The Business Information Security Officer Has Entered the Chat
Cybersecurity professionals seem to have a special affinity for acronyms. DDoS, VPN, TTP, ATP… the list goes on and on. After a while you just want to shout “SOS!” to save yourself from drowning in all of these annoying abbreviations.
There’s yet another acronym that is quickly entering the cybersecurity lexicon: the Business Information Security Officer (or “BISO”). The BISO role is still relatively new, and not all organizations have one. But this increasingly important position is worth knowing about, because it has the potential to substantially strengthen your cybersecurity posture.
Structuring Your Cyber Team
Organizations differ significantly in how they structure their cybersecurity workforce. Some companies handle cyber matters in-house; others outsource them to third parties. Some employ a small army of cyber professionals; others employ none.
Organizations are increasingly hiring a Chief Information Security Officer (CISO) to oversee their cybersecurity efforts. The CISO is an executive position charged with executing the information security and risk management goals defined by senior officers. CISOs develop and oversee the enterprise’s cybersecurity strategy, including its cybersecurity policies and controls. They also help manage security technologies and ensure compliance with applicable regulations and standards, among a slew of other responsibilities. One of their greatest (and most challenging) tasks, however, is to help senior leadership understand the business implications of infosec decisions. It is a notoriously tough job, but when it’s done correctly, a CISO can substantially reduce your organization’s cyber risk.
I Understand the CISO Role, But What the Heck Is a BISO?
CISOs can be instrumental in establishing a high-level cybersecurity strategy; however, as an organization grows, achieving that level of granularity across the whole enterprise becomes exceedingly difficult. In a large organization, a CISO needs eyes and ears on the ground to implement and monitor the information security plan. The best cyber strategy in the world is useless if it is not executed properly. That’s where the BISO comes in.
Think of the BISO as a deputy-like role that the CISO embeds within and across different business units. BISOs are charged with making sure that security policies and controls filter down to all areas of the enterprise; they also help business units identify which assets and information require further protection. In short, BISOs are bridge-builders, serving as key liaisons between business executives and cybersecurity teams. By establishing trust and collaborating with the various business unit stakeholders, BISOs help build an even stronger cybersecurity foundation for the enterprise.
The Building Blocks of a BISO: Key Competencies for People in this Position
The job market for BISOs is booming. A quick glance at the employment postings website Indeed shows that approximately 60 BISO positions are currently open. What are the key qualities you should look for when hiring for this position? Here are three to put at the top of your qualifications list.
Cybersecurity is an interdisciplinary and interdepartmental field. Individuals with a variety of job titles, from all areas of the enterprise, are involved in executing an information security strategy. As the departmental point person on cyber matters, a BISO needs to be able to work effectively with others who have different backgrounds, skill sets, and personalities.
Creating a culture of cyber resilience is a true team effort. Hackers only need to be right once to breach your business. As the defender, you need to be right every time. Your cybersecurity posture is only as strong as its weakest link. That’s why getting buy-in from all employees in the enterprise is essential to minimizing vulnerabilities. BISOs need to be cyber champions, driving the cybersecurity strategy throughout key parts of the organization.
Cybersecurity can be a highly technical field, filled with confusing concepts and jumbled jargon. As such, it is often a challenge for BISOs to explain their role to colleagues. As Mike Kearn, Managing BISO at US Bank, put it: “I never have the luxury of working with people who understand exactly what I do.”
This is why it’s essential that BISOs have strong communication skills. Given the multidisciplinary, multi-department nature of the job, BISOs must be fluent in multiple “languages,” seamlessly translating tech talk into business speak.
Big Picture Thinking
Cybersecurity is less linear than many people think. Digital threats are increasingly complex; consequently, combating them requires both left- and right-brain thinking. Tunnel vision can put your enterprise in peril. Therefore, you want to hire BISOs who think holistically about information risk, and can tie their individual work back to the broader security goals of the organization.
Want to Learn More?
Interested in learning more about building a cyber workforce? Check out our Resolve and Advance programs. Let us show you how to hire and train your infosec staff, helping you put the best people in place to protect your organization from cyber threats.