By The Integrity360 Team on August 28, 2020

Why your organisation may need a business information security officer

From chief information officers to chief security officers, organisations now have many different job titles with responsibilities over security.

No longer can companies house all of their security duties under one job title and brief, especially as technology becomes more and more pervasive in the way that businesses operate.

As part of this tech transformation, threats also become more pervasive and with that come greater security responsibilities. Personnel have had to adapt with new skill sets and in many ways become more niche with dedicated roles that may not have existed five or ten years ago.

A relatively new job title that has come to the fore during this transformation is the business information security officer, or BISO, who wears many hats.

So what does a BISO do? And does your company need one?

Roles of a BISO

A business information security officer’s job is to link business and technology. The emergence of the position has been driven by the ever-increasing migration to the cloud in many businesses and the ubiquity of technology in day-to-day operations.

Increased technology may mean greater efficiencies for the business, but it can also mean new risks from a security standpoint.

One of a BISO’s chief roles is to establish information security as a business requirement on the same footing as any other requirement within the organisation. A company’s business considerations and its information security duties can no longer run on separate tracks, so there has to be a meeting of the minds.

A BISO’s role is multifaceted but one of the top skills needed is communication. While they must be technically competent in the sector they are working in, they also need to be able to communicate and translate that knowledge for various other teams in the organisation.

A company’s BISO will typically come from an information security and risk management background with a mindset for business. In many respects, this person acts as a sort of bridge between different personnel in different teams or departments and helps them all understand each other.

One key challenge for a BISO is relaying security requirements to the teams responsible for customer-facing products and services. Now more than ever, product designers need to create secure products without sacrificing the usability that appeals to customers. This means engaging more with their security colleagues to agree on trade-offs and arrive at the best product.

Expanding security teams

The business information security officer usually reports to the chief information security officer (CISO). The latter’s role was once a purely technical one but now it must account for strategic and business thinking.

A CISO’s role has become more important in recent years, requiring greater attention as work moves to the cloud, but there’s only so much that one CISO can do on their own. This is where a BISO steps in.

Similarly, other specialist roles have emerged, such as technical information security officers and strategic information security officers, that fall under the purview of the CISO to create a more robust security division.

This diversification of cybersecurity leadership and management roles is, as expected, more prevalent in larger organisations that have the resources to invest in creating new teams and building them out.

According to a report from Oracle and KPMG, one-third of large organisations have at least one BISO among their ranks. The role is much less prevalent in mid-sized companies but more organisations are waking up to the fact that this is a skills gap that they need to plug.

The report surveyed 750 IT and cybersecurity professionals globally about security and cloud threats and the structures of their organisations to address these threats.

It found that among organisations that had hired BISOs, they were looking for someone to integrate a security culture into their business culture and make the two mutually beneficial.

A BISO should not be acting alone either. In an ideal scenario, an organisation would have at least one BISO for each business unit to ensure that security remains a top priority in each unit’s development.
