Back in 2012, Security Innovation wrote about what – at the time – was a relatively new C-Level role dubbed Chief Information Security Officer. In the introductory blog post, the author attempted to explain this multifaceted role by suggesting that someone in that position could approach their work in one of several ways: most tended to fall into the category of either a technical-focused CISO or a policy-focused CISO.
These approaches, referred to as TISO (“Technical Information Security Officer”) and BISO (“Business Information Security Officer”) respectively in the piece, were presented less as disciplines in their own right and more as ways to define approaches to the CISO role. It was as though how one approached the job was kind of up to the individual, but at the end of the day, they had to bear the responsibility of all technological security concerns, from anticipating problems to implementing solutions to educating and aligning internal teams.
For anyone who came of age professionally in the late ’90s and through the 2000s, what happened in the ensuing years after Security Innovation’s post should come as no surprise. Technological advancements would often start out clearly siloed and distinct before becoming gradually ingrained into every level of an organization’s business – in fact, becoming key to the company’s overall business growth.
So, the suggestion that a CISO could be a TISO or a BISO has now become: Is it time for a dedicated BISO?
Evolving to the BISO
To clearly define the BISO’s role, it’s important to know how it evolved. Going back 20 or 30 years, the first real C-Level title to grow out of the IT space was the CIO. This was an executive who had to balance technical expertise with the ability to elevate and communicate the organization’s tech needs to the CFO. Out of that role emerged the CISO, which focused on technological innovation and communication in terms of security – but usually with a similar task of convincing top-level stakeholders that investment in security was necessary to the health of their business.
A 2021 study conducted by PwC found that 50% of CISOs surveyed said they are now more likely to consider cybersecurity in every business decision, which was an increase from 25% the year before. On top of that, an overwhelming 96% said they will adjust their cybersecurity strategy due to COVID-19. And it doesn’t require a leap to make the connection between these stats and the rise and increased visibility of the BISO.
“The role was born out of necessity,” says CyberArk Strategy and Corporate Development Associate Lex Register. “It’s probably impossible for a leader in IT security to just bolt on business skills. A lot of organizations are seeing that you need a bridge – you need someone who can talk to both sides.”
If more CISOs were seeing the importance of making cybersecurity a part of every business decision, the security concerns raised by the increase in remote work and at-home “device hopping” due to the pandemic have only further crystallized the idea that this “bridge” role was a necessary evolution and a discipline in its own right.
“They can’t just talk tech anymore,” says Register. “They have to put into business terms why the investments they’re making on the security side are needed.”
As writer and security advocate Alyssa Miller writes, “BISOs work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements.” To put it another way, rather than expecting a CISO to suddenly adopt business jargon, the BISO would – ideally – have experience on both sides to be able to smoothly translate concerns, solutions and responses in a language that speaks to both groups.
A New Multitool Player Mashup
The SolarWinds attack at the end of 2020 was seen by many in cybersecurity. It’s the type of event that sends ripple effects through nearly every industry, causing a widespread reevaluation of what organizations are doing to increase security, which partners they’ll do business with and what kind of people they need in place internally to help defend against attacks. It’s also, in turn, paved the way (albeit with some fairly treacherous asphalt) for more BISOs.
A search of BISO job listings these days brings up terms not often associated with any technical position, much less upper-level technical positions – things like “creative problem solving” and “influencing company culture.” This is because BISOs do more than just address security issues; they must be the tip of the spear when it comes to cultivating a security-aware culture. It’s almost equal parts tech, business and public relations. Yes, PR – it seems the BISO could be considered a Swiss Army knife role.
As so many incidents like the SolarWinds breach have shown, cybersecurity threats still thrive most effectively on human error. A BISO has to be creative, and almost think like a PR strategist (or even an HR rep) – finding engaging ways to influence leadership and build awareness that security is just as much the employees’ job as it is that of the IT department. Register describes BISOs sending out fake company-wide emails with phony phishing links in them to reinforce employee awareness – and whoever takes the bait and clicks receives a reminder to be more careful or follow-up cybersecurity training.
A BISO may also be called upon to interact with marketing and corporate communications, bringing their research into potential attack vectors, typical points of vulnerability and unique understanding of the “attacker mindset” to the fore to guide organizations that are increasingly touting cybersecurity as a competitive advantage in the marketplace. The BISO can help shape the conversation not only to strengthen the infrastructure behind the claim internally, but to ensure clear and effective information about a company’s cybersecurity efforts is also conveyed to the customer.
While the CISO is focused on getting executive support for critical security initiatives, the BISO is working in tandem to creatively educate leadership and non-technical employees about the importance of these initiatives.
Infusing Creativity into Cybersecurity Roles
Perhaps the biggest and arguably most impactful change to come out of the increased visibility of the BISO role is a rethinking of cybersecurity roles through the prism of creativity. People in IT roles are rarely afforded the time to think creatively. Allowing a BISO the time to research, network and experiment – even if the end result isn’t highly visible across an organization – will ultimately have a much more positive impact on your organization’s overall security. That’s because a BISO must anticipate new security threats. They know how attackers think, so they need to stay a few steps ahead, and this is only possible if they’re allowed that space.
“A lot of the job is managing internal and external relationships, talking with vendors and finding out what’s the newest, greatest stuff out there,” says Register. “It’s part internal execution and part pure exploration.”
To use the insurance analogy, cybersecurity is doing its job when you don’t know it’s there. And when BISOs are doing their jobs, you don’t see them as singularly focused – they are strategic resources who can appreciate the speed it takes to innovate, without sacrificing security and raising overall organizational risk. They are in every room, in every conversation, helping every stakeholder understand that security is a top-down responsibility. The evolution has been relatively slow when you consider the speed at which other aspects of technology have grown, but it has been steady. Recent events have pushed these ideas to the forefront, and as perceptions change, roles are more clearly defined and more creativity enters the mix – the result is stronger, more agile cybersecurity.
So, yes – now is the time for a dedicated BISO.