[BreachExchange] Why the BISO May Be the Utility Player Your Org Needs Now

Destry Winant destry at riskbasedsecurity.com
Mon Mar 15 10:40:23 EDT 2021


Back in 2012, Security Innovation wrote about what – at the time – was
a relatively new C-Level role dubbed Chief Information Security
Officer. In the introductory blog post, the author attempted to
explain this multifaceted role by suggesting that someone in that
position could approach their work in one of several ways; most tended
to fall into one of two categories: the technically focused CISO or
the policy-focused CISO.

These approaches, referred to as TISO (“Technical Information Security
Officer”) and BISO (“Business Information Security Officer”)
respectively in the piece, were presented less as disciplines in their
own right and more as ways to characterize approaches to the CISO role.
It was as though how one approached the job was up to the individual,
but at the end of the day, they had to bear responsibility for all
technological security concerns, from anticipating problems to
implementing solutions to educating and aligning internal teams.

For anyone who came of age professionally in the late ‘90s and through
the 2000s, what happened in the ensuing years after Security
Innovation’s post should come as no surprise. Technological
advancements would often start out clearly siloed and distinct before
becoming gradually ingrained into every level of an organization’s
business – in fact, becoming key to the company’s overall business

So, the suggestion that a CISO could be a TISO or a BISO has now
become: Is it time for a dedicated BISO?

Evolving to the BISO

To clearly define the BISO’s role, it’s important to know how it
evolved. Going back 20 or 30 years, the first real C-Level title to
grow out of the IT space was the CIO. This was an executive who had to
balance technical expertise with the ability to elevate and
communicate the organization’s tech needs to the CFO. Out of that role
emerged the CISO, which focused on technological innovation and
communication in terms of security – but usually with a similar task
of convincing top-level stakeholders that investment in security was
necessary to the health of their business.

A 2021 study conducted by PwC found that 50% of CISOs surveyed said
they are now more likely to consider cybersecurity in every business
decision, up from 25% the year before. On top of that, an overwhelming
96% said they will adjust their cybersecurity strategy due to
COVID-19. It doesn’t require a leap to connect these statistics with
the rise and growing visibility of the BISO.

“The role was born out of necessity,” says CyberArk Strategy and
Corporate Development Associate Lex Register. “It’s probably
impossible for a leader in IT security to just bolt on business
skills. A lot of organizations are seeing that you need a bridge – you
need someone who can talk to both sides.”

If more CISOs were already seeing the importance of making
cybersecurity part of every business decision, the security concerns
raised by the increase in remote work and at-home “device hopping”
during the pandemic have only further crystallized the idea that this
“bridge” role is a necessary evolution and a discipline in its own
right.

“They can’t just talk tech anymore,” says Register. “They have to put
into business terms why the investments they’re making on the security
side are needed.”

As writer and security advocate Alyssa Miller writes, “BISOs work
closely with the CISO and business leaders to make sure that corporate
security objectives are treated as business requirements.” To put it
another way, rather than expecting a CISO to suddenly adopt business
jargon, the BISO would – ideally – have experience on both sides to be
able to smoothly translate concerns, solutions and responses in a
language that speaks to both groups.

A New Multitool Player Mashup

The SolarWinds attack disclosed at the end of 2020 was closely watched
by many in cybersecurity. It’s the type of event that sends ripple
effects through nearly every industry, causing a widespread
reevaluation of what organizations are doing to increase security,
which partners they’ll do business with and what kind of people they
need in place internally to help defend against attacks. It has also,
in turn, paved the way (albeit with some fairly treacherous asphalt)
for more BISOs.

A search of BISO job listings these days brings up terms not often
associated with any technical position, much less upper-level
technical positions – things like “creative problem solving” and
“influencing company culture.” This is because BISOs do more than
address security issues: they must be the tip of the spear when it
comes to cultivating a security-aware culture. It’s almost equal parts
tech, business and public relations. Yes, PR – the BISO could fairly
be considered a Swiss Army knife role.

As so many incidents, the SolarWinds breach among them, have shown,
cybersecurity threats still thrive most effectively on human error. A
BISO has to be creative, and almost think like a PR strategist (or
even an HR rep) – finding engaging ways to influence leadership and
build awareness that security is just as much the employees’ job as it
is the IT department’s. Register describes BISOs sending out
simulated company-wide phishing emails with harmless decoy links to
reinforce employee awareness – and whoever takes the bait and clicks
receives a reminder to be more careful or follow-up cybersecurity

A BISO may also be called upon to interact with marketing and
corporate communications, bringing their research into potential
attack vectors, typical points of vulnerability and unique
understanding of the “attacker mindset” to the fore to guide
organizations that are increasingly touting cybersecurity as a
competitive advantage in the marketplace. The BISO can help shape the
conversation not only to strengthen the infrastructure behind that
claim internally, but to ensure that clear and accurate information
about a company’s cybersecurity efforts is also conveyed to the
customer.

While the CISO is focused on getting executive support for critical
security initiatives, the BISO is working in tandem to creatively
educate leadership and non-technical employees about the importance of
these initiatives.

Infusing Creativity into Cybersecurity Roles

Perhaps the biggest and arguably most impactful change to come out of
the increased visibility of the BISO role is a rethinking of
cybersecurity roles through the prism of creativity. People in IT
roles are rarely afforded the time to think creatively. Giving a BISO
the time to research, network and experiment – even if the end result
isn’t highly visible across an organization – will ultimately have a
far more positive impact on your organization’s overall security.
That’s because a BISO must anticipate new security threats. They know
how attackers think, so they need to stay a few steps ahead, and this
is only possible if they’re allowed that space.

“A lot of the job is managing internal and external relationships,
talking with vendors and finding out what’s the newest, greatest stuff
out there,” says Register. “It’s part internal execution and part pure

To use the insurance analogy, cybersecurity is doing its job when you
don’t notice it’s there. And when BISOs are doing their jobs, you don’t
see them as singularly focused – they are strategic resources who can
appreciate the speed it takes to innovate without sacrificing security
or raising overall organizational risk. They are in every room, in
every conversation, helping every stakeholder understand that security
is a top-down responsibility. The evolution has been relatively slow
when you consider the speed at which other aspects of technology have
grown, but it has been steady. Recent events have pushed these ideas
to the forefront, and as perceptions change, roles become more clearly
defined and more creativity enters the mix – the result is stronger,
more agile cybersecurity.

So, yes – now is the time for a dedicated BISO.

More information about the BreachExchange mailing list