Rise of the BISO and what it says about IT Security
I have to admit, until very recently, I have never heard of a BISO (Business Information Security Officer), and the first time I came across this title, I was a little confused. I at first thought that it had something to do with physical security or maybe keeping business’ financially secure…and I was wrong. If (like me), you weren’t aware of what a BISO is, it is s a senior security leader assigned to lead the security strategy of a division or business unit. They act like a bridge between the centralized security function and the business. It appears at most companies this role acts like a deputy CISO, but not always.
I found this fascinating for what I think are all the wrong reasons, because I think it shows a problem in the information security field. I think that business’s needed to patch this foundational fault with a new role, show were we are failing. Let me make my case in two different parts. First there are no other parts of the information technology family that feels that need to have this type of role. You don’t find many companies with a Business Information Officer, as your traditional IT staff already serve for the business. Secondly, there aren’t any other C-level functions that need that same level of distinction, you don’t have a Business Finance Officer, or a Business Marketing Officer.
Don’t get me wrong, I’m not saying that some companies don’t need this, to fill a gap in their current organization. What does it say out IT Security as a whole, that we need a separate part to take business into account. It may be 100% in my background in that every position I have ever held, I took the business into all my decisions, and worked with units impacted to make sure things rolled out with as little issue as possible and even in meeting express their concerns. Even when I transitioned into IT Security, everything I did was weighed on the impact of the business as a whole. I work for the business, every decision should help the business, and where things needed to happen (like MFA for example), I took time to help the users understand and work through the new processes.
My frustration with this title, is that either directly or indirectly insinuate that information security isn’t integrated into the business functions and vice versa. Information Security is a tricky balancing beam, as you want to keep the business as safe as possible, with the risk as low as possible and sometimes the business processes can be reluctant for that kind of change. I will stand by that every level of IT, including security should have an active role in business operations and that it isn’t a one way street. Information Technology or Information Security, should not just dictate what is going to happen, they should actively solicit advice and comments from the business.
Every definition or description I see for the BISO roles, are ones that I honestly think that every IT if not Security person should have without having to add Business Infront of it. In my opinion you could have a deputy CISO or Information Security Officer doing that same role and not need to say it’s for the business, because any one else on that lateral level, I start to wonder who they serve, because it must not be the business.
I admit it nitpicky, but no other function needs to call out it’s for the business, and maybe there are roles like that, but I never came across them (like this one), but my gut reaction, is why do we need to call this out, and my fear that it makes Information Security seem like it doesn’t care about the business, so much so, they need a role where it does.