A new role for the cybersecurity industry: the Business Information Security Officer (BISO)

Why you should consider hiring Business Information Security Officers to develop security strategies that are more connected and integrated into the business.

This is a contributed article by Myrna Soto, Chief Strategy and Trust Officer, Forcepoint.

Traditionally, those working in the cybersecurity industry have been technically savvy and laser-focused on finding tools and solutions to ensure that data, and the people who access it, are secure from breach or attack. At a time when the whole enterprise was safely housed in a corporate office and on the corporate network, this worked fine.

However, digital transformation, open supply chains and mobile devices have been changing this paradigm for some time, and we were all beginning to change our approach. 2020 had other ideas, however, and changes required due to the coronavirus pandemic have exponentially accelerated these trends, bringing fresh complications around assessing and balancing risk.

The mass shift to remote working has dramatically increased the unmanaged security risks of the remote working environment, from unsecured networks to the use of insecure personal devices to access corporate systems. At the same time, cybercriminals keep chasing the money – we’ve seen phishing attacks up more than 667% in the first half of this year.

Couple this with the sobering costs of a data breach to finances, brand trust and intellectual property (latest research shows that the average cost of a breach is US $3.92 million) and you’ve got a perfect risk-based storm.

Ensure you have cybersecurity warriors who know the business inside out

I do believe that the changes our industry has had to make due to the pandemic will be irrevocable, and they go far deeper than mass home working. CISOs are no longer operating within the tight controls of a traditional security system and have new unmanaged security risks to tackle – once this genie is out of the bottle, it’s hard to put it back in. We now need to enhance the skillsets of cybersecurity personnel, and find and train people within an IT department to both understand risk, and how a business operates, so they can advise on how best to protect it.

Our recent research found that 63% of cybersecurity leaders report that a lack of common vocabulary between CEOs and CISOs can make identifying top organisational priorities difficult, and 53% say it makes technical decisions more challenging.

In my previous role as CISO of Comcast, I encountered these issues first-hand, and created the role of Business Information Security Officers (BISO), to develop a security strategy that was more connected and integrated into the business. Although I had ultimate responsibility for the security of the business, the BISOs who reported into me helped to develop a line of sight across different business units.

The security professionals in this role developed relationships with business unit leaders in order to better understand the goals of the business unit, and what it would need to protect and achieve in order to be successful. The role undertaken by BISOs helped us to realise that because the goals, missions and workstreams of each business unit were different, they required different security and tech solutions to protect them.

The skills required to be a BISO

If you’re considering deploying BISOs within your business, you’ll need to know the key skills that make a candidate good for the role.

BISOs should not only be well versed in the latest cybersecurity threats and technologies, but also be great communicators and fast learners. They will need to be able to distil complex security imperatives and talk about them in business terms, with the ability to understand risk and the impact of security decisions. An understanding of data analytics or machine learning would be helpful: when it comes to gaining true visibility of risks across an organisation, it can’t be done by humans alone – data analytics offers both a real-time and historical view of events. This provides a unified view of threats and security breaches and allows for smarter planning, faster resolution and better decision making – something that a BISO would benefit from.

Good candidates are also those who have had some sort of operational role during their career where they managed a team, who understand P&L and costs, and who are strong analytically. For example, I have hired BISOs previously from financial analyst backgrounds – they had moved into technology or fintech roles and learned security controls.

However, it’s clear that in a world with limited talent, you’ll need to train and nurture people from a range of different skillsets and backgrounds to become a successful BISO. You cannot expect new hires to be completely up to speed on business principles and terminology, so you may consider fast-tracking their learning by embedding them within different business units for “tours of duty” to understand how different departments work. This can benefit not only the enterprise but also the individual’s growth, helping to open their eyes to business needs and perspectives and make them more well-rounded employees and executives.

The flipside can also be valuable: technically savvy business-side workers can be stationed temporarily in the security organisation to expand their perspective and knowledge. Cross-pollination across all levels can only increase understanding and help security better understand what’s at stake.

The most successful security leaders understand the importance of their businesses and have a sense of why they need to be secured. In other words, they understand the business goals and security’s function in enabling and protecting value creation in order to contribute to them. Too many cybersecurity professionals are focused on hardening systems, assets or perimeters without asking why. Understanding what you’re trying to secure allows you to make the correct risk-based analysis and choose the correct security solutions to tackle today’s most pressing security problems.

Myrna Soto is the Chief Strategy and Trust Officer for Forcepoint. A strategic business and technology leader, Soto drives and champions the company’s enterprise vision, strategy and programs to protect people, critical data and IP both within the company and for thousands of Forcepoint customers around the globe. A transformational security and business leader, Soto has more than 25 years’ experience in information technology and security strategy and execution having held senior leadership roles with many of the world’s most recognised Fortune 500 brands.