Demystifying the BISO Role
The role of Business Information Security Officer, or BISO, is becoming more prevalent in security organizations, and more security leaders and professionals are asking what the role does, if it’s a fit for their organization, and if it makes sense as a next step in their career paths.
In this blog post we’ll discuss what a BISO is and how the role supports the Chief Information Security Officer and the security organization. Next, we’ll discuss the types of organizations the role fits well with. Finally, we’ll dive into what both the day-to-day work and the career path of a BISO can look like.
What is a BISO?
The Business Information Security Officer is a senior security leader responsible for managing the security posture, strategy and security relationships of a business segment or unit. BISOs are the bridge between their centralized security organization and the business they support.
On that bridge, the BISO represents security to the business by communicating and driving adherence to requirements and policies, and by providing both strategic and tactical security perspective and expertise. They also represent the business’ needs back into the security organization, sharing and driving action to resolve the challenges, concerns, and issues that the business has while trying to implement secure solutions. The BISO is the center of a flywheel of continuous improvement between security and their business segment and is a catalyst for improved partnerships and ways of working.
What does a BISO’s day look like, and how is it challenging? BISOs work up and down the “Organizational Stack” doing strategic work such as planning the security strategy for major business initiatives and working with executive leadership to understand security pain points. They also engage in tactical work including capturing security exceptions and hunting for signs of misconfiguration or bad practice throughout their business line’s attack surface.
These broad responsibilities mean that a day in the life of a BISO can vary significantly, which adds to both the joy and the challenge of the work. A new BISO can be overwhelmed by the variety of the work and forget to deliver on the key drivers of success. It is critical for the BISO’s leaders - both in their business segment and in their security organization - to clearly define strategic success criteria for the role, and to provide a means of measuring how well the BISO is achieving those stated goals.
Is the BISO role right for my company?
The BISO role is valuable in large organizations with a centralized security function that serves multiple business units or segments.
Centralized security organizations create high-level policies that apply broadly across the business and tend to measure the security posture of the organization as if it were a homogeneous unit.
This can lead to frustration at the individual business unit level, where it can be difficult to understand the applicability or impact of a given policy to their unique ways of delivering value. At its worst, the business can feel that security “doesn’t understand” them and is a roadblock, driving behaviors that skirt around security and leave the organization as a whole more vulnerable.
The BISO helps security leadership untangle individual business segments from the whole, helps clarify and translate top-level policy into meaningful guidelines for the individual business unit, and helps the security organization and the business segment partner to create value.
The BISO can also be valuable in smaller but highly complex organizations, such as firms that serve a portfolio of companies across multiple geographic regions or verticals. This type of organization is often subject to regional or country-specific regulation that can be costly to implement and even costlier if not implemented properly.
The BISO in this organizational context can help its security and business leadership understand when and where certain regulations are truly applicable and can drive the work needed to ensure the business remains compliant and secure.
Where can the BISO role take me?
The BISO role offers many future opportunities to its practitioners due to its responsibility to understand and influence both business and security leadership. Its unique position between organizational archetypes with often competing interests helps to grow the BISO’s strategic vision, cross-organizational communication skills and ability to drive outcomes through negotiation and building mutual understanding.
These skills are often associated with senior leadership, particularly the CISO role. This is why former BISOs like Allan Alford (now a CISO) refer to the BISO position as that of a “mini CISO.”
The unique organizational position the BISO fills can also be a stepping stone for current Chief Information Security Officers interested in moving to a larger company or in switching industries altogether. They can gain valuable insight into the inner workings of their new industry that will quickly prepare them to take on the role of CISO in the future.
The future of the BISO Role
The future of the BISO role is bright and is being driven by organizations’ growth in size and complexity. Increasing demand for digital transformation, cloud and AI/ML talent will continue to create demand for this role, for which LinkedIn shows 505 available job openings, and growing. If you’re interested in a strategic role that will give you the opportunity to grow broadly as a security professional, consider finding a BISO role - or even building a BISO program in your current organization!
Where can I learn more?
Interested in learning more about the BISO role?
Have a look at my blog post “Getting Started as a BISO” which describes the common skillsets of successful BISOs and provides a path to success in your first 90 days in the role.
Also check out my podcast episode for the RSA Conference where I co-host with Cloud Security Podcast host Ashish Rajan to discuss “The Cloud First BISO.”