As Jeff Pollard and I stated in our recent blog post announcing our top recommendations for your security program in 2022, CISOs now have the access, influence, and impact that they’ve long deserved — but they can’t be everywhere at once!
Businesses are charging forward with innovative ways to win, serve, and retain customers. This is putting greater pressure on development, procurement, and IT teams to move quickly. Constant communication is crucial for reducing roadblocks to the achievement of corporate objectives while ensuring the protection of sensitive data and IP. But in large organizations with multiple business units, building and maintaining a bridge that connects business objectives with security requirements cannot fall on the CISO alone.
Enter the business information security officer. In our newly published report, Role Profile: Business Information Security Officer (BISO), Forrester describes the role of the BISO as follows:
BISOs operate on behalf of the CISO, serving as an advisor to the business unit’s functional leaders. They also engage as a member of the [business unit’s] senior leadership team to understand, discuss, and advise on the intersection of strategic priorities and key IT and security risks. This role evangelizes security to the business unit, but critically also acts as the voice of the business unit with the CISO.
The BISO role originated and is fairly well established in financial services and insurance, but it is still considered an emerging role in industries such as high tech, healthcare, and manufacturing.
High-profile BISOs like Alyssa Miller, BISO for S&P Global Ratings, and Nicole Dove, now head of security at Riot Games, are advocating for and advancing the role within the information security community. In fact, it was Nicole who best described a BISO’s role and purpose in relation to the business by saying “[…] my job is not to tell them ‘no’ with everything that they want to do but really to help them find the most secure and thoughtful ‘yes.’”
The power of the BISO lies in that secure and thoughtful “yes.” Companies looking to differentiate and go to market as a trusted business should give their CISOs the green light to hire or develop BISOs for their organizations.
This is a role that requires technical and business acumen and effective translation between the two worlds. It’s also an opportunity to promote top talent from within your GRC, architecture, threat detection and prevention, and vulnerability management teams — as well as especially effective developer security champions. Additionally, as BISOs are often considered “mini CISOs” within larger organizations, look to your BISO ranks for potential successors.
Thinking about adding BISOs to your team? Our report, Role Profile: Business Information Security Officer (BISO), provides you with an overview of the common requirements, responsibilities, experience, and expertise necessary for hiring a BISO or promoting from within. Check it out, as well as our other role profiles, including for the security analyst, incident response analyst, and transformational risk officer — and please reach out with your questions or feedback!