What does a business information security officer do?
For most cybersecurity professionals, striking a balance between adequate security and user productivity is a persistent challenge. The chief information security officer’s role is (CISO) to enable the business while also efficiently mitigating risk. In a growing number of organizations, they are accomplishing this critical goal, in part, with the support of business information security officers (BISOs).
According to data presented by Gartner at their 2020 Security and Risk Management Summit, the most effective CISOs are those who can execute on four key metrics: functional leadership, information security service delivery, scaled governance and enterprise responsiveness. However, “only 12% of CISOs excel in all four categories,” according to a survey by Gartner. This is one reason why many organizations are getting creative and adding BISOs to their security team.
What is a BISO?
A BISO is an up-and-coming job title within cybersecurity. Combined, LinkedIn and Glassdoor have more than 10,000 advertised BISO positions. The career path is also a high-paying one. Payscale ranks the average annual salary at $127,000 in the U.S.
The basic premise behind the BISO position lies with senior executives tasked with aligning business and cybersecurity needs for the line of business they serve. While nuances of the role vary depending upon the organization, it’s similar in scope to a divisional CISO but with a stronger emphasis on business, says Alyssa Miller, a BISO for S&P Global Ratings. Her role is to interface with business leaders and the organization’s centralized security function.
“My focus isn’t exclusive to security,” Miller explains. “It’s bridging the gap between security and the centralized CISO function. I bring the security initiatives and strategy [that come from the centralized CISO function] and build out how that applies within the context of our business.”
What does a business information security officer do?
Making the security policies that have been defined by the centralized CISO office meaningful within the business unit and applying them in a way that causes the least amount of friction is Miller’s focus. On the flip side, she also brings important business context to the centralized security team. Compliance requirements, instances of needed exceptions and other areas are all examples, she says.
Technologists vs. business strategists
How an organization chooses to structure its technology team varies widely, as does who it decides to hire. The BISO position is no exception. A common way large enterprises fill their C-suites is by appointing a chief information officer (CIO) or chief technology officer (CTO) and then adding a CISO who may report to that person. In this case, the CISO often works primarily as a technologist, tactically handling security incidents and, in some cases, working closely with chief digital officers or chief data officers on the security technologies necessary to protect the organization’s data.
Companies may find BISOs particularly helpful when this is the structure. As the CISO builds a centralized framework for a comprehensive organizational security strategy, the BISO can bring in-depth business unit knowledge to the security table. In this way, security can be a part of every new technology initiative rather than tacked on as an afterthought, which is how productivity is often negatively impacted by security.
Conversely, new security initiatives are most effective when they consist of both technology and process. BISOs implement the new technology, but they help define and then operationalize the processes as they work best within their business unit.
What skills are required for BISOs?
BISOs are senior leadership executives who have a strong cybersecurity background. Extensive knowledge across a broad spectrum of security risk and mitigation strategies is usually required for the position. As is the case with most cyber jobs, a computer science college degree or specific certifications aren’t a blanket requirement, but the information gained through these avenues is always helpful. For a well-rounded technical understanding, these certifications offer a strong foundation:
- (ISC)² Certified Information Systems Security Professional (CISSP) demonstrates a broad understanding of existing and emerging cybersecurity threats and how to prevent them from impacting an organization.
- ISACA CRISC and CISM certifications validate a strong understanding of risk management and skills in assessing and overseeing an enterprise’s information security.
- CompTIA Security+ validates baseline skills required to perform core security functions and pursue a career in information security.
As Miller describes in her What is a BISO blog, enabling and influencing business is critical. Understanding the inner workings of their unit and its needs is key, as is an ability to communicate those needs up through the leadership ranks. This is why the executive presence and influencer leadership are also essential for successfully navigating the BISO role, Miller writes.
In some instances, BISOs go on to serve as CISOs, given their extensive technical and business acumen. These senior leadership positions aren’t a starting point in cybersecurity careers, rather a culmination of training and experience with security approaches and business needs.
To learn more about outlining a successful career path in the field, watch the Cyber Work Podcast, How to pick your cybersecurity career path with Alyssa Miller.
- What are the habits of highly effective CISOs?, Computer Weekly
- Gartner Survey Reveals Only 12% of CISOs Are Considered “Highly Effective,” Gartner
- Average BISO salary, Payscale