CISO. There are four key characteristics that a successful BISO should possess:

  • Broad security knowledge
  • Executive presence
  • Influencer leadership
  • Strategic thinking

Broad security knowledge

As you’d likely expect for a security leader, a BISO should possess a great deal of proficiency in the technical aspects of cyber security. The ideal person has a wide breadth of experience across the various domains. However, depending on the scope and make-up of the business unit, it is often beneficial to find someone who has more focused expertise in key strategic technologies. For instance, if they’ll be leading a division that is going through a focused cloud transformation, it would be beneficial for the BISO to have particular expertise in cloud-native technologies.


What is important to remember from a skills and experience perspective is that the BISO will be the primary owner of the security strategy for the division. Therefore, they need to be able to speak credibly to each of the technology domains while also working with subject matter experts when depth of expertise is needed.

Executive Presence

Since the BISO directs the security initiatives within the division or business unit, they must communicate up the leadership structure. Effectively communicating the risk and security posture of their organization to executives and the Board of Directors is a crucial skillset. This means rising above the technical implications and instead speaking in the context of business objectives and risks that are impacted.


In some organizations where the BISO is aligned to smaller units of the business, there may be less opportunity to communicate with the EC and Board. However, this does not make executive presence less important. The BISO still needs to be able to speak to business impacts and understand how their message is received at the highest levels of leadership.

Influencer leadership

While BISOs typically report through the business leadership structure, that doesn’t mean they operate in a position of authority over the technology and business groups with whom they’ll work. The BISO functions as the bridge between the business and the corporate security function. Therefore they need to be able to influence both organizations effectively without formal authority.

In the end, influencing actions by speaking to the motivations of each audience demonstrates stronger leadership prowess than ruling by edict. For the BISO it’s an absolute necessity. The best leaders clearly communicate the value of the initiatives they propose to those who will be asked to adopt them. A BISO’s worth lies in empathizing with their audience and addressing their concerns credibly and effectively.

Strategic thinking

The successful BISO is one who doesn’t get mired in the technical details. Instead they see the big picture, how all the various elements of the business and security strategy work together. They look at their work in terms of a long term vision. Individual tactical elements and mid-level initiatives all connect in some way to that vision.

That ability to see things from a higher level keeps the BISO grounded in their core objectives. They unite security strategy with business objectives to continuously improve the security posture rather than chasing a single objective.

An Emerging Role

The BISO role is still very new. Even among the select organizations that have embraced the role, how they structure it varies. In the end, however, the goals are the same. The BISO is there to ensure that security initiatives are implemented with business context in mind. The BISO advocates for security within the division and connects security to business enablement. BISOs are a valuable resource that will likely continue to be established within an increasing number of organizations.


Deep Fakes in 2020

How artificial media could impact US Elections

Deep fakes, extremely convincing artificial media produced by deep neural networks, have entered the political arena. In April 2018, BuzzFeed published a short video on YouTube that appeared to feature President Barack Obama sharing some surprisingly candid viewpoints. In reality, the visual portion of the video was artificially produced, and the voice was an impression done by comedian Jordan Peele. Many comments throughout social media lamented how terrifying this new technology is.

In my presentation, “The Death of Trust: Exploring the Deep Fake Threat”, at BSides Vancouver Island, I discussed the many threats posed by Deep Fakes. Among those threats is the expected role that Deep Fake media will play in the 2020 US Presidential election. While the technology continues to advance, it still has some important limitations that may help mitigate its impact. Moreover, there is a considerable amount of research being done on detection techniques, and so far that research boasts some impressive results.

How Deep Fakes are Created

Deep Fake videos are created using deep neural networks trained in an adversarial arrangement called a Generative Adversarial Network (GAN). In a GAN, two neural networks are pitted against each other. A Generator network is responsible for creating video frames that appear real. A Discriminator network in turn attempts to judge whether each frame is “authentic” or generated. The Generator repeatedly tries to trick the Discriminator into accepting the images it creates as real, and it improves from every failure.

Figure: A simplified view of a Generative Adversarial Network (GAN)

Both networks are trained with a large set of still images of faces, often hundreds of thousands. After this initial learning, the GAN can be given a relatively small number of still images of the intended subject (for instance, President Obama). The Generator is also typically given a target video into which the subject’s face will be inserted. Frame by frame, the Generator creates new artificial frames, and the Discriminator decides whether each one belongs with the set of subject images. Each time the Discriminator rejects a frame, the Generator’s weights are adjusted in the direction that would have fooled it. One caveat: not every face-swap tool is a GAN. The original “deepfakes” code swapped faces with a pair of autoencoders sharing one encoder and had no discriminator at all, but the adversarial loop described here is the one most discussions of the technique refer to. The end result is very convincing video content.
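To make the adversarial loop concrete, here is a toy GAN in NumPy, added as an illustration for this post and not code from the page or from any deepfake tool. In place of face frames, the “real” data are scalars drawn from a normal distribution with mean 3.0, and both networks are one-hidden-layer tanh networks; the layer width, learning rates, step count and target distribution are arbitrary choices. The part the prose cannot show is the information flow: the Generator never sees a real sample, it only receives the gradient of the Discriminator’s verdict on its own output, and that is enough to pull its samples onto the real distribution.

```python
"""Toy 1-D GAN in NumPy, added as an illustration of the adversarial loop.
Not code from the page or from any deepfake tool. Assumptions: the "real"
data are scalars drawn from N(3.0, 0.5); both networks are one-hidden-layer
tanh networks with 16 units; learning rates and step count are arbitrary."""
import numpy as np

HIDDEN = 16
TARGET_MEAN, TARGET_STD = 3.0, 0.5


def sigmoid(v):
    return 1.0 / (1.0 + np.exp(-v))


class Net:
    """Scalar in -> scalar out: out = W2 @ tanh(W1 @ x + b1) + b2."""

    def __init__(self, rng, scale=0.5):
        self.W1 = rng.normal(0.0, scale, (HIDDEN, 1))
        self.b1 = np.zeros((HIDDEN, 1))
        self.W2 = rng.normal(0.0, scale, (1, HIDDEN))
        self.b2 = np.zeros((1, 1))

    def forward(self, x):                        # x has shape (1, batch)
        self.x = x
        self.h = np.tanh(self.W1 @ x + self.b1)  # (HIDDEN, batch)
        return self.W2 @ self.h + self.b2        # (1, batch)

    def backward(self, dout, lr=None):
        """dout is dLoss/d(output), shape (1, batch). Returns dLoss/dx per sample.
        With lr set, parameters take one SGD step on the batch-mean loss; with
        lr=None the gradient is only propagated (used to pass the discriminator's
        gradient back to the generator without training the discriminator)."""
        n = dout.shape[1]
        dh = self.W2.T @ dout                    # (HIDDEN, batch)
        dpre = dh * (1.0 - self.h ** 2)          # back through tanh
        dx = self.W1.T @ dpre                    # (1, batch)
        if lr is not None:
            self.W2 -= lr * (dout @ self.h.T) / n
            self.b2 -= lr * dout.mean(axis=1, keepdims=True)
            self.W1 -= lr * (dpre @ self.x.T) / n
            self.b1 -= lr * dpre.mean(axis=1, keepdims=True)
        return dx


def train_gan(steps=4000, batch=64, lr_d=0.05, lr_g=0.002, seed=0):
    """Returns (generator, discriminator, history of per-step fake means).
    The generator never sees a real sample; its only training signal is the
    discriminator's gradient with respect to the fakes."""
    rng = np.random.default_rng(seed)
    G, D = Net(rng), Net(rng)
    history = []
    for _ in range(steps):
        real = rng.normal(TARGET_MEAN, TARGET_STD, (1, batch))
        fake = G.forward(rng.uniform(-1.0, 1.0, (1, batch)))
        history.append(float(fake.mean()))

        # Discriminator step: binary cross-entropy, label 1 = real, 0 = fake.
        # For a sigmoid output, dBCE/dlogit = p - label.
        p_real = sigmoid(D.forward(real))
        D.backward(p_real - 1.0, lr_d)
        p_fake = sigmoid(D.forward(fake))
        D.backward(p_fake - 0.0, lr_d)

        # Generator step (non-saturating loss): ask D to call the fakes "real",
        # propagate that gradient through D without updating D, then into G.
        p_fake = sigmoid(D.forward(fake))
        dx = D.backward(p_fake - 1.0, lr=None)
        G.backward(dx, lr_g)
    return G, D, history


def sample(G, n=2000, seed=1):
    """Draw n generated scalars from a fresh noise batch."""
    rng = np.random.default_rng(seed)
    return G.forward(rng.uniform(-1.0, 1.0, (1, n)))[0]


def generated_mean(G, n=2000):
    return float(sample(G, n).mean())


def untrained_mean(seed=0):
    """Mean output of a freshly initialised generator (near zero by symmetry)."""
    return generated_mean(Net(np.random.default_rng(seed)))


def tail_mean(history, tail=500):
    """Average generated mean over the last `tail` training steps."""
    return sum(history[-tail:]) / len(history[-tail:])


if __name__ == "__main__":
    G, D, history = train_gan()
    print("untrained generator mean:", round(untrained_mean(), 3))
    print("trained generator mean:  ", round(generated_mean(G), 3))
    print("last-500-step average:   ", round(tail_mean(history), 3))
    print("target mean:             ", TARGET_MEAN)
```

The generator learning rate is deliberately much smaller than the discriminator’s; with equal rates the generator overshoots the real data before the discriminator has re-learned the boundary and the two oscillate, which is the toy version of the instability that makes real deepfake models take days of tuning. Even when the mean converges, the generated spread usually does not match the target’s, a mild form of the mode collapse that detection research exploits. Face-swap tools add an encoder and decoder in front of this loop, but the gradient path is the same.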

The Political Threat

Deep Fakes are concerning for the political process because they further support the distribution of disinformation. As the capabilities of deep-fake-producing GANs improve, politically motivated actors can create false videos of their adversaries. These can be used to convince voters that a particular candidate said or did things that are detrimental to their reputation. A striking characteristic of this type of disinformation is that once it is in the minds of the public, it is very hard to combat. Even with well-documented evidence that a video is fake, many will still believe it is true.

However, another issue that is less talked about is the opposite case. What happens when compromising video of a politician surfaces but they claim it is a fake? There is already an abundance of “Fake News” claims echoing in political discourse. Proving the authenticity of a video claimed to be fake can be quite challenging. In this way, deep fake technology puts a heavy strain on our ability to trust anything we see or hear.

Limitations of Deep Fake Technology

The good news is that deep fake technology is still far from perfect. The limitations of the technology are constantly changing, but researchers continue to work on methods that exploit those limitations for detection. One limitation is that in the training process, GANs rely on facial images of a fixed size, because of processing constraints, so the generated face must be warped to fit the target frame. As a result, researchers from the University at Albany, SUNY have been able to train neural networks to find the warping artifacts that are indicative of deep fake videos.

Another limitation of deep fake video creation is that current GANs do not account for context and linguistics. Because training relies on static images, facial habits that are specific to the content or emotion being delivered are not easily replicated. As a result, researchers from Dartmouth released research earlier this year that analyzes video for consistency with these “soft biometrics”. As of the release date, the study achieved a 95% accuracy rate, and the researchers estimate that by the start of the 2020 primary season that accuracy could be as high as 99%.

Finally, more development is needed before fully synthesized (both audio and video) deep fake videos can be reliably produced. Tools like Adobe VoCo and Baidu’s “Deep Voice” can produce very realistic synthesized voices. However, combining deep-faked audio and video has yet to be demonstrated with consistently reliable results. That said, it seems reasonable to expect that it is only a matter of time before fully synthesized video can be created from nothing more than a typewritten script.

Proving Authenticity

Researchers have also been working on ways to ensure that truly authentic videos can be validated. NYU researchers recently demonstrated how the imaging pipeline of current high-end digital cameras can be modified to embed digital watermarks at capture time. Their study went further, however: they also used neural networks to overcome the loss of forensic data caused by regeneration (re-encoding an image or video). Overall, they built the framework of what could be an all-new approach to digital forensics.
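The regeneration problem is easy to demonstrate. The following is an added example for this post, not the NYU researchers’ method: it contrasts a capture-time signature over raw pixel bytes, which any re-encoding invalidates, with a signature over a perceptual fingerprint (a plain 8x8 average hash) that survives mild re-encoding but not a content edit. Everything in it is constructed: the frames are 16x16 8-bit grayscale arrays built in code, re-encoding is simulated by coarse quantization of pixel values, the “face swap” is a bright square pasted over the middle, and the signing key is an HMAC key the camera is imagined to hold.

```python
"""Added illustration of why re-encoding breaks naive authenticity checks.
Not the NYU method. Assumptions: constructed 16x16 8-bit grayscale frames,
re-encoding simulated by quantisation, and a per-device HMAC key standing in
for whatever key material a camera would really hold."""
import hashlib
import hmac
import random

SIZE = 16                                          # constructed frame size
CAMERA_KEY = b"demo-key-held-by-camera-firmware"  # assumption: per-device secret


def make_frame(seed=0):
    """Constructed frame: a brightness gradient plus a little noise."""
    rng = random.Random(seed)
    return [[max(0, min(255, 40 + 10 * x + 3 * y + rng.randint(-5, 5)))
             for x in range(SIZE)] for y in range(SIZE)]


def frame_bytes(frame):
    return bytes(v for row in frame for v in row)


def reencode(frame, step=16):
    """Stand-in for lossy re-encoding: snap every pixel to a coarse level."""
    return [[min(255, (v // step) * step + step // 2) for v in row] for row in frame]


def tamper(frame):
    """Crude content edit: paste a bright square over the middle of the frame."""
    return [[255 if 4 <= x < 12 and 4 <= y < 12 else v
             for x, v in enumerate(row)] for y, row in enumerate(frame)]


# --- naive scheme: sign the raw pixel bytes at capture time -----------------
def exact_signature(frame, key=CAMERA_KEY):
    return hmac.new(key, frame_bytes(frame), hashlib.sha256).hexdigest()


def exact_verify(frame, sig, key=CAMERA_KEY):
    return hmac.compare_digest(exact_signature(frame, key), sig)


# --- robust scheme: sign a perceptual fingerprint instead ------------------
def ahash(frame):
    """8x8 average hash: 64 bits, one per block, set if block mean > frame mean."""
    cell = SIZE // 8
    means = []
    for r in range(8):
        for c in range(8):
            block = [frame[y][x] for y in range(r * cell, (r + 1) * cell)
                     for x in range(c * cell, (c + 1) * cell)]
            means.append(sum(block) / len(block))
    avg = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > avg else 0)
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")


def robust_signature(frame, key=CAMERA_KEY):
    """Returns (fingerprint, HMAC over fingerprint) as the camera would emit."""
    fp = ahash(frame)
    return fp, hmac.new(key, fp.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def robust_verify(frame, fp, sig, key=CAMERA_KEY, max_distance=8):
    """Check the signature on the stored fingerprint, then check that the
    frame in hand is perceptually close to that fingerprint."""
    expected = hmac.new(key, fp.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    return hamming(ahash(frame), fp) <= max_distance


if __name__ == "__main__":
    original = make_frame()
    sig = exact_signature(original)
    fp, rsig = robust_signature(original)
    for name, frame in [("original", original),
                        ("re-encoded", reencode(original)),
                        ("tampered", tamper(original))]:
        print(f"{name:11} exact={exact_verify(frame, sig)!s:5} "
              f"robust={robust_verify(frame, fp, rsig)!s:5} "
              f"distance={hamming(ahash(frame), fp)}")
```

The trade-off is visible in the distance threshold: every bit of tolerance granted to re-encoding is also room an attacker may use, so a real scheme needs a fingerprint that is far more sensitive to semantic edits than to compression, which is exactly the kind of learned representation the NYU work trains jointly with the camera pipeline. Note also that both schemes only prove a frame came from a holder of the key; they say nothing about what was in front of the lens.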

Looking ahead

It certainly seems clear that for 2020, deepfakes will be a part of the (dis-) information bombarding the American public. If there is any good news in this it’s that we’ve not yet reached a level of capability talked about in the many doomsday scenarios regarding deepfakes. To truly limit the impact of deepfake media will require a coordinated approach of public awareness, careful and responsible journalism, and of course technological countermeasures. Security professionals can help shape the course of these three elements through our evangelism, influence and research.


Welcome Aboard

An Introduction of Epic Futility

OK well here I am interwebs!! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security and privacy related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present-day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length, as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
