- 20 Feb 2024
- 13 Minutes to read
The Evolution of the BISO Role: Challenges and Opportunities
Thank you to Mike Privette of Return on Security for sharing his knowledge on our site.
This article was originally published on the Return on Security website.
The Business Information Security Officer (BISO) role is essential in bridging the gap between cybersecurity and business, but it faces challenges. Learn what it takes to excel in this role and how to overcome its limitations.
Before diving into the challenges and opportunities of the BISO role, first, you have to understand what the role is and what the role is not.
What is a BISO?
A BISO, or Business Information Security Officer, is often considered "the security ambassador to the business," the "CISO's tactical and operational arm," or even a "mini-CISO."
Alyssa Miller defines it as:
A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.
The role is common in large companies with multiple lines of business (e.g., financial services, insurance). Over the last few years it has spread into other industries and gained a lot of popularity.
I also like Alyssa's points on the necessary qualities for someone to be successful in a BISO role, including:
Broad security knowledge
Executive presence
Influencer leadership
Strategic thinking
A successful person in this role can get high visibility across the business and IT. They will be a leader who bridges gaps and enables the business to move forward securely.
The Goal of the BISO Role
The ultimate goal of the BISO role is to ensure security is implemented seamlessly across all parts of a business.
The BISO needs to enable a secure experience for employees and customers alike. You have to understand the line of business functions and goals and be able to align security with those objectives.
As a BISO, you get perspectives that many people in IT never get the chance to experience. You get to:
✅ Understand a line of business
✅ Track customer-facing business services and understand the value
✅ Harness the ability to work cross-functionally (many cybersecurity people don't get this)
✅ Stay focused on risk mitigation for business enablement
That all sounds pretty good, right?
BISOs vs. CISOs
A Business Information Security Officer (BISO) and a Chief Information Security Officer (CISO) are both important roles in an organization's security strategy. However, they have distinct differences in their scope, responsibilities, and focus.
Here's a quick comparison of a BISO vs. CISO at a high level:
Scope
BISO - A BISO is typically responsible for a specific business unit or division within an organization. Their focus is on integrating security into the operations, goals, and functions of that particular unit.
CISO - A CISO, on the other hand, has a broader scope, overseeing the entire organization's security strategy. They are responsible for developing, implementing, and managing enterprise-wide security policies and programs.
Reporting Structure
BISO - BISOs usually report to the CISO or another senior security leader within the organization. They may also have a dotted line reporting relationship to the head of the business unit they support.
CISO - The CISO typically reports to a higher executive level, such as the Chief Information Officer (CIO), Chief Technology Officer (CTO), or even the CEO, depending on the organization's structure.
Focus
BISO - The primary focus of a BISO is to align security initiatives with the specific needs and objectives of the business unit they support. They act as a liaison between the centralized security function and the business, ensuring that security measures are tailored to the business unit's goals and risk appetite.
CISO - The CISO focuses on the overall security posture of the organization, which includes setting security strategy, managing risk, overseeing incident response, ensuring regulatory compliance, and building a security-aware culture.
Tactical vs. Strategic
BISO - BISOs are often considered the "tactical and operational arm" of the CISO. They work closely with the business unit to implement security measures, address day-to-day security concerns, and help the unit meet its security objectives.
CISO - The CISO is more strategic in nature and responsible for developing and driving the organization's security vision and long-term goals. They are also accountable for the effectiveness of the security program and ensuring that it meets the needs of the entire organization.
Skill Set
BISO - A BISO needs to have a deep understanding of the business unit's functions and goals, as well as strong security knowledge. They must possess executive presence, influencer leadership, and strategic thinking skills to effectively communicate and collaborate with both business and IT stakeholders.
CISO - A CISO requires a broader range of security knowledge and expertise, including risk management, policy development, and incident response. They also need strong leadership, communication, and executive presence to drive organizational change and build a security-aware culture.
Challenges and Opportunities for the BISO Role
The BISO role has become more prominent over the past few years, and it is still a relatively new discipline in cybersecurity. It has always looked good on paper but has trouble living up to the hype.
As a former BISO at a very large financial services company, I can tell you that many of the accolades and promises attached to the role on the Internet don't come from practical, first-hand experience. They are "paper understandings" of the role, not grounded in real execution inside a real organization.
I'm sharing my view on how this role needs to evolve, based on having lived it every day. The BISO role falls short for one reason: it comes with accountability but no authority.
❝
BISOs are accountable but have no authority.
It's typically not the fault of the individuals in BISO roles but rather the systems put in place to support the role.
When the BISO role is introduced, the centralized security teams and their IT counterparts don't know what to do with it. If the role is new to the organization, then likely nobody involved, the BISO included, knows how it is supposed to work in that environment.
How and when should security teams and business teams engage the BISO? Are centralized teams no longer allowed to talk directly to end-users or the business teams? Who makes "the call" on risk-related issues?
Example scenario: is the BISO authorized to tell a business application team they can delay a security patch because of a business release or go-live event? If the answer isn't communicated and supported clearly from the outset, the BISO role can create a death-spiral environment: centralized security functions are invited to bypass or scapegoat the BISOs, and the BISOs try anything to show their value (and often come up short).
When companies get large enough, each department is like a small company unto itself. Getting things done inside of those departments across teams is hard enough. Convincing outside teams to focus on your work over their work is an almost impossible challenge.
Now add the ever-changing, constant fire drill world that is cybersecurity to the mix. This isn't new to many cybersecurity professionals, but adding in the BISO role makes this even more challenging.
So what does that mean for the BISO role? If you're familiar with The Phoenix Project, you may recall its Four Types of Work:
Business Projects - work led by the business for the business that may involve IT
Internal IT Projects - work led by IT for IT
Updates and Changes - work generated by the first two types of work
Unplanned Work (Recovery Work) - incidents and problems generated by work that falls outside the first three types
Now look back at how cybersecurity people split into four buckets. The first three buckets of people cover all four types of work above, and as a result the majority of the "security work" comes from those first three buckets. This is no surprise to most people in cybersecurity.
You might be asking yourself, "Well, what else is there then, and who is in that 'everyone else' bucket?"
❝
The fourth bucket is where the BISO role lives.
That fourth bucket is where the fires happen, and that is where the BISO ends up living. BISOs can wind up doing nothing but firefighting and apologizing for issues that shouldn't even be issues.
When priorities aren't aligned, or when cybersecurity delivery is less than ideal, the BISO role gets called up to the plate. As a result, the BISO takes the blame from both sides for not meeting expectations.
The days quickly become nothing but damage control for one side or another. It's easy to spend your whole day beating back the fires instead of stopping the fires from happening.
Overcoming the Challenges: 5 Principles for Success as a BISO
If you find yourself in a BISO role, follow these five principles to drive accountability and improve the relationships between the business and cybersecurity teams:
Represent the customer experience side of cybersecurity.
Don't do the work of delivery teams.
Be the translation layer between business and cybersecurity teams.
Avoid hiring people from delivery teams.
Don't own the data - facilitate its use and integration.
Represent the customer experience side of cybersecurity.
❝
The number one goal of business is not to be the most secure, it's to serve customers and make money.
In most large companies, there is a one-way street where security teams tell business teams what to do and not do. As a result, security organizations often lack self-awareness. They lack the ability to see and understand how they impact the business with each thing they do.
A popular social media post in the cybersecurity community described the goal of the BISO role this way:
"The goal [of the BISO] isn't to recite security policy to the line of business being supported but to make the line of business successful through education of the sharp edges they need to worry about."
This quote starts off right with "The goal isn't to recite security policy to the line of business" but then falls short.
Did you catch it? The one-way statement?
It describes a way of working that sees the role as a shepherd of the business, not as a two-way street. The BISO role does start with the word "Business," after all...
Pushing security efforts without respect to the downstream impacts on the business is missing the entire point. Security cannot be done for the sake of security, but that's often how it comes across to the business teams.
Things security teams do that affect the business team and sour internal relationships include:
Not thinking about the end-user experience of a security request or control (poor execution)
Many and overlapping requests from the same cybersecurity team (lack of prioritization)
Many and overlapping requests from different cybersecurity teams (lack of collaboration)
New requests that don't leverage the data or insights collected from previous requests (not working smart)
Every request is an emergency (security is not all about active threats)
Security teams work FOR the business, not the other way around. They need to understand the downstream impact of what they are asking of others.
When the business has to drop everything to respond to every ask from the security team, deliver that feedback as the BISO to the security teams to fix it.
The business often takes the brunt of security initiatives, but a BISO can fix this broken bridge.
The most important job is to be the missing feedback loop.
Don't do the work of the delivery teams.
This will be one of the most challenging aspects to deal with. A BISO who reports directly to the CISO will be viewed by the cybersecurity teams as someone who only works for the cybersecurity team.
As a result, BISOs will be expected to push cybersecurity work into the business without question. This will happen across all functions in a cybersecurity team, and inevitably, the work required will fall on the same sets of business and technology teams.
If you let it, the BISO role will become a one-way street, and you will be driving the bus over the business teams. This goes back to teams doing cybersecurity for the sake of cybersecurity and not as business enablement.
Remember, although you may report to the CISO, you work FOR the business.
You are in a unique position to see and understand the impact that yet another cybersecurity ask has on the business. If approached correctly, the unique viewpoint this role has can offer great strides in business enablement.
❝
Help me [BISO], you're our only hope.
- the business teams (probably)
Be the translation layer.
Translation and explaining the "why" is of the utmost importance. If the business teams don't understand the need for a security initiative or change, give that feedback. Security teams need the opportunity to address it.
This may mean convincing the security teams to slow down and prioritize better. Every ask to the business cannot be of the utmost importance. Remember, the business has a day job too.
Focusing on what will mitigate the most risk is an essential key to a successful cybersecurity program. Here are quick reminders to make that work:
Clear and consistent communication for every ask with "why this is important."
Prioritization and timing for every ask.
Thoughtful collaboration with a focus on minimal end-user impact on every ask.
A forum to receive questions and ask for feedback with every ask.
Be the translation layer between security initiatives where the business needs to be involved but don’t do the work for the delivery teams. See above.
Don't hire people from delivery teams.
Do not hire architects, engineers, or other people who are used to "delivering" the work or being on the teams that deliver security services.
These people will have many (good) opinions on the best ways to deliver a service but will not be in a position to change the way a service is delivered. If they see obvious gaps with a service or team, they will be told to "stay in their lane."
No offense to anyone in the architecture or engineering roles today (I was personally in those roles for many years), but a BISO role may not be for you. If you enjoy delivering services and implementing technical solutions, this role is not for you.
Hiring people who are used to delivering security services will ultimately lead to frustration and not being fulfilled in their roles as a BISO.
If you are one of these people in this role today, it's time to get out now.
Don’t own the data.
The best people to solve a problem are those who are closest to the problem. That often means being the closest to the data and being the closest to understanding what the "ask" is.
As a BISO, you will have the (dis)advantage of being asked to do multiple things from many cybersecurity teams that have great overlap. You can help connect the right teams together to enrich each other's data and processes.
This can be met with resistance from cybersecurity teams, as it means changing a process or procedure on their side to solve a greater need. You may be asked to take on the brunt of ownership and stewardship of this newfound data.
As a BISO, you will be asked to stitch together dispersed data on the fly into coherent pieces. If you do it once, you will always have to do it, so be sure it makes sense for you to take on. If it doesn't make sense, this work should go back to the security teams who are closest to the data.
❝
BISOs are consumers of services and data from the teams running the cybersecurity groups, not the data keepers.
As a BISO, your goal is to elevate the service delivery of cybersecurity to the business. You help see, uncover, and solve higher-level strategic challenges.
You are not the owner of these new sources, you are just the one who can see how they connect.
The power of networks is in how the pieces integrate with one another. As a BISO, you can be that integration piece, and you can use your visibility to make real value.
Closing Thoughts
By following these principles, BISOs can better understand the downstream impact of security measures on the business, ensuring that security initiatives are aligned with business objectives and customer needs. Additionally, BISOs can connect the right teams, enrich data and processes, and focus on solving higher-level strategic challenges.
By keeping these approaches in mind, BISOs can bring significant value to businesses and successfully navigate the complex cybersecurity landscape. If you're currently in a BISO role or aspire to become one, good luck on your journey!
And remember, don't just create spreadsheets for the sake of creating spreadsheets.
Do you agree or disagree with this list? What's your experience as a BISO? I'd love to hear your feedback.