BISO on board: Ambassadors bridge the gap between cybersecurity and business
Do you have a BISO in your organization? If not, it might be time to write that BISO job description.
Business Information Security Officers (BISOs) have been gaining traction for years. The role is on the rise and demand for skilled, experienced BISOs is increasing.
Google searches for “Business Information Security Officer” have climbed from an estimated 1,950 in January 2021 to 2,879 in January 2023. Cybersecurity publications and podcasts covering the BISO have increased dramatically. There’s even a BISO Forum on LinkedIn.
In this blog, we'll delve into the significance of the BISO, how it differs from the Chief Information Security Officer (CISO), their roles and responsibilities, and why they have become indispensable.
What is a BISO?
A BISO—Business Information Security Officer—is a mediator on a two-way bridge, with a foothold both in the world of cybersecurity and in the line of business. The BISO translates concepts and connects the dots between cybersecurity and business functions to ensure teams are in sync.
BISO vs. CISO: What’s the difference?
While a BISO and Chief Information Security Officer (CISO) share many areas of expertise, their roles are different. Think of the BISO as the right-hand person to a CISO. The BISO is deputized to represent the CISO when interacting with the business. BISOs implement the CISO’s strategies on more operational and tactical levels.
Shifting CISO responsibilities have brought about an increasing role for BISOs. The cybersecurity team has a lot to handle as companies face more cyber threats, compliance requirements, growing remote workforces, and rapid adoption of new cloud-based technologies. With such a large scope of duty, the CISO is often stretched thin.
Having a BISO allows the CISO to concentrate on implementing and managing technical security measures, identifying and mitigating technical vulnerabilities, and reducing risk by defining security controls and policies.
Becoming a BISO can be an excellent career path for becoming a CISO, especially as CISOs are increasingly called upon to align cybersecurity with business needs. To reach that level, BISOs will benefit from exposure to multiple parts of the business and aspects of cybersecurity.
What does a BISO do?
The BISO role has many responsibilities that fall into two categories: cybersecurity champion and business champion.
BISOs work on behalf of the cybersecurity team as an emissary among other departments and business units. As cybersecurity champions, BISOs build awareness to instill a sense of shared responsibility for cybersecurity throughout the organization. They help users adopt cybersecurity technologies and processes with training sessions, awareness campaigns, and workshops. For example, they might work with developers on building security into their SDLC, or on checking credentials out of a Privileged Access Management (PAM) solution rather than hard-coding them.
As business champions, BISOs work in the interest of business teams to ensure the CISO and the rest of the security and IT departments understand business team needs and provide tools and solutions to meet them. For example, BISOs might raise the need for more usable security tools that integrate with the communication or workflow tools the business already uses.
BISOs are crucial for strategies requiring technical cybersecurity and strategic business input. For example, they may be involved in risk management and cyber risk quantification projects, in which they help to evaluate and prioritize cybersecurity risks based on financial and operational impact on business goals. They collaborate with business leaders to make informed risk acceptance, mitigation, or transfer decisions.
How do you know if you need a BISO?
BISOs are most commonly found in large, distributed organizations where information is often siloed and people don’t always know who does what. In those types of companies, the CISO and their team need to build stronger bonds with the business proactively, or they risk losing touch.
You might need a BISO if:
- You have challenges measuring or communicating the business value of your security program or solutions
- You don’t know which IT assets are most important to business processes
- You don’t know who should have access to what systems and rely on business owners to tell you
- Business users are skirting security policies because they don’t understand them or don’t know how to use tools properly
ROI of the BISO role
While BISOs deliver tremendous value to organizations in terms of risk management, BISOs can also deliver value in revenue generation.
In an interview on Microsoft’s security podcast, “Security Unlocked,” CISO (and former BISO) Alyssa Miller gives the example of a CISO who wants to spend $5M on a new Endpoint Detection and Response (EDR) tool. In this case, the BISO can help to articulate what that investment will enable in terms of revenue from the business side.
“They will have a lot easier time winning that funding if they can say, ‘it will help you make more money,’ because it’s a far stronger message than, ‘I am going to spend this $5M to protect you against this nebulous risk that may or may not ever happen.’”
Considering that an average BISO salary is $320,000, according to the 2023 BISO Compensation Survey, that’s quite a return on investment.
Where should a BISO sit in your organization?
The reporting structure for the BISO position depends on your organization, priorities, and the security program’s maturity.
Often, BISOs report to the CISO and are part of the IT department. Nicole Kinney, BISO at Fifth Third Bank, said in a recent Cyber Security Business podcast that BISOs should be an extension of the CISO across the organization.
However, there’s also good reason for the BISO to be part of the business unit. A BISO understands the business far better than the technical folks do.
Miller says her survey of BISOs found that 41% of BISOs report to the CISO. That number may seem low if the BISO is an extension of the CISO, but Miller claims it’s too high.
She argues that it’s actually in the best interest of the CISO if the BISO is part of the business team. Having the BISO speak from the business perspective is better for getting buy-in from the business for security initiatives and can help the security team build a stronger business case.
Whether the BISO resides in your security team or a business unit is best determined by your organization’s needs and your industry sector. Either way, the BISO’s communication and collaboration must remain bi-directional.
The BISO skillset: what to look for when you’re hiring a BISO
Like the BISO reporting structure, the ideal BISO skillset varies based on the organization and whom you ask. A good description of BISO skills, experience, and responsibilities includes a balance between technical and interpersonal abilities.
Kinney emphasizes that a successful BISO should have a broad, interdisciplinary background in cybersecurity with the breadth to understand the importance of all areas, and depth in at least a few. For example, she started in technology project management, worked at the management level in information security, focusing on email and web gateways, and then moved into her BISO position.
While Kinney claims that a BISO should be as technical as a CISO, some organizations may find that soft skills such as communication and leadership are equally, if not more, important for a BISO.
As the prevalence of the BISO role increases, we can expect them to become more prominent in C-level meetings. Miller’s survey of BISOs found that 70% are called upon to deliver updates to executive committees and boards. The BISO’s position of neutrality and ability to balance interests makes them a valuable voice of reason for corporate leadership.
Miller says the job requirements for a BISO shouldn’t be a laundry list of technologies, degrees, and certifications if other abilities are more valuable, such as the ability to work in a high-stress environment.
When hiring a BISO, it’s worth casting a wide net. In his podcast interview with Business Security Weekly, Ben Carr suggests that a BISO could also have a marketing background, be a sales engineer, or have experience in other customer-facing—and customer-friendly—roles. These are the type of people who are often adept at whiteboarding concerns, documenting issues, and achieving compromise across teams.
Whether you’re looking to hire a BISO or become one, the position is instrumental in today’s corporate security landscape. Organizations see the value of having a BISO who can help implement the CISO’s security strategy and make sure the business units feel heard.
With their unique blend of technical expertise, business acumen, and communication skills, BISOs are the linchpin connecting cybersecurity measures with organizational growth and stability.