According to Barbee Mooneyhan, the BISO affiliate leader within WICyS (women in cybersecurity, although gender is not relevant to the role), the appearance of the BISO is contemporaneous with the appearance of the CISO – or if anything, predates it. Organizations were becoming increasingly aware of the need to secure their business information, so the role of BISO was created.
These positions had a business focus, and different departments or lines of business or geographical regions had their own BISOs to help defend their own business focus.
As cyber threats grew and cyber hackers evolved, the concept of companywide cybersecurity became more prevalent. ‘Cyber security’ is now a more common term than ‘information security’, even if the two concepts are inextricably bound. The need for a C-level executive with overall responsibility for cybersecurity across all lines of business became apparent.
As a business grows and expands, the need for a CISO becomes more obvious (but note the title still contains ‘information security’). With the rise of the CISO, the BISO concept has dwindled in smaller companies, subsumed by the CISO – but it clings on in larger organizations with sometimes multiple and different lines of business. As globalization continues, the need for a BISO specializing in aligning security with different lines of business is beginning to reemerge and expand.
The role of the BISO
In general, “A BISO is assigned to provide security leadership for one particular business unit, group, or team within the greater organization,” explains Andrew Hay, COO at Lares Consulting. “Using a BISO divides responsibility in large companies, and we often see the BISOs reporting up to the central CISO for the organization.”
“A BISO is responsible for establishing or implementing security policies and strategies within a line of business,” adds Timothy Morris, chief security advisor at Tanium. “Before the BISO role became popular, other director-level roles performed similar functions in larger organizations as an information security leader.”
The precise role of the BISO varies from company to company depending on the needs of that company. “In some cases, the BISO will hold a senior position reporting directly to the CISO, CTO, or CIO,” explains Kurt Manske, managing principal for strategy, privacy, and risk at Coalfire. “At this level, the BISO acts as a liaison with business unit leaders and executives to promote a strong information security posture across the organization.”
Alternatively, the BISO may be lower in the organizational chart, and focused on supporting the cybersecurity controls. “In this capacity,” continued Manske, “the BISO may work closely with the cybersecurity team to ensure that security controls are being implemented effectively.”
In other organizations, the BISO may report directly to business unit leaders rather than to the cybersecurity or IT leaders. “This can be particularly relevant in organizations where business unit leaders have a clearly defined responsibility to align with cybersecurity and compliance requirements and where the BISO can play a key role in facilitating the alignment,” adds Manske.
The ability to collaborate between security and business is consequently essential. This can involve working closely with both technical and non-technical stakeholders to ensure that security is integrated into key business processes and operations.
While all this may be true, the ‘business’ origin of the BISO remains central to the role. The BISO needs to be close to the department it serves, must understand the business requirements, and must be able to translate the overarching cybersecurity policy as laid down by the CISO into actionable security at the business level. At the same time, the BISO must be able to communicate business necessities to the CISO. “It’s about bridging from your business to the security,” says Mooneyhan.
“BISOs have cropped up to bridge the gap between the technical and the business as it relates to cyber and information security,” adds Morris. You can almost consider the B of BISO as standing for ‘bridge’.
Being a BISO
Jo Justice is BISO for the Leidos Defense Group. She started her career in IT, more than two decades ago. “At the time,” she said, “I had no intention of becoming a leader – I simply wanted to be good at what I do.” However, the result was that she became the go-to person for IT queries, and the foundation for learning soft and communication skills was laid down.
About a decade ago, she got involved in cyber. She was no longer the go-to person – so instead of answering questions, she began to ask them. She wanted a better understanding of how cybersecurity and business should work together – and again, her soft skills were further developed.
“I didn’t know until recently that I wanted to become a BISO – they weren’t trending like they are today – although I knew years ago my ultimate goal was to become a CISO,” said Justice. “But as the BISO roles began to grow within my organization, I began to understand the requirements. I was able to reach back to my cyber relationship experiences, because that is key. I also have a very technical background and that’s equally critical because I am responsible for providing guidance, when necessary, on how to implement the CISO’s overall security strategy within the business unit I serve.”
Relationship with CISO
A CISO is typically focused on strategy for enterprise security. “Often,” says Morris, “CISOs – especially in large organizations – can get so consumed with managing the ‘external’, such as the C-suite, shareholders, regulators, and so on, they don’t have the time to focus on the ‘internal’ duties required.”
Having multiple BISOs is a way of handling the delegation of duties, but the role is best seen as more than mere delegation: it’s more like an extension of the CISO, extending the CISO goals and objectives into the business.
Some CISOs may be dismissive of the BISO role, even seeing it as a threat to the CISO position; but this is a shortsighted approach, says Manske. “Rather than viewing the BISO role as a threat, I believe it should be seen as a valuable resource that can help to bridge the gap between cybersecurity and the business. By working closely with business leaders and ensuring that security policies and procedures are aligned with the needs and objectives of the organization, the BISO can help to build a stronger and more effective security program overall.”
Mooneyhan also stresses the resource element of the role. “If a CISO sees a BISO as a threat,” she says, “then there’s a lot of work that needs to be done for the culture of the security team.”
The BISO role is not new, but in recent years the term has started trending. The most common reporting structure is with the CISO and security linking out to the business lines; but the BISO may also be reporting to the business line and linking back across to security. Either way, the purpose is similar — to find a fully functional way for business and security to work together for the benefit of the enterprise.
The role is becoming more popular and more necessary as enterprises grow, diversify, and digitalize. This primarily occurs with larger organizations — but the need to align security and business exists for all companies of all sizes. All companies have that requirement even if they don’t have a formal BISO position.
For small companies, the role may be achieved by a line-of-business specialist within the security team, or a security lead within the line of business — or both. But as companies grow, both in lines of business and geographical locations, the need for a single person with a foot in both security and the line of business becomes more pressing. The need for BISOs is growing — and the role has the added attraction of offering a clear career path.