In a world where people rely on technology more than ever, across every department, team, and function in the business, it is critically important that business and security teams begin to collaborate and work together. In addition, an ever-evolving threat landscape has led to a demand for Chief Information Security Officer (CISO) roles. Business-side leaders seek someone to point to when a security situation arises.
If companies want to stay ahead of the curve, they must be on top of their game. Business leaders understand the need for cybersecurity expertise and leadership. There’s a sense at the top that the company needs to create a proactive security culture, awareness, and responsibility throughout the organization. So we're seeing all these CISO opportunities, but a CISO can only be in one place at a time.
An added layer of complexity between security and the business is that business leaders are often unable to speak the language of security, and vice versa. Now more than ever, we need these two sides of the coin to work together. There is a significant disconnect because we don't expect our business leaders to be cybersecurity experts, and we don't expect our cybersecurity experts to be business leaders. The Business Information Security Officer (BISO) role essentially helps resolve all of these challenges.
Discover the role and responsibilities of a BISO in this post based on the STRONGER 2022 presentation led by Nicole Dove, Head of Security, Games at Riot Games and GAB Member at CyberSaint.
The Emergence of the BISO
BISOs are the liaison between information security and the business. They're tasked with staying on top of what's happening, monitoring the threat landscape, and understanding how bad actors' strategies are evolving. And they support CISOs by having a deeper understanding of how each business unit works.
BISOs bring organization to security operations. They can delve into shaping security operations for effectiveness and establish an aligned process. BISOs will pressure-test the security practitioners and the things asked of the business. If those things are not neatly aligned with the business goals, leaders should ask themselves why they are requesting these things of their business partners. Of course, some foundational security elements must always be maintained. However, when teams are pulling on the business's resources and looking to mature their security program, it's critical to be intentional.
Another thing to consider is business innovation. Security should not stifle the business. Again, if companies want to stay ahead of the curve, being insightful, thoughtful, and proactive about addressing where bad actors will go next can create significant space for innovation. The BISO has to ensure that they're enabling the business to be creative and innovative, to continue making cutting-edge products and services for their customers, and to stay ahead of the game.
Proactive Cyber Risk Management
Security cannot be considered at the last minute. It needs to be involved from the beginning, at the ideation stage, so that risks and vulnerabilities are considered as planning continues instead of evaluating the risk impact retroactively. Security teams should begin to work with the different domain leaders across the information security function and craft relevant security strategies that are feasible and implementable. That would put organizations in a great position to be proactive with cyber risk management instead of reactive.
Why Do You Need a BISO?
The BISO is essentially a complementary role to business-side leaders and to the CISO and security function. The distinguishing quality of a BISO compared with other security roles is that they have a dedicated business focus.
The BISO will be that one person to connect with on the InfoSec Leadership Team who can explain what's coming down the pipeline for the business, what the customer sentiment is, and what challenges customers are having with the products and services offered. When we collectively look at those things and couple them with the intelligence from a security team, that puts BISOs in a great place to add value to the business. It’s all part of connecting security to the business for seamless communication and operations.
Another standout quality of the BISO role is the sort of “white glove service” it provides to the business. Imagine the business is moseying on and doing all the great things they do, but because the BISO is invited and sits at the table, they are collecting so much information. Instead of the business leaders having to go and request activities from the security team, the BISO is there to represent security operations and offer timelines and risk considerations to improve decision-making. It's much more complementary and easier to have somebody there to assess what the team needs and provide solutions to support decision-making.
The BISO role is the first point of escalation for the business. Business leaders don't necessarily understand how the security teams are structured or what services are offered. So having a trusted partner they can communicate with, who helps them navigate the different domains, services, and layers the cybersecurity team offers, will increase collaboration and partnership.
It’s important for the BISO to be collaborative and to understand how to work with different people. They need to manage and keep up with projects, timelines, and priorities that are always changing. A BISO must bridge the gap between the business and the information security functions. They're curious, innovative problem solvers. They are collaborators with executive presence and specific cyber and information security domain expertise.
BISO Collaboration
A BISO is there to foster collaboration between security and business operations. Through that collaboration, they can deliver on high-impact operations, scale growth, and build partnerships. Even if your organization does not have a formal business information security officer title, it’s important to have someone on the team who is dedicated to aligning the initiatives and roadmaps of business and security.
The goal is not to limit operations to the point of stifling innovation, but to give teams enough space to innovate while collaborating on goals and objectives. A BISO can help organizations collectively learn to set business direction with security as a main collaborator. Strategic road mapping is not only the right thing to do but the smart thing to do.