As the business world fully embraces the necessity of cybersecurity, a new dilemma has emerged: how to bridge the gap between business leaders and cyber professionals. It's becoming increasingly clear that boards need to address cyber threats themselves, rather than just leaving them to the IT department.
When cyber and business are effectively integrated, cyber can become a very powerful business enabler. However, when the C-suite and the chief information security officer are on different wavelengths, there's great potential for disaster, as we've seen in recent shareholder derivative suits against corporate boards for outsourcing data breach protection.
What BISOs bring to the table
This has led some companies to develop a new position: Business Information Security Officer, or BISO. A CEO runs the company, but may not have a technical understanding of the cybersecurity tools their company uses. Likewise, CISOs are heavily involved in the technical and tactical implementation of cyber solutions, but may or may not have a good understanding of the overall business strategy.
The BISO has emerged as a way to bridge this gap. In many organizations, the BISO reports to the CISO but has a foot in multiple teams. Think of a BISO as a liaison between business leadership and the security department: they help the IT team understand the goals of the organization while at the same time working with the CEO to properly evaluate cyber concerns.
This understanding helps cybersecurity professionals better pursue technology solutions that support the rest of the business and better manage and mitigate risks accordingly. When I was the Global CISO at Comcast, I instituted the BISO position. It was critical that this individual had a sense of why we were securing the business. In other words, how did security directly impact the company’s goal of increasing sales and market share, as well as profits and future growth?
If companies don't understand what they are securing from a business perspective, how can they make a proper risk-based analysis? The goals of the cyber team need to align with the business objectives, and BISOs are in a unique position to help the two distinct teams see eye to eye.
BISOs translate business objectives for tech teams to help guide their decision-making. Implementing security solutions incorrectly can have wide-ranging impacts across the rest of the company. Understanding what they're protecting, and the potential risks involved, helps CISOs and their teams make better decisions for the improvement of the whole organization. The BISO needs to take the guidance and priorities from leadership and translate them into terms the CISO and security teams can act on.
The elements of an effective BISO
The best BISOs are flexible thinkers who are capable of understanding both business and technical terms and translating one into the other. A lack of common vocabulary between CEOs and CISOs can make technical decisions much more difficult, but a BISO can lessen that stress by helping each department understand the other. They also need to make the complex simple, as technology constantly evolves and can be very complicated. BISOs need to help CEOs understand the decisions they're making from a technology standpoint, as well as offer possible solutions to issues the company faces.
BISOs are by no means a replacement for CISOs; they're most effective when the CISO uses them to ease the friction that commonly develops between technology teams and leadership. The CISO still needs to stay closely tied into the rest of the executive team, but a BISO can free up the CISO to research and implement innovative technology solutions.
Companies with BISOs
A quick search on Glassdoor indicates that plenty of big-name enterprises have recognized the need for BISOs and have incorporated them into their leadership team. These companies include:
- Charles Schwab
- National Grid
Clearly, there's something to the idea of using a BISO. Given the dynamic and ubiquitous importance of cybersecurity to business operations, neither the CEO nor the CISO has the time or the knowledge base to effectively blend business and tech alone. The BISO can bridge that gap and align a company's efforts for maximum effectiveness.
Myrna Soto, chief strategy and trust officer, Forcepoint