A new role for the cybersecurity industry: the Business Information Security Officer (BISO)

Traditionally, those working in the cybersecurity industry have been technically savvy and laser-focused on tools and solutions. At a time when the whole enterprise – all its data and all its people – were safely housed in a corporate office and on the corporate network, this worked fine.

However, that paradigm was starting to shift with digital transformation prior to 2020 and now the COVID-19 crisis has blown it out of the water, with the fresh complications it has brought around assessing and balancing risk.

The mass shift to remote working has introduced the unmanaged security risks of the remote working environment, from unsecured networks to using unsecure personal devices to access corporate systems. At the same time, cybercriminals have been refusing to rest on their laurels – with phishing attacks up more than 667% in the first half of this year.

In addition to this, data breaches can have significant consequences for all organisations and research shows that the average cost of a breach is US $3.92 million. And this cost can not only include significant fines, but also lost revenue, brand trust, and Intellectual Property that can irrevocably impact an organization’s competitive advantage.

Ensure you have cybersecurity warriors who know the business inside out

These enhanced risks mean it’s critical to ensure the cybersecurity personnel within your company understand how your business operates in order to understand how best to protect it.

Our recent research found that 63% of cybersecurity “leaders” report that a lack of common vocabulary between CEOs and CISOs can make identifying top organisational priorities difficult, and 53% say it makes technical decisions more challenging. 

In my previous role as CISO of Comcast, I encountered these issues first-hand so created a new role of Business Information Security Officer (BISO) to develop a security strategy that was more connected and integrated into the business. The security professionals in this role developed relationships with business unit leaders in order to better understand the goals of the business unit, and what it would need to protect and achieve in order to be successful.

The skills required to be a BISO

BISOs should not only be well versed in the latest cybersecurity threats and technologies, but also great communicators and fast learners. Good candidates are also those who have had some sort of operational role during their career where they managed a team, that understand P&L and costs, and that are strong analytically.

It’s clear that in a world with limited talent, you’ll need to train and nurture people from a range of different skillsets and backgrounds to become a successful BISO. You cannot expect new hires to be completely up to speed on business principles and terminology, so you may consider fast-tracking their learning by embedding them within different business units for “tours of duty” to understand how different departments work.

This can benefit not only the enterprise but also the individual’s growth, helping to open their eyes to business needs and perspectives and make them more well-rounded employees and executives. 

The flipside can also be valuable: technically savvy business-side workers can be stationed temporarily in the security organization to expand their perspective and knowledge. Cross-pollination across all levels can only increase understanding and help security better understand what’s at stake.

The most successful security leaders understand the importance of their businesses and have a sense of why it needs to be secured. In other words, they understand the business goals and security’s function in enabling and protecting value creation in order to contribute to them.

Too many cybersecurity professionals are focused on hardening of systems, asks or perimeters without wondering why. Understanding what you’re trying to secure allows you to make the correct risk-based analysis and choose the correct security solutions to tackle today’s most pressing security problems.

Myrna Soto, Chief Strategy and Trust Officer, Forcepoint


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.