CISO vs. BISO. Two job titles separated by a single letter.
Everyone recognizes the chief information security officer as the senior IT executive in charge of protecting data and systems. But in an increasing number of organizations, a second role known as the business information security officer is growing in stature.
The role of the BISO and its place within the corporate hierarchy is a little trickier to define. Generally, the BISO’s responsibility is to assess, contour and augment companywide infosec initiatives so that they strongly align with key business objectives and compliance needs.
More complicated still: some organizations may have multiple BISOs, each acting as a mini-CISO within an individual business unit or geographical region. Hence, you might also see the job title listed as business area information security officer (BAISO) or regional information security officer (RISO).
So what does this role entail? And what of the argument from some cyber experts, who say BISOs should really just be the natural evolution of the CISO, since CISOs should already be business-aligned when executing their vision?
Ultimately, the way an organization defines and deploys BISOs depends on how complex, risk-averse and regulated the business is.
The business case for a BISO
There’s no denying it: A disconnect often exists between IT/security teams and business management, and bridging that gap is an important skill. That’s the crux of the BISO’s role, say experts, and we’re starting to see more of these officers as the industry realizes that technological know-how alone is not always enough.
“Information security isn't really a technical discipline anymore; it's a risk management discipline,” said Nathan Wenzler, chief security strategist at Tenable, which commissioned the recently published Forrester research paper, “The Rise of the Business-Aligned Security Executive.”
“We're moving away a little bit from this idea that the security team is just made up of the people who install and manage firewalls. And now we're moving to this idea that the security team is helping us mitigate our loss from data breaches and intellectual property theft, and they're the ones who help advise us on where we can better mitigate risk,” Wenzler continued. “It becomes this business advisory role to take all that technical security information and translate it into something that is better and universally understood as a risk function to those areas of the organization that are concerned about risk.”
Indeed, the Forrester report – primarily based on an April 2020 online survey of 416 security executives and 425 business executives – revealed that business-aligned security leaders are eight times more likely than “their more siloed peers” to be highly confident in their ability to report on organizational security or risk.
Additionally, 85 percent of BISO-type security leaders say they have metrics for tracking the return on investment and business performance impact of cybersecurity projects, compared to just 25 percent of their more traditional, less business-inclined peers.
“That's a massive difference when you're trying to show value for something that's often seen as just pure overhead,” said Wenzler. “Because when you understand what matters to the business and align to that, suddenly you see … ‘I can provide value.’”
But wait. If that’s what a BISO does, shouldn’t CISOs already be doing this? Candy Alexander certainly thinks so.
“I would see it actually as a progression of maturity” of the CISO position, said Alexander, president of the International Systems Security Association (ISSA International), and CISO and security practice lead at NeuEon. “I think the CISO needs to grow up to be that BISO.”
“A lot of businesses are hiring… a technical CISO. That’s not what they need, that’s not what they want. They think they want that,” continued Alexander, who was recently named a 2020 SC Media Women in IT Security honoree. What they really want, she explained, is someone who understands business goals and says “no” to technology that doesn’t help achieve them. But those responsibilities should typically be within a CISO’s purview, not delegated elsewhere, she added. Otherwise, “We’re breaking our profession into many nuances and too many variables.”
On the other hand, asking a security executive to be both an adept technologist and a businessperson can be a tall order. “Everybody wants a unicorn,” said Wenzler. “Everybody wants the pen tester who can also deploy firewalls and can talk at conferences and can stand up in front of the board and explain why ROI happens, and they want all in one person. Good luck. If you know that person, let me know because we'll hire them.”
“If you can do that in one role, awesome. I totally support those CISOs who can do it both, and are really good at that,” Wenzler continued. “If you can't, or you don't have the skills in the organization, then it may make sense to have two people, or two different roles to handle that, or even distribute it to multiple roles.”
BISOs chime in
Branden Williams, director and senior vice president of cybersecurity and head BISO of the Americas region for Japanese banking and financial services company Mitsubishi UFJ Financial Group (MUFG), views CISOs and BISOs as very distinct roles.
“The CISO looks across the firm and builds the security function into the business, while the BISO represents the business back to the cybersecurity function,” said Williams. “Oftentimes we require a bit of translation to make sure that both sides can understand each other and have an advocate. That’s the BISO.”
In some companies, like MUFG, BISOs report directly to the CISO. In other cases, they’ll work closely with the CISO’s team, but instead report directly to a vice president or general manager. Such is the case for Beth Dunphy, BISO at IBM Security, the security software and services division of IBM.
“It’s a BISO’s role to work with the business unit leader and be accountable for that business’s security success,” said Dunphy. “BISOs must understand how the business operates and be able to understand how to improve security while reducing risk in that business.”
In many cases, Dunphy has taken corporate-mandated security standards, as well as governance and compliance requirements, and then built additional policies on top of those specifically for the IBM Security division, to account for "the different security expectations that we would encounter as we build products," compared to other divisions.
IBM introduced the role of BISO into its organization about five years ago, said Dunphy, and has more than a dozen across its organization, each handling a different area of the business such as Public Cloud and Watson Health. The scope and responsibility of the role have expanded over time, she added, as the company and the BISOs themselves gained more experience and understanding of what was required.
For smaller or medium-sized organizations, it’s not unreasonable to expect the CISO to fulfill BISO responsibilities, as Alexander suggested. But IBM’s multinational operations and organizational complexities serve as a clear example of why it may be too much to ask CISOs to be familiar with all aspects of the business.
“One single person at a corporate level who… needs to have their pulse on the execution of everything happening, day in and day out – security, risk, compliance implications – isn't feasible,” said Dunphy. “In any multinational or large company, there's certainly opportunity to have value from both a BISO and a CISO.”
Indeed, “BISOs make more sense in organizations that have specific business units that may have differing needs or client bases,” said Williams. “If the firm is sufficiently large to need that embedded [BISO role] in the business, then the role will flourish.”
BISOs can also prove useful in heavily regulated industries, Dunphy added, where you “need to have a security leader that is very familiar with the regulations, and the requirements of that industry.” If those requirements are not core to the business, then the CISO may not have a full appreciation for the particulars of the regulatory situation.
For the above reasons, certain business sectors in particular have gravitated toward the BISO position. Financial services is ahead of the curve when it comes to the maturation of the BISO role, Williams said, because firms tend to function as a collection of businesses with common customers, but differing operations, regulation and markets.
Wenzler cited the insurance industry as another example.
“They live in a risk world just by the nature of their business, so the idea of taking cybersecurity and making it as a risk management function makes sense,” he said.
Insurance firms sometimes myopically view cybersecurity as an overhead expense with no measurable ROI, Wenzler added. But “once you reframe it and say, ‘Well this [BISO] team is actually a risk management effort…in your organization,’ everything clicks; they get it.”
Wenzler said consulting firms are starting to hire BISOs as well, especially those offering outsourced, virtual CISO services. “A lot of the customers who engage in these services really want an understanding of risk in their environment,” he explained. “And so the consulting firms have also had to step up a little bit, and bring in people that aren't just technical implementers who can run a technical security team. They have to bring in a BISO-type role to run the effort.”
Dunphy said she’s also seeing the BISO title appear more frequently among executives in large manufacturing, industrial and automotive companies – and believes the pharmaceutical sector could adopt the trend as well.
A particular set of skills
So what skills make for the perfect BISO?
“What makes a good BISO is someone who can live in the business world while being a security professional,” said Williams. “If you cannot think like a business strategist while blue/red teaming, you may struggle as a BISO.”
In many ways Dunphy had the perfect background to take on her BISO role, with her career experience alternating between business and tech over her nearly 17 years with IBM.
“I wasn't ever purely technical or purely managerial,” said Dunphy. “I think that has well-positioned me for walking that balance between understanding and supporting our business and being able to understand the technology and more detailed aspects of what we're trying to secure.”
Before earning her BISO title, she was named program director, IBM CISO – Cybersecurity Technologies, during which time she led a tech program responsible for designing and deploying new enterprise security solutions across IBM’s corporate environments around the world.
"And now I'm back on the business unit side. I'm now a consumer of those CISO-shared services and driving the adoption and the execution within the [IBM Security] unit," Dunphy explained. "So I did get to see both sides and it was very enlightening to go to that corporate team and to see the diversity of needs and interpretations and implementations of the security programs, and then to now have the responsibility to implement it for our own IBM Security business as the BISO."
While knowledge of both business and technology is a major plus, in the end, is it better to hire someone who thinks technology first or business first?
Either can work, according to Wenzler, who said he's even seen auditors and lawyers ably fill the BISO role.
“They do have to kind of approach it backwards – they understand the risk concepts, but they don't understand the technology” in heavy detail. But they do need to dive into the technical specs when discussing cybersecurity initiatives with business leadership. They need to be able to explain why the asks of the CISO will help the bottom line and mitigate risk. “And that's where they can start to bridge that gap,” Wenzler said.
Indeed, that ability to translate tech speak into business speak requires one more key skill that is too often lacking – communication. “You're working with senior business leaders who are focused, rightfully, on the business at hand – making money, getting the products out the door, meeting our customers' needs,” said Dunphy. “You have to be able to effectively communicate [with] them on: Why security? Why compliance? Why privacy? Why do we need to manage risk?”