For the longest time within the cybersecurity industry, we have had Chief Information Security Officers (CISOs) whose role is to set the strategic direction for Information Security within an organisation.
But what are the stepping stones to becoming a CISO?
In the past, this has been a difficult question to answer, but typically the CISO is someone who moved up through the ranks in IT and developed additional knowledge and skills related to data protection, privacy and risk management. But over the last decade, a quiet revolution has been gathering momentum, and a new role (and career path) has emerged.
The Dawn of the BISO
The Business Information Security Officer (BISO) may be an unfamiliar role in many organisations. It is a role that acts as a liaison between the various business units and the cybersecurity function. The BISO will be extremely familiar with the business and/or the supporting business units, and will be able to uniformly articulate the overall cybersecurity programme and strategy across the entire organisation.
The Rise of the BISO
The role of a BISO has emerged over the past decade, as organisations recognise the need for dedicated security roles and skills within specific business units or departments. While it is challenging to pinpoint an exact date when the role of BISO became established across all industries, it can be traced back to the increasing emphasis on information security, the evolving nature of cybersecurity threats and the increasingly complex technical infrastructures in use.
As businesses have become more digital, data-centric, and interconnected, the complexity and diversity of security risks have grown exponentially alongside them. Traditional approaches to information security, where responsibility resides solely with the IT department or a centralised security team, have proved inadequate to address the unique security challenges faced by businesses today. Our reliance on and use of data has made every business in the land a target for cybercriminals, which makes the idea that employing a CISO will address all our security woes a dangerous placebo.
BISO: We are the champions
When implementing information security in larger organisations, we would look for security champions within operational or support functions. People who showed some interest in the world of cybersecurity were usually offered a support role on a voluntary basis. Almost like the Fire Warden, they would receive additional training, a clipboard, and additional responsibilities in the event of a "fire".
Thankfully the role of the BISO is now more formally recognised and, in larger organisations, is essential in bringing the security strategy to life.
Objectives, Strategy, Tactics and Operations
A CISO and a BISO are both roles within organisations that are responsible for managing and implementing information security strategies, but they are fundamentally different roles.
The CISO is responsible for setting the objectives for the information security programme, which in turn should be derived from the overall business objectives. The CISO is typically a senior-level executive who oversees the organisation's entire information security programme and is responsible for determining the strategy for achieving these objectives. The CISO has a broad role in developing and implementing security direction by determining the security controls to employ, the standards to achieve, and the policies, procedures, and initiatives across the organisation.
It is the responsibility of the CISO to determine how information security will be measured, along with how information security risks will be identified and managed. At the same time, the CISO must ensure compliance with the requirements of internal and external stakeholders, and that the latest threats and emerging technologies are being addressed.
The CISO's focus is on the overall security posture of the organisation, and on ensuring the entire business understands that direction. From the highest to the lowest levels of the organisation, the CISO ensures that the strategy is aligned with the business objectives and is communicated in a way that brings the business (including the executive team) along on the journey.
Being a CISO is not an easy task. There are many hard skills that a CISO must have, such as risk management and technical understanding. But it is the soft skills which are often the hardest to find and cultivate. The most important skill a CISO has is the ability to communicate. Communication is about listening, and clearly articulating a (strategic) vision is of paramount importance.
The ability to communicate a strategy is a fundamental skill that all great leaders have. Think of positive leaders that you know personally, or from history. One of their greatest strengths is the ability to effectively communicate their vision. Whether through written or verbal communication, they not only had a clear vision of what they needed to achieve, but they knew how to communicate it, and how to develop strategies to achieve it.
What about the BISO?
The BISO is typically a role that operates within a specific business unit or department of an organisation, collaborating with each business unit's leadership to assess and manage information security risks specific to that unit.
A BISO must work closely with the CISO and other security teams to implement the objectives, vision, and security controls as determined by the senior leadership team. The key responsibility of the role is to ensure compliance and promote a security-aware culture within each area, as well as uniformly across the entire enterprise. The focus is on translating the organisation's information security strategy into practical, operational steps, aligning security with the unit's specific needs and objectives, and providing subject-matter expertise on security matters to each unit's leadership.
The CISO has a broader and more strategic role, overseeing the organisation's overall security program, while the BISO focuses on a specific business unit or department, ensuring that security measures are tailored to the needs of that unit.
The route to becoming a CISO is much clearer than perhaps it once was, and what makes the role of the BISO even more exciting is that it means that future CISOs will not originate only from the IT department. The BISOs of today and the CISOs of the future are people working in HR, Risk, Finance, Operations, and Facilities. This will lead to broader (and perhaps deeper) thinking about cybersecurity and how we engage with the topic and the organisations we work in.
The BISOs were the champions in the past, but perhaps they are the security champions of the future we have been waiting for.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.