Who is in charge of information systems security for the business?

Much has been said about the role of the CISO, but today's CISO can't do it alone. She needs a cast of managers to execute her myriad responsibilities; a trusted inner circle of governors, an Avengers team properly assembled. TISOs and BISOs fill out the senior ranks for effective security governance in large organizations. Read on to discover the role BISOs play and how you can become one!

As information security continues to evolve to meet both the cyber threats we face as well as the business needs of our organizations, new types of leadership roles are emerging. Even the traditional "governance, risk, and compliance" roles - known as GRC - are experiencing a type of renaissance that goes beyond their original boundaries. The hiring boom of security executives into the Chief Information Security Officer (CISO) role has helped to stand up proper security programs across the global private and public sector landscape, but CISOs quickly become overwhelmed with the myriad of tasks expected of them: security operations and threat intelligence, understanding the various business verticals and risks associated with delivering value, communicating risks and outcomes to other executives and the board... a CISO needs a staff of both technical and business-minded folks to cover down on all of these functions.

Thus, many organizations are employing information security officers, who are loosely defined as senior-level professionals operating in leadership roles or high positions of trust within the security organization. Many don't realize that there are several "types" of ISOs:

  • The Chief Information Security Officer (CISO) is the executive in overall charge of information security. This is the most recognized and discussed role, and for good reason -- getting the right fit for the CISO role sets the tone for the organization's entire security strategy.
  • The Technical Information Security Officer (TISO) role can have many titles (Tech Director, Executive Director, Deputy CISO, etc.) but will generally be responsible for technical security controls and network security operations - the "blocking and tackling" of cybersecurity.
  • The Business Information Security Officer (BISO) blends business and security acumen to best align information security strategy, policies, and operations to customer-facing business activities. They have a foot in both business administration and IT security disciplines and ensure information security is a fundamental business requirement.

This article focuses on the BISO, and when I mentor up-and-coming professionals I get asked "what the heck is a BISO?" quite a lot! A BISO must wear many hats: liaison, trusted advisor, special projects lead, security engineer, and risk manager... the list could go on, and that makes the BISO a unique and challenging role for a senior security practitioner. I've been fortunate to find myself in a BISO role following my active duty naval career and found a deep affinity for the role. Here are a few impressions after my first year on the job that I'd like to share with the community.

BISOs Within your Organizational Structure

The Business Information Security Officer is a versatile role and can serve the needs of the business in several organizational structures. Below are three common examples:

In a functional structure, the BISO reports directly through the security department. Here, BISOs are aligned to business portfolios or product lines but have a direct-report line to the CISO. A BISO in this structure best serves the business by acting as a trusted advisor to both the business leaders of their portfolio and the CISO, and as a security liaison to portfolio managers and delivery experts. Notice that the chief deputy to the CISO is the Technical Information Security Officer, or "TISO." I made the case for a technical director in my 2019 Pulse article "The CISO Dream Team," and I'm pleased to see this role more defined in recent years.

In a market-based structure, the BISO is removed from the security department and shifts their direct-report line to divisional leadership, with a "dotted line" relationship with the security department and CISO. BISOs in this structure benefit from directly supporting business operations and integrating themselves into delivery or product lines of effort and also act as (somewhat) independent expert advisors to the CISO.

A matrix structure offers the most complex, disaggregated business operations for security, and arguably the most challenging. Think of a hospital with several departments, each run by its department head as a semi-autonomous clinic. The leaders of these product lines wield a lot of organizational authority; planting a BISO within the services component (which may also replicate some IT and security functionality) of each product line ensures BISOs are steeped in that line's unique operational challenges.

In all structures above, one of the most important aspects is ensuring the BISOs balance the needs of the business with good security practices. It doesn't do the organization any good for the BISO to "go native" or otherwise prioritize one over the other. This erodes trust and confidence in the BISO's judgment and ability to "speak truth to power." Regardless of what structure makes sense, a BISO in a large enterprise offers exceptional advisory value within a single full-time role, especially in periods of rapid growth.

What makes a good BISO?

Just being technically proficient isn't enough; a BISO must be an expert communicator, well versed in business administration, a fast learner, and able to translate tech-to-business. For a business manager, they are the "Rosetta Stone" that translates what security means for the business and the client. And for the CISO, they are the eyes, ears, and sometimes mouth of the security department to client-facing teams, providing much-needed visibility and risk management oversight when necessary. I've compiled a few suggestions based on my own lessons learned:

Ask the right questions. A book by the same name was a required textbook for MBA students of the University of Maryland Global Campus while I attended, and it features prominently on my bookshelf today. Critical thinking is a staple, dare I say a primary skill, of senior information security managers; a BISO must be naturally curious, even a little suspicious of everything taken at face value, and able to get below the surface of a problem or request.

Be an information broker. To me, this means adopting a researcher's mindset, particularly when resolving problems. I hoard references, working notes, and lessons learned, and make a habit of sharing those with others when it's appropriate and most relevant. You don't have to have all the answers, but you do need to know where to find them, and who should be looped into a problem to best resolve it. Sometimes asking for help and bringing in other expertise is the answer, too!

Be biased towards action ("Audentes Fortuna Juvat"). This Latin phrase is popular amongst military units, and translates to "Fortune Favors the Bold." BISOs are delegated authority by senior management for a reason -- their expertise and judgment are depended upon to support risk decisions and, in many cases, speak for the CISO or senior business executives. While many security professionals have an active case of "imposter syndrome," that cannot get in the way of trusting our own judgment and decisions. For me, that means making sure I can justify my actions and back up my decision-making with authoritative references.

Seek harmony in conflict! If there's any constant for senior leaders, it's having your decisions challenged. BISOs need conflict resolution skills, and the ability to seek unemotional resolutions to challenges that find consensus and bring people to the table to find common ground. There may be times where the right answer for security doesn't mean the right answer for the business as a whole... or vice versa (and most conflict erupts when security MUST override business desire, such as when legal and regulatory compliance are in question).

How can I become a BISO?

When mentoring others on their infosec journey, I've often stressed that what makes anyone successful in this community is the balancing of three lines of effort: education, certifications, and experience.

BISOs should possess an educational background that blends business and science, and there are many degree paths that get you there: Information Technology Management, Cybersecurity Policy and Management, and Business Administration with a Cyber/IA focus are degree plans available at many major public or private universities across the globe, and will give you a solid foundation for understanding IT and cybersecurity concepts with a business mindset.

Certifications are the "licenses" of the information security world (without the regulation). A successful BISO candidate should focus on senior-level certifications that blend technical and business acumen (are you seeing a trend here?): CISSP, CISM, and CRISC are three certifications that are most common. CISSP concentrations in architecture (ISSAP), engineering (ISSEP), or management (ISSMP) can also hold weight and set you apart from other CISSP holders but are likely not prerequisites to landing the role. Certs can generate some controversy in the security world, but I like them for what they do best: provide a verifiable baseline for your skill level. A reliable starting point and assurance to a recruiter or hiring authority that the hard skills are there.

Source: (ISC)2 Cybersecurity Workforce Study, 2021, p. 12, available at https://www.isc2.org/Research/Workforce-Study

Yet there are a lot of mid to senior-career professionals out there still on the job hunt, with the education, credentials, and experience on their resume to prove their worth. Where is the real discriminating factor? Many hiring authorities will tell you that they place a premium on those ill-defined "soft skills"... the right candidate just "feels right" and gets the offer. I believe the reason is that, at the senior levels of the security profession, organizations consider many of them hybrid roles - blending a desire for soft skills, analysis, and management know-how with technical skills and experience - despite technical titles like "senior security engineer" or "managing security architect." You can learn more about hybrid skills in this excellent 2019 Burning Glass Technologies report: "The Hybrid Job Economy: How New Skills are Rewriting the DNA of the Job Market."

An up-and-coming security professional who desires to become a BISO, and eventually CISO, would be wise to pursue a hybrid-skills model in their professional development.

The best part, though, is career paths aren't set in stone, and BISOs shine when they demonstrate a diverse background. Just like CISOs, business managers who have become versed in information security concepts can become excellent security executives, especially with the knowledge of business governance, risk (not just information risk), and compliance (applicable business laws and ethics, going beyond just security frameworks). With the right strategic approach to your professional growth and development, the BISO role is achievable, very rewarding, and a proven path to the CISO chair if one so desires.

_____________________________________

Travis is a certified information systems security management professional with over 20 years in the field. He is a retired U.S. Navy information warfare officer with extensive operational experience as a military IT/cybersecurity leader at sea and ashore during the global war on terrorism and now works as a business information security officer in the private sector. You can view his writing portfolio at travishowardauthor.com, and you may also like his other popular Pulse articles:

CISO: Everything was on fire when I got here

Fighting the ‘Culture of No’

A Sea Story about Trust in Leadership

Three Reasons why Vets are uniquely suited to run your Cybersecurity Program