What does a business information security officer do?
For most cybersecurity professionals, striking a balance between adequate security and user productivity is a persistent challenge. The chief information security officer’s role is (CISO) to enable the business while also efficiently mitigating risk. In a growing number of organizations, they are accomplishing this critical goal, in part, with the support of business information security officers (BISOs).
According to data presented by Gartner at their 2020 Security and Risk Management Summit, the most effective CISOs are those who can execute on four key metrics: functional leadership, information security service delivery, scaled governance and enterprise responsiveness. However, “only 12% of CISOs excel in all four categories,” according to a survey by Gartner. This is one reason why many organizations are getting creative and adding BISOs to their security team.
FREE role-guided training plans
What is a BISO?
A BISO is an up-and-coming job title within cybersecurity. Combined, LinkedIn and Glassdoor have more than 10,000 advertised BISO positions. The career path is also a high-paying one. Payscale ranks the average annual salary at $127,000 in the U.S.
The basic premise behind the BISO position lies with senior executives tasked with aligning business and cybersecurity needs for the line of business they serve. While nuances of the role vary depending upon the organization, it’s similar in scope to a divisional CISO but with a stronger emphasis on business, says Alyssa Miller, a BISO for S&P Global Ratings. Her role is to interface with business leaders and the organization’s centralized security function.
“My focus isn’t exclusive to security,” Miller explains. “It’s bridging the gap between security and the centralized CISO function. I bring the security initiatives and strategy [that come from the centralized CISO function] and build out how that applies within the context of our business.”
Making the security policies that have been defined by the centralized CISO office meaningful within the business unit and applying them in a way that causes the least amount of friction is Miller’s focus. On the flip side, she also brings important business context to the centralized security team. Compliance requirements, instances of needed exceptions and other areas are all examples, she says.
Technologists vs. business strategists
How an organization chooses to structure its technology team varies widely, as does who it decides to hire. The BISO position is no exception. A common way large enterprises fill their C-suites is by appointing a chief information officer (CIO) or chief technology officer (CTO) and then adding a CISO who may report to that person. In this case, the CISO often works primarily as a technologist, tactically handling security incidents and, in some cases, working closely with chief digital officers or chief data officers on the security technologies necessary to protect the organization’s data.
Companies may find BISOs particularly helpful when this is the structure. As the CISO builds a centralized framework for a comprehensive organizational security strategy, the BISO can bring in-depth business unit knowledge to the security table. In this way, security can be a part of every new technology initiative rather than tacked on as an afterthought, which is how productivity is often negatively impacted by security.
Conversely, new security initiatives are most effective when they consist of both technology and process. BISOs implement the new technology, but they help define and then operationalize the processes as they work best within their business unit.
What skills are required for BISOs?
BISOs are senior leadership executives who have a strong cybersecurity background. Extensive knowledge across a broad spectrum of security risk and mitigation strategies is usually required for the position. As is the case with most cyber jobs, a computer science college degree or specific certifications aren’t a blanket requirement, but the information gained through these avenues is always helpful. For a well-rounded technical understanding, these certifications offer a strong foundation:
- (ISC)² Certified Information Systems Security Professional (CISSP) demonstrates a broad understanding of existing and emerging cybersecurity threats and how to prevent them from impacting an organization.
- ISACA CRISC and CISM certifications validate a strong understanding of risk management and skills in assessing and overseeing an enterprise’s information security.
- CompTIA Security+ validates baseline skills required to perform core security functions and pursue a career in information security.
As Miller describes in her What is a BISO blog, enabling and influencing business is critical. Understanding the inner workings of their unit and its needs is key, as is an ability to communicate those needs up through the leadership ranks. This is why the executive presence and influencer leadership are also essential for successfully navigating the BISO role, Miller writes.
In some instances, BISOs go on to serve as CISOs, given their extensive technical and business acumen. These senior leadership positions aren’t a starting point in cybersecurity careers, rather a culmination of training and experience with security approaches and business needs.
To learn more about outlining a successful career path in the field, watch the Cyber Work Podcast, How to pick your cybersecurity career path with Alyssa Miller.
What should you learn next?
Sources
- What are the habits of highly effective CISOs?, Computer Weekly
- Gartner Survey Reveals Only 12% of CISOs Are Considered “Highly Effective,” Gartner
- Average BISO salary, Payscale
In this Series
- What does a business information security officer do?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity