What is the BISO role and is it necessary?
Relatively new and somewhat controversial, the business information security officer, or BISO, acts as the CISO's tactical and operations-level ambassador to the business units.
In early 2020, as the recently appointed business information security officer at Canadian cable operator Cogeco Communications in Montreal, Manuel Chowrimootoo was eager to connect with others in the BISO role. But, when he attended his first RSA conference that March, he was disappointed. "Unfortunately, I could hardly find one," he said.
So, this year, Chowrimootoo took matters into his own hands, creating and leading an RSA conference session on the rise of the BISO. While hiring data is limited, anecdotally, the new security position seems to be making modest gains in the enterprise.
"It's a role we're hearing more about as IT becomes more distributed within the lines of business," said Doug Cahill, vice president and analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "There's a growing need to embed the CISO function inside the business units."
Typically, BISOs enact CISOs' high-level strategies on the ground, working to enable the business while mitigating cybersecurity risk. "The CISO interacts more with leadership at the strategic level," Chowrimootoo said. "In my role as BISO, I work at a tactical and operational level."
Proponents of the BISO role say it increases cybersecurity-business alignment, which research suggests significantly improves outcomes. According to a 2020 survey conducted by Forrester Consulting on behalf of vulnerability management vendor Tenable, for example, business-aligned security executives are eight times more likely to have high confidence in their internal security and risk assessments than their more tech-focused peers. In the same report, researchers found that organizations with strong security-business alignment are more than twice as likely to employ BISOs or similar executives.
What is the BISO role?
The BISO role is a senior cybersecurity leadership position intended to bridge the gap between security and business interests, with the BISO typically acting as the CISO's deputy to oversee strategy implementation at a granular level. In a large enterprise, multiple BISOs might be embedded across major business units or regional teams.
"In a past life, I was a BISO working with a single business unit," wrote Allan Alford, CISO and CTO at security performance management provider TrustMAPP, in a LinkedIn post. "I was the face of security for that [business unit]. I reported to the CISO all my commitments, plans and success tracking. I was a mini-CISO."
Now, as a CISO himself, Alford said he has several BISOs acting as his delegates throughout the organization. "I see my BISOs as an extension of me," he added.
Sometimes, a single BISO covers multiple lines of business. As the only BISO at Cogeco Communications, Chowrimootoo said he has a four-part mandate from the CISO to do the following:
- raise the cybersecurity program's profile within the organization;
- increase delivery of cybersecurity services internally;
- connect with business units, learn their needs and offer them technical and operational support; and
- organize and execute cybersecurity service delivery.
To meet these objectives, Chowrimootoo wears many hats, selling internal stakeholders on the cybersecurity function, advertising new service offerings, advising on technical issues and mediating among competing organizational priorities.
He also must frequently toggle between a wide- and narrow-angle lens. For instance, Chowrimootoo said he keeps a finger on the pulse of stakeholders "in the field," providing the CISO with real-world context that helps inform high-level strategy. He also spends time tackling practical concerns, such as the mechanics of the internal cybersecurity service request system. "We initially built a request form on an Excel sheet, but we quickly had to decommission it and move to a more user-friendly one with drop-down menus," he said.
In a single morning, Chowrimootoo might have back-to-back meetings with in-house legal counsel, the director of procurement, the network security team and a third-party vendor. "People skills are actually much more important in my role than technical skills because I coordinate with so many internal and external parties and so many different types of individuals," he added. "They all speak different languages, so I need to be able to speak security on their level."
A BISO building relationships and interacting with business stakeholders at the project level can also do a lot to improve the cybersecurity program's credibility, Cahill added. "There's a cultural dynamic where, if I have a BISO who is part of my team and understands our business objectives, I trust them more and know they're not going to slow us down," he said.
Because he is the liaison among so many disparate groups, Chowrimootoo added that one of his biggest initial challenges in the BISO role was getting the right people at the right meetings. "Sometimes, you will be in a meeting and realize, 'Had I known, I would have brought our network architect,'" he said. "Having the right people is key as it avoids delays."
In a much less common organizational model, a BISO might have a seat at C-level meetings and work parallel to, rather than downstream from, the CISO. In this case, the BISO's business acumen theoretically complements the expertise of a more technically minded CISO. This paradigm is controversial, however, as many experts argue that today's CISOs should themselves have both the technical and business expertise to align security and business objectives, without requiring the input of a specialized, business-oriented security peer.
Is the BISO role necessary?
"CISOs I talk to just laugh at the term BISO," ESG analyst Jon Oltsik said, adding that the best CISOs are themselves especially business-oriented. "They say, 'OK, so then what's my job?'" Elsewhere in the C-suite, no one calls a CFO a BFO, added Candy Alexander, CISO at IT services firm NeuEon in Newton, Mass., and president at Information Systems Security Association International. Similarly, as the senior-most security leader, the CISO's attention to the business should be implied and assumed, she added, making the BISO moniker both redundant and confusing.
"It all comes down to the cybersecurity profession's identity crisis," Alexander said. "Others in the business don't really understand our role, and now, here we are, our own worst enemy, complicating things even further by creating this new BISO title."
Yet, just 47% of security executives said they frequently consider business priorities when establishing cybersecurity agendas, according to Forrester Consulting. And the problem may start before a CISO even accepts a job, as many organizations persist in recruiting technologists rather than strategists to lead their security programs. "I see CISO job descriptions that are all about technology, but I can't tell you the last time I configured a firewall," Alexander said. "As a CISO, my job is strategy." Those who consider themselves "technical CISOs" rather than "business CISOs" should consider whether their work amounts to that of a C-level executive or perhaps is actually that of a chief security architect, she added.
While acknowledging CISOs' misgivings about the BISO role, Oltsik and Cahill argued that, in large, geographically distributed organizations, BISOs can help drive security into business processes, critical assets, sensitive data and employee roles at a granular level. Much like a COO responsible for executing a CEO's strategies, a BISO might play a critical role in turning a busy CISO's vision into reality on a day-to-day basis.
Alexander countered, on the other hand, that, in that case, a BISO amounts to little more than an information systems security officer or deputy CISO -- roles that have existed for years. "I just tossed out three job titles for a very similar position and therein lies cybersecurity's problem," she said. "That complexity makes it hard for businesses to understand what we do."